Solved

Unable to connect to one particular site

Posted on 2011-10-31
Last Modified: 2012-05-12
Hi,

Recently I am not able to connect to a particular site.  I am able to ping and trace route www.google.com and www.yahoo.com on the Cisco ASA.  But for this particular website, I am not able to do either.  However, if I plug directly into the external router connected to the ISP, then I have no problem connecting to the site.  The site itself is not the problem.

What kind of steps can I take to see if the site is blocked somehow?  I checked all the access lists on the ASA, but I don't see anything that may be blocking the site.

Thanks.
Question by:tflai
25 Comments
 
LVL 7

Expert Comment

by:Hellmark
ID: 37060109
My guess is that it is a DNS issue. Do you have DNS caching enabled? It is possible for the ASA to cache DNS info, and if things change and the cache is not updated, old information will be used when trying to go to a site.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37060153
when you lookup the site's IP address (nslookup www.sitex.com) and then tracert to that IP, where does the trace stop? Does it stop at your FW or does it go to the 'net?

if you try to access the site from somewhere else have you confirmed that it's working?
0
 
LVL 4

Author Comment

by:tflai
ID: 37060316
When I did nslookup of the site on my machine, I get the correct IP address.  If I did trace route on ASA, I just got it is not traceable.  When I ping from the ASA, I just got timeout and no successful ping attempts.  I can connect to this site from our external connection.  So site is not the problem.

I am trying to troubleshoot it from ASA logging and packet tracing without too much success.  Please let me know if you have some tips or knowledge in these areas.

Thanks.
0
 
LVL 4

Author Comment

by:tflai
ID: 37060325
We also have the Cisco botnet filter enabled on this ASA firewall.  I have whitelisted the site, but I still cannot connect to this site.

I am using ASDM.  Where can I check DNS caching information?  Or do I need to use CLI?

Thanks.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 37060709
There are viruses that can block sites that you, as a user, can use to update Windows security patches, access Microsoft web sites, update any antivirus updates, etc...

There are two ways to do this:
one is through DNS poisoning, and your hosts file record will be filled with web sites and fictitious IPs.

The second is through a bunch of registry edits.

0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37062680
the correct address when you do nslookup/ping then I don't think it's a DNS problem.

It sounds to me like a routing or firewall rule issue...

by any chance is the public IP of this site in the same IP subnet as your ASA? For example if the subnet mask is not correct on the public interface of the ASA then that would prevent you from accessing some sites
0
 
LVL 4

Author Comment

by:tflai
ID: 37064719
I just found on the ASA log the following message - Deny IP spoof from (x.x.x.x) to (IP address of the site) on interface DMZ.  Any idea on how I can fix the problem?

Thanks.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37065606
when you tried to ping it from the asa which interface did you use as the source? try it using the internal/LAN and external/WAN interface and check the logs
0
 
LVL 4

Author Comment

by:tflai
ID: 37065691
I found SYN Timeout events whenever I tried to connect to this site.  
0
 
LVL 4

Author Comment

by:tflai
ID: 37066806
I get "Teardown TCP connection for External:x.x.x.x/80 to DMZ:x.x.x.x duration 0:00:30 bytes 0 SYN Timeout" in the ASA log.
0
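The two log lines quoted in this thread (a 106016 "Deny IP spoof" and a 302014 teardown with bytes 0 and SYN Timeout) point at different causes, so it helps to sort a log capture by what the ASA actually did with each packet to the target address. The script below is an added example, not code from the thread or from Cisco; the syslog lines are constructed to follow the published ASA message formats for 106016, 106023 and 302013/302014, with documentation-range addresses.

```python
"""Triage Cisco ASA syslog lines for one destination IP.

Added example, not from the thread. SAMPLE_LOG is constructed; the regexes
follow the ASA syslog message formats for 106016, 106023 and 302014.
"""
import re
from collections import defaultdict

SPOOF = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)")
ACL_DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)? by access-group \"(?P<acl>[^\"]+)\"")
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection \d+ for (?P<aif>[\w-]+):(?P<a>[\d.]+)/\d+ "
    r"to (?P<bif>[\w-]+):(?P<b>[\d.]+)/\d+ duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")


def mentions(line, ip):
    """True if `ip` appears as a whole address (not as a prefix of a longer one)."""
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line) is not None


def triage(lines, target):
    """Bucket every line mentioning `target` by the ASA's disposition.

    Buckets and their usual meaning:
      spoof        reverse-path check failed: the packet arrived on an interface
                   whose routing table does not lead back to its source
      acl          an access-group explicitly dropped it
      syn_timeout  the SYN left the box and nothing came back in 30s
                   (upstream routing, NAT, or the far end), not an ACL
      completed    a session to that address actually carried data
    """
    out = defaultdict(list)
    for line in lines:
        if not mentions(line, target):
            continue
        if m := SPOOF.search(line):
            out["spoof"].append(f"{m['src']} -> {m['dst']} arrived on {m['iface']}")
        elif m := ACL_DENY.search(line):
            out["acl"].append(f"{m['sif']}:{m['src']} -> {m['dif']}:{m['dst']} by {m['acl']}")
        elif m := TEARDOWN.search(line):
            reason = (m["reason"] or "").strip()
            pair = f"{m['aif']}:{m['a']} <-> {m['bif']}:{m['b']}"
            if "SYN Timeout" in reason and m["bytes"] == "0":
                out["syn_timeout"].append(f"{pair} after {m['dur']}")
            else:
                out["completed"].append(f"{pair} {m['bytes']} bytes {reason}".rstrip())
    return dict(out)


def verdict(buckets):
    """Return the most actionable bucket present; a spoof drop outranks the rest."""
    for key in ("spoof", "acl", "syn_timeout", "completed"):
        if buckets.get(key):
            return key
    return "no_match"


# Constructed sample log (timestamps and hostname are typical syslog prefixes).
SAMPLE_LOG = [
    "Oct 31 2011 10:02:11 fw1 %ASA-6-302013: Built outbound TCP connection 4411 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.1.2.30/50123 (203.0.113.5/50123)",
    "Oct 31 2011 10:02:41 fw1 %ASA-6-302014: Teardown TCP connection 4411 for outside:198.51.100.20/80 to inside:10.1.2.30/50123 duration 0:00:30 bytes 0 SYN Timeout",
    "Oct 31 2011 10:02:45 fw1 %ASA-2-106016: Deny IP spoof from (10.1.2.30) to 198.51.100.20 on interface DMZ",
    "Oct 31 2011 10:03:01 fw1 %ASA-6-302014: Teardown TCP connection 4412 for outside:198.51.100.99/443 to inside:10.1.2.30/50124 duration 0:00:05 bytes 8842 TCP FINs",
    "Oct 31 2011 10:03:09 fw1 %ASA-4-106023: Deny tcp src inside:10.1.2.30/50125 dst outside:198.51.100.77/80 by access-group \"inside_access_in\" [0x0, 0x0]",
]


if __name__ == "__main__":
    for ip in ("198.51.100.20", "198.51.100.77", "198.51.100.99"):
        b = triage(SAMPLE_LOG, ip)
        print(ip, "->", verdict(b), b)
```

Feed it the output of show logging (or the syslog collector's file) and the public address you resolved for the site. A "spoof" verdict for traffic that should have gone out the outside interface is the interesting case in this thread: it says a packet for that destination showed up on DMZ, which is exactly the wrong-interface or overlapping-route situation the next reply asks about.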
 
LVL 16

Expert Comment

by:JammyPak
ID: 37069456
it almost sounds like the external IP you're trying to hit is configured on the dmz interface of the ASA
are you using the dmz interface? check its IP settings
0
 
LVL 4

Author Comment

by:tflai
ID: 37070458
The interesting problem is that most of our external web links, Google, Yahoo, MSN, etc are working.  I am thinking of rebooting the ASA to clear the cache and stuff to see if that would fix the problem.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37070658
if your tracert never hops past the ASA then it definitely seems to be either a routing problem or ACL problem on the ASA itself for that public IP range the website is on

did you check the interface settings on the DMZ interface? not close to this public IP at all?
0
 
LVL 4

Author Comment

by:tflai
ID: 37070717
The DMZ has IP address of 207.x.x.x and the website IP is 198.x.x.x.  So looks like that is not the source of the problem.

Thanks.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37070907

are there any vpn tunnels on the ASA? just wondering if the ranges or targets assigned to those tunnels overlap.

if you use ASDM to manage the ASA, goto 'Device Setup' then Routing and see if there are any routes relevant to the 207 network

then I would go to the menus: Tools - Packet Tracer, and select your external interface, choose icmp for the protocol, 'echo' for the type, and use one of your internal IPs as the source, and then the IP of the webserver as the destination. It will go through a series of steps and hopefully show where/why it's not connecting.
0
 
LVL 4

Author Comment

by:tflai
ID: 37071911
If I do an nslookup, I will get slightly different IP addresses for the website: x.x.232.x (internally) and x.x.234.x (externally).  Perhaps that is causing the problem?  Do I need to ensure they are the same and how can I do that?  Thanks
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37072074
well that isn't good...the website would normally have only 1 ip address whether you are internal or external.

if you do this:
nslookup
>server 4.2.2.2
>www.xxxxx.com (or whatever)

what is the IP address you get back? That is the one in the public ('real') world. can you go to that IP in a browser?

if that works then you need to figure out why you are resolving the name incorrectly internally...
try:
ipconfig /flushdns
check your local (internal) assuming that is what you're using
check your hosts file
0
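The check suggested above (ask 4.2.2.2 and your internal server the same question and compare) can be scripted so it does not depend on nslookup's output format and so you also see the TTL, which tells you how long a stale cached answer will survive. This is an added example, not code from the thread: it builds a minimal RFC 1035 A query by hand, parses the reply, and diffs the two answer sets. The resolver addresses, hostname and the constructed replies used in the offline demo are assumptions.

```python
"""Ask two resolvers the same A question and diff the answers.

Added example, not from the thread. resolve_a() talks to a real server;
make_reply() and demo() are constructed fixtures so the logic runs offline.
"""
import random
import socket
import struct


def build_query(name, qid=None):
    """Return (id, wire) for a standard recursive A/IN query."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return qid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expect_id=None):
    """Return (rcode, sorted A-record IPs, minimum TTL) from a DNS reply."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expect_id is not None and qid != expect_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE/QCLASS
    ips, ttl_min = [], None
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
            ttl_min = ttl if ttl_min is None else min(ttl_min, ttl)
        off += rdlen
    return rcode, sorted(ips), ttl_min


def resolve_a(name, server, timeout=3.0):
    """Network call: send the query over UDP/53 to `server` and parse the reply."""
    qid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expect_id=qid)


def diff_answers(internal, external):
    """Compare two (rcode, ips, ttl) tuples and return a one-line verdict."""
    if internal[1] == external[1]:
        return "consistent"
    if not internal[1]:
        return "internal resolver returned no A records (rcode %d)" % internal[0]
    return "stale or overridden: internal=%s (ttl %s) external=%s" % (
        ",".join(internal[1]), internal[2], ",".join(external[1]))


def make_reply(qid, name, ips, ttl=300):
    """Constructed reply fixture: echoes the question, answers with A records
    whose names are compression pointers back to the question (offset 12)."""
    _, q = build_query(name, qid)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + q[12:] + answers


def demo():
    """Offline walk-through mirroring the .232/.234 split seen in the thread."""
    name = "www.example.com"                          # assumed hostname
    internal = parse_a_records(make_reply(0x1234, name, ["198.51.100.232"], ttl=86400), 0x1234)
    external = parse_a_records(make_reply(0x1234, name, ["198.51.100.234"]), 0x1234)
    return diff_answers(internal, external)


if __name__ == "__main__":
    print(demo())
    # Live use (assumed addresses): compare your internal server with 4.2.2.2.
    # print(diff_answers(resolve_a("www.example.com", "10.0.0.10"),
    #                    resolve_a("www.example.com", "4.2.2.2")))
```

A large TTL on the internal answer is the practical tell: ipconfig /flushdns only clears the client cache, while the server keeps serving the old record until that TTL expires or someone clears the server-side cache, which is where this thread ends up.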
 
LVL 4

Author Comment

by:tflai
ID: 37073371
Somehow, if I manually change the DNS server IP address to the external ISP's IP, then the site will work.
0
 
LVL 4

Author Comment

by:tflai
ID: 37073583
It's strange, since I removed all the DNS forwarder IP addresses except the ISP's DNS.  I am still having problems connecting to the site.  Shouldn't it be the same as using the ISP's DNS?

Please help.  Thanks.
0
 
LVL 4

Accepted Solution

by:
tflai earned 0 total points
ID: 37086734
I've requested that this question be deleted for the following reason:

Thanks to everyone's reply.  It turned out that the information in the DNS cache for this particular site was not updated.  So I forced a refresh and the problem was resolved.  Thanks.
0
 
LVL 7

Expert Comment

by:Hellmark
ID: 37086735
Thought it sounded like a DNS problem. Can be quite common.
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 37093912
seems to me I suggested flushing your DNS cache after helping you discover the internal and external IPs were not in sync...but whatever.
0
 
LVL 4

Author Comment

by:tflai
ID: 37094653
JammyPak, I tried IPConfig /FlushDNS even before your suggestion and that did not work for me at all.  I found a way to manually flush the DNS cache on the DNS server.
0
 
LVL 4

Author Closing Comment

by:tflai
ID: 37123859
I found the actual solution.
0
 
LVL 7

Expert Comment

by:Hellmark
ID: 37100815
While he specifically stated to try ipconfig /dnsflush, the premise that the DNS cache needed to be flushed, regardless of system, was suggested more than once.
0
