10-21-2008 11:33 AM - edited 03-04-2019 12:01 AM
We're using a 2811 router with a static DSL address provided by AT&T. At some point during the day, access to cisco.com PEC and most other (but not all) HTTPS sites was blocked. No changes were made to the router. We've checked ACLs (in fact, we are now allowing all traffic to and from 443). In doing a traceroute to wamu.com, for example, it reaches about 12 hops and then fails. Any ideas?
10-21-2008 01:29 PM
I would not think that your ISP or your router is selectively blocking https traffic. However, if you have an issue on the network - overutilization or performance problems due to e.g. packet loss - it may appear as if only https is affected, due to the fact that https connections are more sensitive to increased delays, time-outs and packet drops than http traffic. Most https server admins set https timeouts to much shorter values than for http traffic, or firewalls more rigorously watch (and kill) https connections when no data are flowing. To the end user this may appear as an https problem since http still works, but the only thing that happens is that http is more resilient and continues after a network issue, while https does not. Might the https issue be linked to spikes of high utilization?
HTH, Thomas
10-21-2008 02:03 PM
You bring up a good point. I will take a look at our network stats. We removed the router and tried a simple Netopia router in order to rule out the ISP. Sure enough, we were able to hit every HTTPS site without issue, which led me to believe that the culprit had to be the 2811. However, we do have a DMVPN tunnel to headquarters on this 2811 and, as you probably know, the processes in order to keep that tunnel up (eigrp, gre, esp...) are bandwidth intensive. I will check it out. If you, or anyone, have any more ideas, please let me know.
10-22-2008 04:38 AM
I've monitored network traffic and bandwidth usage and found that usage of the link (1.5 Mbps) barely hits 15% at any one point. I am still unable to ping or access any HTTPS site (except for a few, Bank of America, for example) from the router, even during very slow periods of the day. Any ideas?
10-23-2008 02:57 AM
I could imagine that https servers would more often block pings, compared to standard websites (based on the idea that https normally is used for more security sensitive content). The only suggestion I would have is to use https connection attempts from your router, rather than pings. You can use
telnet x.x.x.x 443
or - to avoid reiterating the same command -
ip sla 1
tcp-connect x.x.x.x 443 source-ip y.y.y.y
timeout 500
frequency 10
ip sla schedule 1 life forever start-time now
HTH, Thomas
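A host-side version of the same idea, added here as an example (it is not from the thread and not IOS configuration): it does what the ip sla tcp-connect operation does, a TCP connect to port 443 at a fixed interval with a short timeout, and additionally tries the TLS handshake, so a history of results shows whether connects fail outright, connects succeed but handshakes do not, or results are mixed, which is the pattern you would expect from loss and timeouts rather than a block. The hostnames and ports are whatever you pass in; the demo at the bottom uses a closed localhost port.

```python
import socket
import ssl
import time
from collections import Counter

def probe_https(host, port=443, timeout=0.5):
    """One probe: TCP connect, then TLS handshake. Returns (stage, detail) with
    stage 'tcp_fail' (like a failed ip sla tcp-connect), 'tls_fail' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out or unreachable
        return "tcp_fail", type(exc).__name__
    try:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return "tls_fail", type(exc).__name__

def run_probes(host, port=443, count=5, frequency=1.0, timeout=0.5):
    """Repeat the probe at an interval, like 'frequency 10' does for an IP SLA op."""
    stages = []
    for i in range(count):
        stages.append(probe_https(host, port, timeout)[0])
        if i + 1 < count:
            time.sleep(frequency)
    return stages

def summarize(stages):
    """Classify a probe history the way you would read the IP SLA statistics."""
    if not stages:
        return "no_data"
    n, counts = len(stages), Counter(stages)
    if counts["ok"] == n:
        return "reachable"
    if counts["tcp_fail"] == n:
        return "tcp_connect_failing"   # consistent with a block or a routing problem
    if counts["tcp_fail"] == 0:
        return "tcp_ok_tls_failing"    # connect works every time, handshake does not
    return "intermittent"              # mixed: loss/timeouts rather than a hard block

def unused_local_port():
    """A closed localhost port, so the demo below gets a deterministic tcp_fail."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_https("127.0.0.1", unused_local_port()))
    print(summarize(run_probes("127.0.0.1", unused_local_port(), count=3, frequency=0.1)))
```

Run it against the sites that fail from behind the 2811 and against one that works, and compare the summaries side by side.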