Problems with Netopia in pass-through mode and Cisco MTU statement

This might be a hard one to fix in this forum. I have an office that is very rural. We have been forced to settle for DSL.
There is a Netopia modem in pass-through mode. Behind it is a Cisco 831. We have had complaints from users not being able to get to certain web sites. The ISP has narrowed it down to the MTU statement on our router. We bypassed the router with one machine, and all problems were fixed. However, our network is an MPLS full mesh. The router has to stay in place. The only semi-stable MTU statement I have found is 1472. Any help will be greatly appreciated.

I had a similar problem with a NetScreen firewall a long time ago... Forced into a DSL setup etc., PPPoE authentication and the like. It too was an MTU issue; however, the actual problem was the VPN encryption and the smaller MTU forcing packets to fragment. It's been so long the details are somewhat fuzzy; however, I do remember this: the solution was to set the firewall to allow some ICMP packets to be received by the firewall. I WAS able to still not allow the firewall to reply to pings, but I don't remember the specific ICMP messages that have to be enabled. But maybe that will help you, or someone else who reads this post. (By the way, with the ICMP enabled, I pushed MTU back to 1500 and that was when things worked again.)

aadams1185 (Author) Commented:
Am I following correctly? There is an ICMP statement on my router I should enable.
From what I understand, the ICMP protocol has some features that allow connected hosts and routers in between to communicate and adjust for more efficient communication.  I had the ICMP protocol blocked on my firewall, and when the remote firewall was sending ICMP packets to make adjustments on communication parameters, they were being blocked rather than received by the firewall.  When I set rules to allow ICMP, the problems cleared up.

It might help if you made sure that the ICMP protocol was enabled on your firewall or router...  

Honestly, I think your problem is a little over my head. But I thought I would share my experience in hopes that it might help you get closer to finding the source of your problem, or maybe help another EE Expert.

aadams1185 (Author) Commented:
I will keep the question open a little longer.
I have found some articles and some IETF RFCs on ICMP and MTUs. I will research these over the weekend if you will leave the question open that long.

And I have a couple of questions...  

1. Could you detail more specifically what happens when the websites won't pull up?  
2. Do they have any multimedia, encryption, anything different from standard HTML?
3. When you change the MTU, what starts to work, and what still doesn't? I suspect HTTPS or any encryption will have the most trouble with the MTU size and fragmenting packets.
4. Can you paste a working config or full troubleshooting info here? (Either "show running-config" or "show tech-support".) These commands may differ a little depending on your version of the IOS, but you should be able to use the help context "show ?" and get the correct command. BE SURE TO BLANK ANY PASSWORDS WITH X's AND BE SURE TO BLANK ANY PUBLIC IP ADDRESSES!


aadams1185 (Author) Commented:
I had to open a ticket with Cisco. The hounds were at my heels! LOL
Here is the statement added to the ethernet interface that fixed the problem: ip tcp adjust-mss 1300
The Cisco Tech said the traffic needed to be shaped before it hit the dialer interface. I changed the MTU statement for the dialer 1 interface back to 1492. All is well now.

I will give you the points for your effort. Thanks
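
Added example (not part of the thread, and not Cisco's or the posters' code): a toy model of IPv4 path-MTU discovery showing why a blanket ICMP block black-holes full-size packets on the 1492-byte PPPoE hop, and how either admitting ICMP type 3 code 4 ("fragmentation needed") or the `ip tcp adjust-mss 1300` clamp avoids it. The path, the policy sets and the `transfer` function are constructed for illustration.

```python
"""Toy model of IPv4 path-MTU discovery (RFC 1191) for full-size TCP segments."""
IP_TCP_HEADERS = 40            # 20-byte IPv4 header + 20-byte TCP header, no options
ICMP_FRAG_NEEDED = (3, 4)      # Destination Unreachable / Fragmentation Needed, DF set
ICMP_ECHO_REQUEST = (8, 0)     # ping

# Constructed path: a 1500-byte LAN, the 1492-byte PPPoE hop, a 1500-byte core.
PPPOE_PATH = [1500, 1492, 1500]

# Hypothetical inbound ICMP policies, as sets of (type, code) pairs let through.
BLOCK_ALL_ICMP = frozenset()
PMTUD_ONLY = frozenset({ICMP_FRAG_NEEDED})   # echo requests are still dropped


def transfer(path_mtus, icmp_allowed, mss_clamp=None, host_mtu=1500, retries=3):
    """Send one full-size DF-set segment; retransmit up to `retries` times."""
    mss = host_mtu - IP_TCP_HEADERS
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)          # router rewrote the MSS option in the SYN
    pmtu = host_mtu                        # sender's current path-MTU estimate
    size = 0
    for attempt in range(1, retries + 1):
        size = min(mss + IP_TCP_HEADERS, pmtu)
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return {"delivered": True, "packet_size": size, "attempts": attempt}
        # The hop drops the packet and reports its MTU in an ICMP 3/4 message.
        if ICMP_FRAG_NEEDED in icmp_allowed:
            pmtu = bottleneck              # sender learns the smaller MTU
        # Otherwise the ICMP is filtered and the sender resends the same size.
    return {"delivered": False, "packet_size": size, "attempts": retries}


if __name__ == "__main__":
    print("ICMP blocked     :", transfer(PPPOE_PATH, BLOCK_ALL_ICMP))
    print("ICMP 3/4 allowed :", transfer(PPPOE_PATH, PMTUD_ONLY))
    print("MSS clamp 1300   :", transfer(PPPOE_PATH, BLOCK_ALL_ICMP, mss_clamp=1300))
```

The model covers only full-size IPv4 segments with DF set; small packets fit every hop, which is why some sites load while others stall.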
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.