Answer the question
In order to leave comments, you need to log in
Cisco, tcp adjust-mss and websites not opening
Dear habra-people, I ask for help, since for the second day I can not defeat one problem, namely, www.facebook.com and several other sites do not open.
Topology:
PPPoE-->Cisco 2801-->Switch-->client
Hardware:
Cisco 2801 (Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1))
MacPro (Lion ) 10.7) / Windows 7 x64
The problem is that www.facebook.com and a few other necessary sites do not open.
Question - How to treat?
How the problem looks from the client side
How it looks from the router side,
but from the router, the trace will not reach any address.
router config
Thanks in advance.
ping facebook.com
PING facebook.com (69.63.181.12): 56 data bytes
64 bytes from 69.63.181.12: icmp_seq=0 ttl=246 time=244.621 ms
64 bytes from 69.63.181.12: icmp_seq=1 ttl=246 time=243.474 ms
64 bytes from 69.63.181.12: icmp_seq=2 ttl=246 time=243.472 ms
ping www.facebook.com
ping: cannot resolve www.facebook.com: Unknown host
nskc2801#ping facebook.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.63.189.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 204/205/208 ms
nskc2801#ping www.facebook.com
Translating "www.facebook.com"...domain server (217.70.119.206) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.171.229.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/248/260 ms
!
version 12.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname nskc2801
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
clock timezone NOVST 7
no ip source-route
ip cef
!
!
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
!
!
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ips name ips_rule
no ip bootp server
ip domain name name.domain.name
ip name-server 217.70.119.206
ip name-server 217.70.119.150
ip name-server 8.8.8.8
!
!
!
!
username cisco privilege 15 secret <ПАРОЛЬ>
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
description === WAN ===
no ip address
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
description === LAN ===
ip address 10.10.45.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip access-group FIREWALL in
no ip proxy-arp
ip mtu 1492
ip inspect INSPECT_OUT out
ip ips ips_rule in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ЛОГИН
ppp chap password 7 ПАРОЛЬ
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip dns server
!
ip access-list extended FIREWALL
!
! тут полотенце из правил (для теста удалил все)
!
ip access-list extended NAT
permit ip host 10.10.45.2 any
permit ip host 10.10.45.3 any
! и еще куча хостов, динамический нат я не использую по ряду причин
!
dialer-list 1 protocol ip permit
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user! ^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179814
ntp update-calendar
ntp server 62.117.76.142
ntp server 10.10.45.2
end
Answer the question
In order to leave comments, you need to log in
There is nothing super criminal. But I would remove
ip inspect name INSPECT_OUT http for tests.
And also lower tcpadjustmss, for example, to 1300.
It won't help to run wireshark and watch.
Thanks for the answer, the problem turned out to be much funnier - from me to the Facebook servers and some others (including my two routers) there were more than 255 hops.
Our providers are designed mainly for home users and assume that the cord is plugged directly into the computer. After changing the route at the provider, everything worked.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question