lanterv
asked on
Networking and Spark IM
We recently migrated our Windows servers to a new provider. So, the IP address changed in our Cisco ASA 5505. After setting up the Spark IM client in one of our branch offices in SC, I can't contact the Spark server running on our production server. At least we can't connect from SC. We can connect from our OK office and various remote PCs. I can ping the server from inside the SC network. Spark is using port 5222. When I try to log in to Spark from an SC computer I get the error message "Can't connect to the server. Invalid name or server is not reachable".
ASKER
I can tracert from OK but can't copy the results. I cannot tracert from SC. I can ping from both networks.
ASKER
Packet trace failed. (Attachment: ASDM2.jpg)
compare the config for the OK route against the SC route.
check access rules too compare OK and SC network entries
ASKER
Well, one is a Cisco 5505 and the other is a Sonicwall T100. I didn't change the Sonicwall. It just worked. We have been using Openfire Spark for years. It's just on a new server now.
does dns at SC reflect the new server IP?
Could you use tracert from a command window from SC and OK. please cut and paste results here
ASKER
From my PC;
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
1 3 ms 1 ms 7 ms 192.168.12.1
2 9 ms 8 ms 9 ms 10.34.32.1
3 16 ms 8 ms 10 ms COX-68-12-19-20-static.coxinet.net [68.12.19.20]
4 11 ms 11 ms 10 ms COX-68-12-19-10-static.coxinet.net [68.12.19.10]
5 44 ms 45 ms 32 ms dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
6 27 ms 28 ms 25 ms 68.105.30.22
7 24 ms 26 ms 21 ms ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
8 33 ms 34 ms 33 ms ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
9 64 ms 60 ms 68 ms ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
10 64 ms 64 ms 67 ms ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
11 68 ms 67 ms 65 ms ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
12 64 ms 76 ms 64 ms 64.124.65.194.IPYX-072428-ZYO.above.net [64.124.65.194]
13 66 ms 64 ms 65 ms 141.ne.business.static.dsci-net.com [76.191.35.141]
14 69 ms 72 ms 67 ms 166.ne.business.static.dsci-net.com [207.22.0.166]
15 120 ms 103 ms 80 ms web003.taxtalent.com [208.118.249.221]
Trace complete.
From inside OK network;
C:\Users\Administrator>tracert 208.118.249.221
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
1 7 ms 10 ms 20 ms 10.34.96.1
2 7 ms 8 ms 7 ms cox-68-12-9-58-static.coxinet.net [68.12.9.58]
3 70 ms 58 ms 65 ms cox-68-12-9-94-static.coxinet.net [68.12.9.94]
4 31 ms 27 ms 28 ms dalsbprj01-ae1.0.rd.dl.cox.net [68.1.2.109]
5 15 ms 12 ms 16 ms 68.105.30.22
6 20 ms 36 ms 29 ms ae7.cr2.dfw2.us.zip.zayo.com [64.125.20.233]
7 114 ms 85 ms 89 ms ae2.cr2.iah1.us.zip.zayo.com [64.125.21.62]
8 52 ms 53 ms 51 ms ae14.cr2.dca2.us.zip.zayo.com [64.125.21.53]
9 60 ms 60 ms 57 ms ae8.mpr4.bos2.us.zip.zayo.com [64.125.29.33]
10 70 ms 57 ms 61 ms ae2.mpr3.bos2.us.zip.zayo.com [64.125.25.41]
11 56 ms 54 ms 57 ms 64.124.65.194.ipyx-072428-zyo.above.net [64.124.65.194]
12 74 ms 58 ms 58 ms 141.ne.business.static.dsci-net.com [76.191.35.141]
13 62 ms 60 ms 60 ms 166.ne.business.static.dsci-net.com [207.22.0.166]
14 128 ms 147 ms 135 ms web003.taxtalent.com [208.118.249.221]
Trace complete.
From inside the SC network;
C:\Users\Allworkx.TAXTALENT>tracert 208.118.249.221
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * ^C
I'm wondering how the last tracert resolved 208.118.249.221 to web003.taxtalent.com.
where are your router/firewalls in relation?
And you are able to ping web003 from the SC Network?
Can you ping/tracert from the router/firewall @ SC?
ASKER
I can ping from any SC source. I cannot tracert.
SC has the ASA?
does it still have the config for the old server?
Either replace the IP or recreate the same set of rules for the new server IP.
Since you can ping it but not tracert, maybe this is related?
https://www.experts-exchange.com/questions/26451082/ASA-5505-Allows-Pings-but-NOT-Trace-Route.html
ASKER
To be clear; Web003 is just another public web server that happens to have our IM service on it. The same was true prior to the move to another provider. In SC there is a router/switch that is supposed to failover between 2 internet ISPs. Then there is the Cisco ASA5505 then the rest of the network. I can't see anything that should change on the 5505 just because we change the ip address of the IM service. The link above is probably correct that tracert is fixed in later versions of software, but I don't really care about tracert. I'm trying to find out why traffic to/from a network PC is denied using the Spark IM client on port 5222.
Right.
We are troubleshooting the TCP/IP Transport layer. https://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx
before you moved your service to another IP it worked from everywhere. when the IP for the service was changed it no longer works from your SC location. since you can ping from your SC location, the issue is in the Application layer with other UDP/TCP ports getting to your IM Service.
Incoming/outgoing ports are controlled by the firewalls in your environment. we are trying to determine where the communication is failing.
Here are some ideas -
Since all your desktops are having issue - is there a GPO controlling the firewalls of your desktops that was set for your old server and is also probably blocking tracert.
The ASA at the SC location includes a rule for allowing IM traffic to old server location, which now does not include the new server IP. the ASA may also be blocking tracert.
ASKER
I installed Wireshark on the server. It shows traffic for port 5222. It ends up as port 9090. But if it comes from SC no response is sent. I discovered that it doesn't make any difference whether it comes from inside my network or not. A private PC in Charleston gets the same results as one inside my network. Now that's strange.
ASKER
I installed Wireshark because I'm not getting any response from Media3, our server provider. What fun!
you are seeing IM traffic from SC on your IM server?
Port 9090 looks to be the management port for the server.
What are the results of tracert from web003 server to SC?
This link shows how to enable traceroute on the ASA:
http://www.starcoder.com/wordpress/2011/03/enabling-ping-and-traceroute-on-the-cisco-asa-5505/
We need the route information from web003 to SC - SC to web003 to see where the break in connection is.
You can also use 'telnet web003.taxtalent.com 5222' and wireshark the results from that.
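The telnet test suggested above, as an added example that is not part of the original thread: a Python probe that separates a silently dropped SYN, a refused connection, and a port that accepts TCP but never answers XMPP, which is the distinction a successful ping cannot make. The function name `probe_xmpp` and its result labels are assumptions of this example.

```python
import socket
import sys

XMPP_PORT = 5222  # client-to-server port named in the thread


def probe_xmpp(host, port=XMPP_PORT, domain=None, timeout=5.0):
    """Classify how far a client connection to an XMPP server gets.

    Returns one of (labels are this example's own):
      "filtered"    - no answer to the SYN; something on the path drops it
      "refused"     - RST came back; host reachable, port closed or rejected
      "unreachable" - name resolution or routing failed locally
      "open-silent" - TCP handshake completed but no XMPP reply arrived
      "xmpp"        - the server answered the stream header
    """
    # Standard XMPP client stream opening (RFC 6120).
    header = (
        "<?xml version='1.0'?>"
        "<stream:stream to='%s' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
        % (domain or host)
    ).encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(header)
            reply = sock.recv(4096)
        except OSError:  # includes a read timeout
            return "open-silent"
    return "xmpp" if b"stream" in reply else "open-silent"


if __name__ == "__main__":
    # Usage: python probe_xmpp.py <host> [xmpp-domain]
    target = sys.argv[1]
    xmpp_domain = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, probe_xmpp(target, domain=xmpp_domain))
```

Running it from each site and comparing the labels shows whether the failure is a drop on the path, a reject at the host, or a service that is not answering.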
ASKER
Tracert from PC in SC (192.168.3.121) inside the network ;
Tracing route to web003.taxtalent.com [208.118.249.221]
over a maximum of 30 hops:
1 2 ms <1 ms 1 ms 192.168.200.2
2 4 ms 1 ms 1 ms 50-247-32-54-static.hfc.comcastbusiness.net [50.247.32.54]
3 9 ms 8 ms 8 ms c-73-180-89-1.hsd1.sc.comcast.net [73.180.89.1]
4 * * * Request timed out.
5 13 ms 14 ms 8 ms te-9-3-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.130.13]
6 8 ms 8 ms 11 ms te-0-7-0-11-ar04.charleston.sc.chrlstn.comcast.net [68.86.144.41]
7 38 ms 40 ms 33 ms te-0-5-0-0-ar02.westside.fl.jacksvil.comcast.net [68.87.164.121]
8 48 ms 43 ms 44 ms be-33489-cr02.56marietta.ga.ibone.comcast.net [68.86.95.49]
9 58 ms 59 ms 62 ms be-10014-cr01.ashburn.va.ibone.comcast.net [68.86.85.33]
10 69 ms 59 ms 69 ms be-10001-cr02.ashburn.va.ibone.comcast.net [68.86.85.2]
11 75 ms 66 ms 67 ms be-10102-cr01.newyork.ny.ibone.comcast.net [68.86.85.26]
12 116 ms 67 ms 72 ms xe-0-1-0-0-pe01.onesummer.ma.ibone.comcast.net [68.86.84.134]
13 72 ms 69 ms 66 ms as33748.onesummer.ma.ibone.comcast.net [66.208.233.22]
14 72 ms 70 ms 68 ms 141.ne.business.static.dsci-net.com [76.191.35.141]
15 80 ms 73 ms 73 ms 166.ne.business.static.dsci-net.com [207.22.0.166]
16 79 ms 73 ms 70 ms web003.taxtalent.com [208.118.249.221]
Trace complete.
ASKER
Tracert from Web003 server hosted by Media3;
Tracing route to 50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]
over a maximum of 30 hops:
1 29 ms 34 ms * 67.217.106.98.static.rev.colospace.com [67.217.106.98]
2 3 ms 3 ms 3 ms 165.ne.business.static.dsci-net.com [207.22.0.165]
3 5 ms 9 ms 3 ms 142.ne.business.static.dsci-net.com [76.191.35.142]
4 16 ms 13 ms 3 ms xe-2-0-0-0-pe01.onesummer.ma.ibone.comcast.net [66.208.233.21]
5 20 ms 18 ms 11 ms te-0-1-0-5-cr01.newyork.ny.ibone.comcast.net [68.86.84.133]
6 15 ms 16 ms 15 ms be-10102-cr02.ashburn.va.ibone.comcast.net [68.86.85.25]
7 16 ms 14 ms 15 ms be-10001-cr01.ashburn.va.ibone.comcast.net [68.86.85.1]
8 36 ms 28 ms 28 ms 68.86.85.34
9 56 ms 67 ms 71 ms be-7922-ar02.westside.fl.jacksvil.comcast.net [68.86.95.50]
10 71 ms 62 ms 62 ms te-0-0-0-2-ar04.charleston.sc.chrlstn.comcast.net [68.87.164.114]
11 64 ms 63 ms 62 ms te-9-4-ur02.mtpleasant.sc.chrlstn.comcast.net [68.86.144.42]
12 63 ms 63 ms 63 ms te-0-0-0-15-ur04.mtpleasant.sc.chrlstn.comcast.net [68.86.130.14]
13 61 ms 79 ms 82 ms te-6-1-acr02.mtpleasant.sc.chrlstn.comcast.net [68.86.131.18]
14 69 ms 71 ms 70 ms c-73-180-89-126.hsd1.sc.comcast.net [73.180.89.126]
15 75 ms 70 ms 69 ms 50-247-32-49-static.hfc.comcastbusiness.net [50.247.32.49]
Trace complete.
These are ok results - not great just ok. Comcast is bouncing you around a bit - you can send these to your Tech Support contact there and they can tweak the routing for you, they may or may not do this.
Any luck with Telnet and wireshark?
ASKER
Media3 finally opened up some ports on the server and that seems to have fixed the problem. But I still don't understand why we could log in from our Tulsa office and not our Charleston office.
ASKER
Thanks for your input.
what does a tracert tell you? run from OK and SC - post if you need help reading it