• Status: Solved

Problems with Netopia in pass-through mode and Cisco MTU statement

This might be a hard one to fix in this forum. I have an office that is very rural. We have been forced to settle for DSL.
There is a Netopia modem in pass-through mode. Behind it is a Cisco 831. We have had complaints from users not being able to get to certain web sites. The ISP has narrowed it down to the MTU statement on our router. We bypassed the router with one machine, and all problems were fixed. However, our network is an MPLS full mesh. The router has to stay in place. The only semi-stable MTU statement I have found is 1472. Any help will be greatly appreciated.
Asked by: aadams1185
 
chawcheskew Commented:
I had a similar problem with a NetScreen firewall a long time ago... Forced into a DSL setup etc., PPPoE authentication and the like. It too was an MTU issue; however, the actual problem was the VPN encryption and the smaller MTU forcing packets to fragment. It's been so long the details are somewhat fuzzy; however, I do remember this: the solution was to set the firewall to allow some ICMP packets to be received by the firewall. I WAS able to still not allow the firewall to reply to pings, but I don't remember the specific ICMP messages that have to be enabled. But maybe that will help you, or someone else who reads this post. (By the way, with the ICMP enabled, I pushed MTU back to 1500 and that was when things worked again.)

regards,
c
 
aadams1185 (Author) Commented:
Am I following correctly? There is an ICMP statement on my router I should enable.
 
chawcheskew Commented:
From what I understand, the ICMP protocol has some features that allow connected hosts and routers in between to communicate and adjust for more efficient communication. I had the ICMP protocol blocked on my firewall, and when the remote firewall was sending ICMP packets to make adjustments on communication parameters, they were being blocked rather than received by the firewall. When I set rules to allow ICMP, the problems cleared up.

It might help if you made sure that the ICMP protocol was enabled on your firewall or router...  

Honestly, I think your problem is a little over my head. But I thought I would share my experience in hopes that it might help you get closer to finding the source of your problem, or maybe help another EE Expert.
 
aadams1185 (Author) Commented:
I will keep the question open a little longer.
 
chawcheskew Commented:
I have found some articles and some IETF RFCs on ICMP and MTUs. I will research these over the weekend if you will leave the question open that long.

And I have a couple of questions...  

1. Could you detail more specifically what happens when the websites won't pull up?  
2. Do they have any multimedia, encryption, or anything different from standard HTML?
3. When you change the MTU, what starts to work, and what still doesn't? I suspect HTTPS or any encryption will have the most trouble with the MTU size and fragmenting packets.
4. Can you paste a working config or full troubleshooting info here? (Either "show running-config" or "show tech-support".) These commands may differ a little depending on your version of the IOS, but you should be able to use the help context "show ?" and get the correct command. BE SURE TO BLANK ANY PASSWORDS WITH X's AND BE SURE TO BLANK ANY PUBLIC IP ADDRESSES!

Regards,
c
 
aadams1185 (Author) Commented:
I had to open a ticket with Cisco. The hounds were at my heels! LOL
Here is the statement added to the Ethernet interface that fixed the problem: ip tcp adjust-mss 1300
The Cisco Tech said the traffic needed to be shaped before it hit the dialer interface. I changed the MTU statement for the dialer 1 interface back to 1492. All is well now.


I will give you the points for your effort. Thanks
 
chawcheskew Commented:
Thank you!
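
An added example, not part of the original thread and not the posters' or Cisco's code: a toy Python model of the two behaviours discussed above, filtered ICMP "fragmentation needed" messages and the MSS clamp that `ip tcp adjust-mss 1300` applies. It assumes a 1500-byte host MTU, 40 bytes of IPv4 and TCP headers with no options, and a single narrow link using the 1492-byte dialer MTU from the thread; the function names and payload sizes are hypothetical.

```python
"""Toy model: PMTUD black-holing vs. TCP MSS clamping (constructed example)."""
IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options

def negotiated_mss(host_mtu, clamp=None):
    """MSS offered in the SYN; a router doing MSS clamping (the effect of
    `ip tcp adjust-mss`) lowers it to `clamp` if it is larger."""
    mss = host_mtu - IP_TCP_HEADERS
    return mss if clamp is None else min(mss, clamp)

def transfer(payload, mss, link_mtu, icmp_allowed):
    """Send `payload` bytes as DF-set segments over one narrow link.
    Returns (bytes_delivered, outcome)."""
    seg_limit, sent = mss, 0
    while sent < payload:
        seg = min(seg_limit, payload - sent)
        if seg + IP_TCP_HEADERS > link_mtu:
            # The router drops the packet and answers with ICMP type 3 code 4
            # ("fragmentation needed and DF set"), which carries the link MTU.
            if not icmp_allowed:
                return sent, "blackholed"  # sender never learns, keeps retrying
            seg_limit = link_mtu - IP_TCP_HEADERS  # sender lowers its path MTU
            continue
        sent += seg
    return sent, "delivered"

def scenarios(link_mtu=1492, host_mtu=1500):
    """Constructed cases: small page, large page, ICMP allowed, MSS clamped."""
    plain = negotiated_mss(host_mtu)                # 1460
    clamped = negotiated_mss(host_mtu, clamp=1300)  # 1300
    return {
        "small page, ICMP filtered": transfer(800, plain, link_mtu, False),
        "large page, ICMP filtered": transfer(5000, plain, link_mtu, False),
        "large page, ICMP allowed": transfer(5000, plain, link_mtu, True),
        "large page, MSS clamped": transfer(5000, clamped, link_mtu, False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result}")
```

In this model the small transfer succeeds while the large one stalls when ICMP is filtered, which is consistent with only some sites failing; either allowing the ICMP message or clamping the MSS lets the large transfer complete.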