How do I find out where an https request gets blocked?

Hi all,

We have a nasty problem from one of our servers:
 - HTTPS traffic to a server in a remote datacenter is blocked from a specific server in our datacenter
 - same URL works without a problem from all other servers in the same datacenter
 - PING, TRACEROUTE and MTR all stop somewhere in the remote datacenter

Our datacenter admins say that the problem is on the remote datacenter, while the remote datacenter says that there are no blocking rules for that IP!

We are stuck! I need a way to prove to both sides where the problem is, so I can force them to fix it! Is there a tool out there that can trace the HTTPS (or other traffic to a specific port) and let me know on which server it really stops? The server runs on CentOS 5.4, if that makes any difference. No firewall or other network-blocking software is on that server - at least for the moment!

Thank you in advance

Kostas
upcomltdAsked:
Dave BaldwinFixer of ProblemsCommented:
Fiddler http://www.fiddler2.com/fiddler2/ on Windows and Wireshark http://www.wireshark.org/ on all platforms are network analyzers that may be able to help.

Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
jackiechen858Commented:
How did you know the HTTPS traffic is blocked?  It might be a DNS issue (one of your servers couldn't get the correct IP for the domain).

You can log in to the server with the problem and another server without the problem, do some tests and compare the results:

ping thehttpsdomain
nslookup thehttpsdomain
telnet thehttpsdomain 443
traceroute thehttpsdomain

etc.

Post the result if you can.
upcomltdAuthor Commented:
Thank you all for your comments!

We have done all that. The ping does not respond, because it is not enabled on the server - blocked. Traceroute stops after a while; some router in between blocks the ping process.

The nslookup returns the correct information about the server, so there is no DNS problem. We also tried with the IP directly.
Doing telnet on port 443 we are blocked for a long period of time and then get a timeout.

I'm sure somewhere in the route, one of the servers blocks the traffic - possibly only HTTPS. The question is how do I find out which one! Doing telnet on 443 on all intermediate servers is not a solution - possibly none of them listens on this port.

I was thinking of a way at a very low level to be able to say that the packet arrived as far as that server, but then bounced back! Is that possible without contacting the admins of all those servers (impossible in reality)?

Thanks in advance

Kostas
Dave BaldwinFixer of ProblemsCommented:
Telnet does not work on ports that don't use a text interface.  Port 443 with SSL/TLS has to negotiate a secure connection first and as far as I know, you can't do that with telnet, at least not by itself.
jackiechen858Commented:
telnet will tell you if you can connect or not.  For example, if I do
telnet www.google.com 443
Trying 173.194.64.147...
Connected to www.l.google.com.
Escape character is '^]'.

It shows I can connect to google's 443 port, so there is no firewall blocking it.

Assuming you can telnet to 443 from the other server, but not from the server that has the problem: can you compare the traceroute results from both servers and see if there is a different route?
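Added example, not posted by anyone in this thread: a small Python probe that separates the outcomes telnet lumps together. A connect that ends in "refused" means the SYN reached a host that answered with RST (closed port or a REJECT rule), while "timeout" means the SYN or its reply was silently dropped somewhere on the path, which is the symptom described above. Run it on the working server and the failing one and diff the verdicts; the hostname and ports are placeholders. It does not name the dropping hop (that needs a TTL-stepped TCP traceroute run by the path owners), but it gives both datacenters a precise, repeatable statement of what is lost and where it is not.

```python
import errno
import socket

def probe_tcp(host, port, timeout=5.0):
    """Attempt one TCP connect to host:port and classify the outcome.

    "open"         handshake completed: path and port are fine
    "refused"      RST came back: packets reach a host, but nothing listens
                   there or a REJECT rule answered on its behalf
    "timeout"      neither SYN-ACK nor RST within `timeout`: something on
                   the path silently drops the SYN (DROP rule or black hole)
    "unreachable"  the local stack or a router reported no route
    "dns_error"    the name did not resolve (rules out the DNS theory first)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:          # must precede OSError (it is a subclass)
        return "dns_error"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def probe_all(host, ports=(80, 443), timeout=5.0):
    """Probe several ports: "timeout" on 443 next to "open" on 80 points at a
    port-specific rule rather than a dead host or a bad route."""
    return {p: probe_tcp(host, p, timeout) for p in ports}

def diff_verdicts(good, bad):
    """Compare the verdict dicts from the working and the failing server; the
    entries that differ are the ones to show both sets of admins."""
    return {p: (good[p], bad.get(p)) for p in good if good[p] != bad.get(p)}

def local_listener():
    """Throwaway listener on 127.0.0.1 (only used for the offline self-check)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    # Usage: probe.py <host> [port ...]  (run on both servers, then compare)
    host = sys.argv[1] if len(sys.argv) > 1 else "thehttpsdomain"  # placeholder
    ports = tuple(int(p) for p in sys.argv[2:]) or (80, 443)
    for port, verdict in probe_all(host, ports).items():
        print(f"{host}:{port} -> {verdict}")
```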
upcomltdAuthor Commented:
@jackiechen858

Exactly the same route. From one it responds with Connected to ..., from the other it is blocked :-(

Thanks for your efforts.
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
What is the update on your problem?
jackiechen858Commented:
Do all your servers have real INTERNET IPs or just private IPs? If they have private IPs, when they go out to the internet, the remote server should see them as the same INTERNET IP, so it should treat them the same.

If they have real, different internet IPs, or you have some private network between the remote datacenter and the local datacenter, the remote server will see your servers with different source IPs, and then one might be blocked by some bad network rule.

I remember I met a weird problem once: some traffic was blocked by our ISP, and it turned out it only blocked "certain IPs", like a special/weird IP address (with some .0. or something) - still a legal address, but a wrongly written rule could block it even though the admin didn't realize it.
upcomltdAuthor Commented:
@jackiechen858

No, all are real IP addresses, accessible from the internet. From that server (with the problem) we can access every other server we connect to.
jackiechen858Commented:
Does the one server with the problem have a "special" IP? Can you try to put a different IP there?
upcomltdAuthor Commented:
I'm closing this question as there is no real answer to the question raised. Almost everybody provided ways in that direction, but it seems there is no way to identify the blocking party.