linux
whatfor, 2014-06-09 23:27:53

Sites not loading from local servers

Hello!
I am faced with a baffling situation.
There are two offices interconnected over a VPN (IPSec), with the subnets 192.168.1.0/24 and 192.168.2.0/24; they have been working this way for almost 3 years.
There are also two web servers located in the first office (192.168.1.0/24).
Today the sites hosted on those servers stopped opening from the second office when the server/site is addressed by its local address of the form 192.168.1.XXX (they are always addressed by IP; domain names are not used). If you connect via the external white IP address issued by the provider (the redirect works), everything is fine! In the first office all sites work with either addressing.
Another interesting thing I found: the sites that do not load are those whose HTML markup contains a tag such as <link rel="stylesheet" href="styles.css">. That is, a page like <h1>Hello world!</h1> loads without problems, which means port 80 is not blocked anywhere along the path. But as soon as styles, icons or scripts are attached, the pages stop loading. Explorer 6 just spins forever, as does Firefox ("Waiting for a response from the ip-address-server"), and Chrome after about a minute says "The web page is not available" (ERR_CONNECTION_RESET). Checked from several machines.
I repeat: when you open the same sites from the same machines via the external IP, everything loads perfectly!
The VPN between the offices is provided by servers based on the Endian Community Firewall. I rebooted both gateways and the web servers.
Tell me where to dig: how can I check why loading stops, and what is getting in the way?


2 answer(s)
whatfor, 2014-06-10

In general, it looks like a black hole (PMTUD blackhole).
I asked the provider about it and am waiting for an answer.
I ran the SG TCP Optimizer utility; at first it reported:
The largest possible non-fragmented packet is 1391 (1419 - 28 ICMP & IP headers).
You can set your MTU to 1419,
and after a while:
The largest possible non-fragmented packet is 1464 (1492 - 28 ICMP & IP headers).
You can set your MTU to 1492
I temporarily solved the problem (read here) with the following commands on the gateway:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1492
service iptables restart
I first specified a size of 1360, then tried 1492; it works.

larrabee, 2014-06-10

Maybe the problem is the MTU? Try pinging with large packets and with packet fragmentation forbidden.
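Putting the two answers together (larrabee's DF-ping probe and whatfor's MSS clamp), here is an added example script that is not part of either post: it binary-searches the largest ICMP payload that crosses the tunnel with DF set, converts it to the path MTU and a TCP MSS, and prints the clamp rule in the form whatfor used. It assumes iputils `ping` (-M do, -s, -W) on a Linux gateway and a host on the far subnet; 192.168.1.10 is a constructed placeholder, not an address from the question.

```shell
#!/bin/sh
# Added example (not from the forum posts): probe the path MTU across the VPN
# and derive an MSS clamp for the gateway. Assumes iputils ping and iptables.

ICMP_IP_OVERHEAD=28   # IPv4 header (20) + ICMP header (8) on top of the ping payload
TCP_IP_OVERHEAD=40    # IPv4 header (20) + TCP header (20); MSS = MTU - 40

# Largest ICMP payload that reaches $1 unfragmented, found by binary search
# between $2 and $3. On a PMTUD blackhole the oversized probes simply time
# out (1 s each), so a blackhole shows up as a path MTU below the link MTU.
probe_max_payload() {
    host=$1; lo=${2:-1000}; hi=${3:-1472}; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 1 -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

payload_to_mtu() { echo $(( $1 + ICMP_IP_OVERHEAD )); }
mtu_to_mss()     { echo $(( $1 - TCP_IP_OVERHEAD )); }

# The same rule whatfor applied, parameterised on the probed MSS: rewrite the
# MSS option of forwarded SYN segments so neither end offers a segment that
# would need fragmentation inside the tunnel.
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

main() {
    host=${1:-192.168.1.10}   # placeholder far-side host; pass a real one
    payload=$(probe_max_payload "$host")
    [ "$payload" -gt 0 ] || { echo "no DF ping of any size reached $host" >&2; exit 1; }
    mtu=$(payload_to_mtu "$payload")
    echo "largest unfragmented payload: $payload bytes (path MTU $mtu)"
    echo "suggested clamp on the gateway:"
    clamp_rule "$(mtu_to_mss "$mtu")"
}

# Probe only when a host is given on the command line, e.g. ./pmtu.sh 192.168.1.10
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With whatfor's first measurement (payload 1391) the script reports MTU 1419 and suggests an MSS of 1379; with the later one (payload 1464) it reports MTU 1492 and MSS 1452.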
