Karrillion
ASKER

Certain websites very slow or not available through Cisco 2901 Router

I have a strange issue which I've done a lot of research and troubleshooting on but so far to no avail.

Certain websites like yahoo.com, ajc.com, letscelebrateevents.com, etc. either come up very slowly or not at all.  Yahoo comes up very slowly, except there are no pictures or content, only some links.  ajc.com (the local Atlanta newspaper) comes up very slowly with pictures and content.  letscelebrateevents.com does not come up at all.

The vast majority of websites come up fine, but there are certain websites critical to our business that will not come up or act like the previous 3 sites I mentioned.

I can traceroute yahoo and ajc.com.  When I traceroute letscelebrateevents I get the IP but it times out after a few hops.  I cannot ping the IP.

I can telnet on port 80 to yahoo and ajc but not to letscelebrateevents.

Our network consists of a Cisco ASA5510 firewall and a Cisco 2901 Router.  The PC's are connected to Cisco stackable switches.  We use AT&T Metro E with XO Communications as our ISP.  The fiber connects over a patch cable to the router on Gigabit0/0 which connects to the firewall over Gigabit0/1.

I took a laptop and connected it directly to the Gigabit0/1 interface on the router and was still unable to connect properly to those sites.  I then connected the same laptop directly via crossover cable to the Fiber ethernet port on the box that AT&T installed, input the proper IP addresses, and tested.  All websites came up fine.

I contacted Cisco.  The support rep and I repeated my tests.  Again while connected directly to the fiber box all websites work fine.  While connected directly to the inside interface of the router, those websites would not work correctly.

He says the router config is very basic and tried a few things, none of which resolved the issue.  I suggested the router might have a defect.

One other note of interest:  Last week, everything suddenly worked fine.  A couple days later, it went back to having problems.  A day later it worked fine again, but then the next day, those sites were again giving us issues.  I had done nothing to the router at all.  

It seems to point to some strange glitch in the router.  I have even changed the cable from the fiber box to the router and saw no improvement.  Rebooting or power cycling the router has no effect.

In summary, gentlemen, I am stumped.  The Cisco rep is doing some research and will get back to me tomorrow.  Unless you or I or he come up with anything I can only determine that the router must have some defect on the quantum level that hates Yahoo and those other websites.

Any ideas?
rfc1180

Are you able to post the configs and output of the show interfaces?
Karrillion

ASKER

Here's the config:
PAGEINC#sh config
Using 3511 out of 262136 bytes
!
! Last configuration change at 16:57:11 UTC Thu Mar 10 2011 by server
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PAGEINC
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1030121226
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1030121226
 revocation-check none
 rsakeypair TP-self-signed-1030121226
!
!
crypto pki certificate chain TP-self-signed-1030121226
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2901/K9 sn FTX145100M7
!
!
username <redacted>
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 65.46.217.166 255.255.255.252
 duplex full
 speed 100
 !
!
interface GigabitEthernet0/1
 ip address 66.239.221.129 255.255.255.224
 duplex auto
 speed auto
 !
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 65.46.217.165
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 66.239.221.128 0.0.0.31
!
!
!
!
!
!
control-plane
 !
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

PAGEINC#
Here's the interface:
PAGEINC#sh int
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is c471.fee0.95b0 (bia c471.fee0.95b0)
  Description: $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
  Internet address is 65.46.217.166/30
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:34, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 430000 bits/sec, 77 packets/sec
  5 minute output rate 215000 bits/sec, 65 packets/sec
     453386 packets input, 279567681 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     472630 packets output, 372148737 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is c471.fee0.95b1 (bia c471.fee0.95b1)
  Internet address is 66.239.221.129/27
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:03:16, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 214000 bits/sec, 66 packets/sec
  5 minute output rate 426000 bits/sec, 78 packets/sec
     471827 packets input, 372772606 bytes, 0 no buffer
     Received 15 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     454012 packets output, 279136335 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
PAGEINC#
Your configs look great. Other than a hardware issue, what you describe is fairly closely related to MTU and Path MTU Discovery issues; however, your interfaces have the correct MTU and you are not blocking ICMP (at least not from the router). Do you have anything else between the host and the Metro E that is filtering packets? Some things you can do to detect PMTUD issues are:

Get a baseline:

ping ajc.com

Pinging ajc.com [96.17.49.106] with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
This is normal due to the 8 bytes of overhead of ICMP

Then check for MTU issues

ping ajc.com
Pinging ajc.com [96.17.49.106] with 1472 bytes of data:
Reply from 96.17.49.106: bytes=1472 time=126ms TTL=53
Reply from 96.17.49.106: bytes=1472 time=121ms TTL=53

Ping statistics for 96.17.49.106:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 121ms, Maximum = 126ms, Average = 123ms
Control-C


This link deals the MTU and fragmentation issues over GRE/IPSEC, the link is provided as a guide to use some of the troubleshooting steps they have listed as an aid; not that your issue is with GRE/IPSEC.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Issues with ICMP filtering end to end:
http://www.znep.com/~marcs/mtu/

This is all something to keep in the back of your head and rule out as an issue before attempting to replace the router.

Another step you can bring into the equation is Wireshark, to see what is happening from a packet perspective.

Billy


Sorry, the command did not get appended on the second ping example:

ping -l 1492 -f ajc.com
Pinging ajc.com [96.17.49.106] with 1472 bytes of data:
Reply from 96.17.49.106: bytes=1472 time=126ms TTL=53
Reply from 96.17.49.106: bytes=1472 time=121ms TTL=53

Billy
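The DF-bit ping check Billy describes above (start at a full 1500-byte packet, watch for "Packet needs to be fragmented but DF set", then shrink the payload until replies come back) can be automated. The script below is an added example, not code from the thread: it binary-searches the largest MTU whose DF-marked probe is answered, and it distinguishes a genuine MTU problem from a path that simply filters ICMP (which looks identical from a single ping). The real probe uses the Linux iputils `ping -M do -s N` flags rather than the Windows `ping -f -l N` used in the thread; that invocation and the 576-byte lower bound are assumptions. The simulated path is constructed so the search can be run offline.

```python
"""Path-MTU probe by the DF-bit ping method (added example, not from the thread)."""
import subprocess

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header


def payload_for_mtu(mtu):
    """ICMP payload that fills exactly one packet of `mtu` bytes (1500 -> 1472)."""
    return mtu - IP_HEADER - ICMP_HEADER


def ping_probe(host, payload, timeout=2):
    """Real probe (assumes Linux iputils ping): True if a DF-marked echo of this
    payload size is answered. `-M do` sets DF and refuses local fragmentation."""
    r = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest MTU in [lo, hi] whose DF-marked probe is answered.

    `probe(payload) -> bool`. Returns None when even `lo` gets no answer: the host or a
    hop is dropping ICMP altogether, which is a filtering problem, not an MTU problem."""
    if not probe(payload_for_mtu(lo)):
        return None
    if probe(payload_for_mtu(hi)):
        return hi
    # invariant from here on: `lo` is answered, `hi` is not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_path(path_mtu, icmp_filtered=False):
    """Constructed stand-in for a real path: DF packets larger than `path_mtu` are
    dropped (Fragmentation Needed), and an ICMP-filtering path answers nothing."""
    def probe(payload):
        if icmp_filtered:
            return False
        return payload + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


if __name__ == "__main__":
    for mtu in (1500, 1492, 1400):
        print(f"simulated path MTU {mtu}: measured {find_path_mtu(simulated_path(mtu))}")
    print("ICMP-filtered path:", find_path_mtu(simulated_path(1500, icmp_filtered=True)))
    # Against a real host (needs iputils ping on Linux):
    # print(find_path_mtu(lambda p: ping_probe("ajc.com", p)))
```

A result of 1500 means the MTU is not the problem, which is what the thread's hand-run pings already showed for ajc.com and yahoo.com; a result of None for letscelebrateevents.com matches the "Request timed out" output and says only that ICMP is being dropped somewhere, not why.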
I have done some ping tests involving MTU to try and figure this out from a host PC.

Right now the topology is PC--Switches--ASA5510--Router2901--Fiber.

I have tried:  PC--Router2901--Fiber (didn't work)
and PC--Fiber (all sites worked)

I tested the ping command from my PC and here are the results:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\jcorwin>ping -l 1492 -f ajc.com

Pinging ajc.com [96.17.49.106] with 1492 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 96.17.49.106:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\jcorwin>ping -l 1472 -f ajc.com

Pinging ajc.com [96.17.49.106] with 1472 bytes of data:
Reply from 96.17.49.106: bytes=1472 time=16ms TTL=58
Reply from 96.17.49.106: bytes=1472 time=16ms TTL=58
Reply from 96.17.49.106: bytes=1472 time=16ms TTL=58
Reply from 96.17.49.106: bytes=1472 time=16ms TTL=58

Ping statistics for 96.17.49.106:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms

C:\Users\jcorwin>ping -l 1472 -f yahoo.com

Pinging yahoo.com [98.137.149.56] with 1472 bytes of data:
Reply from 98.137.149.56: bytes=1472 time=76ms TTL=52
Reply from 98.137.149.56: bytes=1472 time=78ms TTL=52
Reply from 98.137.149.56: bytes=1472 time=76ms TTL=52
Reply from 98.137.149.56: bytes=1472 time=76ms TTL=52

Ping statistics for 98.137.149.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 76ms, Maximum = 78ms, Average = 76ms

C:\Users\jcorwin>ping -l 1472 -f letscelebrateevents.com

Pinging letscelebrateevents.com [64.29.145.9] with 1472 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.29.145.9:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
C:\Users\jcorwin>

>I can telnet on port 80 to yahoo and ajc but not to letscelebrateevents.
Same thing here as well.

One thing to mention:

interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 65.46.217.166 255.255.255.252
 duplex full
 speed 100


Speed and duplex are hard-set; can you confirm the other side (XO switch) is set the same? If they are on auto, then their side will negotiate to 100-Half, and this can cause the issues that you are seeing.

Billy
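A duplex mismatch of the kind Billy describes does not take the link down; the port stays up/up and the damage shows only in the error counters of `show interfaces`. The parser below is an added example, not code from the thread. It reads a `show interfaces` dump, pulls out duplex, speed, MTU and the relevant counters, and flags the mismatch signature: a full-duplex port facing a half-duplex peer accumulates CRC/frame errors and runts, while the half-duplex side logs late collisions. SAMPLE is trimmed from the Gi0/0 output posted above (clean counters apart from two link drops); MISMATCH_SAMPLE is constructed to show what the same port would look like with a mismatched peer.

```python
"""Duplex-mismatch check over Cisco `show interfaces` output (added example)."""
import re

HEADER_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
DUPLEX_RE = re.compile(r"(\w+)-duplex, ([^,]+)")
MTU_RE = re.compile(r"MTU (\d+) bytes")
COUNTER_RE = re.compile(
    r"(\d+) (runts|giants|input errors|CRC|frame|collisions|late collision|"
    r"interface resets|lost carrier|output errors)\b")

# Trimmed from the Gi0/0 output posted in the thread.
SAMPLE = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 65.46.217.166/30
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is RJ45
     453386 packets input, 279567681 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     472630 packets output, 372148737 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
"""

# Constructed: the same hard-set full-duplex port with a peer that negotiated half duplex.
MISMATCH_SAMPLE = """\
GigabitEthernet0/0 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is RJ45
     Received 0 broadcasts, 1874 runts, 0 giants, 0 throttles
     2611 input errors, 2590 CRC, 21 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


def parse_show_interfaces(text):
    """Return {name: {"status", "protocol", "duplex", "speed", "mtu", "counters"}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"status": m.group(2), "protocol": m.group(3), "counters": {}}
            continue
        if cur is None:
            continue
        if (m := DUPLEX_RE.search(line)):
            cur["duplex"], cur["speed"] = m.group(1).lower(), m.group(2)
        if (m := MTU_RE.search(line)):
            cur["mtu"] = int(m.group(1))
        for n, name in COUNTER_RE.findall(line):
            cur["counters"][name] = int(n)
    return ifaces


def assess(iface):
    """Human-readable findings for one interface; an empty list means nothing suspicious."""
    c, findings = iface["counters"], []
    rx_errors = c.get("CRC", 0) + c.get("frame", 0) + c.get("runts", 0)
    if iface.get("duplex") == "full" and rx_errors:
        findings.append(f"full-duplex port with {rx_errors} CRC/frame/runt errors: "
                        "peer is likely running half duplex")
    if c.get("late collision", 0):
        findings.append(f"{c['late collision']} late collisions: this side is half duplex "
                        "against a full-duplex peer (or the cable is too long)")
    if c.get("lost carrier", 0) or c.get("interface resets", 0):
        findings.append(f"link dropped: {c.get('lost carrier', 0)} lost carrier, "
                        f"{c.get('interface resets', 0)} interface resets since counters cleared")
    if iface.get("mtu") not in (None, 1500):
        findings.append(f"non-default MTU {iface['mtu']}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE), ("constructed mismatch", MISMATCH_SAMPLE)):
        for name, iface in parse_show_interfaces(text).items():
            print(label, name, iface["duplex"], iface["speed"], assess(iface) or "no findings")
```

Run it against the full `show interfaces` output and clear the counters first (`clear counters`) so that old errors from a previous link state do not mislead you; on the posted output the only finding is the two link drops, which is consistent with Billy's reading that the port itself looks healthy.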
The Cisco guy tried to set it as AUTO but then the interface showed down, down and I had to reset it to 100 again.  Maybe he used the wrong command?
>The Cisco guy tried to set it as AUTO but then the interface showed down, down and I had to reset it to 100 again.  Maybe he used the wrong command?

Interesting; I would call XO to confirm the settings on the port, this is very important. It should not have gone down. What type of cable are you using on the link (crossover or straight-through)?

Billy
From the ethernet port on the fiber box to the router, I'm using a patch cable.  When I hook up a laptop, I have to use an Xover.  Do you think I should be using an Xover or is that a non-issue?

The fiber is 20mbit, btw, and I know it needs fast ethernet so I'd assume their port is set to 100.  I'll see if I can email one of my contacts there and find out.
Well, switch to switch you need a crossover; however, if using Auto-MDIX and auto-negotiation, then typically the protocol can switch the pins internally to match up with a 568A or 568B straight-through or crossover.

>Do you think I should be using an Xover or is that a non-issue?
Is the XO connection a media converter, switch or router? Typically a straight-through is used from host to switch and a crossover from host to router.

Billy
It's a Canoga Perkins 9145 Network Interface Device.
The fiber goes in one interface and ethernet comes out the other.

There are LED's for Auto, 1000, and 100.  The 100 is the only green one; the others are blank.
The FDX light is solid green and, of course, the TX and RX lights blink alternately.
So it appears the device is hard-set at 100-Full, so you are fine in this case. It appears that from your tests you have eliminated all aspects of what the issue could be and it appears to be related to the router; why TCP/80 works for other sites and not for the specific ones you have mentioned is interesting, and is why I am a little hesitant to think it is related to the router (possible). When you connect directly to the 9145, what IP address, subnet, and gateway are you using to test connectivity?
Is everything working here yet?
@rfc1180: I use IP 65.46.217.166 with a gateway of 65.46.217.165 and netmask 255.255.255.252.  DNS servers are 65.106.1.196 and 65.106.7.196.

For direct connect to the router, I used IP 66.239.221.130, gateway 66.239.221.129, netmask 255.255.255.224 and the same DNS servers.

@joshuaJE: Nope, still puzzled as to what the issue could be.

I have to head home now but I plan to attack this thing again tomorrow.  Just wish I knew how to attack it.  Ugh.
I'm a little confused as to why you didn't post the interface of the ASA?
Because I hooked directly to the router, thus eliminating everything but the router and the ISP interface and the problem persisted.  I then hooked in directly to the ethernet port of the fiber box and everything worked fine.

In other words, I don't think the firewall is the issue since I think I've eliminated everything but the router as the issue.
The only thing left to advise is to use Wireshark to see what is happening from a packet perspective; what does the TCP handshake indicate from the time the client sends a GET/HEAD? I am very skeptical that it is the router if other sites are working. If you can see evidence that the router is handling the packets incorrectly (dropping, queuing, delaying, etc.) then you can use this as evidence, but blindly stating it is the router is typically not the route to go (personally, I like captured data and analysis to determine what is going on), then use that data to make a diagnosis.

Billy
I'll try to do that but why would everything work perfectly from the fiber ethernet box and then not work properly once the router is added to the equation?  Either it's not communicating with the fiber box correctly or the router config is interfering or the router is bugged somehow.
why don't you schedule diagnostics on your router
> Either it's not communicating with the fiber box correctly or the router config is interfering or the router is bugged somehow

What does not make sense is why, when you use the router, other sites work perfectly and the ones you mentioned do not; it either works for all or does not work at all. TCP is TCP and the router does not care about what site is accessed. Its job is to route and switch incoming packets to an outgoing interface based on the destination address. It appears that routing is working, and it is very possible the router could be corrupting the packets, but for specific sites only is what has me puzzled.
I'll just have to find a good time to put a PC on the router and run wireshark on it to see what's going on.  Of course the network will be without internet connectivity for that duration.  If it were just the firewall I could mirror the port on the switch and put a PC on it but the router is another matter unless there's a better way I don't know about, which is likely since I'm no expert in routing.
I received a new router from Cisco.  The tech and I configured it.  The only difference is that it has a slightly newer version of IOS on it.  It did not solve the issue, however.  I invited a network analyst out last week.  We captured data with Wireshark between the fiber and router, between the router and firewall, and between the firewall and switches.

Unfortunately she did not have enough time to find any issues due to prior commitments.  I guess I'll have to find someone else who can do that sort of in-depth analysis.

I'm slowly losing what little sanity I have left.  :(
I want to try to set this up using a Linksys WRT54G router just to see if things work with a completely different type of router in there.  I understand Linksys isn't exactly cut out for this duty, but maybe it can offer a different perspective.

The only issue is, I'm not exactly sure how to set this up.  It's asking for a gateway which I don't think I supply for the cisco router.  Anyway, I go to the Linksys router basic setup page and set the IP to be static.

ip address 65.46.217.166
netmask 255.255.255.252
gateway: 65.46.217.165

I left the local IP's as 192.168.1.x since that shouldn't make a difference.  I went to advanced routing and checked out the routing tables but it shows the destination LAN IP for the WAN port to be 65.46.217.164.  Shouldn't it be .165?  It won't let me change that or add a rule for .165.

I hooked the router to the fiber box using both a patch and X-over cable.  I couldn't reach the internet.

The Cisco router routes between 65.46.217.166 to 66.239.221.129 which include our public IP range.  I shouldn't have to worry about those, right?

Anyway, I just want something quick and dirty to see if the same issue persists with a completely different router.  Anyone have suggestions to get this Linksys to do the trick?
 
ASKER CERTIFIED SOLUTION
Karrillion
Feroz Ahmed
Hi,
These sites are being blocked by your firewall. Go to user mode and run the command
pix(config)#sh run policy and check under inspect: if it shows http is under inspect then one should be able to access sites; if it is blocked then one will face difficulty in accessing or browsing sites.

This ended up being something to do with the block of IP's that our ISP gave us.  Some websites apparently blocked them for some reason.  This has nothing to do with SPAM blacklists, although SORBS has that IP block totally blacklisted as dynamic.

We switched back to our old IP addresses and now everything works as it should.
I found this solution on the Cisco web forums.  My issue ended up having nothing to do with firewalls or routers, but with websites apparently blocking access to certain IP blocks.
Interesting you did not give out points for assistance; what is also interesting is that Wireshark would have pointed out the issue, as directed to do so (03/10/11 02:24 PM, ID: 35100542).
If the mod can re-open or reassign points, I'll gladly give you the points for so much assistance, although even the Wireshark expert I hired was unable to pinpoint the issue.
I was not expecting all of the points, as no solution had been given; however, some advice had been stated to give you at least a direction to go in. Interesting that the expert was not able to pinpoint the issue. It would have been caught on the 3-way handshake if the other end was filtering. You either had not received the SYN-ACK (filtering device just dropped the SYN packet) or, after your initial SYN packet was sent, an immediate reset would have been sent back by the filtering device.
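The handshake test Billy spells out in his last post (SYN answered by SYN-ACK, by an immediate RST, or by nothing at all) is mechanical enough to run over a capture rather than by eye. The script below is an added example, not code from the thread or from the analyst's capture: it reads per-packet summaries in the tab-separated form `tshark -T fields` produces, groups them by the client's 4-tuple, and gives each connection attempt one of those three verdicts. The capture text is constructed to mirror the thread's symptoms (ajc.com completing, letscelebrateevents.com never answering three SYNs, and a third host in the documentation range 198.51.100.0/24 resetting outright); the exact tshark invocation in `parse_tshark_fields` is an assumption about how you would export a real capture.

```python
"""Classify TCP handshakes from a capture to separate "blocked by the far end" from a
local fault (added example, not from the thread)."""
from collections import defaultdict

FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10))

# Constructed capture in the format of the assumed tshark export below.
CAPTURE = """\
0.000000\t66.239.221.130\t50001\t96.17.49.106\t80\t0x0002
0.016000\t96.17.49.106\t80\t66.239.221.130\t50001\t0x0012
0.016100\t66.239.221.130\t50001\t96.17.49.106\t80\t0x0010
0.017000\t66.239.221.130\t50001\t96.17.49.106\t80\t0x0018
1.000000\t66.239.221.130\t50002\t64.29.145.9\t80\t0x0002
4.000000\t66.239.221.130\t50002\t64.29.145.9\t80\t0x0002
10.000000\t66.239.221.130\t50002\t64.29.145.9\t80\t0x0002
2.000000\t66.239.221.130\t50003\t198.51.100.7\t80\t0x0002
2.020000\t198.51.100.7\t80\t66.239.221.130\t50003\t0x0014
"""


def flags_from_hex(value):
    """'0x0012' (as tshark prints tcp.flags) -> 'SA'."""
    v = int(value, 16)
    return "".join(letter for letter, bit in FLAG_BITS if v & bit)


def parse_tshark_fields(text):
    """Parse lines from the assumed export
         tshark -r cap.pcap -Y tcp -T fields -e frame.time_relative -e ip.src \
                -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
       into (time, src, sport, dst, dport, flags) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split("\t")
        out.append((float(t), src, int(sport), dst, int(dport), flags_from_hex(flags)))
    return out


def classify_handshakes(packets):
    """Group packets by the client's 4-tuple and give each connection attempt a verdict."""
    flows = defaultdict(list)   # (src, sport, dst, dport) -> [(direction, time, flags)]
    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                 # bare SYN: a new (or retried) attempt from the client
            flows[fwd].append(("client", t, flags))
        elif rev in flows:               # reversed tuple known: the server answering
            flows[rev].append(("server", t, flags))
        elif fwd in flows:
            flows[fwd].append(("client", t, flags))
        # anything else is mid-stream with no SYN in the capture; ignored
    verdicts = {}
    for key, events in flows.items():
        syn_times = [t for d, t, f in events if d == "client" and f == "S"]
        server = [(t, f) for d, t, f in events if d == "server"]
        synack = next((t for t, f in server if "S" in f and "A" in f), None)
        reset = next((t for t, f in server if "R" in f), None)
        client_acked = any(d == "client" and "A" in f and "S" not in f for d, _, f in events)
        if synack is not None and client_acked:
            verdict = "completed"
            detail = f"SYN-ACK after {(synack - syn_times[0]) * 1000:.0f} ms"
        elif synack is not None:
            verdict, detail = "half-open", "SYN-ACK seen but no client ACK"
        elif reset is not None:
            verdict = "refused"
            detail = f"RST {(reset - syn_times[0]) * 1000:.0f} ms after SYN: actively rejected"
        else:
            verdict = "no-response"
            detail = f"{len(syn_times)} SYN(s) sent, nothing came back: dropped in the path or at the host"
        verdicts[key] = {"verdict": verdict, "syn_count": len(syn_times), "detail": detail}
    return verdicts


if __name__ == "__main__":
    for (src, sport, dst, dport), v in classify_handshakes(parse_tshark_fields(CAPTURE)).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {v['verdict']:12s} {v['detail']}")
```

Where to capture matters: a "no-response" verdict on the capture between the fiber NID and the router, with the same SYN visible leaving Gi0/0, places the drop beyond the router, which is the pattern the accepted resolution (the ISP's IP block being filtered by certain sites) would have produced; a SYN that is seen inbound on Gi0/1 but never leaves Gi0/0 would instead have pointed at the router.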