• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1092

Cisco 857 certain HTTPS sites won't load on the network

There are two login sites this network can't access:
https://www.ntspays.com
https://www.spscommerce.net
It happens on every PC.

They are HTTPS logins using port 443. Every other HTTPS site works fine... Anyone have any clues?
AW857w_RO#sh run
Building configuration...

Current configuration : 11181 bytes
!
! Last configuration change at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
! NVRAM config last updated at 11:11:13 PST Fri Sep 3 2010 by AmericaWare
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AW857w_RO
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network grouplist local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2608867666
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2608867666
 revocation-check none
 rsakeypair TP-self-signed-2608867666
!
!
dot11 syslog
!
dot11 ssid xxxxxxxx
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 coffeecups
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.7.1 172.16.7.100
ip dhcp excluded-address 172.16.7.1
!
ip dhcp pool Internal-net
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name xxxxx.com
   dns-server 172.16.5.1
   lease 4
   update arp
!
ip dhcp pool xxxxxxxxx-WPA
   import all
   network 172.16.7.0 255.255.255.0
   default-router 172.16.7.1
   domain-name xxxxxx.com
   dns-server 172.16.7.1
   lease 4
   update arp
!
!
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall sip
ip inspect name firewall smtp
ip inspect name firewall https
ip inspect name firewall http
no ip bootp server
ip domain name xxxxxxx.com
ip name-server 68.238.64.12
ip name-server 68.238.96.12
ip name-server 68.238.128.12
!
!
!
file verify auto
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group AWvpn
 key xxxxx
 domain xxxx.com
 pool vpnclients
 acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-aes-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
!
bridge irb
!
!
interface ATM0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description 802.11B/G interface
 ip address 172.16.7.1 255.255.255.0
 ip access-group 103 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 !
 encryption mode ciphers tkip
 !
 ssid xxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country US indoor
!
interface Vlan1
 description Internal Network
 ip address 172.16.5.1 255.255.255.0
 ip access-group 102 in
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface BVI1
 ip address 173.55.x.x 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 crypto map cm-cryptomap
!
ip local pool vpnclients 172.16.10.1 172.16.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.55.x.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 172.16.5.10 3389 interface BVI1 3389
ip nat inside source list 105 interface BVI1 overload
!
access-list 1 remark The local LAN.
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 1 permit 172.16.7.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 173.55.x.x
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection.
access-list 3 deny   172.16.10.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 5900
access-list 101 permit udp any any eq 3283
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 3283
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 102 remark Traffic allowed to enter the router from the Ethernet (wired LAN)
access-list 102 permit ip any host 172.16.5.1
access-list 102 deny   ip any host 172.16.5.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 172.16.5.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 103 remark Traffic allowed to enter the router from the Ethernet (wireless LAN)
access-list 103 permit ip any host 172.16.7.1
access-list 103 deny   ip any host 172.16.7.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 172.16.7.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny   udp any any eq 135 log
access-list 103 deny   tcp any any eq 135 log
access-list 103 deny   udp any any eq netbios-ns log
access-list 103 deny   udp any any eq netbios-dgm log
access-list 103 deny   tcp any any eq 445 log
access-list 103 permit ip 172.16.7.0 0.0.0.255 any
access-list 103 permit ip any host 255.255.255.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 172.16.5.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 deny   ip 172.16.7.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 105 permit ip 172.16.5.0 0.0.0.255 any
access-list 105 permit ip 172.16.7.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.16.5.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 25 0
 password 7 xxxxx
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end


Asked by andersenks
3 Solutions
 
NetExpert-Warszawa commented:
I cannot access https://www.ntspays.com/ either (not using Cisco).
Error code: ssl_error_rx_record_too_long
anoopkmr commented:
I can access both sites using HTTP; try HTTP. I am not sure these are the sites that you are looking for.

http://www.ntspays.com
http://www.spscommerce.net

or try
https://portal.hosted-commerce.net/sps/
shubhanshu_jaiswal commented:
According to your router config, you are inspecting HTTPS traffic. That may be the reason you are not able to access certain HTTPS websites.

You can try this command:

conf t
no ip inspect name firewall https


Let me know if it works for you.
crouthamela commented:
Same here, and spscommerce leads to a blank page for me. Looks like the sites are the ones with issues, not you.
andersenks (Author) commented:
I'm debugging the BVI interface and this came up.

Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80
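
To work through the `%FW-4-TCP_OoO_SEG` line above, here is an added Python parser (example code, not from the thread and not a Cisco tool) that pulls the fields out of that message and sizes the hole the inspect engine was waiting to fill (from `expected seq` up to `seq`), grouped per session. The sample log embeds the exact line from the post; the other lines, including the 172.16.7.20 / 198.51.100.7:443 session and the `%SYS-5-CONFIG_I` noise line, are constructed.

```python
"""Parse Cisco IOS CBAC `%FW-4-TCP_OoO_SEG` drops and size the reassembly hole per session."""
import re
from collections import defaultdict

# Message layout taken from the line in the thread; the field names are this example's own.
FW_OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes is out-of-order; "
    r"expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: the first line is the one from the post, the rest are made up for illustration.
SAMPLE_LOG = [
    "Sep  3 19:01:06.396: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890481951 1500 bytes is out-of-order; "
    "expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80",
    # constructed: a later segment of the same session, the hole has grown
    "Sep  3 19:01:06.412: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3890484871 1460 bytes is out-of-order; "
    "expected seq:3890457131. Reason: TCP reassembly queue overflow - session 172.16.5.10:1630 to 63.80.4.8:80",
    # constructed: an HTTPS session whose sequence numbers wrapped past 2^32
    "Sep  3 19:01:09.001: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:100 1460 bytes is out-of-order; "
    "expected seq:4294967000. Reason: TCP reassembly queue overflow - session 172.16.7.20:49152 to 198.51.100.7:443",
    # constructed: unrelated syslog message that the parser must ignore
    "Sep  3 19:01:10.000: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_fw_ooo(line: str):
    """Return the fields of one out-of-order drop, or None for any other syslog line."""
    m = FW_OOO_RE.search(line)
    if m is None:
        return None
    seq, expected = int(m["seq"]), int(m["expected"])
    return {
        "seq": seq,
        "size": int(m["size"]),
        "expected": expected,
        # bytes still missing in front of this segment; modulo 2^32 so a wrapped sequence space still works
        "gap": (seq - expected) % (1 << 32),
        "reason": m["reason"],
        "session": (m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
    }


def summarize(lines):
    """Per-session drop count, largest hole seen and the reasons the inspect engine gave."""
    stats = defaultdict(lambda: {"drops": 0, "max_gap": 0, "reasons": set()})
    for line in lines:
        rec = parse_fw_ooo(line)
        if rec is None:
            continue
        s = stats[rec["session"]]
        s["drops"] += 1
        s["max_gap"] = max(s["max_gap"], rec["gap"])
        s["reasons"].add(rec["reason"])
    return dict(stats)


if __name__ == "__main__":
    for (src, sport, dst, dport), s in summarize(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {s['drops']} drops, "
              f"largest hole {s['max_gap']} bytes, reasons {sorted(s['reasons'])}")
```

On the line from the post this reports a 24820-byte hole in the 172.16.5.10:1630 to 63.80.4.8:80 session. Note that this particular session is to port 80, so the logged drop belongs to a plain HTTP flow from that host rather than to one of the HTTPS logins; feeding a longer debug capture through `summarize` shows which sessions are actually losing segments.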
Jody Lemoine (Network Architect) commented:
This sort of symptom usually indicates an MTU problem (HTTP doesn't mind fragmentation as much as HTTPS does) on the interface. I'm not sure why this might be with the configuration presented, but the symptoms match. Try adding the following statement to your VLAN1 and Dot11Radio0 interfaces and see if the problem clears up:

ip tcp adjust-mss 1240
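
What `ip tcp adjust-mss 1240` does is rewrite the MSS option on SYN and SYN-ACK segments passing through the interface so that neither endpoint sends full-size segments, and then fix up the TCP checksum the rewrite invalidated. The following Python is an added example of that mechanism on constructed packets; it is not from the thread and not Cisco's implementation. The addresses, ports and the 1460 starting MSS are assumptions, 1240 is the value from the comment above.

```python
"""Model of Cisco's `ip tcp adjust-mss`: rewrite the MSS option on TCP SYN / SYN-ACK
segments so both endpoints agree on a smaller segment size, and recompute the TCP
checksum so the rewritten segment is still valid. All packets here are constructed."""
import ipaddress
import struct

PROTO_TCP = 6
FLAG_SYN, FLAG_ACK = 0x02, 0x10
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum covers an IPv4 pseudo-header plus the whole segment; a zero result is sent as 0xFFFF."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment) or 0xFFFF


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int, flags: int = FLAG_SYN) -> bytes:
    """Constructed sample: IPv4 header + TCP header carrying MSS, NOP and window-scale options."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, 3, 3, 7])  # MSS, NOP, WScale=7
    doff = 5 + len(options) // 4                                                 # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, (doff << 12) | flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _tcp_bounds(pkt: bytes):
    """Return (src, dst, ip_header_len, tcp_header_len) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_TCP or len(pkt) < ihl + 20:
        return None
    doff = (pkt[ihl + 12] >> 4) * 4
    if doff < 20 or len(pkt) < ihl + doff:
        return None
    return pkt[12:16], pkt[16:20], ihl, doff


def _mss_option_offset(pkt: bytes):
    """Offset of the MSS option in a SYN/SYN-ACK, or None. Stops on malformed option lengths."""
    b = _tcp_bounds(pkt)
    if b is None or not pkt[b[2] + 13] & FLAG_SYN:
        return None
    i, end = b[2] + 20, b[2] + b[3]
    while i < end:
        kind = pkt[i]
        if kind == OPT_END:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2 or i + pkt[i + 1] > end:
            return None  # truncated or bogus length: never read past the header
        if kind == OPT_MSS and pkt[i + 1] == 4:
            return i
        i += pkt[i + 1]
    return None


def syn_mss(pkt: bytes):
    """MSS advertised in a SYN/SYN-ACK, or None."""
    off = _mss_option_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off + 2:off + 4])[0]


def clamp_mss(pkt: bytes, max_mss: int):
    """What `ip tcp adjust-mss <max_mss>` does: lower an MSS above max_mss and fix the TCP checksum.
    Returns (packet, old_mss, new_mss); non-SYN or MSS-less packets pass through untouched."""
    off = _mss_option_offset(pkt)
    if off is None:
        return pkt, None, None
    old = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if old <= max_mss:
        return pkt, old, old
    src, dst, ihl, _ = _tcp_bounds(pkt)
    seg = bytearray(pkt[ihl:])
    struct.pack_into("!H", seg, off + 2 - ihl, max_mss)
    struct.pack_into("!H", seg, 16, 0)  # zero the checksum field before recomputing it
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return pkt[:ihl] + bytes(seg), old, max_mss


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify a TCP checksum: the sum including the checksum field must fold to zero."""
    b = _tcp_bounds(pkt)
    if b is None:
        return False
    src, dst, ihl, _ = b
    return ones_complement_sum(src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(pkt) - ihl) + pkt[ihl:]) == 0


if __name__ == "__main__":
    syn = build_packet("172.16.5.10", "203.0.113.5", 51000, 443, 1460)
    clamped, old, new = clamp_mss(syn, 1240)
    print(f"MSS {old} -> {new}, checksum ok: {tcp_checksum_ok(clamped)}")  # MSS 1460 -> 1240, checksum ok: True
```

The clamp only touches segments with the SYN flag, because the MSS option is only meaningful there; everything else passes through untouched. To confirm on a real router that the clamp is taking effect, capture a SYN on the far side of the interface (or a client-side `tcpdump` of the returning SYN-ACK) and check that the `mss` value it prints is no larger than the configured 1240.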
andersenks (Author) commented:
When going here https://portal.hosted-commerce.net/sps/ it loads fine... it's when you click on the login link that it times out.

This one doesn't load at all: https://secure.nationsfastpay.com/

But at home they both work fine.
Jody Lemoine (Network Architect) commented:
If you're getting re-assembly, you're getting fragmentation.  Try the MSS adjustment and see how that works for you.
andersenks (Author) commented:
Tried adding "ip tcp adjust-mss 1240" to the inside interfaces
and removed "ip inspect name firewall https"

Same issue


anoopkmr commented:
just remove the

ip inspect firewall out

from BVI1 and see
andersenks (Author) commented:
Anoopkmr,

I forgot to mention I tried that earlier... same issue
andersenks (Author) commented:
Here's a screen shot
https-error.jpg
andersenks (Author) commented:
Is it possibly some sort of Certificate issue?
anoopkmr commented:
Is it working without CBAC?
andersenks (Author) commented:
Well, it is now. Turned it back on (Firewall/CBAC) and it's still working. Must have been something going on on the ISP side.

Thank You
anoopkmr commented:
ok thanks for the update
andersenks (Author) commented:
Issue seemed to be on the ISP side. Thanks for the input everyone!