05-14-2009 01:55 AM - edited 03-04-2019 04:45 AM
At work I have a 2801 router with advanced security image 12.4(3h).
Attached to FastEthernet0/0 is a switch and a load of subinterfaces.
Attached to FastEthernet0/1 is a docsis modem that connects to internet using PPPoE.
The router performs NAT to make sure all hosts in the network can reach internet.
Mostly this all works fine, but there are some specific sites that start a transfer, and after a random amount of data the data from the other side starts coming back at longer intervals, doubling each interval.
A Wireshark capture is available on http://home.kabelfoon.nl/~labenitt/probleem.pcap
In the same building there are 2 more companies, same provider, different router (Linksys) and they can download this same file just fine.
Below are snippets from the running config belonging to the interface and the dialer.
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no mop enabled
 crypto map SDM_CMAP_1
interface Dialer0
 ip address negotiated
 ip access-group Mathijs_inkomend in
 ip mtu 1492
 ip inspect Inspect_Mathijs out
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 2
 no fair-queue
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username *name* password 7 *password*
 crypto map SDM_CMAP_1
05-16-2009 10:38 PM
On each subinterface that has nat inside, configure:
ip tcp adjust-mss 1452
That should solve your issue.
05-18-2009 12:32 AM
That was the original configuration which already had the problem.
The ip tcp adjust-mss 1412 on the dialer already tackles this problem, even when using the VPN.
Just for good measure I did put it on all nat inside interfaces, and the connection went to 8MB downloaded without dying, so I nearly cheered, but then it still died. Later tries died a lot faster again.
05-18-2009 06:05 AM
Command on dialer should have no effect.
It has to be on the inside interfaces as 1452, not 1412.
05-20-2009 01:23 AM
No adjust-mss: Many sites don't work
adjust-mss 1452 on all inside interfaces: Most sites work
adjust-mss 1452 on dialer: same as on all inside interfaces, but only 1 interface requires the command.
This was tried and tested; it doesn't matter if it's on the inside or outside, just as long as 1 has it. Also it's 1412 because of the fact we use a VPN which eats up another set of TCP and IP headers.
Also visible in the trace is the fact we do get a lot of packets; if the packet size was a problem, there would be no packets coming in.
The packets just suddenly slow down for no apparent reason.
05-20-2009 05:53 AM
If you have a VPN, the difference will not be just 40, because VPN overhead is not just a set of IP+TCP headers.
You probably have to reconsider how your packets travel and from where, at these different points, to find where you have to configure it.
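The overhead arithmetic discussed in the replies above, worked through as an added example (not posted by anyone in this thread). It assumes IPv4 without IP/TCP options and ESP in tunnel mode; the two transform sets are assumptions, since the thread does not show what SDM_CMAP_1 uses.

```python
# Added example: sizes are for IPv4, no IP/TCP options, ESP tunnel mode (RFC 4303).
IP_HDR = 20
TCP_HDR = 20
PPPOE_MTU = 1492          # "ip mtu 1492" on Dialer0 in the thread

# Assumed transforms (the thread does not show the crypto map's transform set).
# name: (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "esp-aes + esp-sha-hmac": (16, 16, 12),
    "esp-3des + esp-sha-hmac": (8, 8, 12),
}

def esp_tunnel_size(inner_len, iv, block, icv):
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    # Encrypted part: inner packet + padding + pad-length byte + next-header byte,
    # rounded up to a whole number of cipher blocks.
    trailer = inner_len + 2
    encrypted = -(-trailer // block) * block
    return IP_HDR + 8 + iv + encrypted + icv   # outer IP + SPI/seq + IV + data + ICV

def max_inner_packet(path_mtu, iv, block, icv):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - (IP_HDR + 8 + iv + icv)
    return (room // block) * block - 2

def clamp_mss(path_mtu, transform=None):
    """TCP MSS that avoids fragmentation, with or without the VPN in the path."""
    if transform is None:
        return path_mtu - IP_HDR - TCP_HDR
    return max_inner_packet(path_mtu, *TRANSFORMS[transform]) - IP_HDR - TCP_HDR

if __name__ == "__main__":
    print("no VPN:", clamp_mss(PPPOE_MTU))
    for name in TRANSFORMS:
        mss = clamp_mss(PPPOE_MTU, name)
        full = esp_tunnel_size(mss + 40, *TRANSFORMS[name])
        print(f"{name}: MSS {mss}, full-size segment is {full} bytes on the wire")
```

Swap in the IV, block and ICV sizes of the transform set actually configured before relying on the numbers.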