Certain websites won't load using Cisco 1751-V

Discussion in 'Hardware' started by doublea1535, Dec 4, 2009.

  1. doublea1535

    doublea1535

    Joined:
    Dec 4, 2009
    Messages:
    1
    Was at a client's last night. They have Qwest DSL using a Netopia router. I tried to upgrade this to a Cisco 1751-V with an ADSL WIC running C1700-ADVIPSERVICESK9-M Version 12.4(25b). It was running a later version of code but I tried upgrading it, no change.

    Ran into a very funky issue where certain websites would not load, and some would only load partially. I did not take extensive notes about which sites would not load but some that I do remember are cnn.com, schwab.com, msn.com, microsoft.com, digg.com. Ebay.com would only load the first portion of the header graphic and then stop. Reddit.com, google, cisco.com, personal websites of mine all came up fine. Flickr.com seemed to have many missing/blank images. As soon as we reverted to the Netopia everything worked.

    I ran tcpdump on my laptop and I was able to complete the 3-way handshake as far as I could tell, and the last packet was the webserver sending me data but then nothing ... it just stalled there. I turned off the 'ip inspect' and the ACL and this seemed to improve things, but still several of the sites listed above would not load. Speed tests at dslreports.com and some NDT sites would at times show varying things. Sometimes I could get the full speed (2.5M/786) other times only 700K/200K. NDT reported packet queueing before I turned off the inspection but generally reported decent speeds.

    No one was in the office at the time, the NAT table was not being exhausted and like I said above, I had no problem clicking happily through many websites. Also, going direct to the IP address of cnn.com for example did no good. The issue happened on all computers in the office (Windows) and even mine (Ubuntu 9.04).

    Here is the config of the 1751-V that I tried last (there is some room for cleanup on the crypto client and acl's but this should not be causing the issue) :

    -----------------
    Cisco IOS Software, C1700 Software (C1700-ADVIPSERVICESK9-M), Version 12.4(25b), RELEASE SOFTWARE (fc1)
    Technical Support:
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 12-Aug-09 10:27 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

    fw01 uptime is 1 hour, 31 minutes
    System returned to ROM by reload at 17:20:20 MST Thu Feb 28 2002
    System image file is "flash:c1700-advipservicesk9-mz.124-25b.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:

    If you require further assistance please contact us by sending email to

    Cisco 1751-V (MPC860P) processor (revision 0x600) with 91630K/6674K bytes of memory.
    Processor board ID FOC10343P81 (1044357779), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    1 FastEthernet interface
    1 ATM interface
    1 Virtual Private Network (VPN) Module
    32K bytes of NVRAM.
    32768K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    ------
    Current configuration : 3415 bytes
    !
    version 12.4
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    !
    hostname fw01
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 IMaPAssword
    !
    aaa new-model
    !
    !
    aaa authentication login vpn local
    aaa authentication ppp default local
    aaa authorization network vpn local
    !
    aaa session-id common
    clock timezone MST -7
    clock summer-time MDT recurring 2 Sun Mar 0:00 1 Sun Nov 0:00
    ip cef
    !
    !
    no ip dhcp conflict logging
    ip dhcp excluded-address 10.55.66.1 10.55.66.99
    ip dhcp excluded-address 10.55.66.200 10.55.66.254
    !
    !
    ip domain name domain.com
    ip name-server 205.171.3.65
    ip name-server 205.171.2.65
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username superduper password 7 sadflksafd
    username usera password 7 sadlfj;lkdsajf
    !
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpn
    key keykeykey
    pool vpn-pool
    acl 102
    !
    crypto isakmp client configuration group 2ndvpn
    key keykeykey
    pool vpn-pool
    acl 102
    !
    !
    crypto ipsec transform-set vpn esp-3des esp-sha-hmac
    !
    crypto dynamic-map vpn 10
    set transform-set vpn
    !
    !
    crypto map vpn client authentication list vpn
    crypto map vpn isakmp authorization list vpn
    crypto map vpn client configuration address respond
    crypto map vpn 10 ipsec-isakmp dynamic vpn
    !
    !
    !
    !
    interface ATM0/0
    no ip address
    no atm ilmi-keepalive
    bundle enable
    !
    dsl operating-mode auto
    !
    interface ATM0/0.1 point-to-point
    pvc 0/32
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0/0
    ip address 10.55.66.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    speed auto
    !
    interface Dialer1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp pap sent-username user@qwest.net password 7 PPPPassword
    crypto map vpn
    !
    ip local pool vpn-pool 10.77.88.100 10.77.88.199
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer1 overload
    !
    access-list 100 deny ip any 10.77.88.0 0.0.0.255
    access-list 100 remark outbound-nat
    access-list 100 deny ip 10.55.66.0 0.0.0.255 10.77.88.0 0.0.0.255
    access-list 100 deny ip 10.77.88.0 0.0.0.255 any
    access-list 100 permit ip 10.55.66.0 0.0.0.255 any
    access-list 101 remark inbound-remote-access
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit ip 10.77.88.0 0.0.0.255 any
    access-list 101 permit esp any any
    access-list 102 remark vpn-split-tunnel
    access-list 102 permit ip 10.55.66.0 0.0.0.255 any
    !
    !
    !
    control-plane
    !
    !
    !
    !
    mgcp behavior g729-variants static-pt
    !
    !
    !
    !
    !
    line con 0
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 password
    transport input ssh
    line vty 5 15
    password 7 password
    transport input ssh
    !
    ntp clock-period 17179874
    ntp server 69.36.241.112
    ntp server 67.222.149.177
    ntp server 69.10.36.3
    end
    --------------------

    Also the following commands were present when the issue was worse :

    ip inspect name firewall tcp 300 (I also tried 600)
    ip inspect name firewall tcp 300 (I also tried 600)
    ip inspect name firewall icmp

    int dialer1
    ip access-group 101 in
    ip inspect name firewall out

    --------------------

    Again, for the most part connectivity was great. VPN access worked. I saw no interface errors, saw no packet loss. And again, when I swapped back in the Netopia everything was great.

    I then brought the 1751-V to my house, loaded my config on it and am running on it right now with no issues - I can pull up cnn.com, etc. Streaming video works great.

    The only thing I can think to try next is :

    - debug ip error
    - for grins, try another 1700 chassis
    - netflow

    Any ideas would be greatly appreciated!
    doublea1535, Dec 4, 2009
    #1

  2. doublea1535

    araishee

    Joined:
    Feb 18, 2010
    Messages:
    2
    Try typing the command
    ip tcp adjust-mss 1450

    on the LAN interface.
    It will be a fragmentation problem, I think.
    araishee, Feb 18, 2010
    #2
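
An added example, not part of either post: the arithmetic behind the suggested clamp, plus a check of a capture for servers that may send segments too large for a PPPoE link. The tcpdump lines are constructed, and the function names and the 192.0.2.10 / 198.51.100.7 servers are assumptions; PPPoE takes 8 bytes of a 1500-byte Ethernet MTU, so the largest TCP payload that crosses unfragmented is 1452 bytes.

```python
import re

PPPOE_OVERHEAD = 8    # 6-byte PPPoE header + 2-byte PPP protocol ID
IP_TCP_HEADERS = 40   # IPv4 (20) + TCP (20), no options

# Constructed tcpdump -n lines (not from the thread): one LAN client, two servers.
SAMPLE = """\
IP 10.55.66.120.40001 > 192.0.2.10.80: Flags [S], seq 100, win 5840, options [mss 1460,sackOK], length 0
IP 192.0.2.10.80 > 10.55.66.120.40001: Flags [S.], seq 900, ack 101, win 5792, options [mss 1460,sackOK], length 0
IP 10.55.66.120.40001 > 192.0.2.10.80: Flags [P.], seq 1:301, ack 1, win 5840, length 300
IP 192.0.2.10.80 > 10.55.66.120.40001: Flags [P.], seq 1:213, ack 301, win 6432, length 212
IP 10.55.66.120.40002 > 198.51.100.7.80: Flags [S], seq 500, win 5840, options [mss 1460,sackOK], length 0
IP 198.51.100.7.80 > 10.55.66.120.40002: Flags [S.], seq 700, ack 501, win 5792, options [mss 1380,sackOK], length 0
IP 10.55.66.120.40002 > 198.51.100.7.80: Flags [P.], seq 1:301, ack 1, win 5840, length 300
IP 198.51.100.7.80 > 10.55.66.120.40002: Flags [.], seq 1:1381, ack 301, win 6432, length 1380
"""

HEAD = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def path_mss(link_mtu=1500, encap_overhead=PPPOE_OVERHEAD):
    """Largest TCP payload that crosses the link without fragmentation."""
    return link_mtu - encap_overhead - IP_TCP_HEADERS

def audit(capture, client_net="10.55.66."):
    """Per server: effective MSS, largest segment received, and whether a clamp is needed."""
    limit, flows = path_mss(), {}
    for line in capture.splitlines():
        m = HEAD.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        server = dst if src.startswith(client_net) else src
        f = flows.setdefault(server, {"mss": [], "largest_rx": 0})
        mss = re.search(r"mss (\d+)", line)
        if "S" in flags and mss:          # MSS option only appears on SYN / SYN-ACK
            f["mss"].append(int(mss.group(1)))
        length = re.search(r"length (\d+)", line)
        if src == server and length:
            f["largest_rx"] = max(f["largest_rx"], int(length.group(1)))
    # Segments toward the client are capped by the client's SYN MSS and by the
    # server's own MTU (reflected in its SYN-ACK MSS), so take the smaller value.
    return {s: {"effective_mss": min(f["mss"]), "largest_rx": f["largest_rx"],
                "needs_clamp": min(f["mss"]) > limit}
            for s, f in flows.items() if f["mss"]}
```

With `ip tcp adjust-mss` applied, the router rewrites the MSS option in SYN packets passing through that interface, so the first flow would advertise 1450 instead of 1460 and drop out of the `needs_clamp` set.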