Solved

Entire windows domain cannot access specific websites (e.g. www.ebay.co.uk)

Posted on 2012-09-09
48
Medium Priority
313 Views
Last Modified: 2014-04-26
Very strange one...

An entire Windows domain cannot access several websites (including Experts-Exchange).  One of the sites that they can't access is www.ebay.co.uk.  Even stranger is the fact that when laptops are removed from the building and put onto a home network they work just fine.

This issue is affecting laptops, PCs & servers of all different OSes.

Default Gateway on the network is a Cisco 1841 router which has been restarted.

Really strange because some sites work fine (bbc.co.uk, metoffice.gov.uk, microsoft.com, etc)

Any ideas?
0
Comment
Question by:andrewprouse
48 Comments
 
LVL 100

Expert Comment

by:John Hurst
ID: 38380754
Check your firewall settings (and perhaps remove a few restrictions temporarily).  Also perhaps save the configuration of your Cisco, do a hardware reset (factory specs) and set it up again.

That all computers are affected internally and the laptops within work fine elsewhere points to firewall.

... Thinkpads_User
0
 

Author Comment

by:andrewprouse
ID: 38380757
We're using the 1841 as the firewall (just ACLs).  

Having restarted the unit I don't think it's the 1841 causing the issue, the log shows no errors.
0
 
LVL 100

Expert Comment

by:John Hurst
ID: 38380764
You are saying all operating systems, all computers, and all servers are affected internally and those computers that can go outside work on outside systems.

So there must be a common point that is causing this.

(a) Re: the firewall, I would be inclined to try reset, not just restart.
(b) Ask your ISP - maybe they are blocking something.

.... Thinkpads_User
0

 
LVL 6

Expert Comment

by:Jelcin
ID: 38380766
could be a DNS issue... please make sure your dns server has an active forwarder to your ISPs DNS server.
0
 
LVL 100

Expert Comment

by:John Hurst
ID: 38380788
I normally pick up DNS from my ISP (which explains my second question). You can always try 4.2.2.2 as a secondary DNS to see if that helps.  ... Thinkpads_User
0
 

Author Comment

by:andrewprouse
ID: 38380798
DNS seems to be working fine (can ping names from the PCs & servers and an IP is returned).

DNS has several forwarders:

8.8.8.8
8.8.4.4
4.2.2.2

...so that shouldn't be the issue.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380806
There is a known issue where DNS may not be able to resolve some top level domains such as  .uk
http://support.microsoft.com/default.aspx?scid=kb;EN-US;968372
You may wish to review the article.
0
 

Author Comment

by:andrewprouse
ID: 38380809
just changed a server to use an external DNS server (4.2.2.2) then flushed the DNS cache and still couldn't access www.ebay.co.uk
0
 
LVL 100

Expert Comment

by:John Hurst
ID: 38380813
I would certainly contact your ISP. The only two points of failure I know of for this issue are firewall and ISP (DNS).   See what they say.

.... Thinkpads_User
0
 
LVL 6

Expert Comment

by:Jelcin
ID: 38380817
so you can resolve those names of the non working sites to ip but cannot access them in a browser? is that correct?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380826
To rule out a problem with the server's DNS set up, try manually configuring a laptop with gateway and _public_ DNS servers and see if it works.  If it does I would look at the link I provided earlier regarding failure of resolving some top level domains.
0
 

Author Comment

by:andrewprouse
ID: 38380829
Jelcin - yes that is correct

RobWill - I've done that look at my previous post.  Didn't work :(
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380834
Sorry.  I saw where you said "just changed a server to use an external DNS server "  but not where you tried it on a PC/laptop.
0
 

Author Comment

by:andrewprouse
ID: 38380841
ah sorry, haven't really got access to a pc/laptop today (am working remotely).  I would have thought however that experimenting with a server would have the same effect.

really strange one...
0
 

Author Comment

by:andrewprouse
ID: 38380865
...have tried a virtual pc with no luck
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38380869
Open

ebay.com
ebay.com.au
ebay.de
facebook.com

If you see a pattern then they are following some pattern.

BBC, Microsoft is normally unblocked.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380871
Then I would suspect the ISP, as thinkpads_user said; though it is not common, there was another question on EE quite a while back where it was the ISP causing a similar problem.

I doubt it is the router as it would not block only some traffic unless filtering was enabled.
0
 

Author Comment

by:andrewprouse
ID: 38380885
npsingh123 - the only site in that list that opens is facebook.com

I'll have to contact the ISP (BT) on Monday (deep joy).

Any other ideas???
0
 
LVL 100

Expert Comment

by:John Hurst
ID: 38380895
Only that (strange though it would be) would be to rebuild your firewall after you contact the ISP.
.... Thinkpads_User
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380904
Just as a point of interest; of the list provided by npsingh123 to test, only Facebook has IPv6 addresses to which it resolves.  Could it possibly be an IPv4 issue?
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38380908
Bypass the firewall and then see.


Remove the entry cable to your firewall and connect a laptop after your ADSL/WAN device.
0
 

Author Comment

by:andrewprouse
ID: 38380911
sites that do work include:

bbc.co.uk
metoffice.gov.uk
google.co.uk
microsoft.com
0
 
LVL 6

Expert Comment

by:Jelcin
ID: 38380917
assuming that you can't open the experts-exchange.com site from your companys network...

did you try to play around with nslookup?

E.g. if you try to do a "nslookup experts-exchange.com" what IP do you get? And then do a "nslookup experts-exchange.com 8.8.8.8" what IP do you get? Did you try to enter an IP directly in the browser instead of a domain name?

i get the ip 64.156.132.150 when i nslookup experts-exchange.com
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380923
Again, looking for common denominators.  All sites you have listed seem to work except those that only have IP's starting with 66.x.x.x  So it could be a routing issue with the ISP routing to that subnet..
0
 

Author Comment

by:andrewprouse
ID: 38380924
From virtual machine:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\User1>nslookup experts-exchange.com
Server:  UnKnown
Address:  172.16.17.30

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.150


C:\Users\User1>nslookup experts-exchange.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.150

************************************

Entering IP directly into IE / Firefox doesn't change anything, still can't get to EE.

Interestingly, having left IE for 40-45 mins trying to open ebay.co.uk, I now have a part of the page that is loaded (top menu bar and search box)
0
 

Author Comment

by:andrewprouse
ID: 38380926
one other site that doesn't work is www.flexnetuk.com (IP: 212.67.205.61)
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380929
Do the following work?
vovone.com
funkytime.com
0
 

Author Comment

by:andrewprouse
ID: 38380933
yep...both work (although funkytime.com is quite slow to load)
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380948
Still grasping at straws, how about these, especially the first one?
hsfcu.com
grass.com
nbc.com
america.com  (points to godaddy)
0
 

Author Comment

by:andrewprouse
ID: 38380954
hsfcu.com     YES
grass.com      YES
nbc.com         YES
america.com       YES
godaddy.com       NO

I read something about websites with 'static' in the name being the issue:
http://en.kioskea.net/forum/affich-274-problem-connecting-certain-websites?page=9

But this is talking more about malware and viruses which I don't think applies here.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380962
That rules out any theories I have about routing to specific subnets.

Have you done any checks for malware?
0
 

Author Comment

by:andrewprouse
ID: 38380963
we use ESET AV but have also checked with SpyBot & Adaware and anything that has been found (on the test virtual machine) has had no impact when removed / resolved.

I would have thought that any virus/malware would also impact the device when on a home network.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38380979
True, I was back to thinking you were using the server for DNS and it might be infected. But your test on a VM would likely rule that out.
0
 
LVL 6

Expert Comment

by:Jelcin
ID: 38380998
well if ping to those IPs gives a response it should not be the routing. Maybe it's something in an upper OSI layer blocking it. Maybe some proxy with application level filtering... What would be interesting is to try to use an external proxy in your browser's network settings.
Or just try this web based anonymizing proxy. Just type in an url that does not work on your network.

http://anonymouse.org/
0
 

Author Comment

by:andrewprouse
ID: 38381979
Jelcin - now that's interesting.  Through http://anonymouse.org/ I can browse to www.ebay.co.uk

We're back to a routing type issue aren't we.  I'll contact the ISP today, but I doubt they'll have a clue.
0
 
LVL 6

Expert Comment

by:Jelcin
ID: 38382534
yes please contact the ISP and keep us informed about the issue if possible
0
 

Author Comment

by:andrewprouse
ID: 38382670
will do, just waiting for the account details to be sent through to me so that I can call BT.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38385436
There is no doubt in my mind that you have ACLs on the router/firewall that are blocking groups of IPs.

If you can ping them you should be able to use application port 80 to communicate with them.

-To confirm this, take a laptop and plug in on the other side of the firewall to see if you can get those sites. But, remember you have to change that laptop's DNS settings to manual and use outside servers like (8.8.8.8 and 8.8.4.4).. Once beyond the firewall and able to communicate, it confirms your firewall/router ACLs are the culprit.

For IT sec:
Some people have blocked what is called a bogon IP address. When IPv4 addresses were plentiful, there were some bogus IP ranges that people blocked. They also include private IPs. These IP addresses are not being used by network providers like Akamai and other network providers (cloud providers). If blocked via a router edit, you are blocked from various addresses.
0
 

Author Comment

by:andrewprouse
ID: 38385728
ChiefIT - thanks for that I'll investigate. The only device between the core switch and the WAN is a Cisco 1841 which only has a few ACLs to allow services inbound through the router (VPN, SMTP, ActiveSync, etc). I didn't think it was clever enough to filter any other way. Also strange that it's been working fine and config hasn't been changed in ages.

I'll investigate
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38386356
Having investigated the IP's of each site that could and could not be visited I saw no pattern and as an example there were sites that worked and did not work that had an IP address of  66.135.x.x, so I am doubtful it is IP/subnet based filtering unless very granular.
0
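The "look for a common denominator" method Rob Williams applies above (first the 66.x.x.x theory, then the IPv6 observation, then the finding that 66.135.x.x hosts both working and failing sites) is easy to get wrong by eye once the list grows. The script below, an added example that is not part of the original thread, does that triage mechanically: for each failing site it records the /8, /16 and /24 of every IPv4 address it resolved to, reports prefixes shared by at least two failing sites and by no working site (suspects), reports prefixes where a working site also lives (which rules out filtering at that granularity), and checks whether "works" lines up exactly with "has an IPv6 address". Only experts-exchange.com and www.flexnetuk.com carry the addresses quoted in the thread; every other address and result in OBSERVATIONS is constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed observations: site -> (addresses it resolved to, did the page load?).
# Only experts-exchange.com (64.156.132.150) and www.flexnetuk.com (212.67.205.61)
# are taken from the thread; every other address and result is assumed for
# illustration and is not a real resolution.
OBSERVATIONS = {
    "experts-exchange.com": (["64.156.132.150"], False),
    "www.flexnetuk.com":    (["212.67.205.61"], False),
    "www.ebay.co.uk":       (["66.135.192.10"], False),                     # assumed
    "www.ebay.com":         (["66.135.200.5"], False),                      # assumed
    "godaddy.com":          (["208.109.192.70"], False),                    # assumed
    "facebook.com":         (["66.220.144.10", "2a03:2880:10::1"], True),   # assumed
    "bbc.co.uk":            (["212.58.244.1"], True),                       # assumed
    "microsoft.com":        (["65.55.58.201"], True),                       # assumed
    "google.co.uk":         (["173.194.34.1", "2a00:1450:4009::1"], True),  # assumed
}

PREFIX_LENGTHS = (8, 16, 24)


def v4_prefixes(addr, lengths=PREFIX_LENGTHS):
    """The /8, /16 and /24 containing an IPv4 address ([] for an IPv6 address)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return []
    return [str(ipaddress.ip_network(f"{addr}/{n}", strict=False)) for n in lengths]


def prefix_report(observations):
    """Split prefixes into suspects (shared by >= 2 failing sites and no working
    site) and ruled_out (a working site lives there too, so filtering at that
    granularity cannot explain the failures)."""
    seen = defaultdict(lambda: {"ok": set(), "fail": set()})
    for site, (addrs, works) in observations.items():
        for addr in addrs:
            for prefix in v4_prefixes(addr):
                seen[prefix]["ok" if works else "fail"].add(site)
    suspects = {p: sorted(s["fail"]) for p, s in seen.items()
                if len(s["fail"]) >= 2 and not s["ok"]}
    ruled_out = {p: sorted(s["ok"]) for p, s in seen.items()
                 if s["fail"] and s["ok"]}
    return suspects, ruled_out


def ipv6_explains_it(observations):
    """True only if 'has an IPv6 address' lines up exactly with 'works'."""
    def has_v6(addrs):
        return any(ipaddress.ip_address(a).version == 6 for a in addrs)
    return all(has_v6(addrs) == works for addrs, works in observations.values())


if __name__ == "__main__":
    suspects, ruled_out = prefix_report(OBSERVATIONS)
    print("suspect prefixes :", suspects)
    print("ruled out        :", sorted(ruled_out))
    print("IPv6 explains it :", ipv6_explains_it(OBSERVATIONS))
```

With the constructed data the /16 shared by the two eBay entries comes out as the only suspect, while 66.0.0.0/8 and 212.0.0.0/8 are ruled out because facebook.com and bbc.co.uk live there and work; the IPv6 check is false because bbc.co.uk works without an IPv6 address. Feed it the real nslookup results and it will tell you whether a subnet-based ACL or route is even a candidate before you start reading router configs.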
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38387320
AH, but all it takes is somewhere in the cloud where the IP is blocked. This would include AKAMAI, who is a cloud ISP on their own network. Run a tracert to these specific sites. Look where the packets are dropped and then check your IP schema that is blocked via an ACL. Akamai was a "bogon" address. Look up the definition of a bogon address. Most admins once blocked these addresses from communicating with the outside network. All of a sudden businesses started working with Akamai and some legit businesses were blocked. This is because the IP addressing for IPv4 was running low. So, they started using bogon addresses for legit business and cloud providers. If Akamai is blocked, you can lose all communications of businesses on the Akamai cloud.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38387330
If Akamai is blocked, these businesses might be blocked as well:

http://www.akamai.com/html/customers/customer_list.html
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38387418
ACLs on the router is the most likely. However, there is MALWARE that injects DNS poisoning. This is another problem with some malware. They will inject DNS poisoning to sites like Microsoft.com, ESET, malwarebytes, etc... to prevent you from hardening your network.

DNS poisoning can also take the most visited web sites and redirect these sites to bogus sites. They usually do this through a Registry Hack, or a host file edit. Now a DNS server should never check the host file for DNS resolution as a client would. So, this is an unlikely case to mess up your entire network with DNS resolution problems.

Most likely you are blocking a single group of IPs via an ACL that is an ISP cloud provider, like Akamai.
0
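ChiefIT's point about stale bogon filters is worth making concrete, because the failure mode is exactly the one in this thread: the ACL is applied inbound on the WAN interface, so what it tests is the *source* address of the reply coming back from the web site, and a /8 that was unallocated when the list was written silently becomes a black list for every site later hosted in it. The following is an added example, not the ROUTER-CONF.txt attached to the thread (which is not reproduced here) and not Cisco's own tooling: a small parser for IOS extended ACL lines (`any`, `host`, wildcard masks, `eq` ports, `established`) that reports which entry, or the implicit deny at the end, a given reply packet hits. The ACL text is constructed; 1.0.0.0/8 and 5.0.0.0/8 are real examples of ranges that bogon lists once carried and that were assigned to RIRs in 2010, and 203.0.113.10 is a documentation address standing in for the router's public address, which with NAT is what the inbound ACL sees as the destination.

```python
import ipaddress
import re

# Constructed IOS extended ACL in the style of a stale "bogon" filter applied
# inbound on a WAN interface (ip access-group 101 in). Not the config from the
# thread. 1.0.0.0/8 and 5.0.0.0/8 were unallocated when such lists were popular
# and were assigned to RIRs in 2010, so a filter that still denies them blocks
# replies from any site hosted there. 203.0.113.10 stands in for the router's
# public address (assumed: NAT, so inbound replies are addressed to it).
ACL_TEXT = """
access-list 101 remark --- stale bogon filter ---
access-list 101 deny   ip 1.0.0.0 0.255.255.255 any
access-list 101 deny   ip 5.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 203.0.113.10 eq 25
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
"""

ENTRY = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$")


def _take_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns (network, wildcard) as ints; wildcard bits set to 1 are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _take_port(tokens):
    """Consume an optional 'eq N' following an address spec."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:                      # blank lines and remarks
            continue
        tokens = m["rest"].split()
        src = _take_addr(tokens)
        sport = _take_port(tokens)
        dst = _take_addr(tokens)
        dport = _take_port(tokens)
        entries.append({
            "line": raw.strip(), "action": m["action"], "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in tokens,
        })
    return entries


def _matches(spec, addr):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF          # the bits this entry actually compares
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def first_match(entries, src, dst, proto="ip", sport=None, dport=None, established=False):
    """First entry matching the packet, or the implicit deny IOS appends to every ACL."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["established"] and not established:
            continue
        if _matches(e["src"], src) and _matches(e["dst"], dst):
            return e
    return {"action": "deny", "line": "<implicit deny at end of ACL>"}


def reply_allowed(entries, site_ip, public_ip="203.0.113.10"):
    """Does the HTTP reply from a web site (ACK set, so 'established') get back
    in through the WAN ACL? Returns (allowed, the ACL line that decided it)."""
    e = first_match(entries, src=site_ip, dst=public_ip, proto="tcp",
                    sport=80, dport=51000, established=True)
    return e["action"] == "permit", e["line"]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for site_ip in ("64.156.132.150", "1.2.3.4", "5.6.7.8"):
        print(site_ip, reply_allowed(acl, site_ip))
```

The same check on a live box is `show access-lists 101`: the hit counters on the stale deny lines climb every time someone tries a site hosted in those ranges, which is the quickest confirmation that a "harmless" inbound filter is the thing eating replies. The ACL the author describes (a few inbound permits for VPN, SMTP and ActiveSync) has no such deny lines, which is consistent with ChiefIT's later reading of the attached config.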
 

Author Comment

by:andrewprouse
ID: 38387844
Have talked with BT and they assure me that the fault is not with them.  They have advised me to swap the router back to the original BT 2wire unit to rule out potential router issues.

I may well try this, it just means making a 150mile trip to site.

I've attached the Cisco router config incase anyone participating is a Cisco boff and can see a potential issue.

Cheers, Andy
ROUTER-CONF.txt
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38393460
Then ask them if you are getting "Maximum Segment Size Exceeded" errors on the router. This might be MTU size and large frames from a particular web site.

The ACLs don't appear to be blocking these sites. However, they are a bit cumbersome.
0
 

Author Comment

by:andrewprouse
ID: 38403719
Just an update before this question goes inactive:

No luck with BT, I'll be attending site tomorrow (Monday) to change the router.  I'll update EE following this change.

Cheers
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 38403923
Changing the router will do no good with MTU settings. The default size is 1500. Changing this to a lower setting will allow overhead on the packets to go through the router. You can also ask the ISP if they participate in superframes.
0
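The MTU explanation in the accepted answer fits the symptoms reported earlier better than any of the filtering theories: DNS and ping (small packets) work, sites that serve small pages load, and www.ebay.co.uk eventually renders a fragment after forty minutes, which is what a path-MTU black hole looks like. Oversize packets with the DF bit set are dropped somewhere on the path without the ICMP "fragmentation needed" message that would let the sender shrink them. The script below is an added example, not part of the thread: it encodes the arithmetic (ICMP payload for a given MTU, the MSS that fits a given MTU), classifies the lines `ping` prints in each of the three outcomes, and binary-searches for the path MTU against a simulated path so it runs offline. The 1492 figure assumes an ADSL line carrying PPPoE, which costs 8 bytes per frame; the real value on the author's line is not stated in the thread.

```python
import re

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
ETHERNET_MTU = 1500
PPPOE_MTU = 1492   # assumed: ADSL with PPPoE loses 8 bytes to the PPPoE/PPP headers


def ping_payload_for(mtu):
    """ICMP payload (the ping -l / -s value) that makes a DF ping exactly `mtu` bytes."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def mss_for(mtu):
    """Largest TCP segment that fits in one packet of `mtu` bytes."""
    return mtu - IPV4_HEADER - TCP_HEADER


# Patterns for the lines Windows and Linux ping print in each outcome; used to
# classify real output once you run the probes by hand. Checked in this order
# so a 'fragmentation needed' line is never mistaken for a reply.
PING_PATTERNS = [
    ("frag-needed", re.compile(r"needs to be fragmented|Frag needed")),
    ("reply",       re.compile(r"^Reply from|^\d+ bytes from")),
    ("timeout",     re.compile(r"Request timed out|100% packet loss")),
]


def classify_ping(output):
    for label, pat in PING_PATTERNS:
        if any(pat.search(line) for line in output.splitlines()):
            return label
    return "unknown"


def simulated_path(path_mtu=PPPOE_MTU, black_hole=True):
    """Model of a path whose narrowest link is `path_mtu`. A healthy path answers
    oversize DF packets with ICMP 'fragmentation needed'; a black-hole path drops
    them silently, so path MTU discovery never learns the real limit."""
    def probe(total_size):
        if total_size <= path_mtu:
            return "reply"
        return "timeout" if black_hole else "frag-needed"
    return probe


def find_path_mtu(probe, low=576, high=ETHERNET_MTU):
    """Binary search for the largest DF packet the path passes. `low` is assumed
    to work (576 bytes is the IPv4 minimum every host must accept)."""
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid) == "reply":
            low = mid
        else:
            high = mid - 1
    return low


def diagnose(probe, link_mtu=ETHERNET_MTU):
    pmtu = find_path_mtu(probe, high=link_mtu)
    result = {"path_mtu": pmtu, "ping_payload": ping_payload_for(pmtu),
              "mss_clamp": mss_for(pmtu)}
    if pmtu == link_mtu:
        result["verdict"] = "full-size frames pass; MTU is not the problem"
    elif probe(link_mtu) == "frag-needed":
        result["verdict"] = "ICMP too-big arrives; PMTUD should cope"
    else:
        result["verdict"] = "PMTU black hole: oversize DF packets vanish; clamp MSS"
    return result


if __name__ == "__main__":
    print(diagnose(simulated_path()))
    print(classify_ping("Packet needs to be fragmented but DF set."))
```

By hand the probe is `ping -f -l 1464 www.ebay.co.uk` on Windows (or `ping -M do -s 1464` on Linux): a reply means 1492-byte packets pass, "Packet needs to be fragmented but DF set" means the path is honest about its limit, and a plain "Request timed out" when a smaller ping works is the black hole. The fix on a 1841 is to stop the hosts ever sending segments that big: `ip tcp adjust-mss 1452` on the LAN interface (the value for a 1492-byte path, per `mss_for`) and `ip mtu 1492` on the PPPoE dialer interface, both existing IOS commands; the numbers change if the measured path MTU differs.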
 

Author Comment

by:andrewprouse
ID: 38418980
Ok...so I factory reset the router and built a new config back up with as few entries as possible which worked....for a day.

The next day some clients were struggling to access the internet and some pings to external servers weren't getting through (or back) which was working fine the previous day (following the factory reset).  

We've put this down to a faulty router and currently have a new one on order.

I really appreciate all of your help, I guess that this was just faulty hardware.

Cheers, Andy
0
