Cisco Support Community

tcp resets, connectivity problems

Just wondering if anyone has any input on this:

We had a DMZ server that customers used to get to their information. This server was the front end to get to the host that holds the customer information.

The server was in a DMZ, the path from Server to host was:

through DMZ switch, through firewall to 6509 switch to the host.

We never had a problem with this, the server application was old but worked great.

We have since moved to having someone host the front end. The front end connects via the Internet to their third-party router, to the same DMZ switch, through the same firewall, to the same 6509, to the host. The third-party router is configured with a VPN tunnel to the remote end. The connection comes through the Internet to their router and is NATed, then goes to the DMZ, then to the host.

Internet---E1 (Router NAT) E0 ---ASA---6509---Host

We have had nothing but trouble with this connection. Customers are complaining because the connections time out so much. We see a lot of TCP resets from the host to the router's NAT IP address (which is the DMZ-side interface). The resets usually show "Invalid Query Header Length". The current connection is capped at 1 Mbps, with average response times of 50 ms (spikes to 200 ms).

They keep telling us that something is wrong with the host, but I have to believe the latency is causing us problems. I can see that bandwidth seems to be enough, as I do not see the interfaces utilizing that much; it averages about 300K.

I was wondering, could the IOS NAT be contributing to the problem as well?


tcp resets, connectivity problems

Is E1 a new router? Where is the front-end server in your diagram? It would be nice to look into the E1 and E0 configurations; if you could paste them here, I will review them and let you know.


Posted by WebUser Neeraj Jagga from Cisco Support Community App


Re: tcp resets, connectivity problems

E1 and E0 are on the same router and belong to the third party doing the hosting.

The router sits in our physical location, with E0 on the outside network and E1 on a DMZ.

I have no access to this router. All communication from this router is NATed from the E1 interface.

The switch interfaces that the router plugs into do not show any excessive errors or anything unusual.
