This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange problem - some sites working, some not

Hi,

I have a strange problem with my ASG: some websites work and some do not :-).

Finally I nailed it down to a reproducable test case:

wget -O - Microsoft Corporation

works when executed directly on the ASG in the shell, but it does not work (connection hangs for minutes) when running from any PC on the internal network, being it Windows or Linux (tried on 3 different PC's). However, acessing e.g. Google in the same way does work.

I've disabled nearly everything on the ASG except the basic firewall and NAT to rule out possible side effects or misconfigurations of other modules.

As this ASG installation at home is more or less a testbed and I'm about to setup an ASG appliance at the company soon, I'm a little bit worried :-). I've used an IPcop on the same hardware before with no problems....

My configuration is an ASG software installation on a PC, internet connectivity through ADSL (Austrian Telekom - PPTP), services on ASG except Firewall disabled, only one packet filter rule "internal -> external (any)" and the same for NAT.

hope anybody can help - best regards,
__
/homas Bleier

This thread was automatically locked due to age.

Parents

0 BAlfson over 15 years ago

Thomas, you should not be having this problem.

[RANT]
I think it's unreasonable that your company expects you to install your first Astaro customer by yourself. Every time someone in our company installed something new, he watched an installation by an experienced expert and then, on the next installation, he did the install and was watched by the expert. If we didn't have such an expert internally, I've hired an outside expert.

It's not a question of being smart; it's knowing the "tricks" of the particular solution and, more importantly, the "standard" way experts solve specific problems with the tool.
[/RANT]

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 tbleier over 15 years ago in reply to BAlfson
Thomas, you should not be having this problem.

I know :-)

[RANT]
I think it's unreasonable that your company expects you to install your first Astaro customer by yourself. Every time someone in our company installed something new, he watched an installation by an experienced expert and then, on the next installation, he did the install and was watched by the expert.  If we didn't have such an expert internally, I've hired an outside expert.

It's not a question of being smart; it's knowing the "tricks" of the particular solution and, more importantly, the "standard" way experts solve specific problems with the tool.
[/RANT]

Cheers - Bob

Well, since I'm a freelancer hired by the company for doing exactly that sort of thing, I think I'm expected to be the "expert" in this case [:D]. Joking aside - I've done various network stuff since more than 15 years and while networking is not my only focus I think I have quite reasonable experience setting up firewalls. Working with different products in the past I did not expect problems with such a basic setup with ASL - so I thought there is probably some specific thing to know with that product that somebody could tell me...

Anyway, back to the classic debugging...

What I didn't mention in the initial post: I've already ruled out DNS problems - contacting the not-working sites directly by IP did not work either on the internal net...

The packet filter live log does not show any activity when the connection fails. The "LAN -> ANY -> ANY" rule is the only packet filter rule I have, and enabling logging does not give me a clue either - it shows the connection, but still the client does not get any answer.

One more interesting thing forgot to mention in the first post: connections to not working sites like microsoft.com don't fail completely - see below:

C:\Users\thomas.HOME>wget -O - http://www.microsoft.com/
--21:17:10--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... done.
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:17:11--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response...

the client receives the 302 redirect, and then the connection hangs, with nothing coming back from the server on the second GET request. The same thing directly on the ASG works:

loginuser@fw1:/home/login > wget -O - http://www.microsoft.com
--21:22:18--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... 65.55.21.250
Connecting to www.microsoft.com|65.55.21.250|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:22:19--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Reusing existing connection to www.microsoft.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 89,906 (88K) [text/html]

0             --.--K/s             ï»¿

Doing the same with Google or most other sites works without problems on the client.

So i have dumped the packets on the ASG, and for me it looks like it's a network problem - see attached pictures. Explanation: as said before I have the internal network on eth0, with my client on IP 10.12.3.10, and the ASG on 10.12.3.1. Then I have eth1 connected to an ASDL modem (Austrian Telekom), with a PPTP connection on ppp0. The ADSL external IP is 91.115.141.34, and 207.46.19.254 is the IP of the microsoft server which I'm testing with. For me it seems as if the second GET request does not get transmitted propertly - but I don't have a clue why...

As said before - the exact same hardware was running IPcop before ASG for years without any problems.

__
/homas
- internal.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 minti over 15 years ago in reply to tbleier

Sorry sounds stupid, but are U sure to have the right MTU size set?

(I had a similar Problem on a different system and couldn't belive the solution)
Cancel
Vote Up 0 Vote Down

Cancel
0 tbleier over 15 years ago in reply to minti

Sorry sounds stupid, but are U sure to have the right MTU size set?

(I had a similar Problem on a different system and couldn't belive the solution)

Hi -thanks for the hint.

I'm not sure, but I have hoped so - on the internal Ethernet the MTU is set to 1500, and on the PPTP connection to 1492. I also tried a lower value on the PPTP interface (700), as I already thought of that myself, with no effect.

best regards,
__
/homas
Cancel
Vote Up 0 Vote Down

Cancel
0 Jan_Rusche over 14 years ago in reply to tbleier
I know :-)

Well, since I'm a freelancer hired by the company for doing exactly that sort of thing, I think I'm expected to be the "expert" in this case [:D]. Joking aside - I've done various network stuff since more than 15 years and while networking is not my only focus I think I have quite reasonable experience setting up firewalls. Working with different products in the past I did not expect problems with such a basic setup with ASL - so I thought there is probably some specific thing to know with that product that somebody could tell me...

Anyway, back to the classic debugging...

What I didn't mention in the initial post: I've already ruled out DNS problems - contacting the not-working sites directly by IP did not work either on the internal net...

The packet filter live log does not show any activity when the connection fails. The "LAN -> ANY -> ANY" rule is the only packet filter rule I have, and enabling logging does not give me a clue either - it shows the connection, but still the client does not get any answer.

One more interesting thing forgot to mention in the first post: connections to not working sites like microsoft.com don't fail completely - see below:

C:\Users\thomas.HOME>wget -O - http://www.microsoft.com/
--21:17:10--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... done.
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:17:11--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response...

the client receives the 302 redirect, and then the connection hangs, with nothing coming back from the server on the second GET request. The same thing directly on the ASG works:

loginuser@fw1:/home/login > wget -O - http://www.microsoft.com
--21:22:18--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... 65.55.21.250
Connecting to www.microsoft.com|65.55.21.250|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:22:19--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Reusing existing connection to www.microsoft.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 89,906 (88K) [text/html]

0             --.--K/s             ï»¿

Doing the same with Google or most other sites works without problems on the client.

So i have dumped the packets on the ASG, and for me it looks like it's a network problem - see attached pictures. Explanation: as said before I have the internal network on eth0, with my client on IP 10.12.3.10, and the ASG on 10.12.3.1. Then I have eth1 connected to an ASDL modem (Austrian Telekom), with a PPTP connection on ppp0. The ADSL external IP is 91.115.141.34, and 207.46.19.254 is the IP of the microsoft server which I'm testing with. For me it seems as if the second GET request does not get transmitted propertly - but I don't have a clue why...

As said before - the exact same hardware was running IPcop before ASG for years without any problems.

__
/homas

Hallo Thomas,

ich habe exakt das gleiche Problem. Hast Du es mittlerweile loesen koennen und wenn ja, wie?
Gruesse
Jan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jan_Rusche over 14 years ago in reply to tbleier
I know :-)

Well, since I'm a freelancer hired by the company for doing exactly that sort of thing, I think I'm expected to be the "expert" in this case [:D]. Joking aside - I've done various network stuff since more than 15 years and while networking is not my only focus I think I have quite reasonable experience setting up firewalls. Working with different products in the past I did not expect problems with such a basic setup with ASL - so I thought there is probably some specific thing to know with that product that somebody could tell me...

Anyway, back to the classic debugging...

What I didn't mention in the initial post: I've already ruled out DNS problems - contacting the not-working sites directly by IP did not work either on the internal net...

The packet filter live log does not show any activity when the connection fails. The "LAN -> ANY -> ANY" rule is the only packet filter rule I have, and enabling logging does not give me a clue either - it shows the connection, but still the client does not get any answer.

One more interesting thing forgot to mention in the first post: connections to not working sites like microsoft.com don't fail completely - see below:

C:\Users\thomas.HOME>wget -O - http://www.microsoft.com/
--21:17:10--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... done.
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:17:11--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Connecting to www.microsoft.com[207.46.170.10]:80... connected.
HTTP request sent, awaiting response...

the client receives the 302 redirect, and then the connection hangs, with nothing coming back from the server on the second GET request. The same thing directly on the ASG works:

loginuser@fw1:/home/login > wget -O - http://www.microsoft.com
--21:22:18--  http://www.microsoft.com/
           => `-'
Resolving www.microsoft.com... 65.55.21.250
Connecting to www.microsoft.com|65.55.21.250|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /en/us/default.aspx [following]
--21:22:19--  http://www.microsoft.com/en/us/default.aspx
           => `-'
Reusing existing connection to www.microsoft.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 89,906 (88K) [text/html]

0             --.--K/s             ï»¿

Doing the same with Google or most other sites works without problems on the client.

So i have dumped the packets on the ASG, and for me it looks like it's a network problem - see attached pictures. Explanation: as said before I have the internal network on eth0, with my client on IP 10.12.3.10, and the ASG on 10.12.3.1. Then I have eth1 connected to an ASDL modem (Austrian Telekom), with a PPTP connection on ppp0. The ADSL external IP is 91.115.141.34, and 207.46.19.254 is the IP of the microsoft server which I'm testing with. For me it seems as if the second GET request does not get transmitted propertly - but I don't have a clue why...

As said before - the exact same hardware was running IPcop before ASG for years without any problems.

__
/homas

Hallo Thomas,

ich habe exakt das gleiche Problem. Hast Du es mittlerweile loesen koennen und wenn ja, wie?
Gruesse
Jan
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data