Cisco Support Community
Community Member

TCP connections timing out

At work I have a 2801 router with advanced security image 12.4(3h).

Attached to FastEthernet0/0 is a switch and a load of subinterfaces.

Attached to FastEthernet0/1 is a docsis modem that connects to internet using PPPoE.

The router performs NAT to make sure all hosts in the network can reach internet.

Mostly this all works fine, but there are some specific sites that start a transfer, and after a random amount of data the data from the other side starts coming back at longer intervals, doubling each interval.

A wireshark capture is available on

In the same building there are 2 more companies, same provider, different router (Linksys) and they can download this same file just fine.

Below are snippets from the running config belonging to the interface and the dialer.

    interface FastEthernet0/1
     description $FW_OUTSIDE$$ETH-WAN$
     no ip address
     no ip redirects
     no ip proxy-arp
     duplex auto
     speed auto
     pppoe enable
     pppoe-client dial-pool-number 1
     no mop enabled
     crypto map SDM_CMAP_1

    interface Dialer0
     ip address negotiated
     ip access-group Mathijs_inkomend in
     ip mtu 1492
     ip inspect Inspect_Mathijs out
     ip nat outside
     no ip virtual-reassembly
     encapsulation ppp
     ip tcp adjust-mss 1412
     dialer pool 1
     dialer idle-timeout 0
     dialer-group 2
     no fair-queue
     no cdp enable
     ppp authentication pap callin
     ppp pap sent-username *name* password 7 *password*
     crypto map SDM_CMAP_1
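
Added example, not part of the original post or of any reply: gaps that double between copies of the same segment are how TCP retransmission-timeout backoff (RFC 6298) looks in a capture, so the symptom in the question can be checked from exported packet times. The function name, thresholds and sample rows are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample, not taken from the poster's capture:
# (seconds since capture start, TCP sequence number, payload bytes) for the
# inbound data segments of one connection. 1412 is the adjust-mss value
# from the posted config.
SAMPLE_SEGMENTS = [
    (0.000, 1, 1412),
    (0.020, 1413, 1412),
    (0.030, 1413, 1412),   # one duplicate only: not a backoff series
    (0.041, 2825, 1412),
    (0.640, 2825, 1412),   # same segment again, then gaps of 1.2, 2.4, 4.8 s
    (1.840, 2825, 1412),
    (4.240, 2825, 1412),
    (9.040, 2825, 1412),
]


def find_backoff_runs(segments, min_doublings=2, tolerance=0.25):
    """Return data segments whose repeated arrivals are spaced at doubling gaps."""
    arrivals = defaultdict(list)
    for ts, seq, length in segments:
        if length > 0:                      # pure ACKs carry no data; skip them
            arrivals[(seq, length)].append(ts)

    findings = []
    for (seq, length), times in sorted(arrivals.items()):
        times.sort()
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        # Count adjacent gap pairs where the later gap is about twice the earlier.
        doublings = sum(
            1 for g1, g2 in zip(gaps, gaps[1:])
            if g1 > 0 and abs(g2 / g1 - 2.0) <= 2.0 * tolerance
        )
        if doublings >= min_doublings:
            findings.append(
                {"seq": seq, "len": length, "copies": len(times), "gaps": gaps}
            )
    return findings


if __name__ == "__main__":
    for hit in find_backoff_runs(SAMPLE_SEGMENTS):
        print("seq %(seq)d len %(len)d seen %(copies)d times, gaps %(gaps)s" % hit)
```

Rows in this shape can be exported from a capture with the tshark fields frame.time_relative, tcp.seq and tcp.len.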

Hall of Fame Super Gold

Re: TCP connections timing out

On each subinterface that has nat inside, configure:

    ip tcp adjust-mss 1452

That should solve your issue.

Community Member

Re: TCP connections timing out

That was the original configuration which already had the problem.

The ip tcp adjust-mss 1412 on the dialer already tackles this problem, even when using the VPN.

Just for good measure I did put it on all nat inside interfaces, and the connection went to 8MB downloaded without dying, so I nearly cheered, but then it still died. Later tries died a lot faster again.

Hall of Fame Super Gold

Re: TCP connections timing out

Command on dialer should have no effect.

It has to be on the inside interfaces as 1452, not 1412.

Community Member

Re: TCP connections timing out

No adjust-mss: Many sites don't work

adjust-mss 1452 on all inside interfaces: Most sites work

adjust-mss 1452 on dialer: same as on all inside interfaces, but only 1 interface requires the command.

This was tried and tested, it doesn't matter if it's on the inside or outside, just as long as 1 has it. Also it's 1412 because of the fact we use a VPN which eats up another set of TCP and IP headers.

Also visible in the trace is the fact we do get a lot of packets, if the packet size was a problem, there would be no packets coming in.

The packets just suddenly slow down for no apparent reason.

Hall of Fame Super Gold

Re: TCP connections timing out

If you have a VPN, the difference will not be just 40, because VPN overhead is not just a set of IP+TCP headers.

You probably have to reconsider how your packets travel and from where, these in different points, to find where you have to configure.
