One website will not load on all machines on the same network

Adam D
Hello.

Setup:  Comcast -> ASA5505 -> Switch -> Windows Server 2016 Standard -> Computers
Setup2: Comcast -> Wireless Router -> Computers

With no changes to the ASA5505 in a long time, I have one website that will not load on any wired computer (Windows 7 / Windows 10) with an error of timing out.  Any computer using the wireless connection or outside the building works fine for this one website.  Again, no changes to the setup in a very long time.

Even if I manually change the DNS servers to 8.8.8.8 on a locally wired machine, it still will not load this website.

It will not work on the server either.  The DNS forwarders are 8.8.8.8 and 8.8.4.4

nslookup DOES find a non-authoritative answer (IP) for the website.

Website:  ebshome.org

All other sites appear to be working fine on all machines.

Thoughts?  Thanks.
ste5an (Senior Developer)

Commented:
Well, I would look at the ASA logs first... then, when "Windows Server 2016 Standard" in your chain indicates a proxy, the logs on that machine.
Adam D (IT Solutions Developer)

Author

Commented:
Thanks ste5an.  

I started going through the logs to see if I could find the problem then had some other issues to deal with, but I will go back to it.

However, since, as stated, nothing (really! :D) has changed in the configuration of either the server or the firewall in many months and I am the only one that controls it, what could cause this type of problem?  All other sites work fine, no traffic flow problems.  Just this one site "out of the blue."

Something has changed.  Thanks.
ste5an (Senior Developer)

Commented:
Well, the first thing I would think of is the botnet traffic filter, which gets updated automatically. Then when identity based FW is active, then maybe something changed on your Windows Server.

Last but not least, since when does this happen?

Is your ASA affected by the IOS expired self-signed cert disaster?
Adam D (IT Solutions Developer)

Author

Commented:
Unfortunately I cannot say when this started, I was just informed of this yesterday.

I don't believe I have the IOS expired problem, but I'll check; however, based on the information in that article it appears all HTTPS traffic would be affected and I only have a problem with this one site.

I am speculating the server doesn't know this site is external and/or doesn't know how to find it?

But, why one site? Why this particular site?  It is "their" site but it has nothing to do with the local domain (ebs.com) and is not hosted at the location (it is a GoDaddy site).

It must be something either with the Firewall or Server since going through the wireless bypasses both and the site works fine outside the network.
Distinguished Expert 2017

Commented:
Is this your own internally hosted domain?
Double check the IP to which the wired is being pointed to and the wireless.


Sounds as though your issue is that the ASA is blocking the wired connection from coming back on itself, which is commonly the configuration.
David Favor (Fractional CTO)
Distinguished Expert 2018
Commented:
https://mxtoolbox.com/SuperTool.aspx?action=dns%3aebshome.org&run=toolpage shows DNS is consistent.

Best define what "Website won't load" might mean.

Provide the exact error message.

Tip: To debug this, you'll have to debug your Website access on one of the problem computers.

You'll check DNS. Firewall settings. Fail2Ban/iptables on your site (as this site appears to be running a LAMP Stack). Also check to ensure all your routes are correct.
Adam D (IT Solutions Developer)

Author

Commented:
Website error
Adam D (IT Solutions Developer)

Author

Commented:
Here is the error on one of the affected machines.  

The site DOES work outside the network.  The staff are not sure when it last worked, but it had been at least 3 weeks ago.

No internal changes to the server or firewall in that time.

Possible external changes to the site (checking with developer)

It would seem the problem is internal to the network due to the behavior, but if nothing has changed internally that seems to be in contradiction to the obvious. :)

Thanks.
Distinguished Expert 2017

Commented:
Is this an internal site? Has the ASA been recently updated with newer firmware?

Verification of IPs to which the name resolves.

Something changed if this name is also the name of the AD.
New DC replaced an old one.....
Adam D (IT Solutions Developer)

Author

Commented:
This is NOT an internal site.  This is a standard website hosted on GoDaddy (external).

A new server (DC) did replace the old server BUT the domain name is NOT the same (internal domain - ebs.com) external website domain:  ebshome.org.

I did think about the DC thinking this was an internal site but they are not connected in anyway.

Maybe there is a DNS setting problem within the new server?  I have "root hints" followed up with Forwarders using 8.8.8.8 and 8.8.4.4

Remember, it is JUST this one site, no other site has a problem.

Talked with the website developer and they do not see any problem nor, of course, are they having any problems.

Thanks.
Distinguished Expert 2017

Commented:
Is this a VPS hosting the site with GoDaddy?
Do you have a VPN defined on the ASA that connects to the VPS?

Testing to determine the issue can only be done from inside and the wired system
nslookup www.ebshome.org
nslookup www.ebshome.org  8.8.8.8
Do they point to the same ip?
tracert www.ebshome.org See the path.
Try directly from the ASA telnet www.ebshome.org 80
HEAD http://www.ebshome.org HTTP/1.0
Host:
referrer:

See what you get as a response.
Adam D (IT Solutions Developer)

Author

Commented:
Thank you everyone for your help.  The problem was on the website side.  In speaking with the developer he added some type of firewall that was blocking our IP address.  Why our particular IP address I don't know, that part doesn't make any sense but after he "whitelisted" the IP everything is now good.

Doesn't really solve the problem, per se, but now that it is working the staff is happy.  :)
Distinguished Expert 2017

Commented:
An earlier comment mentioned fail2ban; an analysis of requests from your single IP might have been, and seemingly was, interpreted as a DoS, or as potentially exceeding the limit of requests per second from the same source.
Adam D (IT Solutions Developer)

Author

Commented:
Yes that is correct Arnold, which is why I marked David's comment as the solution as he had mentioned the "Fail2Ban/iptables" which led me down the path to having a deeper conversation with the website developer.  Thanks.
David Favor (Fractional CTO)
Distinguished Expert 2018

Commented:
Glad you got this figured out.

Reading over your last comments about your IP being blocked by Fail2Ban...

Sounds like you input too many wrong passwords over the Fail2Ban scan time for blocking brute-force password crack attempts.

The simple solution, so you'll never hit this again.

1) Determine your IP. In Google search, just type - what's my ip.

2) Send this IP to your developer.

3) Direct your developer to add this IP to...

/etc/fail2ban/jail.conf in the ignoreip setting.

So if your IP is say... 136.49.241.94 then your Fail2Ban setting will be...

ignoreip = 127.0.0.1/8 ::1 136.49.241.94


Keep in mind, every time your local IP changes, be sure to have your developer change ignoreip to match your new IP.
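The ban the thread ends up diagnosing (Arnold's per-source request analysis and David's ignoreip fix), as an added example that is not code from the thread or from Fail2Ban itself: a small Python replay of Fail2Ban's maxretry/findtime rule over constructed log lines. It shows why an office whose wired users all leave through one NAT address on the ASA trips a per-IP threshold while wireless users on a different connection do not, and how an ignoreip entry exempts that address. The log lines, the address 203.0.113.10 and the thresholds are constructed placeholders, not values from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread). 203.0.113.10 stands in
# for the office's single NAT address behind the ASA: every wired user's
# failed login reaches the web host as coming from this one IP.
SAMPLE_LOG = """\
Mar 03 09:00:01 web sshd[101]: Failed password for admin from 203.0.113.10 port 51001 ssh2
Mar 03 09:00:05 web sshd[102]: Failed password for admin from 203.0.113.10 port 51002 ssh2
Mar 03 09:00:09 web sshd[103]: Failed password for editor from 203.0.113.10 port 51003 ssh2
Mar 03 09:00:12 web sshd[104]: Failed password for editor from 203.0.113.10 port 51004 ssh2
Mar 03 09:00:20 web sshd[105]: Failed password for editor from 203.0.113.10 port 51005 ssh2
Mar 03 09:30:00 web sshd[106]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) .*Failed password .* from (\S+) port")


def parse_ignoreip(setting):
    """Turn an ignoreip value (space-separated IPs and CIDRs) into networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in setting.split()]


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_bans(log_text, ignoreip="", maxretry=5, findtime=600):
    """Replay the jail rule: maxretry failures from one source IP within
    findtime seconds -> ban. Returns {ip: timestamp of the ban}."""
    ignored = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans or is_ignored(ip, ignored):
            continue
        # keep only failures still inside the sliding findtime window
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))                                  # NAT address banned
    print(find_bans(SAMPLE_LOG, "127.0.0.1/8 ::1 203.0.113.10"))  # exempted by ignoreip
```

The other remote address has a single failure and is never banned; the same five failures spread across five wireless users would each have arrived from a different source and stayed under the threshold.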