Partner institution cannot access web site via DNS name. And, Ethereal shows TCP previous segment lost on NGX firewall.

mobot
I have a couple of problems here.
First, I have a partner institution that cannot access a website we share using HTTP by the DNS name www.slrlc.org.  They can access it by the IP address 4.36.133.71.  They can ping the site by DNS name www.slrlc.org and IP address 4.36.133.71.  Firefox returns the message "invalid ip address", IE 6 returns "page not found".  Everyone else seems to be able to access the site by DNS name without a hitch.  I'm puzzled by the fact they can ping it by name but not access the website by name.

We're using Check Point's NGX for the firewall.  The log shows both the HTTP and ping packets being accepted.

Second, I've run fw monitor on the firewall console and piped the output to a file, which I opened up with Ethereal.  I see a lot of lines that read "TCP previous segment lost" and "TCP retransmission" for all the upper layer protocols, HTTP, SMTP, etc.
Principal Systems Administrator
Commented:
First problem: DNS lookup

Sounds like you may have a bad DNS lookup cached on the system or DNS is incorrectly configured.

On the affected system:
run ipconfig /flushdns

and

nslookup www.slrlc.org (Post the results)

Second: "TCP previous segment lost" and "TCP retransmission"
This indicates a bad connection somewhere in your network or on your ISP (more than likely ISP).  What is happening is the packets are getting dropped and resent, so all your data is getting there in the end, just a little slower, that's all.

Check all lines you can to make sure you have no bad wires, and contact your ISP to bring the potential problem to their attention.

Good luck
I would be leaning towards the partner institution's network filtering the traffic to your site, as it is accessible from my location:

"The St. Louis Research Libraries Consortium (SLRLC) is pleased to offer this Web-based interface to its catalog of resources."

Doesn't look like there's very much to troubleshoot at your end.


As far as the second problem goes, it looks like network collisions, but I am unfamiliar with Check Point's firewall so I could be wrong.
I would suspect incorrect IDS rules or proxy settings on the client side.
They should try a "telnet www.slrlc.org 80" to test a manual session.
Commented:
"I'm puzzled by the fact they can ping it by name but not access the website by name."  Meaning the browsers are having a problem; could be a proxy problem.  Results, if found, should be HTTP 200.

Difference for name vs IP: with name you have to first do a request for IP from name, get reverse record based on name.  With IP it is direct to reverse record.

If any DNS or cache has bad info for starting with DNS name, rather than IP Address, then result will be page not found or domain not found [invalid IP Address which can also be someone else cached with a duplicate IP Address, check Windows DNS, etc..].

Bad hosts file will do this too.

You need to check the various files on the partner computer system.  Could be they have a lame name server or are blocking certain IP ranges, whatever.  If it's their web server only, they may have a block from Apache or IIS, whichever they use.

And then it depends on who is using Linux and who is using Windows.

"I see a lot of lines that read "TCP previous segment lost" and "TCP retransmission" for all the upper layer protocols, http, smtp, etc."  Fell into blackholes or just TTL timed out?

Check NGX for rules and timing.
I heard of existing bugs in some proxies causing sites using "FrontPage" content to fail. This is why I asked to do a manual session. I also suggest creating "by hand" a small HTML file and seeing if it opens correctly.

Author commented:
Thanks for the suggestions, but we're still struggling with this one.  I swapped out our firewall last night with a spare I have set up. Didn't make a difference; they still can't access the site by name, but they can ping by name.  This convinces me it's not the firewall and the problem is on their end.

That being said, I'd like to ask about the TCP issues on our firewall. I ran a packet capture and opened it up in Ethereal. And, I see just a ton of the following lines.
tcp zerowindowviolation
tcp zerowindowprobe
tcp retransmission continuation
tcp previous segment lost
tcp out-of-order continuation

Googling suggests these conditions are due to network congestion. Can I get some feedback from the experts on what other factors may play a part in these conditions?  I'm gonna put a laptop with Ethereal on it between the internet router and demarc point and run a capture.
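To show what those Ethereal labels actually mean, here is an added example (not from any poster in this thread) that re-implements the expert-info heuristics in simplified form and runs them over a constructed capture; the segment values, the "client"/"server" names and the single-flow model are assumptions, and the gap-filling logic is reduced to the common case.

```python
from collections import namedtuple
# src is "client" or "server"; seq numbers the first payload byte; length is payload
# bytes (0 for a pure ACK); win is the receive window this sender advertises.
Seg = namedtuple("Seg", "src seq length win", defaults=(65535,))

def analyse(segs):
    """One label per segment, mirroring Ethereal's TCP expert-info flags (simplified)."""
    # per side: next in-order byte expected, [start, end) holes never seen, last win == 0
    state = {d: {"next": None, "gaps": [], "zw": False} for d in ("client", "server")}
    labels = []
    for s in segs:
        me, peer = state[s.src], state["server" if s.src == "client" else "client"]
        me["zw"] = s.win == 0
        if me["next"] is None: me["next"] = s.seq
        end = s.seq + s.length
        if s.length == 0:                        # pure ACK: only the window matters
            labels.append("zero window" if s.win == 0 else "ok")
        elif peer["zw"] and s.seq == me["next"]:
            if s.length == 1:                    # 1-byte poke: did the window reopen?
                labels.append("zero window probe")
            else:                                # bulk data into a closed window
                labels.append("zero window violation"); me["next"] = end
        elif s.seq == me["next"]:                # exactly the bytes we expected
            labels.append("ok"); me["next"] = end
        elif s.seq > me["next"]:                 # bytes skipped: the capture never saw them
            me["gaps"].append([me["next"], s.seq])
            labels.append("previous segment lost"); me["next"] = end
        else:                                    # older bytes: late arrival or a resend?
            hit = [g for g in me["gaps"] if g[0] <= s.seq < g[1]]
            if not hit:                          # bytes already seen -> sender resent them
                labels.append("retransmission")
            else:                                # fills a known hole -> arrived late
                labels.append("out-of-order")
                if end >= hit[0][1]: me["gaps"].remove(hit[0])
                else: hit[0][0] = end            # partial fill (simplified)
    return labels

# Constructed capture: one client/server flow, sequence numbers relative to 1.
CAPTURE = [
    Seg("client", 1, 100), Seg("server", 1, 0), Seg("client", 101, 100),
    Seg("client", 301, 100),        # bytes 201-300 missing -> previous segment lost
    Seg("client", 201, 100),        # the missing bytes arrive late -> out-of-order
    Seg("client", 301, 100),        # same bytes again -> retransmission
    Seg("server", 1, 0, win=0),     # receiver's buffer is full -> zero window
    Seg("client", 401, 1),          # 1-byte poke -> zero window probe
    Seg("client", 401, 100),        # data into a closed window -> zero window violation
    Seg("server", 1, 0, win=8192),  # window reopened
    Seg("client", 501, 100),        # back to normal
]
```

Note that "previous segment lost" means the capture point never saw those bytes, which on a firewall console can be the capture dropping packets rather than the network; the laptop capture between router and demarc is the right way to tell the two apart.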

Author commented:
DNS issue at the partner site. Now resolved. Thanks to all who replied.
Erik Bjers, Principal Systems Administrator

Commented:
Glad you were able to resolve

Commented:
"You need to check the various files on partner computer system."

Doh!
