Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 415
  • Last Modified:

Networking and Spark IM

We recently migrated our Windows servers to a new provider.  So, the IP address changed in our Cisco ASA 5505.  After setting up the Spark IM client in one of our branch offices in SC,  I can't contact the Spark server running on our production server.  At least we can't connect from SC.  We can connect form our OK office and various remote PCs.  I can ping the server from inside the SC network.  Spark is using port 5222.   When I try to log in to Spark from an SC computer I get the error message "Can't connect to the server.  Invalid name or server is not reachable".
0
lanterv
Asked:
lanterv
  • 12
  • 9
1 Solution
 
Greg HejlCommented:
can you ping the server?

what does a tracert tell you?  run from OK and SC - post if you need help reading it
0
 
lantervAuthor Commented:
I can tracert from OK but can't copy the results.  I cannot tracert from SC.  I can ping from both networks.
0
 
lantervAuthor Commented:
Packet trace failed.ASDM packet trace resultsASDM2.jpg
0
Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
Greg HejlCommented:
compare the config for the OK route against the SC route.  
check access rules too compare OK and SC network entries
0
 
lantervAuthor Commented:
Well, one is a Cisco 5505 and the other is a Sonicwall T100.  I didn't change the Sonicwall.  It just worked.  We have been using Openfire Spark for years.  It's just on a new server now.
0
 
Greg HejlCommented:
does dns at SC reflect the new server IP?

Could you use tracert from a command window from SC and OK.  please cut and paste results here
0
 
lantervAuthor Commented:
From my PC;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     3 ms     1 ms     7 ms  192.168.12.1
  2     9 ms     8 ms     9 ms  10.34.32.1
  3    16 ms     8 ms    10 ms  COX-68-12-19-20-static.coxinet.net [68.12.19.20]
  4    11 ms    11 ms    10 ms  COX-68-12-19-10-static.coxinet.net [68.12.19.10]
  5    44 ms    45 ms    32 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  6    27 ms    28 ms    25 ms  68.105.30.22
  7    24 ms    26 ms    21 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  8    33 ms    34 ms    33 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  9    64 ms    60 ms    68 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
 10    64 ms    64 ms    67 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 11    68 ms    67 ms    65 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 12    64 ms    76 ms    64 ms  64.124.65.194.IPYX-072428-ZYO.above.net [64.124.65.194]
 13    66 ms    64 ms    65 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 14    69 ms    72 ms    67 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 15   120 ms   103 ms    80 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.


From inside OK network;

C:\Users\Administrator>tracert 208.118.249.221

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
  1     7 ms    10 ms    20 ms  10.34.96.1
  2     7 ms     8 ms     7 ms  cox-68-12-9-58-static.coxinet.net [68.12.9.58]
  3    70 ms    58 ms    65 ms  cox-68-12-9-94-static.coxinet.net [68.12.9.94]
  4    31 ms    27 ms    28 ms  dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
  5    15 ms    12 ms    16 ms  68.105.30.22
  6    20 ms    36 ms    29 ms  ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
  7   114 ms    85 ms    89 ms  ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
  8    52 ms    53 ms    51 ms  ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
  9    60 ms    60 ms    57 ms  ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
 10    70 ms    57 ms    61 ms  ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
 11    56 ms    54 ms    57 ms  64.124.65.194.ipyx-072428-zyo.above.net [64.124.65.194]
 12    74 ms    58 ms    58 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 13    62 ms    60 ms    60 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 14   128 ms   147 ms   135 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.

From inside the SC network;
C:\Users\Allworkx.TAXTALENT>tracert 208.118.249.221
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *     ^C

I'm wondering how the last tracert resolved 208.118.249.221 to web003.taxtalent.com.
0
 
Greg HejlCommented:
where are your router/firewalls in relation?

And you are able to ping web003 from the SC Network?

Can you ping/tracert from the router/firewall @ SC?
0
 
lantervAuthor Commented:
I can ping from any SC source.  I cannot tracert.
0
 
Greg HejlCommented:
SC has the ASA?

does it still have the the config from for the old server?

Either replace the IP or recreate the same set of rules for the new server IP.

Since you can ping it but not tracert, maybe this is related?

http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/Q_26451082.html
0
 
lantervAuthor Commented:
To be clear;  Web003 is just another public web server that happens to have our IM service on it.  The same was true prior to the move to another provider.  In SC there is a router/switch that is supposed to failover between 2 internet ISPs. Then there is the Cisco ASA5505 then the rest of the network.  I can't see anything that should change on the 5505 just because we change the ip address of the IM service.  The link above is probably correct that tracert is fixed in later versions of software,  but I don't really care about tracert.  I'm trying to find out why traffic to/from a network PC is denied using the Spark IM client on port 5222.
0
 
Greg HejlCommented:
Right.

We are troubleshooting the TCP/IP Transport layer.  https://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx

before you moved your service to another IP it worked from everywhere.  when the IP for the service was changed it no longer works from your SC location.  since you can ping from your SC location, the issue is in the Application layer with other UDP/TCP ports getting to your IM Service.

Incoming/outgoing ports are controlled by the firewalls in your environment.  we are trying to determine where the communication is failing.

Here are some ideas -
Since all your desktops are having issue - is there a GPO controlling the firewalls of your desktops that was set for your old server and is also probably blocking tracert.
The ASA at the SC location includes a rule for allowing IM traffic to old server location, which now does not include the new server IP.  the ASA may also be blocking tracert.
0
 
lantervAuthor Commented:
I installed Wireshark on the server.  It shows traffic for port 5222.  It ends up as port 9090.  But if it comes from SC no response is sent.  I discovered that it doesn't make any difference whether it comes from inside my network or not.  A private PC in Charleston gets the same results as one inside my network.  Now that's strange.
0
 
lantervAuthor Commented:
I installed Wireshark because I'm not getting any response from Media3, our server provider.  What fun!
0
 
Greg HejlCommented:
you are seeing IM traffic from SC on your IM server?

Port 9090 looks to be the management port for the server.

What are the results of tracert from web003 server to SC?

This link shows how to enable traceroute on the ASA:
http://www.starcoder.com/wordpress/2011/03/enabling-ping-and-traceroute-on-the-cisco-asa-5505/

We need the route information from web003 to SC - SC to web003 to see where the break in connection is.

You can also use 'telnet web003.taxtalent.com 5222' and wireshark the results from that.
0
 
lantervAuthor Commented:
Tracert from PC in SC (192.168.3.121) inside the network ;

Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms  192.168.200.2
  2     4 ms     1 ms     1 ms  50-247-32-54-static.hfc.comcastbusiness.net [50.247.32.54]
  3     9 ms     8 ms     8 ms  c-73-180-89-1.hsd1.sc.comcast.net [73.180.89.1]
  4     *        *        *     Request timed out.
  5    13 ms    14 ms     8 ms  te-9-3-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.130.13]
  6     8 ms     8 ms    11 ms  te-0-7-0-11-ar04.charleston.sc.chrlstn.comcast.net [68.86.144.41]
  7    38 ms    40 ms    33 ms  te-0-5-0-0-ar02.westside.fl.jacksvil.comcast.net [68.87.164.121]
  8    48 ms    43 ms    44 ms  be-33489-cr02.56marietta.ga.ibone.comcast.net [68.86.95.49]
  9    58 ms    59 ms    62 ms  be-10014-cr01.ashburn.va.ibone.comcast.net [68.86.85.33]
 10    69 ms    59 ms    69 ms  be-10001-cr02.ashburn.va.ibone.comcast.net [68.86.85.2]
 11    75 ms    66 ms    67 ms  be-10102-cr01.newyork.ny.ibone.comcast.net [68.86.85.26]
 12   116 ms    67 ms    72 ms  xe-0-1-0-0-pe01.onesummer.ma.ibone.comcast.net [68.86.84.134]
 13    72 ms    69 ms    66 ms  as33748.onesummer.ma.ibone.comcast.net [66.208.233.22]
 14    72 ms    70 ms    68 ms  141.ne.business.static.dsci-net.com [76.191.35.141]
 15    80 ms    73 ms    73 ms  166.ne.business.static.dsci-net.com [207.22.0.166]
 16    79 ms    73 ms    70 ms  web003.taxtalent.com [208.118.249.221]

Trace complete.
0
 
lantervAuthor Commented:
Tracert from Web003 server hosted by Media3;

Tracing route to 50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]
over a maximum of 30 hops:

  1    29 ms    34 ms     *     67.217.106.98.static.rev.colospace.com [67.217.106.98]
  2     3 ms     3 ms     3 ms  165.ne.business.static.dsci-net.com [207.22.0.165]
  3     5 ms     9 ms     3 ms  142.ne.business.static.dsci-net.com [76.191.35.142]
  4    16 ms    13 ms     3 ms  xe-2-0-0-0-pe01.onesummer.ma.ibone.comcast.net [66.208.233.21]
  5    20 ms    18 ms    11 ms  te-0-1-0-5-cr01.newyork.ny.ibone.comcast.net [68.86.84.133]
  6    15 ms    16 ms    15 ms  be-10102-cr02.ashburn.va.ibone.comcast.net [68.86.85.25]
  7    16 ms    14 ms    15 ms  be-10001-cr01.ashburn.va.ibone.comcast.net [68.86.85.1]
  8    36 ms    28 ms    28 ms  68.86.85.34
  9    56 ms    67 ms    71 ms  be-7922-ar02.westside.fl.jacksvil.comcast.net [68.86.95.50]
 10    71 ms    62 ms    62 ms  te-0-0-0-2-ar04.charleston.sc.chrlstn.comcast.net [68.87.164.114]
 11    64 ms    63 ms    62 ms  te-9-4-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.144.42]
 12    63 ms    63 ms    63 ms  te-0-0-0-15-ur04.mtpleasant.sc.chrlstn.comcast.net [68.86.130.14]
 13    61 ms    79 ms    82 ms  te-6-1-acr02.mtpleasant.sc.chrlstn.comcast.net [68.86.131.18]
 14    69 ms    71 ms    70 ms  c-73-180-89-126.hsd1.sc.comcast.net [73.180.89.126]
 15    75 ms    70 ms    69 ms  50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]

Trace complete.
0
 
Greg HejlCommented:
These are ok results - not great just ok.  Comcast is bouncing you around a bit - you can send these to your Tech Support contact there and they can tweak the routing for you,  they may or may not do this.

Any luck with Telnet and wireshark?
0
 
lantervAuthor Commented:
Media3 finally opened up some ports on the server and that seems to have fixed the problem.  But I still don't understand why we could log in from our Tulsa office and not our Charleston office.
0
 
Greg HejlCommented:
The Comcast IP range might have been restricted
0
 
lantervAuthor Commented:
Thanks for you input.
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

  • 12
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now