07.02.2008 at 07:41AM PDT, ID: 23533712
HTTP through VPN not working (TCP/IP problem)

Asked by Office-Shadow in TCP/IP, Linux Networking, Hypertext Transfer Protocol (HTTP)

Hi,

Our company has a VPN link between two offices (UK - 10.1.0.0/16) and Pakistan (10.9.0.0/16).

Until recently our VPN link has been working perfectly with 2x WatchGuard III firewalls. We recently upgraded the UK firewall to a brand new WatchGuard x550e and we are now experiencing some very strange problems.

The VPN connects fine, and most services work okay between the two sites. For example SSH connections are fine and also a few third party bits of software that connect over the link.

HTTP requests from Pakistan to Linux/Apache2 servers here in the UK office though don't work. The port (80) is open and is accessible both via Internet Explorer and Telnet. Internet Explorer and Firefox both report that a connection is successful but then just seem to stay loading the web page for ever without actually getting anything.


Below are the two traces I have done. The first one is a successful attempt at loading a web page on the 10.1.50.23 (UK) webserver from a local IP address 10.1.60.5 (UK).


  0.000000    10.1.60.5 -> 10.1.50.23   TCP 49596 > www [SYN] Seq=0 Len=0 MSS=1460 WS=3 TSV=192472190 TSER=0
  0.000715   10.1.50.23 -> 10.1.60.5    TCP www > 49596 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2652190460 TSER=192472190 WS=2
  0.000822    10.1.60.5 -> 10.1.50.23   TCP 49596 > www [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=192472190 TSER=2652190460
  0.002071    10.1.60.5 -> 10.1.50.23   HTTP GET / HTTP/1.1
  0.002092   10.1.50.23 -> 10.1.60.5    TCP www > 49596 [ACK] Seq=1 Ack=411 Win=6864 Len=0 TSV=2652190461 TSER=192472190
  0.004031   10.1.50.23 -> 10.1.60.5    HTTP HTTP/1.1 200 OK (text/html)
  0.004038   10.1.50.23 -> 10.1.60.5    HTTP Continuation or non-HTTP traffic
  0.004083   10.1.50.23 -> 10.1.60.5    TCP www > 49596 [FIN, ACK] Seq=1513 Ack=411 Win=6864 Len=0 TSV=2652190461 TSER=192472190
  0.006069    10.1.60.5 -> 10.1.50.23   TCP 49596 > www [ACK] Seq=411 Ack=1513 Win=524280 Len=0 TSV=192472190 TSER=2652190461
  0.006319    10.1.60.5 -> 10.1.50.23   TCP 49596 > www [FIN, ACK] Seq=411 Ack=1513 Win=524280 Len=0 TSV=192472190 TSER=2652190461
  0.006328   10.1.50.23 -> 10.1.60.5    TCP www > 49596 [ACK] Seq=1514 Ack=412 Win=6864 Len=0 TSV=2652190461 TSER=192472190
  0.007443    10.1.60.5 -> 10.1.50.23   TCP 49596 > www [FIN, ACK] Seq=411 Ack=1514 Win=524280 Len=0 TSV=192472190 TSER=2652190461

This is what happens when a remote address (10.9.50.245 (Pakistan)) attempts to access the same web page over the VPN. This attempt fails and both Internet Exploder and Firefox just sit there forever saying Loading web page.

 13.624737  10.9.50.245 -> 10.1.50.23   TCP 1281 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
 13.624766   10.1.50.23 -> 10.9.50.245  TCP www > 1281 [RST] Seq=0 Len=0
 13.828125  10.9.50.245 -> 10.1.50.23   TCP 1290 > www [SYN] Seq=0 Len=0 MSS=1392
 13.828145   10.1.50.23 -> 10.9.50.245  TCP www > 1290 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
 14.177055  10.9.50.245 -> 10.1.50.23   TCP 1290 > www [ACK] Seq=1 Ack=1 Win=65535 Len=0
 14.188173  10.9.50.245 -> 10.1.50.23   HTTP GET / HTTP/1.1
 14.188193   10.1.50.23 -> 10.9.50.245  TCP www > 1290 [ACK] Seq=1 Ack=361 Win=6432 Len=0
 14.190087   10.1.50.23 -> 10.9.50.245  HTTP HTTP/1.1 200 OK (text/html)
 14.190093   10.1.50.23 -> 10.9.50.245  HTTP Continuation or non-HTTP traffic
 14.190370   10.1.50.23 -> 10.9.50.245  TCP www > 1290 [FIN, ACK] Seq=1513 Ack=361 Win=6432 Len=0
 14.684647  10.9.50.245 -> 10.1.50.23   TCP [TCP Dup ACK 18#1] 1290 > www [ACK] Seq=361 Ack=1 Win=65535 Len=0 SLE=1393 SRE=1513
 14.687020  10.9.50.245 -> 10.1.50.23   TCP [TCP Dup ACK 18#2] 1290 > www [ACK] Seq=361 Ack=1 Win=65535 Len=0 SLE=1393 SRE=1514
 17.189781   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 23.190247   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 35.181213   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 59.182766   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
107.186369   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
203.184432   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)


Can anyone give an insight into why this might be happening? If we switch back to the original firewall here everything works without a problem. One point that might be worth mentioning is that the latency between the two sites ranges from 300ms to 600ms.

Thank you.

Paul
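
An added example, not part of the original post: a short Python reading of the failing trace that pulls out the advertised MSS values, the byte range the client's SACK block shows as missing, and the spacing of the server's retransmissions. The names `TRACE`, `field` and `analyze` are illustrative, and the input lines are copied from the trace above.

```python
import re

# Lines copied from the failing trace in the question above (tshark text output).
TRACE = """\
 13.828125  10.9.50.245 -> 10.1.50.23   TCP 1290 > www [SYN] Seq=0 Len=0 MSS=1392
 13.828145   10.1.50.23 -> 10.9.50.245  TCP www > 1290 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
 14.684647  10.9.50.245 -> 10.1.50.23   TCP [TCP Dup ACK 18#1] 1290 > www [ACK] Seq=361 Ack=1 Win=65535 Len=0 SLE=1393 SRE=1513
 17.189781   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 23.190247   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 35.181213   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
 59.182766   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
107.186369   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
203.184432   10.1.50.23 -> 10.9.50.245  HTTP [TCP Retransmission] HTTP/1.1 200 OK (text/html)
"""

def field(name, info):
    """Return the integer value of a NAME=123 field, or None if absent."""
    m = re.search(rf"\b{name}=(\d+)", info)
    return int(m.group(1)) if m else None

def analyze(trace):
    mss, retx, hole = {}, [], None
    for line in trace.splitlines():
        m = re.match(r"\s*([\d.]+)\s+(\S+) -> (\S+)\s+(.*)", line)
        if not m:
            continue
        t, src, info = float(m.group(1)), m.group(2), m.group(4)
        if "[SYN" in info and field("MSS", info):
            mss[src] = field("MSS", info)        # MSS each side advertised
        if hole is None and field("SLE", info) is not None:
            # Receiver still ACKs `Ack` but has SACKed SLE..SRE,
            # so bytes Ack..SLE-1 never arrived.
            hole = (src, field("SLE", info) - field("Ack", info),
                    field("SRE", info) - field("SLE", info))
        if "[TCP Retransmission]" in info:
            retx.append(t)
    if hole is None:
        raise ValueError("no SACK block in trace")
    receiver, missing, sacked = hole
    gaps = [b - a for a, b in zip(retx, retx[1:])]
    return {
        "missing_bytes": missing,                 # size of the hole
        "sacked_bytes": sacked,                   # later data that did arrive
        "full_mss_segment_lost": missing == mss[receiver],
        "retx_gaps": [round(g) for g in gaps],    # seconds between retransmissions
        "backoff_doubles": all(1.8 < b / a < 2.2 for a, b in zip(gaps, gaps[1:])),
    }
```

On this trace the missing range is exactly the 1392 bytes the client advertised as its MSS, the 120-byte segment that followed it did arrive, and the server keeps retransmitting the same data with doubling gaps.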

About this solution

Zones: TCP/IP, Linux Networking, Hypertext Transfer Protocol (HTTP)
Tags: TCP/IP
Solution Provided By: Office-Shadow
Participating Experts: 2
Solution Grade: A