Problems opening secure web pages

We have an 877 router connected to an ADSL2+ line. The router syncs at 17000Mbps/950Kbps, and it seems to be working well. But when we try to open some web pages using the secure protocol (https) it fails. For example, gmail.com, hotmail.com, cisco.com, bank web pages... it takes quite long, and sometimes the page is loaded correctly; other times the page is loaded partially with errors; other times we receive a timeout error... It is very strange.

We have spoken with the ISP (Jazztel Spain) and they say that the line is correct, and that the configuration of our router should be OK because if it were wrong nothing would work (I don't know if parameters like MTU size or something like that could affect https traffic and not http). If we use the router provided by the ISP (Comtrend HG365+) it works perfectly.

What can I do? With the atm debugs I cannot see any strange behaviour.

Thanks.

Best regards.

8 REPLIES
New Member

Re: Problems opening secure web pages

Hi Victor,

  Try to modify the MTU and MSS size on the interfaces. The MTU and MSS could be a problem with https and not http because https has implications in the fragment process.

  We had exactly the same problem with Euskaltel and a VPN configuration.

Read this: http://en.wikipedia.org/wiki/Maximum_segment_size

A show running-config posted here could be useful.

Regards

Re: Problems opening secure web pages

Hello Jorge, thanks for your response. We had tested some values of MTU (1492, 1450) and there were no changes. What is the recommended value for an ATM connection? What was your config?

The configuration of the router is as follows:

interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 7 xxxxxxxxxx
 ppp pap sent-username xxxxxxxxxx password 7 xxxxxxxxxxxx
!
interface Vlan1
 description LAN-Datos
 ip address 10.200.0.2 255.255.255.0
 ip helper-address 10.200.0.220
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

Thank you.

Best regards.

Hall of Fame Super Gold

Re: Problems opening secure web pages

Try:

interface Dialer0
  ip mtu 1492
  no ip virtual-reassembly

interface Vlan1
  no ip virtual-reassembly

New Member

Re: Problems opening secure web pages

Hi Victor,

Remember: MSS = MTU - 40

Then:

interface Dialer0
[...]
  ip mtu 1454
[...]
!
interface Vlan1
[..]
  ip tcp adjust-mss 1414

I suggest you don't disable the "ip virtual-reassembly" if you are using Cisco IOS Firewall:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_vfrag.html

The optimal values for PPPoE should be:

1454 bytes for the MTU (interface Dialer0) and 1414 for the MSS (interface Vlan1). These values are related to the ATM layer in ADSL.

PPPoE 1454-byte frame:

Portion             Bytes
TCP/IP Payload      1454
PPP Headers         +2
PPPoE Headers       +6
Ethernet Headers    +18
Total Frame Size    1480

1480 / 48 bytes = 30 cells plus a 40-byte remainder, + 8 bytes for the SAR ATM trailer

Read this article on the Internet:

http://www.mynetwatchman.com/kb/ADSL/pppoemtu.htm

I hope this helps you.

Regards.

Re: Problems opening secure web pages

Hello Paolo and Jorge, thanks for your responses. Yesterday I changed some values:

Dialer 0 --> mtu 1492

Vlan 1 --> ip tcp adjust-mss 1452

This morning we did some tests and it is working great. Effectively the config matches exactly the values provided by Paolo. THANK YOU AGAIN!!!

The next question: are the values referred to in the article Paolo mentions really better? I mean, have you tested it? Now it seems to be working well, but I don't know if it could work better.

Thank you both for your helpful information.

Best regards.

New Member

Re: Problems opening secure web pages

Hi Victor,

  I think that the difference is not very big.

  If these values work for you, perfect.

Dialer 0 --> mtu 1492

Vlan 1 --> ip tcp adjust-mss 1452

As you can see in this article:

http://www.mynetwatchman.com/kb/ADSL/pppoemtu.htm

With a value of 1492, the last ATM cell (cell number 32) has 10 bytes of cell padding. Cell padding means no information. You are using 32 ATM cells.

With a value of 1454, the last ATM cell (cell number 31) has no cell padding and you only use 31 cells.

Then with MTU = 1454 you save 1/32 cell; you optimize your line a bit.

Review the article, it's really brief and useful.

Pero esto es hilar muy fino   (I can't translate this to English)
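
The cell arithmetic from the two posts above, as an added example that is not part of the original thread: it takes the per-frame overheads from the frame table (PPP 2, PPPoE 6, Ethernet 18, SAR/AAL5 trailer 8 bytes), assumes they apply to this line's encapsulation, and searches for the largest MTU up to 1492 that leaves no padding in the last ATM cell. The function names and the efficiency figure (TCP payload bytes per byte of 53-byte cells) are this example's own.

```python
import math

# Overheads as quoted in the thread's frame table (assumed valid for this line).
PPP_HDR = 2
PPPOE_HDR = 6
ETH_HDR = 18
AAL5_TRAILER = 8    # the "SAR ATM trailer" in the thread
CELL_PAYLOAD = 48   # payload bytes carried by one ATM cell
CELL_SIZE = 53      # 48 payload bytes + 5-byte cell header
TCPIP_HDR = 40      # 20-byte IP + 20-byte TCP header, no options (MSS = MTU - 40)


def cell_cost(ip_mtu):
    """Cells, padding and efficiency for one full-size IP packet at this MTU."""
    pdu = ip_mtu + PPP_HDR + PPPOE_HDR + ETH_HDR + AAL5_TRAILER
    cells = math.ceil(pdu / CELL_PAYLOAD)
    padding = cells * CELL_PAYLOAD - pdu
    mss = ip_mtu - TCPIP_HDR
    return {
        "mtu": ip_mtu,
        "mss": mss,                      # value for "ip tcp adjust-mss"
        "cells": cells,
        "padding": padding,              # wasted bytes in the last cell
        "efficiency": mss / (cells * CELL_SIZE),
    }


def best_padding_free_mtu(max_mtu=1492):
    """Largest MTU <= max_mtu whose last ATM cell carries no padding."""
    for mtu in range(max_mtu, TCPIP_HDR, -1):
        if cell_cost(mtu)["padding"] == 0:
            return mtu
    return None


if __name__ == "__main__":
    for mtu in (1492, best_padding_free_mtu()):
        c = cell_cost(mtu)
        print(f"MTU {c['mtu']}: MSS {c['mss']}, {c['cells']} cells, "
              f"{c['padding']} bytes padding, efficiency {c['efficiency']:.4f}")
```
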

Re: Problems opening secure web pages

Thank you Jorge. I have tested both configs and I cannot appreciate any difference, so as you say, es hilar muy fino.

Best regards.

Hall of Fame Super Gold

Re: Problems opening secure web pages

That appears to be correct, in fact I never did these calculations before.

However, if you really want to optimize your PPPoE circuit, try configuring the PVC for PPP instead of PPPoE, leaving the dialer configuration the same.

You will find that many DSLAM/BRAS are set for auto-encapsulation, that is, they work indifferently either way.

With PPP you can use a regular MTU of 1500, no MSS adjust, and eliminate the Ethernet addresses overhead.


Està barbaro hilar fino, entonces hilamos bien
