  • Status: Solved

Networking and Spark IM

We recently migrated our Windows servers to a new provider. So, the IP address changed in our Cisco ASA 5505. After setting up the Spark IM client in one of our branch offices in SC, I can't contact the Spark server running on our production server. At least we can't connect from SC. We can connect from our OK office and various remote PCs. I can ping the server from inside the SC network. Spark is using port 5222. When I try to log in to Spark from an SC computer I get the error message "Can't connect to the server. Invalid name or server is not reachable".
Asked by: lanterv
1 Solution
 
Greg Hejl (Principal Consultant) Commented:
Can you ping the server?

What does a tracert tell you? Run from OK and SC - post if you need help reading it.
 
lanterv (Author) Commented:
I can tracert from OK but can't copy the results.  I cannot tracert from SC.  I can ping from both networks.
 
lanterv (Author) Commented:
Packet trace failed.
[Attached image: ASDM packet trace results, ASDM2.jpg]
 
Greg Hejl (Principal Consultant) Commented:
Compare the config for the OK route against the SC route.
Check access rules too; compare OK and SC network entries.
 
lanterv (Author) Commented:
Well, one is a Cisco 5505 and the other is a Sonicwall T100.  I didn't change the Sonicwall.  It just worked.  We have been using Openfire Spark for years.  It's just on a new server now.
 
Greg Hejl (Principal Consultant) Commented:
Does DNS at SC reflect the new server IP?

Could you use tracert from a command window from SC and OK? Please cut and paste results here.
 
lanterv (Author) Commented:
From my PC;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     3 ms     1 ms     7 ms  192.168.12.1
  2     9 ms     8 ms     9 ms  10.34.32.1
  3    16 ms     8 ms    10 ms  COX-68-12-19-20-static.coxinet.net [68.12.19.20]
  4    11 ms    11 ms    10 ms  COX-68-12-19-10-static.coxinet.net [68.12.19.10]
  5    44 ms    45 ms    32 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  6    27 ms    28 ms    25 ms  68.105.30.22
  7    24 ms    26 ms    21 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  8    33 ms    34 ms    33 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  9    64 ms    60 ms    68 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
 10    64 ms    64 ms    67 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 11    68 ms    67 ms    65 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 12    64 ms    76 ms    64 ms  64.124.65.194.IPYX-072428-ZYO.above.net [64.124.65.194]
 13    66 ms    64 ms    65 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 14    69 ms    72 ms    67 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 15   120 ms   103 ms    80 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.


From inside OK network;

C:\Users\Administrator>tracert 208.118.249.221

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     7 ms    10 ms    20 ms  10.34.96.1
  2     7 ms     8 ms     7 ms  cox-68-12-9-58-static.coxinet.net [68.12.9.58]
  3    70 ms    58 ms    65 ms  cox-68-12-9-94-static.coxinet.net [68.12.9.94]
  4    31 ms    27 ms    28 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  5    15 ms    12 ms    16 ms  68.105.30.22
  6    20 ms    36 ms    29 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  7   114 ms    85 ms    89 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  8    52 ms    53 ms    51 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
  9    60 ms    60 ms    57 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 10    70 ms    57 ms    61 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 11    56 ms    54 ms    57 ms  64.124.65.194.ipyx-072428-zyo.above.net [64.124.65.194]
 12    74 ms    58 ms    58 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 13    62 ms    60 ms    60 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 14   128 ms   147 ms   135 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.

From inside the SC network;
C:\Users\Allworkx.TAXTALENT>tracert 208.118.249.221
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *     ^C

I'm wondering how the last tracert resolved 208.118.249.221 to web003.taxtalent.com.
 
Greg Hejl (Principal Consultant) Commented:
Where are your router/firewalls in relation?

And you are able to ping web003 from the SC Network?

Can you ping/tracert from the router/firewall @ SC?
 
lanterv (Author) Commented:
I can ping from any SC source.  I cannot tracert.
 
Greg Hejl (Principal Consultant) Commented:
SC has the ASA?

Does it still have the config for the old server?

Either replace the IP or recreate the same set of rules for the new server IP.

Since you can ping it but not tracert, maybe this is related?

http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/Q_26451082.html
 
lanterv (Author) Commented:
To be clear;  Web003 is just another public web server that happens to have our IM service on it.  The same was true prior to the move to another provider.  In SC there is a router/switch that is supposed to failover between 2 internet ISPs. Then there is the Cisco ASA5505 then the rest of the network.  I can't see anything that should change on the 5505 just because we change the ip address of the IM service.  The link above is probably correct that tracert is fixed in later versions of software,  but I don't really care about tracert.  I'm trying to find out why traffic to/from a network PC is denied using the Spark IM client on port 5222.
 
Greg Hejl (Principal Consultant) Commented:
Right.

We are troubleshooting the TCP/IP Transport layer.  https://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx

Before you moved your service to another IP it worked from everywhere. When the IP for the service was changed it no longer works from your SC location. Since you can ping from your SC location, the issue is in the Application layer with other UDP/TCP ports getting to your IM Service.

Incoming/outgoing ports are controlled by the firewalls in your environment. We are trying to determine where the communication is failing.

Here are some ideas -
Since all your desktops are having issues - is there a GPO controlling the firewalls of your desktops that was set for your old server and is also probably blocking tracert?
The ASA at the SC location includes a rule for allowing IM traffic to the old server location, which now does not include the new server IP. The ASA may also be blocking tracert.
 
lanterv (Author) Commented:
I installed Wireshark on the server.  It shows traffic for port 5222.  It ends up as port 9090.  But if it comes from SC no response is sent.  I discovered that it doesn't make any difference whether it comes from inside my network or not.  A private PC in Charleston gets the same results as one inside my network.  Now that's strange.
 
lanterv (Author) Commented:
I installed Wireshark because I'm not getting any response from Media3, our server provider.  What fun!
 
Greg Hejl (Principal Consultant) Commented:
You are seeing IM traffic from SC on your IM server?

Port 9090 looks to be the management port for the server.

What are the results of tracert from web003 server to SC?

This link shows how to enable traceroute on the ASA:
http://www.starcoder.com/wordpress/2011/03/enabling-ping-and-traceroute-on-the-cisco-asa-5505/

We need the route information from web003 to SC - SC to web003 to see where the break in connection is.

You can also use 'telnet web003.taxtalent.com 5222' and Wireshark the results from that.
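Added example, not part of the thread: a successful ping only shows that ICMP gets through, so this script tests the Spark/XMPP port itself and separates a silently dropped connection from an actively refused one and from a listener that accepts but never answers. The function name `probe_xmpp` and its result labels are illustrative; the stream header is the standard XMPP client opening from RFC 6120.

```python
import socket
import sys

# Opening stream header a client sends to an XMPP server (RFC 6120).
STREAM_OPEN = (
    "<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
    "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
)


def probe_xmpp(host, port=5222, domain=None, timeout=5.0):
    """Report how far a client gets towards an XMPP service on host:port.

    'dns-failure'    the name did not resolve
    'filtered'       SYN went unanswered (dropped by a firewall or the host)
    'refused'        RST came back (no listener, or an active reject rule)
    'unreachable'    the local stack or a router reported no route
    'open-no-reply'  TCP connected, but the service never answered
    'open-closed'    TCP connected, then the peer closed or reset
    'xmpp'           the service answered with its own stream header
    'open-other'     something answered, but not XMPP
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(STREAM_OPEN.format(domain=domain or host).encode())
            reply = sock.recv(4096)
        except socket.timeout:
            return "open-no-reply"
        except OSError:
            return "open-closed"
    if not reply:
        return "open-closed"
    return "xmpp" if b"<stream:stream" in reply else "open-other"


if __name__ == "__main__":
    # Usage: python probe_xmpp.py <host> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5222
    print(probe_xmpp(sys.argv[1], target_port))
```

Running it from each office and comparing the labels shows whether the difference between sites is on the network path ('filtered', 'refused') or at the service ('open-no-reply').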
 
lanterv (Author) Commented:
Tracert from PC in SC (192.168.3.121) inside the network;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms  192.168.200.2
  2     4 ms     1 ms     1 ms  50-247-32-54-static.hfc.comcastbusiness.net [50.247.32.54]
  3     9 ms     8 ms     8 ms  c-73-180-89-1.hsd1.sc.comcast.net [73.180.89.1]
  4     *        *        *     Request timed out.
  5    13 ms    14 ms     8 ms  te-9-3-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.130.13]
  6     8 ms     8 ms    11 ms  te-0-7-0-11-ar04.charleston.sc.chrlstn.comcast.net [68.86.144.41]
  7    38 ms    40 ms    33 ms  te-0-5-0-0-ar02.westside.fl.jacksvil.comcast.net [68.87.164.121]
  8    48 ms    43 ms    44 ms  be-33489-cr02.56marietta.ga.ibone.comcast.net [68.86.95.49]
  9    58 ms    59 ms    62 ms  be-10014-cr01.ashburn.va.ibone.comcast.net [68.86.85.33]
 10    69 ms    59 ms    69 ms  be-10001-cr02.ashburn.va.ibone.comcast.net [68.86.85.2]
 11    75 ms    66 ms    67 ms  be-10102-cr01.newyork.ny.ibone.comcast.net [68.86.85.26]
 12   116 ms    67 ms    72 ms  xe-0-1-0-0-pe01.onesummer.ma.ibone.comcast.net [68.86.84.134]
 13    72 ms    69 ms    66 ms  as33748.onesummer.ma.ibone.comcast.net [66.208.233.22]
 14    72 ms    70 ms    68 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 15    80 ms    73 ms    73 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 16    79 ms    73 ms    70 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.
 
lanterv (Author) Commented:
Tracert from Web003 server hosted by Media3;

Tracing route to 50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]
over a maximum of 30 hops:

  1    29 ms    34 ms     *     67.217.106.98.static.rev.colospace.com [67.217.106.98]
  2     3 ms     3 ms     3 ms  165.ne.business.static.dsci-net.com [207.22.0.165]
  3     5 ms     9 ms     3 ms  142.ne.business.static.dsci-net.com [76.191.35.142]
  4    16 ms    13 ms     3 ms  xe-2-0-0-0-pe01.onesummer.ma.ibone.comcast.net [66.208.233.21]
  5    20 ms    18 ms    11 ms  te-0-1-0-5-cr01.newyork.ny.ibone.comcast.net [68.86.84.133]
  6    15 ms    16 ms    15 ms  be-10102-cr02.ashburn.va.ibone.comcast.net [68.86.85.25]
  7    16 ms    14 ms    15 ms  be-10001-cr01.ashburn.va.ibone.comcast.net [68.86.85.1]
  8    36 ms    28 ms    28 ms  68.86.85.34
  9    56 ms    67 ms    71 ms  be-7922-ar02.westside.fl.jacksvil.comcast.net [68.86.95.50]
 10    71 ms    62 ms    62 ms  te-0-0-0-2-ar04.charleston.sc.chrlstn.comcast.net [68.87.164.114]
 11    64 ms    63 ms    62 ms  te-9-4-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.144.42]
 12    63 ms    63 ms    63 ms  te-0-0-0-15-ur04.mtpleasant.sc.chrlstn.comcast.net [68.86.130.14]
 13    61 ms    79 ms    82 ms  te-6-1-acr02.mtpleasant.sc.chrlstn.comcast.net [68.86.131.18]
 14    69 ms    71 ms    70 ms  c-73-180-89-126.hsd1.sc.comcast.net [73.180.89.126]
 15    75 ms    70 ms    69 ms  50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]

Trace complete.
 
Greg Hejl (Principal Consultant) Commented:
These are OK results - not great, just OK. Comcast is bouncing you around a bit - you can send these to your Tech Support contact there and they can tweak the routing for you; they may or may not do this.

Any luck with Telnet and wireshark?
 
lanterv (Author) Commented:
Media3 finally opened up some ports on the server and that seems to have fixed the problem.  But I still don't understand why we could log in from our Tulsa office and not our Charleston office.
 
Greg Hejl (Principal Consultant) Commented:
The Comcast IP range might have been restricted.
 
lanterv (Author) Commented:
Thanks for your input.