SSL Sites won’t load on PPPoE connections.

Sometimes you have to pull out old tricks to get a new firewall to work…

While we were installing a new Sonicwall at a customer’s site we found that sites they had been able to visit before were no longer working.  It seemed random and we could not understand what was happening.  Everything in the Sonicwall was checked and rechecked to no avail.  Then it dawned on me!  Looking at the WAN connection, I saw the dreaded “PPPoE”.  It’s been a long time since I’ve worked with a PPPoE circuit.  In fact I was surprised to see it.  I thought they all died…

Anyway, I had to dig into the archives of my brain (boy it sure is dusty in here) and remember how to figure out the proper MTU to set on the WAN interface to get this going.

For those of you wondering what an MTU is, it is a Maximum Transmission Unit.  Basically a cap on the size of your Ethernet packets.  Normal Ethernet packets have an MTU of 1500.  PPPoE doesn’t like that 1500 and it is almost always too big: PPPoE puts 8 bytes of its own header (6 bytes PPPoE plus 2 bytes PPP) inside every Ethernet frame, so only 1492 bytes are left for the IP packet.  So we have to reduce the packet size so communications can work effectively.

First we have to determine the MTU. This is easily done with the ping command:

    1. ping <sitename> to see if you get a response.  You should always get a response even if your MTU is not correct, because ping will allow fragmentation of packets.  I usually use google.com since it always responds.
    2. Next we have to force the ping command to use a certain packet size.  This is done using the /f and /l switches. /f will set the “Don’t Fragment” flag in the packet. /l <size> will set the size of the packet. Our command should look like this: “ping www.google.com /f /l 1500”.  We should get a response “Packet needs to be fragmented but DF set.”
    3. Now we reduce the size of the packets by 8 and retry: “ping www.google.com /f /l 1492”. If we get the same “Packet needs to be fragmented but DF set.” then we are not low enough; subtract 8 and do it again.
    4. Continue subtracting 8 until you get a good ping response.  It should look like this:
       Reply from 173.194.64.147: bytes=32 time=29ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=89ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=27ms TTL=46
       Reply from 173.194.64.147: bytes=32 time=27ms TTL=46
    5. The number you used will be our MTU!
    6. Take the number you just used and plug it into the WAN interface settings of your router and you’ll be browsing secure sites in no time!
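The steps above as an added, scripted example (my own code, not from the original article). It runs the same don’t-fragment ping ladder, stepping down by 8, and then binary-searches the last 8 bytes so it also finds links that are not exactly 1492. Two details the script makes explicit: the /l (or -s) value is the ICMP payload only, so the link MTU is that value plus 28 bytes of IPv4 and ICMP header, which is why the ladder starts at 1472 (the payload that fills a 1500-byte packet); and a large TLS handshake packet sent with DF set is exactly what an oversized MTU drops, which is why secure sites are the first to break. The host name, the simulated link and the 1480 value in the usage call are assumptions made for the example; `ping_probe` shells out to the OS ping, while `simulate_link` lets the search run offline.

```python
"""Find the largest don't-fragment ping payload a link passes, then derive the
link MTU from it.  Added example; not part of the original article."""
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28       # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol field

# A probe takes a payload size and returns True if a reply came back unfragmented.
Probe = Callable[[int], bool]


def ping_command(host: str, payload: int) -> list[str]:
    """Build the single don't-fragment ping for the local OS.
    Windows uses -f/-l (the article's /f /l); Linux iputils uses -M do/-s."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]


def ping_probe(host: str, payload: int) -> bool:
    """Run one DF ping; True only when it succeeded and printed no fragmentation error
    ("Packet needs to be fragmented but DF set" / "Frag needed" / "message too long")."""
    result = subprocess.run(ping_command(host, payload), capture_output=True, text=True)
    out = (result.stdout + result.stderr).lower()
    if "frag" in out or "too long" in out:
        return False
    return result.returncode == 0


def find_max_payload(probe: Probe,
                     start: int = ETHERNET_MTU - IP_ICMP_OVERHEAD,  # 1472 = full 1500-byte packet
                     step: int = 8,
                     floor: int = 576 - IP_ICMP_OVERHEAD) -> int:
    """Coarse step-down search (the article's 'subtract 8 and retry'), then a binary
    search between the last failure and the first success.  Returns the largest
    payload that passes, or 0 if nothing down to 'floor' passes."""
    if probe(start):
        return start                      # link already carries full-size packets
    fail, size = start, start - step
    while size >= floor:
        if probe(size):
            break
        fail, size = size, size - step
    else:
        return 0                          # never got an unfragmented reply
    lo, hi = size, fail                   # lo passes, hi fails; refine the boundary
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def link_mtu(max_payload: int) -> int:
    """Payload that passed plus IP and ICMP headers = MTU to set on the WAN interface."""
    return max_payload + IP_ICMP_OVERHEAD


def simulate_link(mtu: int) -> Probe:
    """Offline stand-in for a real circuit: a DF packet passes only if it fits the MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Simulated PPPoE circuit (1500 - 8); swap in a real host to probe a live link:
    #   probe = lambda size: ping_probe("www.google.com", size)
    probe = simulate_link(ETHERNET_MTU - PPPOE_OVERHEAD)
    payload = find_max_payload(probe)
    print(f"largest DF payload {payload} bytes -> set WAN MTU to {link_mtu(payload)}")
```

Against a real link, replace `simulate_link(...)` with a probe that calls `ping_probe`; against the simulated 1492-byte PPPoE circuit the ladder fails at 1472, passes at 1464, and the script reports a WAN MTU of 1492. Keeping the search separate from the probe is what makes the logic testable without a network.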

This article is a reprint from the original on my blog: SSL Sites won’t load on PPPoE connections.