webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

HTTPS Download stuck after connected on lan side

Sun Jun 17, 2018 4:31 pm

Hello everyone.

I've been making a lot of searches on the internet and here on the forum and I can't find a solution or a reason for my problem.

This is my setup:
Mikrotik Router CCR1036-12G-4S with the latest RouterOS version installed.
2 BGP sessions to 2 providers (one is ethernet with VLan and the other is on a GRE tunnel).
My own AS with a /22 ip space.
The Mikrotik config, apart from the BGP sessions, is the factory default. The BGP routes are all discarded and I have a default route configured to my 1st provider.
No firewall rules are configured.

On the LAN side I have a basic switch and some servers.
On any server, if I try to download from or access an HTTP website, it works perfectly well.
My problem is when I try to access an HTTPS website...

Example trying to download a speedtest script:
~]# wget -O - https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python
--2018-06-17 09:18:04--  https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
And it gets stuck here indefinitely.
I already tried to set up a change of MSS in mangle with no luck.
I verified all interfaces and all are set to 1500 MTU.

Hope someone can point me in the right direction to solve this.

Best regards
 
sindy
Forum Guru
Posts: 11151
Joined: Mon Dec 04, 2017 9:19 pm

Re: HTTPS Download stuck after connected on lan side  [SOLVED]

Sun Jun 24, 2018 12:17 pm

I would first ask whether you have the issue with any https site or just with github.

Next, what can happen is that somewhere on the path between the remote server and you, the MTU is limited, and forwarding of icmp is restricted between this limiting point and the remote server, so the MSS discovery mechanism doesn't work and the packets from the remote server never make it to you. But in this case, it should be the same for both http and https (or any other tcp traffic), plus such things usually happen with smaller ISPs not knowing exactly what they do, which should not be the case here.

Another possibility would be that some security device between you and the remote server blocks https intentionally or by mistake, but as you talk about BGP and two providers, I guess there is no security device between you and the internet.

So I'd try to sniff the traffic from different https remote servers already at Mikrotik's WAN interface to see what actually happens, and test with one ISP at a time, disabling the link via the other one.
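The checks sindy describes (a path MTU limit with ICMP filtered, so path MTU discovery fails, plus a capture on the WAN side) can be run from the router itself. The RouterOS commands below are an added example, not from either poster; the uplink name ether1 is an assumption, and the remote address is the one from the wget output in the question.

```routeros
# Added example (not from the thread). Assumes ether1 is the uplink toward the
# first provider and that 151.101.0.133:443 is the HTTPS server that stalled.

# 1. Probe for a PMTU black hole: ping with the DF bit set at decreasing sizes
#    (on RouterOS "size" is the whole IP packet). If size=1500 times out with no
#    "fragmentation needed" reply but a smaller size answers, something on the
#    path limits the MTU and the ICMP that PMTUD depends on is being dropped.
/ping 151.101.0.133 size=1500 do-not-fragment count=3
/ping 151.101.0.133 size=1400 do-not-fragment count=3
/ping 151.101.0.133 size=1300 do-not-fragment count=3

# 2. Capture port 443 on the WAN interface while the stalled wget is repeated
#    from a LAN host, to see whether the server's reply segments ever arrive.
#    Do this with one provider link enabled at a time, as suggested above.
/tool sniffer set interface=ether1 filter-ip-protocol=tcp filter-port=443 file-name=https-wan.pcap
/tool sniffer start
# ... reproduce the stalled wget from a LAN host, then:
/tool sniffer stop
# fetch https-wan.pcap from /file and open it in Wireshark.

# 3. Mitigation if step 1 shows a smaller path MTU and no ICMP: clamp the TCP MSS
#    on SYNs to what the outgoing route's MTU allows, so the remote side never
#    sends segments larger than the path can carry. The poster's earlier MSS rule
#    did not help, so this only matters once the probe confirms the black hole;
#    chain=forward covers SYNs in both directions.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp for broken PMTUD"
```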
