Unable to access certain HTTPS sites from router

Michael Marzol
Level 1

We're using a 2811 router with a static DSL address provided by AT&T. At some point during the day, access to cisco.com PEC and most other (but not all) HTTPS sites was blocked. No changes were made to the router, and we've checked ACLs (in fact, we are now allowing all traffic to and from 443). A traceroute to wamu.com, for example, reaches about 12 hops and then fails. Any ideas?

4 Replies

tcordier
Level 1

I would not think that your ISP or your router is selectively blocking https traffic. However, if you have an issue on the network - overutilization or performance problems due to e.g. packet loss - it may appear as if only https is affected, due to the fact that https connections are more sensitive to increased delays, time-outs and packet drops than http traffic. Most https server admins set https timeouts to much shorter values than for http traffic, or firewalls more rigorously watch (and kill) https connections when no data are flowing. To the end user this may appear as an https problem since http still works, but the only thing that happens is that http is more resilient and continues after a network issue, while https does not. Might the https issue be linked to spikes of high utilization?

HTH, Thomas

You bring up a good point. I will take a look at our network stats. We removed the router and tried a simple Netopia router in order to rule out the ISP. Sure enough, we were able to hit every HTTPS site without issue, which led me to believe that the culprit had to be the 2811. However, we do have a DMVPN tunnel to headquarters on this 2811 and, as you probably know, the processes needed to keep that tunnel up (EIGRP, GRE, ESP, ...) are bandwidth intensive. I will check it out. If you, or anyone else, have any more ideas, please let me know.

I've monitored network traffic and bandwidth usage and found that usage of the link (1.5 Mbps) barely hits 15% at any one point. I am still unable to ping or access any HTTPS site (except for a few, Bank of America, for example) from the router, even during very slow periods of the day. Any ideas?

I could imagine that https servers would more often block pings, compared to standard websites (based on the idea that https is normally used for more security-sensitive content). The only suggestion I would have is to use https connection attempts from your router, rather than pings. You can use

telnet x.x.x.x 443

or - to avoid reiterating the same command -

ip sla 1
 tcp-connect x.x.x.x 443 source-ip y.y.y.y
 timeout 500
 frequency 10
ip sla schedule 1 life forever start-time now

HTH, Thomas
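As an added example that is not part of this thread, the following Python script does from a host behind the router what the IP SLA tcp-connect probe above does (500 ms timeout, repeated every 10 s) and then also attempts the TLS handshake, so a TCP connect that succeeds while the handshake fails is reported separately from plain unreachability. The hostnames in the main block are constructed placeholders, not sites from the thread.

```python
import socket
import ssl
import time

def probe_https(host, port=443, timeout=0.5, do_tls=True):
    """TCP connect (what 'ip sla tcp-connect' measures), then optionally a TLS handshake."""
    result = {"host": host, "tcp": False, "tls": False, "rtt_ms": None, "error": None}
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"  # SYN got no usable answer within the timeout
        return result
    result["tcp"] = True
    result["rtt_ms"] = round((time.monotonic() - t0) * 1000, 1)
    if not do_tls:
        sock.close()
        return result
    ctx = ssl.create_default_context()
    try:
        # A handshake failure here, with the TCP connect having succeeded, is a
        # different symptom from the host being unreachable and is recorded as such.
        with ctx.wrap_socket(sock, server_hostname=host):
            result["tls"] = True
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"tls: {exc}"
    return result

def run_probes(host, count=5, frequency=10, **kw):
    """Repeat the probe every `frequency` seconds, like an IP SLA schedule."""
    results = []
    for i in range(count):
        results.append(probe_https(host, **kw))
        if i < count - 1:
            time.sleep(frequency)
    return results

def summarize(results):
    """Success counts per stage plus average connect RTT over the successful probes."""
    rtts = [r["rtt_ms"] for r in results if r["rtt_ms"] is not None]
    return {
        "probes": len(results),
        "tcp_ok": sum(1 for r in results if r["tcp"]),
        "tls_ok": sum(1 for r in results if r["tls"]),
        "avg_rtt_ms": round(sum(rtts) / len(rtts), 1) if rtts else None,
    }

if __name__ == "__main__":  # hostnames are constructed examples, not from the thread
    for target in ("www.example.com", "www.example.org"):
        print(target, summarize(run_probes(target, count=3, frequency=10)))
```

Comparing the `tcp_ok` and `tls_ok` counts across the sites that work and the sites that do not tells you whether connections are failing before or after the TCP handshake completes.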
