Solved

Network Problem!!!!

Posted on 2013-11-07
14
413 Views
Last Modified: 2013-11-18
I have a remote clinic that can't connect to a certain web-based application on the wired network. However, this clinic can connect via the wireless guest network. I don't see any access-list that explicitly blocks the public IP address of the web-based application. I can ping the application and traceroute out to the web-based application's network.

I contacted the Palo Alto firewall team and they stated they don't see the public IP addresses of the web-based app traversing the firewall.

The clinic can access all other web-sites and intranet sites.  

My core switch, which is in the DMZ, forwards outbound internet traffic through a Palo Alto firewall.  Traffic leaves the firewall and goes through another switch which has a connection out to the internet.

Does anyone have any ideas?
0
Comment
Question by:Evolutionzz
14 Comments
 

Assisted Solution

by:Malay Upadhyay
Malay Upadhyay earned 72 total points
ID: 39632735
Hi,

Could you please check the MTU configured on the core switch interface against the one configured on the wireless guest network interfaces? Also, please do a traceroute from the PC to the site, and see where the packet drops out.
0
 

Author Comment

by:Evolutionzz
ID: 39633164
I did traceroutes and the packets are dropping out in the web-based application's network. I will check MTU and get back to you.
0
 

Author Comment

by:Evolutionzz
ID: 39633305
MTU is set at 1500 on the core switch.  No MTU information is available on the INET switch, which is the switch that connects to the internet.  I don't have the rights to check the Palo Alto settings.
0
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 286 total points
ID: 39633957
I have a remote clinic that can't connect to a certain web-based application on the wired network.
It would be good to know what "remote" means here.  
- connected via VPN or MPLS link
- accessing strictly via internet like anyone else
so, I'm not sure what "wired" network means here.  Do you mean the LAN or something beyond the LAN?
How can a "remote" site get access to a local wireless network? Is it just across the street or....?
0
 

Author Comment

by:Evolutionzz
ID: 39633984
It's an MPLS connection back to the main hub. Wired means LAN.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 142 total points
ID: 39635037
Is the web-based application network run internally (intranet) or externally (internet)?

Compare the hubs between the public and local LAN. Identify the last router the LAN gets to before it drops. On the public LAN, identify the router after the one you saw last from the traceroute on the LAN. This router most likely has an access-list that blocks the wired LAN or does not have the wired LAN in the list of permitted subnets.
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 286 total points
ID: 39635205
How can a "remote" site get access to a local wireless network? Is it just across the street or....?
0
 

Author Comment

by:Evolutionzz
ID: 39635208
All the remote sites' wireless APs connect back to the WLC at the hub via MPLS. All sites broadcast the same SSIDs.
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 286 total points
ID: 39635299
So the wireless access points connect via the MPLS *separate* from the remote LAN(s)?
0
 

Author Comment

by:Evolutionzz
ID: 39635732
The wireless has nothing to do with the underlying issue. The issue is I can't connect to a web-based application via the LAN. Don't focus so much on the wireless.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 142 total points
ID: 39635833
Save yourself some time and identify where the traffic drops and start your troubleshooting there. Otherwise, everything else would be guesswork.

Have you traced the routes?
0
 

Author Comment

by:Evolutionzz
ID: 39635874
Yes, I've traced out and pinged to the web-based application's public IP address, which means I have routes out and back. The problem must be that the firewall is allowing ICMP but not HTTPS to this site.
0
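Ping and traceroute only show that ICMP gets through, so the distinction raised in the comment above can be tested directly. The following is an added example, not part of the original thread: it reports the stage at which an HTTPS connection stops, and the function name `probe_https`, its state labels and the optional `source_ip` argument (to run the same probe from the wired and the wireless address) are assumptions made for illustration.

```python
import errno
import socket
import ssl
import sys

TIMEOUTS = (socket.timeout, TimeoutError)

def probe_https(host, port=443, timeout=3.0, source_ip=None):
    """Return the stage at which an HTTPS connection to host:port stops."""
    # source_ip selects the local address to send from, e.g. the wired LAN one.
    src = (source_ip, 0) if source_ip else None
    try:
        sock = socket.create_connection((host, port), timeout=timeout,
                                        source_address=src)
    except TIMEOUTS:
        return "tcp-filtered"        # SYN got no answer: silent drop on the path
    except ConnectionRefusedError:
        return "tcp-refused"         # RST came back: closed port or reject rule
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no-route"        # routing problem rather than a port filter
        raise
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls-ok"          # path is clean up to the application
    except TIMEOUTS:
        return "tls-timeout"         # TCP opened, then the data went unanswered
    except ssl.SSLCertVerificationError:
        return "tls-cert-untrusted"  # something answered with an unexpected cert
    except OSError:
        return "tls-aborted"         # reset or EOF during the handshake
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: python probe.py <host> [source_ip]; run once per source network.
    target = sys.argv[1]
    source = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, probe_https(target, source_ip=source))
```

A `tcp-filtered` or `tls-timeout` result from the wired address alongside `tls-ok` from the wireless one points at a device on the wired path rather than at routing or the application itself.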
 
LVL 26

Accepted Solution

by:Fred Marshall
Fred Marshall earned 286 total points
ID: 39636313
Oh, I interpreted the question as saying:
I have a remote clinic that can't connect to a certain web-based application on the wired network but can connect to that certain web-based application via the wireless guest network.
I guess that's not an interpretation you intended (?).

It would help a lot to know the system layout. It's not very clear how things are connected/connecting.
0
 

Author Closing Comment

by:Evolutionzz
ID: 39656929
The issue was in the Palo Alto.
0

Question has a verified solution.