Solved

Cisco 857 certain HTTPS sites won't load on the network

Posted on 2010-09-03
Last Modified: 2012-05-10
There are two login sites this network can't access:
https://www.ntspays.com
https://www.spscommerce.net
It happens on every PC.

They are HTTPS logins using port 443. Any other HTTPS site works fine. Anyone have any clues?
AW857w_RO#sh run
Building configuration...

Current configuration : 11181 bytes
!
! Last configuration change at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
! NVRAM config last updated at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AW857w_RO
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network grouplist local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2608867666
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2608867666
 revocation-check none
 rsakeypair TP-self-signed-2608867666
!
!
dot11 syslog
!
dot11 ssid xxxxxxxx
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 coffeecups
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.7.1 172.16.7.100
ip dhcp excluded-address 172.16.7.1
!
ip dhcp pool Internal-net
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name xxxxx.com
   dns-server 172.16.5.1
   lease 4
   update arp
!
ip dhcp pool xxxxxxxxx-WPA
   import all
   network 172.16.7.0 255.255.255.0
   default-router 172.16.7.1
   domain-name xxxxxx.com
   dns-server 172.16.7.1
   lease 4
   update arp
!
!
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall sip
ip inspect name firewall smtp
ip inspect name firewall https
ip inspect name firewall http
no ip bootp server
ip domain name xxxxxxx.com
ip name-server 68.238.64.12
ip name-server 68.238.96.12
ip name-server 68.238.128.12
!
!
!
file verify auto
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group AWvpn
 key xxxxx
 domain xxxx.com
 pool vpnclients
 acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-aes-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
!
bridge irb
!
!
interface ATM0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description 802.11B/G interface
 ip address 172.16.7.1 255.255.255.0
 ip access-group 103 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 !
 encryption mode ciphers tkip
 !
 ssid xxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country US indoor
!
interface Vlan1
 description Internal Network
 ip address 172.16.5.1 255.255.255.0
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface BVI1
 ip address 173.55.x.x 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 crypto map cm-cryptomap
!
ip local pool vpnclients 172.16.10.1 172.16.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.55.x.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 172.16.5.10 3389 interface BVI1 3389
ip nat inside source list 105 interface BVI1 overload
!
access-list 1 remark The local LAN.
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 1 permit 172.16.7.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 173.55.x.x
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection.
access-list 3 deny   172.16.10.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 5900
access-list 101 permit udp any any eq 3283
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 3283
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 102 remark Traffic allowed to enter the router from the Ethernet (wired LAN)
access-list 102 permit ip any host 172.16.5.1
access-list 102 deny   ip any host 172.16.5.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 172.16.5.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 103 remark Traffic allowed to enter the router from the Ethernet (wireless LAN)
access-list 103 permit ip any host 172.16.7.1
access-list 103 deny   ip any host 172.16.7.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny   udp any any eq 135 log
access-list 103 deny   tcp any any eq 135 log
access-list 103 deny   udp any any eq netbios-ns log
access-list 103 deny   udp any any eq netbios-dgm log
access-list 103 deny   tcp any any eq 445 log
access-list 103 permit ip 172.16.7.0 0.0.0.255 any
access-list 103 permit ip any host 255.255.255.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 deny   ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 172.16.5.0 0.0.0.255 any
access-list 105 permit ip 172.16.7.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.16.5.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 25 0
 password 7 xxxxx
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Question by:andersenks
17 Comments
 
LVL 10

Expert Comment

by:NetExpert-Warszawa
ID: 33599715
I cannot access https://www.ntspays.com/ either (not using Cisco).
Error code: ssl_error_rx_record_too_long
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33599827
I can access both sites using HTTP; try HTTP. I am not sure these are the sites that you are looking for.

http://www.ntspays.com
http://www.spscommerce.net

or try
https://portal.hosted-commerce.net/sps/
 
LVL 5

Assisted Solution

by:shubhanshu_jaiswal
shubhanshu_jaiswal earned 664 total points
ID: 33599848
According to your router, you are inspecting HTTPS traffic. It may be the reason that you are not able to access certain https website.

You can try this command:

conf t
no ip inspect name firewall https


Let me know if it works for you.
 
LVL 11

Expert Comment

by:crouthamela
ID: 33599850
Same here, and spscommerce leads to a blank page for me. Looks like the sites are the ones with issues, not you.
 

Author Comment

by:andersenks
ID: 33600081
I'm debugging the BVI interface and this came up.

Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
 
LVL 22

Accepted Solution

by:Jody Lemoine
Jody Lemoine earned 668 total points
ID: 33600092
This sort of symptom usually indicates an MTU problem (http doesn't mind fragmentation as much as https does) on the interface. I'm not sure why this might be with the configuration presented, but the symptoms match. Try adding the following statement to your VLAN1 and Dot11Radio0 interfaces and see if the problem clears up:

ip tcp adjust-mss 1240
 

Author Comment

by:andersenks
ID: 33600094
When going here https://portal.hosted-commerce.net/sps/ it loads fine... it's when you click on the login link that it times out.

This one doesn't load at all: https://secure.nationsfastpay.com/

But at home they both work fine.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 33600105
If you're getting re-assembly, you're getting fragmentation. Try the MSS adjustment and see how that works for you.
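Added example (mine, not from anyone in the thread): a small Python parser for the %FW-4-TCP_OoO_SEG messages andersenks saw while debugging BVI1. It reports, per session, how many segments CBAC dropped, how far ahead of the expected sequence number they arrived, and how many were larger than the 1240-byte MSS clamp Jody suggested. The second and third log lines and the 198.51.100.7 host are constructed for the example.

```python
import re

# Constructed sample: line 1 is the one quoted in the thread; lines 2-3 are made up
# (198.51.100.7 is a documentation address) to give a second session.
SAMPLE_LOG = """\
Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
Sep  3 19:01:06.512: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890483451 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
Sep  3 19:02:10.001: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1000001200 1200 bytes is out-of-order; expected seq:1000000000. Reason: TCP reassembly queue overflow - session 172.16.7.23:49152 to 198.51.100.7:443
"""

OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - "
    r"session (?P<src>\S+) to (?P<dst>\S+)"
)

def parse_ooo(line):
    """Parse one %FW-4-TCP_OoO_SEG line into a dict, or return None for other lines.
    'gap' is how many bytes ahead of the inspector's expected sequence number the
    segment arrived (mod 2^32, so a wrapped sequence space is handled)."""
    m = OOO_RE.search(line)
    if m is None:
        return None
    seq, size, expected = int(m["seq"]), int(m["size"]), int(m["expected"])
    return {"seq": seq, "size": size, "expected": expected, "reason": m["reason"],
            "src": m["src"], "dst": m["dst"], "gap": (seq - expected) % (1 << 32)}

def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP payload that fits one packet of the given MTU (1280 -> 1240)."""
    return mtu - ip_hdr - tcp_hdr

def summarize(log_text, mss_clamp=1240):
    """Per-session drop count, largest gap, and segments whose reported size exceeds
    the MSS clamp; such segments after 'ip tcp adjust-mss' mean the clamp is not
    reaching that session (e.g. it was established before the change)."""
    sessions = {}
    for line in log_text.splitlines():
        d = parse_ooo(line)
        if d is None:
            continue
        s = sessions.setdefault((d["src"], d["dst"]),
                                {"drops": 0, "max_gap": 0, "oversized": 0})
        s["drops"] += 1
        s["max_gap"] = max(s["max_gap"], d["gap"])
        if d["size"] > mss_clamp:
            s["oversized"] += 1
    return sessions

if __name__ == "__main__":
    for (src, dst), stats in summarize(SAMPLE_LOG).items(): print(f"{src} -> {dst}: {stats}")
```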
 

Author Comment

by:andersenks
ID: 33600159
Tried adding "ip tcp adjust-mss 1240" to the inside interfaces
and removed "ip inspect name firewall https"

Same issue
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 668 total points
ID: 33600220
Just remove the

ip inspect firewall out

from BVI1 and see.
 

Author Comment

by:andersenks
ID: 33600264
Anoopkmr,

I forgot to mention I tried that earlier... same issue
 

Author Comment

by:andersenks
ID: 33600307
Here's a screen shot
https-error.jpg
 

Author Comment

by:andersenks
ID: 33600312
Is it possibly some sort of Certificate issue?
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600405
Is it working without CBAC?
 

Author Comment

by:andersenks
ID: 33614838
Well, it is now. Turned it back on (Firewall/CBAC) and it's still working. Must have been something going on on the ISP side.

Thank You
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33615233
ok thanks for the update
 

Author Closing Comment

by:andersenks
ID: 33620903
Issue seemed to be on the ISP side. Thanks for the input everyone!