Solved

Can't see a certain web site or receive pings

Posted on 2010-11-20
Last Modified: 2012-05-10
I have been trying to troubleshoot this for some hours now and am at wit's end.

There is a particular website that I can't see from my home.  
Every other web site works fine.
The web site works fine from other networks.

To troubleshoot this:
Tested any other web site. - OK
The web site owner has confirmed that their website is operating OK and it tests fine from anywhere (except my house!)
I have tried three different browsers (Firefox, Opera and IE) on two different computers with two different OS's - Windows XP and Suse Linux.
Reset my ADSL modem.

Not only can I not access their web server, but I can't telnet to port 25, or even ssh to the router.  Pings don't reply either.

For further diagnosis I connected my laptop to a wireless broadband modem and http, telnet, and ping all worked as expected.
So I connected to the Fortigate 80C router with ssh.  From there I ran
diag sniffer packet any "host <my staticip>"
and ran ping tests.  The results showed packets entering and leaving the router's public interface, yet my pc doesn't get the reply.

It seems that any traffic responses from this site don't reach me.
If I can solve the ping issue, I believe the rest will resolve as well.  Given that it appears that the router is returning the pings, and I can ping other hosts OK, where to from here?

If there are no worthwhile ideas, I'll reboot the remote router.
0
Question by:blokeman
24 Comments
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 400 total points
ID: 34179282
Have you tried pinging all or some of the routers along the route?  For example, since you were able to ping through the wireless router, do a tracert to see what routers are near the site and ping those.

There are a few reasons why this could fail including someone along the way dropping packets.  Your ISP could be the culprit.  
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 400 total points
ID: 34179289
1. Can you ping your computer from the remote router?  
2. What do you get when you do a tracert?
0
 
LVL 2

Expert Comment

by:elong0003
ID: 34180689
When on the problem network, if you ping the server do you get the same IP address reply as you would from a working network? Have you checked your hosts file (%systemroot%\system32\drivers\etc\hosts)?
0
 

Author Comment

by:blokeman
ID: 34183234
When pinging the server, the problem network and a working network both return the same IP, so DNS is good.

Traceroute returns the following:
 1  home.gateway (172.22.0.254)  0.265 ms   0.267 ms   0.267 ms
 2  Lo0.amnet.l1-45sgt-se800-01.wa.amnet.net.au (203.161.65.253)  31.722 ms   32.154 ms   33.927 ms
 3  vl70.ten7-3.cr01.wa.amnet.net.au (203.161.65.41)  33.913 ms   34.488 ms   35.641 ms
 4  te3-2.br02.wa.amcom.net.au (203.161.65.65)  37.850 ms   39.549 ms   38.491 ms
 5  bbnet.ix.waia.asn.au (198.32.212.51)  41.507 ms   41.834 ms   41.502 ms
 6  l40qv1-per-pe01.iipb.com.au (122.199.4.22)  43.703 ms   44.276 ms   45.936 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

The server is hosted by iipb so maybe they are blocking traceroute on their network, hence all the asterisks.

I also just tested from the remote server and it can ping my home router ??
Is this weird or what?
0
 
LVL 2

Expert Comment

by:elong0003
ID: 34183238
It is not a VPN then?
0
 

Author Comment

by:blokeman
ID: 34183240
Just tried pinging the last host in my traceroute and it works fine.
0
 

Author Comment

by:blokeman
ID: 34183272
Let me clarify my last comment:
Just tried pinging the last host l40qv1-per-pe01.iipb.com.au (122.199.4.22) in my traceroute and it works fine, but still can't ping the destination server from my network.

At this point I am going to contact the ISP IIPB to seek their assistance.  Tomorrow I may even back up my own router's config and then reset it to factory defaults to see if that makes a difference - I don't think it will but I am short of ideas now.

No this is not VPN communication, just plain old telnet (for testing), ping, http, ssh.  As none of these work it has to be a routing issue or some firewall policy somewhere.  Maybe I am blacklisted somewhere along the way, by some threat management system.

Hopefully the ISP can shed some light on what is going on.  We'll see in the morning.
I have never experienced this before so feel free to throw any other ideas into the mix that could be useful even in discussion with the ISP.  At this point I'd like them to monitor the ping traffic from my network.
0
 
LVL 2

Expert Comment

by:elong0003
ID: 34183299
Do you have the option to flush arp from your routers? Also, is there a CLI on the router which you could ping that host from?
0
 

Author Comment

by:blokeman
ID: 34186508
The remote router has been rebooted, so that should clear the ARP cache.
The remote router can ping my router.

I have been in touch with the web server ISP and my ISP.  Both have said that they can ping both the web server and my static ip.  !!??

This is really frustrating me ... :- (

I am going to connect to the remote router via my backup wireless broadband modem and disable all firewall policies (of which there are not many), bar all hosts and any service defaults and see what happens.
0
 
LVL 2

Assisted Solution

by:elong0003
elong0003 earned 100 total points
ID: 34191864
Can your router ping the remote router and the host in question?
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 400 total points
ID: 34199269
"and ran ping tests.  The results showed packets entering and leaving the router's public interface, yet my pc doesn't get the reply."

I assume this means that the remote router shows the packet coming in and the packet going out.  This suggests that the packet is dying along the way.  I would consider doing a tracert from the remote router back to your home router.  This could be a TTL issue, you might want to check these counts to see if they are reasonable.  However, this could also be a firewall issue.  If it is a firewall issue, it seems strange that it singles out your own IP.  Dropping the firewall on the remote side temporarily should quickly let you know if it is your problem or one of the ISP's problem.

If you are making it to the iipb.com.au network, they may be dropping packets from your network.  You can try sending them an email telling them what IP address you are sending from and verify that it is not blocked.

The person at your ISP is giving you the brush off.  Just because they can ping you and the destination host doesn't mean anything to you.  For what it is worth, I would try a next level tech and have them verify that your IP address is not the problem.  It's ridiculous for them to say "well, it's not a problem for me" and leave you stuck.

0
 

Author Comment

by:blokeman
ID: 34238753
Thanks for hanging in there guys, been busy over the weekend, but now back on to this...
I have since learnt that my traceroute which I performed above, and shown again here:

 1  home.gateway (172.22.0.254)  0.265 ms   0.267 ms   0.267 ms
 2  Lo0.amnet.l1-45sgt-se800-01.wa.amnet.net.au (203.161.65.253)  31.722 ms   32.154 ms   33.927 ms
 3  vl70.ten7-3.cr01.wa.amnet.net.au (203.161.65.41)  33.913 ms   34.488 ms   35.641 ms
 4  te3-2.br02.wa.amcom.net.au (203.161.65.65)  37.850 ms   39.549 ms   38.491 ms
 5  bbnet.ix.waia.asn.au (198.32.212.51)  41.507 ms   41.834 ms   41.502 ms
 6  l40qv1-per-pe01.iipb.com.au (122.199.4.22)  43.703 ms   44.276 ms   45.936 ms
 7  * * *
is stopping one hop short of the destination (#7), ie the remote gateway router.
So does this mean that without question, the remote router is the problem?  Or does it possibly point to the web server ISP iipb.com.au?

I am leaning to point the finger at the remote ISP because my packet traces on the remote Fortigate router show the following:

diag sniffer packet any "host my.static.ip"
interfaces=[any]
filters=[host my.static.ip]
19.908208 my.static.ip -> web.server.ip: icmp: echo request
19.908330 web.server.ip -> my.static.ip: icmp: echo reply

I have re-contacted the web server's ISP and requested that they trace my ping replies to see where they drop.  Stay tuned...
0
 

Author Comment

by:blokeman
ID: 34238762
" I would consider doing a tracert from the remote router back to your home router." - Good call rfportilla, I'll try this now...
0
 

Author Comment

by:blokeman
ID: 34239155
TRACEROUTE FROM REMOTE ROUTER TO MY STATIC IP.

FG-80C # execute traceroute 116.212.218.187
traceroute to 116.212.218.187 (116.212.218.187), 32 hops max, 72 byte packets
 1  116.212.218.187  0 ms  0 ms  0 ms

This is the complete output...I am not quite sure how to interpret this.  So I tested a traceroute to google.com.au

FG-80C # execute traceroute www.google.com.au
traceroute to www.google.com.au (66.102.11.104), 32 hops max, 72 byte packets
 1  202.65.64.1 <202-65-64-1-wireless.bbnet.com.au>  2 ms  4 ms  2 ms
 2  122.199.4.20 <l40qv1-per-br01.iipb.com.au>  7 ms  3 ms  6 ms
 3  198.32.212.12  5 ms  21 ms  3 ms
 4  66.249.95.210  3 ms  3 ms  7 ms
 5  66.249.95.208  56 ms  58 ms  53 ms
 6  64.233.174.246  67 ms  55 ms  58 ms
 7  66.102.11.104 <syd01s01-in-f104.1e100.net>  54 ms  52 ms  54 ms


Interestingly the traceroute to Google shows the first hop as  202.65.64.1, whereas when my ISP  tracerouted to the remote web server their second last hop is 122.199.4.22.  From the remote router I tracerouted to both these and each is one hop away, so there may be two default gateway route options for the remote router, which is currently using 202.65.64.1.  I'll confirm with the remote ISP which is the optimal default route to use.
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 400 total points
ID: 34243107
I will assume that 116.212.218.187 is your home IP address?  If so, then the remote router is the problem and you need to check the rules to see why it's not allowing it to pass through.  Obviously you can get to Google so some IP's are allowed while others are not.

Regarding the router path, routers change the paths all of the time dynamically.  Double checking the suggested GW is not a bad idea, but I don't think it will solve this problem.  



0
 

Author Comment

by:blokeman
ID: 34332307
Sorry for leaving this a bit long.  Will be on to it again in the next day or so.
0
 

Author Comment

by:blokeman
ID: 34468114
Please don't close just yet.  This is still a problem and I'll be contacting Fortigate support to assist with a resolution within 36hrs.
0
 

Author Comment

by:blokeman
ID: 34477215
Trouble ticket has been raised with Fortinet.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34477227
great!  looking forward to the outcome...
0
 

Author Comment

by:blokeman
ID: 34481233
I logged this 15hrs ago and haven't heard from Fortinet.  Will chase up with them tomorrow.
0
 

Accepted Solution

by:
blokeman earned 0 total points
ID: 34505271
OK - problem solved.  

The problem was a misconfiguration in one of the "Virtual IP addresses", which is like port forwarding.  It had my (remote) ip 116.212.218.187 as the External IP, when it should have been 0.0.0.0.  It would be nice if the FortiOS could detect that an invalid interface was used for that entry like it does for other sections.

The external IP should be one of the Fortigate's External IP Address(es) that will be used to listen to connections.  It was my mistake because I understood the Virtual IP to incorporate filtering and thought that it would have prevented other hosts from trying to SSH to the server.  But this filtering can only be done with the firewall rules.

After removing this IP, all services were once again operational. :-)
0
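
An added example (not from the thread or from Fortinet): a small Python check for the two points in the accepted solution, that a Virtual IP's external IP must be one of the firewall's own addresses (or 0.0.0.0) and that source filtering has to come from the firewall policy rather than the VIP. The config fragment is constructed; the `firewall_ips` parameter, 192.168.1.10 and the entry names are assumptions.

```python
import ipaddress

# Constructed FortiOS-style fragment: 116.212.218.187 is the home IP from the thread;
# 192.168.1.10 and the entry names are made-up sample values.
SAMPLE = '''
config firewall vip
    edit "ssh-vip"
        set extip 116.212.218.187
        set mappedip 192.168.1.10
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "ssh-vip"
    next
end
'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: value}}}."""
    cfg, section, entry = {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:]).replace('"', "")
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return cfg

def audit(text, firewall_ips):
    """firewall_ips: addresses the operator knows belong to this firewall (assumption)."""
    cfg, findings = parse(text), []
    # 0.0.0.0 is accepted because it is the value the thread's fix used.
    owned = {ipaddress.ip_address(ip) for ip in [*firewall_ips, "0.0.0.0"]}
    vips = cfg.get("firewall vip", {})
    for name, vip in vips.items():
        ext = ipaddress.ip_address(vip.get("extip", "0.0.0.0").split("-")[0])
        if ext not in owned:  # the mistake from the thread: a remote client's IP as extip
            findings.append(("vip", name, f"extip {ext} is not one of this firewall's addresses"))
    for pid, pol in cfg.get("firewall policy", {}).items():
        exposed = set(pol.get("dstaddr", "").split()) & set(vips)
        if exposed and "all" in pol.get("srcaddr", "").split():  # the VIP itself filters nothing
            findings.append(("policy", pid, f"{sorted(exposed)} reachable from any source"))
    return findings
```

With the constructed fragment, `audit(SAMPLE, ["203.0.113.10"])` reports both the VIP and policy 1; 203.0.113.10 is a placeholder for the firewall's real external address.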
 
LVL 33

Expert Comment

by:digitap
ID: 34505278
wow...that's quite the solution.  glad you persevered through it and figured it out.  good job!
0
 

Author Closing Comment

by:blokeman
ID: 34533047
Final solution was found by Fortinet support.  Points allocated for valuable guidance for checks and testing.
Cheers and beers
0
