Solved

Networking and Spark IM

Posted on 2015-02-19
Last Modified: 2015-02-26
We recently migrated our Windows servers to a new provider. So, the IP address changed in our Cisco ASA 5505. After setting up the Spark IM client in one of our branch offices in SC, I can't contact the Spark server running on our production server. At least we can't connect from SC. We can connect from our OK office and various remote PCs. I can ping the server from inside the SC network. Spark is using port 5222. When I try to log in to Spark from an SC computer I get the error message "Can't connect to the server. Invalid name or server is not reachable".
Question by:lanterv
21 Comments
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40620148
Can you ping the server?

What does a tracert tell you? Run from OK and SC - post if you need help reading it.
0
 

Author Comment

by:lanterv
ID: 40620442
I can tracert from OK but can't copy the results.  I cannot tracert from SC.  I can ping from both networks.
0
 

Author Comment

by:lanterv
ID: 40620612
Packet trace failed.
[Attached image: ASDM packet trace results (ASDM2.jpg)]
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40622332
Compare the config for the OK route against the SC route.
Check access rules too; compare OK and SC network entries.
0
 

Author Comment

by:lanterv
ID: 40622392
Well, one is a Cisco 5505 and the other is a Sonicwall T100.  I didn't change the Sonicwall.  It just worked.  We have been using Openfire Spark for years.  It's just on a new server now.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40622412
Does DNS at SC reflect the new server IP?

Could you use tracert from a command window from SC and OK? Please cut and paste results here.
0
 

Author Comment

by:lanterv
ID: 40622489
From my PC;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     3 ms     1 ms     7 ms  192.168.12.1
  2     9 ms     8 ms     9 ms  10.34.32.1
  3    16 ms     8 ms    10 ms  COX-68-12-19-20-static.coxinet.net [68.12.19.20]
  4    11 ms    11 ms    10 ms  COX-68-12-19-10-static.coxinet.net [68.12.19.10]
  5    44 ms    45 ms    32 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  6    27 ms    28 ms    25 ms  68.105.30.22
  7    24 ms    26 ms    21 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  8    33 ms    34 ms    33 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  9    64 ms    60 ms    68 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
 10    64 ms    64 ms    67 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 11    68 ms    67 ms    65 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 12    64 ms    76 ms    64 ms  64.124.65.194.IPYX-072428-ZYO.above.net [64.124.65.194]
 13    66 ms    64 ms    65 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 14    69 ms    72 ms    67 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 15   120 ms   103 ms    80 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.


From inside OK network;

C:\Users\Administrator>tracert 208.118.249.221

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     7 ms    10 ms    20 ms  10.34.96.1
  2     7 ms     8 ms     7 ms  cox-68-12-9-58-static.coxinet.net [68.12.9.58]
  3    70 ms    58 ms    65 ms  cox-68-12-9-94-static.coxinet.net [68.12.9.94]
  4    31 ms    27 ms    28 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  5    15 ms    12 ms    16 ms  68.105.30.22
  6    20 ms    36 ms    29 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  7   114 ms    85 ms    89 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  8    52 ms    53 ms    51 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
  9    60 ms    60 ms    57 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 10    70 ms    57 ms    61 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 11    56 ms    54 ms    57 ms  64.124.65.194.ipyx-072428-zyo.above.net [64.124.65.194]
 12    74 ms    58 ms    58 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 13    62 ms    60 ms    60 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 14   128 ms   147 ms   135 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.

From inside the SC network;
C:\Users\Allworkx.TAXTALENT>tracert 208.118.249.221
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *     ^C

I'm wondering how the last tracert resolved 208.118.249.221 to web003.taxtalent.com.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40623000
Where are your router/firewalls in relation?

And you are able to ping web003 from the SC Network?

Can you ping/tracert from the router/firewall @ SC?
0
 

Author Comment

by:lanterv
ID: 40623450
I can ping from any SC source.  I cannot tracert.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40623809
SC has the ASA?

Does it still have the config for the old server?

Either replace the IP or recreate the same set of rules for the new server IP.

Since you can ping it but not tracert, maybe this is related?

http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/Q_26451082.html
0

 

Author Comment

by:lanterv
ID: 40624961
To be clear;  Web003 is just another public web server that happens to have our IM service on it.  The same was true prior to the move to another provider.  In SC there is a router/switch that is supposed to failover between 2 internet ISPs. Then there is the Cisco ASA5505 then the rest of the network.  I can't see anything that should change on the 5505 just because we change the ip address of the IM service.  The link above is probably correct that tracert is fixed in later versions of software,  but I don't really care about tracert.  I'm trying to find out why traffic to/from a network PC is denied using the Spark IM client on port 5222.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40625903
Right.

We are troubleshooting the TCP/IP Transport layer.  https://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx

Before you moved your service to another IP it worked from everywhere. When the IP for the service was changed it no longer works from your SC location. Since you can ping from your SC location, the issue is in the Application layer with other UDP/TCP ports getting to your IM Service.

Incoming/outgoing ports are controlled by the firewalls in your environment. We are trying to determine where the communication is failing.

Here are some ideas -
Since all your desktops are having issues - is there a GPO controlling the firewalls of your desktops that was set for your old server and is also probably blocking tracert?
The ASA at the SC location includes a rule for allowing IM traffic to old server location, which now does not include the new server IP. The ASA may also be blocking tracert.
0
 

Author Comment

by:lanterv
ID: 40632265
I installed Wireshark on the server.  It shows traffic for port 5222.  It ends up as port 9090.  But if it comes from SC no response is sent.  I discovered that it doesn't make any difference whether it comes from inside my network or not.  A private PC in Charleston gets the same results as one inside my network.  Now that's strange.
0
 

Author Comment

by:lanterv
ID: 40632266
I installed Wireshark because I'm not getting any response from Media3, our server provider.  What fun!
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40633374
You are seeing IM traffic from SC on your IM server?

Port 9090 looks to be the management port for the server.

What are the results of tracert from web003 server to SC?

This link shows how to enable traceroute on the ASA:
http://www.starcoder.com/wordpress/2011/03/enabling-ping-and-traceroute-on-the-cisco-asa-5505/

We need the route information from web003 to SC - SC to web003 to see where the break in connection is.

You can also use 'telnet web003.taxtalent.com 5222' and Wireshark the results from that.
0
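Ping succeeding while Spark fails means ICMP and TCP 5222 are being treated differently somewhere between the client and the service. As an added example (not part of the thread), this Python probe performs the same test as the suggested telnet to port 5222 and labels the outcome; the function name `probe_xmpp` and the state names are assumptions of this example.

```python
import socket
import sys

XMPP_PORT = 5222  # client-to-server port named in the thread

# Opening stream header a client sends first (RFC 6120).
STREAM_OPEN = ("<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
               "xmlns='jabber:client' "
               "xmlns:stream='http://etherx.jabber.org/streams'>")


def probe_xmpp(host, port=XMPP_PORT, domain=None, timeout=3.0):
    """Return (state, detail) for one TCP probe of an XMPP listener.

    filtered    - SYN never answered: dropped by a firewall/ACL on the path or host
    refused     - RST came back: host reachable, port closed or actively rejected
    unreachable - DNS failure or a routing/ICMP error
    open-silent - TCP handshake completed, but no XMPP stream came back
    open-xmpp   - handshake completed and the server opened its stream
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "filtered", "no reply to SYN within %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "RST received"
    except OSError as exc:  # includes socket.gaierror
        return "unreachable", str(exc)
    with sock:
        try:
            sock.sendall(STREAM_OPEN.format(domain=domain or host).encode())
            reply = sock.recv(512)
        except (socket.timeout, TimeoutError):
            return "open-silent", "connected, server sent nothing"
        except OSError as exc:
            return "open-silent", "dropped after connect: %s" % exc
    if b"<stream:stream" in reply or b"<stream:error" in reply:
        return "open-xmpp", reply[:80].decode(errors="replace")
    return "open-silent", "connected, reply was empty or not XMPP"


if __name__ == "__main__":
    # Usage: python probe.py <server>  (run once from each site and compare)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, XMPP_PORT, *probe_xmpp(target))
```

A `filtered` result from one site and `open-xmpp` from another, against the same server, points at a source-address rule rather than at the client or the service.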
 

Author Comment

by:lanterv
ID: 40634094
Tracert from PC in SC (192.168.3.121) inside the network;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms  192.168.200.2
  2     4 ms     1 ms     1 ms  50-247-32-54-static.hfc.comcastbusiness.net [50.247.32.54]
  3     9 ms     8 ms     8 ms  c-73-180-89-1.hsd1.sc.comcast.net [73.180.89.1]
  4     *        *        *     Request timed out.
  5    13 ms    14 ms     8 ms  te-9-3-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.130.13]
  6     8 ms     8 ms    11 ms  te-0-7-0-11-ar04.charleston.sc.chrlstn.comcast.net [68.86.144.41]
  7    38 ms    40 ms    33 ms  te-0-5-0-0-ar02.westside.fl.jacksvil.comcast.net [68.87.164.121]
  8    48 ms    43 ms    44 ms  be-33489-cr02.56marietta.ga.ibone.comcast.net [68.86.95.49]
  9    58 ms    59 ms    62 ms  be-10014-cr01.ashburn.va.ibone.comcast.net [68.86.85.33]
 10    69 ms    59 ms    69 ms  be-10001-cr02.ashburn.va.ibone.comcast.net [68.86.85.2]
 11    75 ms    66 ms    67 ms  be-10102-cr01.newyork.ny.ibone.comcast.net [68.86.85.26]
 12   116 ms    67 ms    72 ms  xe-0-1-0-0-pe01.onesummer.ma.ibone.comcast.net [68.86.84.134]
 13    72 ms    69 ms    66 ms  as33748.onesummer.ma.ibone.comcast.net [66.208.233.22]
 14    72 ms    70 ms    68 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 15    80 ms    73 ms    73 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 16    79 ms    73 ms    70 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.
0
 

Author Comment

by:lanterv
ID: 40634112
Tracert from Web003 server hosted by Media3;

Tracing route to 50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]
over a maximum of 30 hops:

  1    29 ms    34 ms     *     67.217.106.98.static.rev.colospace.com [67.217.106.98]
  2     3 ms     3 ms     3 ms  165.ne.business.static.dsci-net.com [207.22.0.165]
  3     5 ms     9 ms     3 ms  142.ne.business.static.dsci-net.com [76.191.35.142]
  4    16 ms    13 ms     3 ms  xe-2-0-0-0-pe01.onesummer.ma.ibone.comcast.net [66.208.233.21]
  5    20 ms    18 ms    11 ms  te-0-1-0-5-cr01.newyork.ny.ibone.comcast.net [68.86.84.133]
  6    15 ms    16 ms    15 ms  be-10102-cr02.ashburn.va.ibone.comcast.net [68.86.85.25]
  7    16 ms    14 ms    15 ms  be-10001-cr01.ashburn.va.ibone.comcast.net [68.86.85.1]
  8    36 ms    28 ms    28 ms  68.86.85.34
  9    56 ms    67 ms    71 ms  be-7922-ar02.westside.fl.jacksvil.comcast.net [68.86.95.50]
 10    71 ms    62 ms    62 ms  te-0-0-0-2-ar04.charleston.sc.chrlstn.comcast.net [68.87.164.114]
 11    64 ms    63 ms    62 ms  te-9-4-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.144.42]
 12    63 ms    63 ms    63 ms  te-0-0-0-15-ur04.mtpleasant.sc.chrlstn.comcast.net [68.86.130.14]
 13    61 ms    79 ms    82 ms  te-6-1-acr02.mtpleasant.sc.chrlstn.comcast.net [68.86.131.18]
 14    69 ms    71 ms    70 ms  c-73-180-89-126.hsd1.sc.comcast.net [73.180.89.126]
 15    75 ms    70 ms    69 ms  50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]

Trace complete.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 40634149
These are ok results - not great just ok. Comcast is bouncing you around a bit - you can send these to your Tech Support contact there and they can tweak the routing for you; they may or may not do this.

Any luck with Telnet and wireshark?
0
 

Author Comment

by:lanterv
ID: 40634347
Media3 finally opened up some ports on the server and that seems to have fixed the problem.  But I still don't understand why we could log in from our Tulsa office and not our Charleston office.
0
 
LVL 13

Accepted Solution

by:
Greg Hejl earned 500 total points
ID: 40634504
The Comcast IP range might have been restricted
0
 

Author Closing Comment

by:lanterv
ID: 40634694
Thanks for your input.
0
