Can't see a certain web site or receive pings

I have been trying to troubleshoot this for some hours now and am at wits' end.

There is a particular website that I can't see from my home.  
Every other web site works fine.
The web site works fine from other networks.

To troubleshoot this:
Tested any other web site. - OK
The web site owner has confirmed that their website is operating OK and it tests fine from anywhere (except my house!)
I have tried three different browsers (Firefox, Opera and IE) on two different computers with two different OS's - Windows XP and Suse Linux.
Reset my ADSL modem.

Not only can I not access their web server, but I can't telnet to port 25, or even ssh to the router.  Pings don't reply either.

For further diagnosis I connected my laptop to a wireless broadband modem and http, telnet, and ping all worked as expected.
So I connected to the Fortigate 80C router with ssh.  From there I ran
diag sniffer packet any "host <my staticip>"
and ran ping tests.  The results showed packets entering and leaving the router's public interface, yet my pc doesn't get the reply.

It seems that any traffic responses from this site don't reach me.
If I can solve the ping issue, I believe the rest will resolve as well.  Given that it appears that the router is returning the pings, and I can ping other hosts OK, where to from here?

If there are no worthwhile ideas, I'll reboot the remote router.
blokemanAsked:
 
blokemanAuthor Commented:
OK - problem solved.  

The problem was a misconfiguration in one of "Virtual IP addresses", which is like port forwarding.  It had my (remote) ip 116.212.218.187 as the External IP, when it should have been 0.0.0.0.  It would be nice if the FortiOS could detect that an invalid interface was used for that entry like it does for other sections.

The external IP should be one of the Fortigate's External IP Address(es) that will be used to listen to connections.  It was my mistake because I understood the Virtual IP to incorporate filtering and thought that it would have prevented other hosts from trying to SSH to the server.  But this filtering can only be done with the firewall rules.

After removing this IP, all services were once again operational. :-)
0
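A check for the misconfiguration described in the answer above, as an added example (not from the thread and not a Fortinet tool): it parses the `config firewall vip` section of a FortiOS configuration backup and flags any Virtual IP whose `extip` is neither 0.0.0.0 nor an address the FortiGate itself listens on. The sample config, the VIP names, the 192.168.1.10 mapped address and the 203.0.113.10 WAN address are constructed assumptions; only 116.212.218.187 is from the thread.

```python
import ipaddress

# Constructed FortiOS backup fragment: only 116.212.218.187 (the poster's
# home address) is from the thread; names and other addresses are made up.
SAMPLE_CONFIG = """\
config firewall vip
    edit "ssh-to-server"
        set extip 116.212.218.187
        set mappedip 192.168.1.10
    next
    edit "web-to-server"
        set extip 0.0.0.0
        set mappedip 192.168.1.10
    next
end
"""

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} from 'config firewall vip'."""
    vips, name, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config firewall vip" else 0
        elif line.startswith("config "):
            depth += 1          # nested block inside a VIP entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vips[name] = {}
        elif depth == 1 and name and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[name][key] = value.strip().strip('"')
    return vips

def audit_extip(config_text, owned_ips):
    """List (vip, extip) where extip is neither 0.0.0.0 nor an owned address."""
    allowed = {ipaddress.ip_address(ip) for ip in [*owned_ips, "0.0.0.0"]}
    findings = []
    for name, settings in parse_vips(config_text).items():
        extip = settings.get("extip", "0.0.0.0")
        # extip is a single address or a "start-end" range; check both ends
        ends = [ipaddress.ip_address(p.strip()) for p in extip.split("-")]
        if any(addr not in allowed for addr in ends):
            findings.append((name, extip))
    return findings

if __name__ == "__main__":
    print(audit_extip(SAMPLE_CONFIG, ["203.0.113.10"]))
```

Pass the FortiGate's own external addresses as `owned_ips`; restricting which remote hosts may reach a VIP belongs in the source address of the firewall policy that references it, as the answer notes.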
 
rfportillaCommented:
Have you tried pinging all or some of the routers along the route?  For example, since you were able to ping through the wireless router, do a tracert to see what routers are near the site and ping those.

There are a few reasons why this could fail including someone along the way dropping packets.  Your ISP could be the culprit.  
0
 
rfportillaCommented:
1. Can you ping your computer from the remote router?  
2. What do you get when you do a tracert?
0
 
elong0003Commented:
When on the problem network, if you ping the server do you get the same IP address reply as you would from a working network? Have you checked your hosts file (%systemroot%\system32\drivers\etc\hosts)?
0
 
blokemanAuthor Commented:
When pinging the server from the problem network and a working network, both return the same IP, so DNS is good.

Traceroute returns the following:
 1  home.gateway (172.22.0.254)  0.265 ms   0.267 ms   0.267 ms
 2  Lo0.amnet.l1-45sgt-se800-01.wa.amnet.net.au (203.161.65.253)  31.722 ms   32.154 ms   33.927 ms
 3  vl70.ten7-3.cr01.wa.amnet.net.au (203.161.65.41)  33.913 ms   34.488 ms   35.641 ms
 4  te3-2.br02.wa.amcom.net.au (203.161.65.65)  37.850 ms   39.549 ms   38.491 ms
 5  bbnet.ix.waia.asn.au (198.32.212.51)  41.507 ms   41.834 ms   41.502 ms
 6  l40qv1-per-pe01.iipb.com.au (122.199.4.22)  43.703 ms   44.276 ms   45.936 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

The server is hosted by iipb so maybe they are blocking traceroute on their network, hence all the asterisks.

I also just tested from the remote server and it can ping my home router ??
Is this weird or what?
0
 
elong0003Commented:
It is not a VPN then?
0
 
blokemanAuthor Commented:
Just tried pinging the last host in my traceroute and it works fine.
0
 
blokemanAuthor Commented:
Let me clarify my last comment:
Just tried pinging the last host l40qv1-per-pe01.iipb.com.au (122.199.4.22) in my traceroute and it works fine, but still can't ping the destination server from my network.

At this point I am going to contact the ISP IIPB to seek their assistance.  Tomorrow I may even back up my own router's config and then reset it to factory defaults to see if that makes a difference - I don't think it will but I am short of ideas now.

No, this is not VPN communication, just plain old telnet (for testing), ping, http, ssh.  As none of these work it has to be a routing issue or some firewall policy somewhere.  Maybe I am blacklisted somewhere along the way, by some threat management system.

Hopefully the ISP can shed some light on what is going on.  We'll see in the morning.
I have never experienced this before so feel free to throw any other ideas into the mix that could be useful even in discussion with the ISP.  At this point I'd like them to monitor the ping traffic from my network.
0
 
elong0003Commented:
Do you have the option to flush arp from your routers? Also, is there a CLI on the router which you could ping that host from?
0
 
blokemanAuthor Commented:
The remote router has been rebooted, so that should clear the ARP cache.
The remote router can ping my router.

I have been in touch with the web server ISP and my ISP.  Both have said that they can ping both the web server and my static ip.  !!??

This is really frustrating me ... :- (

I am going to connect to the remote router via my backup wireless broadband modem and disable all firewall policies (of which there are not many), bar all hosts and any service defaults and see what happens.
0
 
elong0003Commented:
Can your router ping the remote router and the host in question?
0
 
rfportillaCommented:
"and ran ping tests.  The results showed packets entering and leaving the router's public interface, yet my pc doesn't get the reply."

I assume this means that the remote router shows the packet coming in and the packet going out.  This suggests that the packet is dying along the way.  I would consider doing a tracert from the remote router back to your home router.  This could be a TTL issue, you might want to check these counts to see if they are reasonable.  However, this could also be a firewall issue.  If it is a firewall issue, it seems strange that it singles out your own IP.  Dropping the firewall on the remote side temporarily should quickly let you know if it is your problem or one of the ISP's problem.

If you are making it to the iipb.com.au network, they may be dropping packets from your network.  You can try sending them an email telling them what IP address you are sending from and verify that it is not blocked.

The person at your ISP is giving you the brush off.  Just because they can ping you and the destination host doesn't mean anything to you.  For what it is worth, I would try a next level tech and have them verify that your IP address is not the problem.  It's ridiculous for them to say "well, it's not a problem for me" and leave you stuck.

0
 
blokemanAuthor Commented:
Thanks for hanging in there guys, been busy over the weekend, but now back on to this...
I have since learnt that my traceroute which I performed above, and shown again here:

 1  home.gateway (172.22.0.254)  0.265 ms   0.267 ms   0.267 ms
 2  Lo0.amnet.l1-45sgt-se800-01.wa.amnet.net.au (203.161.65.253)  31.722 ms   32.154 ms   33.927 ms
 3  vl70.ten7-3.cr01.wa.amnet.net.au (203.161.65.41)  33.913 ms   34.488 ms   35.641 ms
 4  te3-2.br02.wa.amcom.net.au (203.161.65.65)  37.850 ms   39.549 ms   38.491 ms
 5  bbnet.ix.waia.asn.au (198.32.212.51)  41.507 ms   41.834 ms   41.502 ms
 6  l40qv1-per-pe01.iipb.com.au (122.199.4.22)  43.703 ms   44.276 ms   45.936 ms
 7  * * *
is stopping one hop short of the destination (#7), ie the remote gateway router.
So does this mean that without question, the remote router is the problem?  Or does it possibly point to the web server ISP iipb.com.au?

I am leaning to point the finger at the remote ISP because my packet traces on the remote Fortigate router show the following:

diag sniffer packet any  "host my.static.ip"
 
interfaces=[any]
 
filters=[host my.static.ip]
 
19.908208 my.static.ip -> web.server.ip: icmp: echo request
 
19.908330 web.server.ip -> my.static.ip: icmp: echo reply

I have re-contacted the web server's ISP and requested that they trace my ping replies to see where they drop.  Stay tuned...
0
 
blokemanAuthor Commented:
" I would consider doing a tracert from the remote router back to your home router." - Good call rfportilla, I'll try this now...
0
 
blokemanAuthor Commented:
TRACEROUTE FROM REMOTE ROUTER TO MY STATIC IP.
 
FG-80C # execute traceroute 116.212.218.187
 
traceroute to 116.212.218.187 (116.212.218.187), 32 hops max, 72 byte packets
 
 1  116.212.218.187  0 ms  0 ms  0 ms

This is the complete output...I am not quite sure how to interpret this.  So I tested a traceroute to google.com.au

FG-80C # execute traceroute www.google.com.au
 
traceroute to www.google.com.au (66.102.11.104), 32 hops max, 72 byte packets
 
 1  202.65.64.1 <202-65-64-1-wireless.bbnet.com.au>  2 ms  4 ms  2 ms
 
 2  122.199.4.20 <l40qv1-per-br01.iipb.com.au>  7 ms  3 ms  6 ms
 
 3  198.32.212.12  5 ms  21 ms  3 ms
 
 4  66.249.95.210  3 ms  3 ms  7 ms
 
 5  66.249.95.208  56 ms  58 ms  53 ms
 
 6  64.233.174.246  67 ms  55 ms  58 ms
 
 7  66.102.11.104 <syd01s01-in-f104.1e100.net>  54 ms  52 ms  54 ms


Interestingly the traceroute to Google shows the first hop as  202.65.64.1, whereas when my ISP  tracerouted to the remote web server their second last hop is 122.199.4.22.  From the remote router I tracerouted to both these and each is one hop away, so there may be two default gateway route options for the remote router, which is currently using 202.65.64.1.  I'll confirm with the remote ISP which is the optimal default route to use.
0
 
rfportillaCommented:
I will assume that 116.212.218.187 is your home IP address?  If so, then the remote router is the problem and you need to check the rules to see why it's not allowing it to pass through.  Obviously you can get to Google so some IP's are allowed while others are not.

Regarding the router path, routers change the paths all of the time dynamically.  Double checking the suggested GW is not a bad idea, but I don't think it will solve this problem.  



0
 
blokemanAuthor Commented:
Sorry for leaving this a bit long.  Will be on to it again in the next day or so.
0
 
blokemanAuthor Commented:
Please don't close just yet.  This is still a problem and I'll be contacting Fortigate support to assist with a resolution within 36hrs.
0
 
blokemanAuthor Commented:
Trouble ticket has been raised with Fortinet.
0
 
digitapCommented:
great!  looking forward to the outcome...
0
 
blokemanAuthor Commented:
I logged this 15hrs ago and haven't heard from Fortinet.  Will chase up with them tomorrow.
0
 
digitapCommented:
wow...that's quite the solution.  glad you persevered through it and figured it out.  good job!
0
 
blokemanAuthor Commented:
Final solution was found by Fortinet support.  Points allocated for valuable guidance for checks and testing.
Cheers and beers
0
Question has a verified solution.
