
[FW1] Nokia not connecting to certain sites.



Gurus,

The problem:

Around 5% of WWW sites they visit time out. Internet Explorer just times out.

The following sites are examples (www.gmx.de, www.unicef.org,
www.spray.se). All these sites work fine from anywhere else on the
internet.

I have run a test on a PC server which sits on a DMZ.  It is configured not
to use any proxy and the Checkpoint rule is Any destination on Any service.

If I run a traceroute to the website I get to the destination.  If I try to
connect via port 80 I connect but then it times out.  (To test this theory I
used a made-up port and nothing happened, whereas port 80 does display
"connected".)

I have tried the following:

Alternative DNS servers hosted by another ISP.
We can telnet to port 80 from the IPSO and connect.  We get HTTP header
request information.
We can telnet to only www.unicef.org and get http header request
information.  We can connect to other sites but get nothing back from the
test workstation.
We have done TCP dumps below, one for a site that works and one for the site
that does not work.

IP INFO: 213.133.214.7 - Static NAT for machine being used as a test
	  213.133.214.2 - External interface on Firewall









This site works
---------

gatekeeper[admin]# tcpdump -i eth-s3p1c0 host 167.206.197.220
(www.didata.com)
tcpdump: listening on eth-s3p1c0
08:43:40.559239 213.133.214.7.2861 > 167.206.197.220.80: S:(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
08:43:40.659463 167.206.197.220.80 > 213.133.214.7.2861: S:(0) ackwin 8280 <mss 1380> (DF)
08:43:40.659728 213.133.214.7.2861 > 167.206.197.220.80: . ack 1 win 0
08:43:40.660343 213.133.214.7.2861 > 167.206.197.220.80: . ack 1 win 16560 (DF)
08:43:40.661287 213.133.214.7.2861 > 167.206.197.220.80: P 1:307(306) ack 1 win 16560 (DF)
08:43:40.784691 167.206.197.220.80 > 213.133.214.7.2861: P 1:193(192) ack 307 win 7974 (DF)
08:43:40.948835 213.133.214.7.2861 > 167.206.197.220.80: . ack 193 win 16368 (DF)
08:43:41.056441 167.206.197.220.80 > 213.133.214.7.2861: P 193:335(142) ack 307 win 7974 (DF)
08:43:41.078657 213.133.214.7.2861 > 167.206.197.220.80: P 307:621(314) ack 335 win 16226 (DF)
08:43:41.080990 213.133.214.7.2863 > 167.206.197.220.80: S:(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
08:43:41.202712 167.206.197.220.80 > 213.133.214.7.2861: P 335:495(160) ack 621 win 7660 (DF)
08:43:41.202946 167.206.197.220.80 > 213.133.214.7.2863: S:(0) ackwin 8280 <mss 1380> (DF)
08:43:41.203213 213.133.214.7.2863 > 167.206.197.220.80: . ack 1 win 0
08:43:41.203701 213.133.214.7.2863 > 167.206.197.220.80: . ack 1 win 16560 (DF)
08:43:41.205200 213.133.214.7.2863 > 167.206.197.220.80: P 1:315(314) ack 1 win 16560 (DF)
08:43:41.225716 167.206.197.220.80 > 213.133.214.7.2861: P 1875:1896(21) ack 621 win 7660 (DF)
08:43:41.226315 213.133.214.7.2861 > 167.206.197.220.80: . ack 495 win 16066 (DF)

------
This site does not work.


Browsing from Mailmarshall server - Static NAT'ed to 213.133.214.7 to
www.unicef.org

gatekeeper[admin]# tcpdump -i eth-s3p1c0 host 209.177.2.82
tcpdump: listening on eth-s3p1c0

08:31:16.296915 213.133.214.7.2605 > 209.177.2.82.80: S:(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
08:31:16.410828 209.177.2.82.80 > 213.133.214.7.2605: S:(0) ackwin 8760 <mss 1460> (DF)
08:31:16.411056 213.133.214.7.2605 > 209.177.2.82.80: . ack 1 win 0
08:31:16.411473 213.133.214.7.2605 > 209.177.2.82.80: . ack 1 win 17520 (DF)
08:31:16.411823 213.133.214.7.2605 > 209.177.2.82.80: P 1:252(251) ack 1 win 17520 (DF)
08:31:16.541583 209.177.2.82.80 > 213.133.214.7.2605: . ack 252 win 8760 (DF)
08:31:45.580178 213.133.214.2.31647 > 209.177.2.82.80: R:(0) win 0 (DF)

We have noticed that this packet does talk back to the external interface on
the firewall.  This does not happen on the site that does work. STRANGE


Any ideas?

Thanks

Gareth
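
An added example, not part of Gareth's post: a short Python script that reads tcpdump lines in the format shown above and reports, per capture, the MSS each side offered, the payload bytes each side sent, and any RST whose source is neither endpoint of the opening SYN. The sample lines are copied from the two captures in the post with wrapped lines rejoined; the function name and output keys are assumptions made for this example.

```python
import re
from collections import defaultdict

# One packet line in the older tcpdump text format used in the post.
PKT = re.compile(
    r"^\S+ (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)\s*(.*)$")

# Lines copied from the post's captures (wrapped lines rejoined).
FAILING = """
08:31:16.296915 213.133.214.7.2605 > 209.177.2.82.80: S:(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
08:31:16.410828 209.177.2.82.80 > 213.133.214.7.2605: S:(0) ackwin 8760 <mss 1460> (DF)
08:31:16.411056 213.133.214.7.2605 > 209.177.2.82.80: . ack 1 win 0
08:31:16.411823 213.133.214.7.2605 > 209.177.2.82.80: P 1:252(251) ack 1 win 17520 (DF)
08:31:16.541583 209.177.2.82.80 > 213.133.214.7.2605: . ack 252 win 8760 (DF)
08:31:45.580178 213.133.214.2.31647 > 209.177.2.82.80: R:(0) win 0 (DF)
"""
WORKING = """
08:43:40.559239 213.133.214.7.2861 > 167.206.197.220.80: S:(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
08:43:40.659463 167.206.197.220.80 > 213.133.214.7.2861: S:(0) ackwin 8280 <mss 1380> (DF)
08:43:40.661287 213.133.214.7.2861 > 167.206.197.220.80: P 1:307(306) ack 1 win 16560 (DF)
08:43:40.784691 167.206.197.220.80 > 213.133.214.7.2861: P 1:193(192) ack 307 win 7974 (DF)
"""

def summarize(trace):
    """Return MSS offered and payload bytes sent per source IP, plus the
    sources of RSTs that are not an endpoint of the first SYN seen."""
    mss, sent, endpoints, stray_rst = {}, defaultdict(int), set(), []
    for line in trace.strip().splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # skip prompts, banners and anything that is not a packet
        src, _sport, dst, _dport, flags, rest = m.groups()
        if flags.startswith("S"):
            if not endpoints:
                endpoints = {src, dst}  # flow defined by the opening SYN
            opt = re.search(r"<mss (\d+)", rest)
            if opt:
                mss[src] = int(opt.group(1))
        data = re.search(r"\d+:\d+\((\d+)\)", rest)  # first:last(length)
        if data:
            sent[src] += int(data.group(1))
        if flags.startswith("R") and src not in endpoints:
            stray_rst.append(src)
    return {"mss": mss, "sent": dict(sent), "stray_rst": stray_rst}

if __name__ == "__main__":
    for name, trace in (("works", WORKING), ("fails", FAILING)):
        print(name, summarize(trace))
```
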





