After traffic passes through the router's IPsec tunnel, the PC cannot open web pages when it accesses customer servers located at other spoke sites.
1-First, both the IKE SA and the IPsec SA are up, indicating that IPsec between the sites is working properly.
2-Pings between the accessing PC and the accessed customer server succeed, indicating that routing between the two endpoints is also normal.
3-Because web pages, whether HTTP or HTTPS, run over TCP, the TCP MSS must be adjusted together with the MTU when the MTU is changed to accommodate IPsec encapsulation.
Generally, it should be MTU minus 40 (20 for the IP header and 20 for the TCP header).
4-After adjusting the IPsec MTU and MSS in the usual way, it still does not work. A packet capture at this point shows that the server sets the DF bit on its packets.
Configure df-bit clear where the IPsec policy is applied. The following example shows IPsec applied on a physical interface using an interesting-traffic (ACL-based) policy.
After this change, communication works normally.
int te x/x/x
ipsec apply policy map1
ipsec df-bit clear
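The following Python script is an added illustration of the three points above; it is not part of the original note and not vendor code. It computes the TCP MSS for a given MTU (MTU minus 40), parses the DF bit out of an IPv4 header the way a packet capture would show it, and simulates what happens to a packet once IPsec overhead is added: it either fits the tunnel MTU, is dropped because it needs fragmentation but carries DF, or is fragmented once the DF bit is cleared. The tunnel MTU, the ESP overhead value, and the sample packets are constructed assumptions chosen to show why a small ping succeeds while a full-size TCP segment with DF set does not.

```python
import struct

IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20
DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
MF_FLAG = 0x2000  # "More Fragments" bit
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def build_ipv4_header(total_length, proto, df, src="10.1.1.10", dst="10.2.2.20"):
    """Build a constructed 20-byte IPv4 header (no options, checksum left zero).
    Only the fields relevant to the MTU/DF discussion are meaningful."""
    flags_frag = DF_FLAG if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack(IPV4_FMT, 0x45, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0, src_b, dst_b)


def parse_ipv4_header(pkt):
    """Decode the fields a capture tool shows: total length, DF/MF flags, protocol."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:IPV4_HEADER_LEN])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_length,
        "df": bool(flags_frag & DF_FLAG),
        "mf": bool(flags_frag & MF_FLAG),
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def tcp_mss_for_mtu(mtu):
    """TCP MSS = MTU - 20 (IP header) - 20 (TCP header), as the note states."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def classify_after_ipsec(pkt, tunnel_mtu, ipsec_overhead, df_bit_clear=False):
    """Simulate the router encapsulating the packet in IPsec.

    Returns "forwarded" if the encapsulated packet fits the tunnel MTU,
    "dropped" if it does not fit and DF is honoured (the router must discard
    it and send an ICMP fragmentation-needed message instead), or "fragmented"
    if it does not fit but DF is absent or cleared by df-bit clear.
    """
    hdr = parse_ipv4_header(pkt)
    encapsulated_len = hdr["total_length"] + ipsec_overhead
    if encapsulated_len <= tunnel_mtu:
        return "forwarded"
    if hdr["df"] and not df_bit_clear:
        return "dropped"
    return "fragmented"


if __name__ == "__main__":
    TUNNEL_MTU = 1500      # assumed MTU of the physical path between spokes
    ESP_OVERHEAD = 58      # assumed tunnel-mode ESP overhead for illustration

    ping = build_ipv4_header(84, 1, df=True)       # constructed ICMP echo, small
    web = build_ipv4_header(1500, 6, df=True)      # constructed full-size TCP segment
    for name, pkt in (("ping", ping), ("web", web)):
        print(name, parse_ipv4_header(pkt)["df"],
              classify_after_ipsec(pkt, TUNNEL_MTU, ESP_OVERHEAD),
              classify_after_ipsec(pkt, TUNNEL_MTU, ESP_OVERHEAD, df_bit_clear=True))
    print("MSS for MTU 1400:", tcp_mss_for_mtu(1400))
```

Running the script shows the symptom from the note: the small ping is forwarded either way, while the full-size TCP segment with DF set is dropped until the DF bit is cleared, after which it is fragmented and delivered. The ESP overhead is a fixed placeholder here; the real figure depends on the negotiated cipher, IV length, padding and ICV size.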