
NAT problem (maybe....)

circuitpt

Technical User
Nov 11, 2007
Hello, I'm sorry but I think this is going to be a long post....I have a problem accessing some IP addresses in my network and I think it is related to my router (a Cisco 1841).

I can assure everyone I'm at the point where I think nothing makes sense anymore, I am completely desperate and going crazy


I have a simple network in this site, no access lists to block traffic, just for NAT, everything is allowed to pass always, no proxies, no nothing...but some days ago users complained that they were unable to access some websites. As always I thought to myself: Not my problem....Windows problem... spyware, virus, trojans, etc.... but let's just take a look....just in case.

Let's say users want to access website and that has the public address 1.2.3.4. Users behind the router type the address in Internet Explorer but nothing comes up, it stays loading and loading and loading.... well so I thought.. let's telnet to 1.2.3.4 on port 80 and type "GET /"; it is something I like doing as it eliminates the possibility that the problem is in the browser.... I did that but nothing was returned.... Just to check I did the same to google (telnet 80), issued "GET /" and everything returned ok.

I don't know why but I decided to telnet to my cisco 1841 and issue a telnet session from the console to 1.2.3.4 at port 80, issued "GET /" surprise....it returns all the content of the website.... I tried it again in the computer behind the router but nothing was returned.... just a blank screen of telnet...

Thinking the problem was in the computer itself I moved to another computer...different operating system, different everything... telnet 1.2.3.4 80 - "GET /"...and nothing came up.... just to check... telnet 80 - "GET /" and it returned all the google webpage content....

For some reason I looked to the first computer... telnet hadn't closed yet and something came up... about 100 bytes of the content of the web page turned up... I waited a bit longer and after 1 minute or so another chunk of web content came up...after a few minutes telnet eventually timed out not having received more that 400 bytes of the webpage.


So where is the problem?


At the ISP? I don't think so, after all it works when I start the session from the router, just not from my computers in my local network.

At the NAT process in the router? Well... tons of other sites work perfectly, google, yahoo, slashdot, etc....

At the webserver (1.2.3.4)? Well.. it would seem so, however I have the exact same problem with lots of sites, banking sites, government sites, even shows this problem!!!

Just when I was thinking things couldn't get any stranger, I went to the first computer and launched telnet once more... but didn't write "GET /" but instead "hET /" .... surprise... this command returns the correct web content, I can see the response from the web server stating I have issued an illegal command.... So, not only does this happen with some sites, it only happens in computers behind the router, and it only happens if I issue a correct HTTP command.......

What have I done to try and solve this:

- Reviewed all my configuration;
- Removed and re-added everything I didn't know was in the configuration;
- Erased all the configuration and configured only the ATM , Dialer and FastEthernet interfaces so I could plug my laptop directly to the router not using any switch and staying completely alone in the network...


Nothing solved my problem. I have another piece of equipment similar to this using the same access technology and it works perfectly; I even copied the configuration from that other router to this one but it didn't solve it...

I don't know what to think of this anymore.... Is the router processing my HTTP requests and for some reason doesn't like some of the requests???

All help is welcome.

Thank you!

PS: I also have this posted at and am very very desperate :)

Thank you all again
 
My first thought is MSS/MTU---you mention ATM and dialer, so I assume dsl? If so, do you have

ip tcp adjust-mss 1452

on the dialer interface? Try that. Otherwise, post your config please. And please star me if I'm right...:)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
no words :)

Problems are all gone!

Just need to ask something... Have you had this problem in the past or is this something just plain obvious???

When I changed the MSS everything started working great... I couldn't be more grateful :)

Thanks a lot, I solved this yesterday practically seconds after you posted it, just didn't have time to come here and thank you earlier!!!

Thanks a lot!
 
If I don't get a star, I will cry...:(lol

You are most welcome. I had read about this some time ago with dsl, and again when I recently recertified my CCNP with the ICND exam---you can look at RFC 2516...


Basically, as Cisco explains it, "Ethernet has a maximum payload size of 1500 octets. The PPPoE header is 6 octets and the PPP protocol ID is 2 octets, so the PPP maximum transmission unit (MTU) must not be greater than 1492"

Also, another great document can be found here, explaining exactly why some pages (that block ICMP) won't load---ICMP messages are necessary when there is a mismatch in negotiated MTU (usually 1500, but in the case of PPPoE, 1492) so that the server at the website can know to lower its MTU. If the ICMP messages are blocked, then it never lowers the MTU, and packets just continue to get dropped. Some pages take forever to load, or need to be refreshed several times to load...


This also explains why some pages (the servers that do not block ICMP) load just fine, but maybe a little slower (to renegotiate MTU). MSS=max segment size and MTU=max transmission unit.

HTH

*AHEM*...(star) :)

 
BTW, yes I did have this problem when I first started with a Cisco 837, and learned from these docs.

 
ISCW burts... icnd is noob exam, and you sir are no noob/

CCNP
 
LOL...whoopsie...

 
Hummmmm where is the triple star button??? I don't even see the single star one :) I'll definitely click it several times with and without modified MTU's and MSS's as soon as I find it :)

Thanks again for all the help
 
Sure---NP

Thanks for preventing me from crying...:)

 
I would star you but can't seem to find out how :)
 
Bottom left: "Thank burtsbees for this valuable post!"

 
Another question about this... I did tons of debugging, should I have seen some warning about packets/sessions being dropped by the router?

And why did telnet 1.2.3.4 80 then "GET /" from the router work? I understand now why it didn't work from the internal network... but doesn't the same MSS apply to connections coming from inside the router?
 
No---the problem is how packets and segments get fragmented, and how both ends discover this (MTU-Discovery, MSS-Discovery). This will cause pages to not load all the way, but you still have comms to them...

Did you read the links I posted? That should have answered all your questions...

An extended ping would start dropping packets with the NF bit set, and that is how you would know. Debugs would tell you nothing, unless you could do them on the remote server end.

 
Hello,

Last days have been quite crazy and did not have time to check the links.

But I just read them,

what I understood is that my local computer has an MTU of 1500 and it does not know that in the middle, between it and the web server, there is a router that has to encapsulate data with PPPoE and can't comply with the 1500 byte MTU.

Unaware of that, my computer negotiates with the web server the MTU it believes will work, and when a packet is sent from the server to me that exceeds the max size it is discarded and an ICMP is sent back to the server warning it that it should resend the packet according to this limitation. However some servers don't receive it so it keeps on failing. It makes sense :) I'll star you again for those links :)

However, how does specifying a different MSS in my router change the way my local computer negotiates the MTU/MSS with the web server?

For my computer, it still has a default MTU/MSS inside my local network; it is unaware of what lies in the router.

If my computers try to send something bigger than allowed I believe the router will drop the packet and send an ICMP back so that the session in my local computer is adjusted and keeps working.

But if my computer does not send anything bigger than allowed and it is the web server that does such a thing then how is this solving the problem?

Thanks for everything, this is now just plain curiosity.

:)
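The mechanism behind the `ip tcp adjust-mss 1452` fix, and the answer to the closing question of how a setting on the router changes what a PC with a 1500-byte MTU and a remote web server agree on, can be seen in a small model. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from any capture. It assumes the figures the thread gives (1500-byte Ethernet MTU, 1492-byte PPPoE MTU per RFC 2516, 40 bytes of IPv4 plus TCP headers) and a deliberately simplified server that streams a page in fixed-size don't-fragment segments; the TCP option bytes are constructed, not captured. The key point it demonstrates: the router rewrites the MSS option inside the SYN as it passes through (IOS applies this to SYNs crossing the interface in either direction), so the server never emits a segment the PPPoE link cannot carry, and the ICMP "fragmentation needed" messages that Path MTU Discovery depends on are no longer needed for the transfer to complete.

```python
"""Added example (not from the thread): toy model of TCP MSS clamping on a
PPPoE router and of the Path MTU Discovery black hole it works around."""
import struct

ETHERNET_MTU = 1500
PPPOE_MTU = 1492      # 1500 minus 6-octet PPPoE header and 2-octet PPP protocol ID (RFC 2516)
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header without options
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one unfragmented packet on a link of this MTU."""
    return mtu - IP_TCP_HEADERS


def build_syn_options(mss):
    """Constructed TCP option bytes for a SYN: MSS, two NOPs, SACK-permitted."""
    return struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])


def clamp_syn_mss(options, max_mss):
    """Model of what `ip tcp adjust-mss` does to a transit SYN: walk the TCP
    options and lower the advertised MSS to max_mss if it is larger.
    Returns (rewritten_options, mss_as_originally_advertised)."""
    out = bytearray(options)
    advertised = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = options[i + 1]
        if kind == OPT_MSS and length == 4:
            advertised = struct.unpack("!H", options[i + 2:i + 4])[0]
            if advertised > max_mss:
                out[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(out), advertised


def advertised_mss(options):
    """Read the MSS option without changing anything (a clamp at 65535 is a no-op)."""
    return clamp_syn_mss(options, 65535)[1]


def simulate_download(server_mss, icmp_reaches_server, payload, link_mtu=PPPOE_MTU):
    """Toy model of a server streaming `payload` bytes in DF-marked segments of
    size server_mss across the PPPoE link. An oversize segment is dropped by the
    router, which sends ICMP 'fragmentation needed' back; if that ICMP is
    filtered at the server side the server never learns and the transfer stalls
    (the partially loaded pages in the thread). Returns bytes delivered."""
    delivered, remaining = 0, payload
    while remaining > 0:
        size = min(server_mss, remaining)
        if size + IP_TCP_HEADERS > link_mtu:
            if not icmp_reaches_server:
                return delivered                  # PMTUD black hole: page never finishes
            server_mss = mss_for_mtu(link_mtu)    # server shrinks its segments and retries
            continue
        delivered += size
        remaining -= size
    return delivered


def run_scenarios(page_size=4000):
    """Compare the situations described in the thread; each value is bytes delivered."""
    lan_mss = mss_for_mtu(ETHERNET_MTU)            # 1460: what a PC on the LAN advertises
    clamped, _ = clamp_syn_mss(build_syn_options(lan_mss), 1452)
    seen_by_server = advertised_mss(clamped)       # 1452 after the router rewrote the SYN
    return {
        "icmp_ok_no_clamp": simulate_download(lan_mss, True, page_size),
        "icmp_blocked_no_clamp": simulate_download(lan_mss, False, page_size),
        "icmp_blocked_small_page": simulate_download(lan_mss, False, 1000),
        "icmp_blocked_with_clamp": simulate_download(seen_by_server, False, page_size),
        "from_router_itself": simulate_download(mss_for_mtu(PPPOE_MTU), False, page_size),
    }


if __name__ == "__main__":
    for name, delivered in run_scenarios().items():
        print("%-26s %5d bytes delivered" % (name, delivered))
```

Calling `run_scenarios()` shows the three cases side by side: without the clamp, a server whose ICMP is filtered delivers nothing of a large page but a small response still arrives whole (one reason some sites kept working); with the clamp the whole page arrives with no ICMP involved at all. The PC on the LAN still advertises 1460 and never learns about the PPPoE hop; only the value the server sees is changed, which is why a router setting fixes a negotiation the PC thinks it is doing on its own. A session started from the router itself already advertises the smaller MSS because the dialer interface's 1492 MTU is its own, which matches the observation that telnet from the router worked.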




 