Solved

Cisco 857 certain HTTPS sites won't load on the network

Posted on 2010-09-03
17
1,032 Views
Last Modified: 2012-05-10
There are two login sites this network can't access:
https://www.ntspays.com
https://www.spscommerce.net
Happens on every PC.

They are HTTPS logins using port 443. Any other HTTPS sites work fine.... Anyone have any clues?
AW857w_RO#sh run

Building configuration...

Current configuration : 11181 bytes
!
! Last configuration change at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
! NVRAM config last updated at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AW857w_RO
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network grouplist local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2608867666
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2608867666
 revocation-check none
 rsakeypair TP-self-signed-2608867666
!
!
dot11 syslog
!
dot11 ssid xxxxxxxx
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 coffeecups
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.7.1 172.16.7.100
ip dhcp excluded-address 172.16.7.1
!
ip dhcp pool Internal-net
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name xxxxx.com
   dns-server 172.16.5.1
   lease 4
   update arp
!
ip dhcp pool xxxxxxxxx-WPA
   import all
   network 172.16.7.0 255.255.255.0
   default-router 172.16.7.1
   domain-name xxxxxx.com
   dns-server 172.16.7.1
   lease 4
   update arp
!
!
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall sip
ip inspect name firewall smtp
ip inspect name firewall https
ip inspect name firewall http
no ip bootp server
ip domain name xxxxxxx.com
ip name-server 68.238.64.12
ip name-server 68.238.96.12
ip name-server 68.238.128.12
!
!
!
file verify auto
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group AWvpn
 key xxxxx
 domain xxxx.com
 pool vpnclients
 acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-aes-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
!
bridge irb
!
!
interface ATM0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description 802.11B/G interface
 ip address 172.16.7.1 255.255.255.0
 ip access-group 103 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 !
 encryption mode ciphers tkip
 !
 ssid xxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country US indoor
!
interface Vlan1
 description Internal Network
 ip address 172.16.5.1 255.255.255.0
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface BVI1
 ip address 173.55.x.x 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 crypto map cm-cryptomap
!
ip local pool vpnclients 172.16.10.1 172.16.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.55.x.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 172.16.5.10 3389 interface BVI1 3389
ip nat inside source list 105 interface BVI1 overload
!
access-list 1 remark The local LAN.
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 1 permit 172.16.7.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 173.55.x.x
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection.
access-list 3 deny   172.16.10.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 5900
access-list 101 permit udp any any eq 3283
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 3283
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 102 remark Traffic allowed to enter the router from the Ethernet (wired LAN)
access-list 102 permit ip any host 172.16.5.1
access-list 102 deny   ip any host 172.16.5.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 172.16.5.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 103 remark Traffic allowed to enter the router from the Ethernet (wireless LAN)
access-list 103 permit ip any host 172.16.7.1
access-list 103 deny   ip any host 172.16.7.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny   udp any any eq 135 log
access-list 103 deny   tcp any any eq 135 log
access-list 103 deny   udp any any eq netbios-ns log
access-list 103 deny   udp any any eq netbios-dgm log
access-list 103 deny   tcp any any eq 445 log
access-list 103 permit ip 172.16.7.0 0.0.0.255 any
access-list 103 permit ip any host 255.255.255.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 deny   ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 172.16.5.0 0.0.0.255 any
access-list 105 permit ip 172.16.7.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.16.5.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 25 0
 password 7 xxxxx
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

0
Question by:andersenks
17 Comments
 
LVL 10

Expert Comment

by:NetExpert-Warszawa
I cannot access https://www.ntspays.com/ either (not using Cisco).
Error code: ssl_error_rx_record_too_long
0
 
LVL 14

Expert Comment

by:anoopkmr
I can access both sites using HTTP; try HTTP. I am not sure these are the sites that you are looking for.


http://www.ntspays.com
http://www.spscommerce.net

or try
https://portal.hosted-commerce.net/sps/
0
 
LVL 5

Assisted Solution

by:shubhanshu_jaiswal
shubhanshu_jaiswal earned 166 total points
According to your router, you are inspecting HTTPS traffic. It may be the reason that you are not able to access certain HTTPS websites.

You can try this command:

conf t
no ip inspect name firewall https


Let me know if it works for you.
0
 
LVL 11

Expert Comment

by:crouthamela
Same here, and spscommerce leads to a blank page for me. Looks like the sites are the ones with issues, not you.
0
 

Author Comment

by:andersenks
I'm debugging the BVI interface and this came up.

Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
0
 
LVL 22

Accepted Solution

by:Jody Lemoine
Jody Lemoine earned 167 total points
This sort of symptom usually indicates an MTU problem (http doesn't mind fragmentation as much as https does) on the interface.  I'm not sure why this might be with the configuration presented, but the symptoms match.  Try adding the following statement to your VLAN1 and Dot11Radio0 interfaces and see if the problem clears up:

ip tcp adjust-mss 1240
0
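As an added example (my own code, not from the thread, Cisco, or Experts Exchange), here is a small Python script that works the %FW-4-TCP_OoO_SEG line andersenks posted: it parses each firewall drop into its session tuple, segment size, seen and expected sequence numbers, computes the sequence gap modulo 2^32, groups the drops per session, and flags any session whose dropped segments are larger than the MSS Jody Lemoine suggests clamping to (1240). That last check is a quick way to tell from syslog whether an `ip tcp adjust-mss` change has actually taken effect on the flows that are failing, since a 1500-byte segment in the log means the flow was never clamped. Only the first sample line is the poster's; the other firewall lines and their endpoints (including the documentation address 198.51.100.7) are constructed to exercise the grouping, and the final line is unrelated noise the parser must ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP_SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

# Constructed sample input: first line is the message from the thread, the
# remaining firewall lines are made up for the example, last line is noise.
SAMPLE_LOG = """\
Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
Sep  3 19:01:07.102: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890483451 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
Sep  3 19:02:15.880: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1000001200 1200 bytes is out-of-order; expected seq:1000000000. Reason: TCP reassembly queue overflow - session 172.16.7.23:49152 to 198.51.100.7:443
Sep  3 19:02:16.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Field layout of the IOS CBAC out-of-order drop message as seen in the thread.
OOO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %FW-4-TCP_OoO_SEG: "
    r"Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes is out-of-order; "
    r"expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - "
    r"session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def seq_gap(seq: int, expected: int) -> int:
    """Signed distance from the expected sequence number to the one seen,
    computed modulo 2^32 so a wrapped sequence space still compares correctly."""
    d = (seq - expected) % TCP_SEQ_MOD
    return d - TCP_SEQ_MOD if d >= TCP_SEQ_MOD // 2 else d


@dataclass(frozen=True)
class OooDrop:
    ts: str
    seq: int
    expected: int
    size: int
    reason: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def session(self) -> str:
        return f"{self.src}:{self.sport}->{self.dst}:{self.dport}"

    @property
    def gap(self) -> int:
        return seq_gap(self.seq, self.expected)


def parse_line(line: str) -> Optional[OooDrop]:
    """Return an OooDrop for a %FW-4-TCP_OoO_SEG line, None for anything else."""
    m = OOO_RE.match(line.strip())
    if not m:
        return None
    return OooDrop(
        ts=m["ts"], seq=int(m["seq"]), expected=int(m["expected"]),
        size=int(m["size"]), reason=m["reason"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )


def parse_log(text: str) -> List[OooDrop]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d is not None]


def summarize(drops: List[OooDrop], clamped_mss: int = 1240) -> Dict[str, dict]:
    """Per-session drop statistics. exceeds_mss is True when any dropped
    segment is bigger than the MSS the inside interfaces are meant to clamp
    to, i.e. the clamp is not taking effect on that flow."""
    out: Dict[str, dict] = {}
    for d in drops:
        s = out.setdefault(d.session, {"drops": 0, "bytes_dropped": 0,
                                       "max_gap": 0, "max_segment": 0, "reasons": set()})
        s["drops"] += 1
        s["bytes_dropped"] += d.size
        s["max_gap"] = max(s["max_gap"], d.gap)
        s["max_segment"] = max(s["max_segment"], d.size)
        s["reasons"].add(d.reason)
    for s in out.values():
        s["exceeds_mss"] = s["max_segment"] > clamped_mss
    return out


if __name__ == "__main__":
    for session, s in summarize(parse_log(SAMPLE_LOG)).items():
        flag = "MSS clamp NOT in effect" if s["exceeds_mss"] else "segments within MSS"
        print(f"{session}: {s['drops']} drops, max gap {s['max_gap']} bytes, "
              f"largest segment {s['max_segment']} -> {flag}")
```

Feed it the output of `show logging` (or a syslog collector's file) in place of SAMPLE_LOG; sessions that keep showing up with full-size segments after the MSS change are the ones where the clamp is not being applied, which is the thing to verify before concluding, as this thread eventually did, that the fault lies upstream.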
 

Author Comment

by:andersenks
When going here https://portal.hosted-commerce.net/sps/ it loads fine... it's when you click on the login link that it times out.

This one doesn't load at all https://secure.nationsfastpay.com/

But at home they both work fine
0
 
LVL 22

Expert Comment

by:Jody Lemoine
If you're getting re-assembly, you're getting fragmentation.  Try the MSS adjustment and see how that works for you.
0
 

Author Comment

by:andersenks
Tried adding "ip tcp adjust-mss 1240" to the inside interfaces
and removed "ip inspect name firewall https"

Same issue


0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 167 total points
Just remove the

ip inspect firewall out

from BVI1 and see.
0
 

Author Comment

by:andersenks
Anoopkmr,

I forgot to mention I tried that earlier... same issue
0
 

Author Comment

by:andersenks
Here's a screenshot:
https-error.jpg
0
 

Author Comment

by:andersenks
Is it possibly some sort of Certificate issue?
0
 
LVL 14

Expert Comment

by:anoopkmr
Is it working without CBAC?
0
 

Author Comment

by:andersenks
Well, it is now. Turned it back on (Firewall/CBAC) and it's still working. Must have been something going on on the ISP side.

Thank You
0
 
LVL 14

Expert Comment

by:anoopkmr
OK, thanks for the update.
0
 

Author Closing Comment

by:andersenks
Issue seemed to be on the ISP side. Thanks for the input everyone!
0