This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange problem - some sites working, some not

Hi,

I have a strange problem with my ASG: some websites work and some do not :-).

Finally I nailed it down to a reproducable test case:

wget -O - Microsoft Corporation

works when executed directly on the ASG in the shell, but it does not work (connection hangs for minutes) when running from any PC on the internal network, being it Windows or Linux (tried on 3 different PC's). However, acessing e.g. Google in the same way does work.

I've disabled nearly everything on the ASG except the basic firewall and NAT to rule out possible side effects or misconfigurations of other modules.

As this ASG installation at home is more or less a testbed and I'm about to setup an ASG appliance at the company soon, I'm a little bit worried :-). I've used an IPcop on the same hardware before with no problems....

My configuration is an ASG software installation on a PC, internet connectivity through ADSL (Austrian Telekom - PPTP), services on ASG except Firewall disabled, only one packet filter rule "internal -> external (any)" and the same for NAT.

hope anybody can help - best regards,
__
/homas Bleier

This thread was automatically locked due to age.

Parents

0 BAlfson over 15 years ago

Since this is a new install, Astaro support should be very interested in the situation. With the Serial number of the device, you should be able to open a ticket with Astaro so that they can look at your box.

Some questions though... You say "some websites work and some do not" - but the only manifestations you've described are linux-level. Please show the line from the full 'Content Filter (HTTP)' log where a connection from a client seemed to hang. In what mode are you running the HTTP/S Proxy? Are you scanning HTTPS? If you aren't running the proxy, please log the outbound packet filter rules for Web Surfing and DNS, then retry your experiment and show the lines from the full (not Live) PF log around your accesses.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 15 years ago

Since this is a new install, Astaro support should be very interested in the situation. With the Serial number of the device, you should be able to open a ticket with Astaro so that they can look at your box.

Some questions though... You say "some websites work and some do not" - but the only manifestations you've described are linux-level. Please show the line from the full 'Content Filter (HTTP)' log where a connection from a client seemed to hang. In what mode are you running the HTTP/S Proxy? Are you scanning HTTPS? If you aren't running the proxy, please log the outbound packet filter rules for Web Surfing and DNS, then retry your experiment and show the lines from the full (not Live) PF log around your accesses.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 tbleier over 15 years ago in reply to BAlfson

Since this is a new install, Astaro support should be very interested in the situation. With the Serial number of the device, you should be able to open a ticket with Astaro so that they can look at your box.

Since I'm using an Astaro Appliance now, I've done that already...

Some questions though... You say "some websites work and some do not" - but the only manifestations you've described are linux-level. Please show the line from the full 'Content Filter (HTTP)' log where a connection from a client seemed to hang. In what mode are you running the HTTP/S Proxy? Are you scanning HTTPS? If you aren't running the proxy, please log the outbound packet filter rules for Web Surfing and DNS, then retry your experiment and show the lines from the full (not Live) PF log around your accesses.

Cheers - Bob

What do you mean with "linux-level"? The website which I'm testing with is Microsoft Corporation, and my main machine where the wget is not working is running Windows 7 x64, but I've also tested on Windows Server 2008 R2, Windows XP and Linux (CentOS 5 to be more precise) machines.

The HTTP(/S) proxy is disabled, this was one of the first things I disable when trying to find the problem. Currently all services are disable (see screenshot below), the only thing enabled and configured is the firewall with one any->any->any rule.

I've enabled logging in this any/any/any rule, and retried the HTTP GET.

Here's the GET (on a Windows 7 x64 box):

C:\Users\thomas.HOME>wget -O - http://www.microsoft.com/

--20:48:38--  http://www.microsoft.com/

           => `-'

Resolving www.microsoft.com... done.

Connecting to www.microsoft.com[65.55.21.250]:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: /en/us/default.aspx [following]

--20:48:38--  http://www.microsoft.com/en/us/default.aspx

           => `-'

Connecting to www.microsoft.com[65.55.21.250]:80... connected.

HTTP request sent, awaiting response...

Read error (No such file or directory) in headers.

Retrying.



--20:50:48--  http://www.microsoft.com/en/us/default.aspx

  (try: 2) => `-'

^C

and here's the packet filter log


2010:05:25-20:47:07 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" dstmac="00:1a:8c:10:f3:71" srcmac="00:90[:D]0:26:9a:57" srcip="10.0.0.138" dstip="10.0.0.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="1723" dstport="36043" tcpflags="ACK RST" 

2010:05:25-20:48:34 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="212.183.102.249" dstip="212.183.80.20" proto="6" length="64" tos="0x00" prec="0x00" ttl="42" srcport="50555" dstport="135" tcpflags="SYN" 

2010:05:25-20:48:58 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="173.77.112.195" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="109" srcport="4757" dstport="2952" tcpflags="SYN" 

2010:05:25-20:48:59 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60037" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:01 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="173.77.112.195" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="109" srcport="4757" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:02 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60037" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:05 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60055" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:07 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="173.77.112.195" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="109" srcport="4757" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:07 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60037" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:08 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60055" dstport="2952" tcpflags="SYN" 

2010:05:25-20:49:14 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="69.124.251.148" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="107" srcport="60055" dstport="2952" tcpflags="SYN" 

2010:05:25-20:51:23 fw1 ulogd[3269]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" seq="0" initf="eth0" outitf="ppp0" dstmac="00:1a:8c:10:f3:70" srcmac="00:25:00:3f:aa:38" srcip="10.12.3.12" dstip="65.55.21.250" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="64742" dstport="80" tcpflags="SYN" 

2010:05:25-20:51:24 fw1 ulogd[3269]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" seq="0" initf="eth0" outitf="ppp0" dstmac="00:1a:8c:10:f3:70" srcmac="00:25:00:3f:aa:38" srcip="10.12.3.12" dstip="65.55.21.250" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="64744" dstport="80" tcpflags="SYN" 

2010:05:25-20:52:24 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="77.103.4.177" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="117" srcport="2333" dstport="2952" tcpflags="SYN" 

2010:05:25-20:52:27 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="77.103.4.177" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="117" srcport="2333" dstport="2952" tcpflags="SYN" 

2010:05:25-20:52:30 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="77.103.4.177" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="117" srcport="2334" dstport="2952" tcpflags="SYN" 

2010:05:25-20:52:33 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="77.103.4.177" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="117" srcport="2334" dstport="2952" tcpflags="SYN" 

2010:05:25-20:52:38 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="77.103.4.177" dstip="212.183.80.20" proto="6" length="48" tos="0x00" prec="0x00" ttl="117" srcport="2334" dstport="2952" tcpflags="SYN" 

2010:05:25-20:52:42 fw1 ulogd[3269]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" seq="0" initf="eth0" outitf="ppp0" dstmac="00:1a:8c:10:f3:70" srcmac="00:25:00:3f:aa:38" srcip="10.12.3.12" dstip="74.125.77.102" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="64708" dstport="80" tcpflags="ACK FIN" 

2010:05:25-20:52:44 fw1 ulogd[3269]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="ppp0" srcip="78.89.133.14" dstip="212.183.80.20" proto="17" length="124" tos="0x00" prec="0x00" ttl="112" srcport="43924" dstport="2952"

Didn't find an suspicious things in there, though...

BTW, a few more things:

I've upated to the new firmware 7.505 today, but the problem exists without any noticeable differences
Apart from the sites that are not working at all (Microsoft, and I also can't install iPhone apps, for example) other websites or internet performace in general seems much slower than before (with IPcop on the same hardware - with the ASG Software is tried before)