
some sites don't work at remote locations

Vishnu Reddy
Level 1

Hi all,

This problem seems a little bit weird to me. Some servers at remote sites, but not all of them, are not opening a couple of websites. We tried pointing them to the correct DNS servers (including external DNS), tried emptying the web browser cache, and tried forwarding DNS servers. Nothing seems to work. Only the www.dell.com and www.adobe.com websites are not working. We have 10 remote sites, and on some servers it's working and on some it's not, even though the DNS server configuration on each of them is identical. At the central site we don't have any issues. We are connected through MPLS and use one central DNS server from the central site and one locally hosted DNS server. I suspect the problem may be with that particular server, but it's weird that this problem is occurring at some of the remote sites on some servers as well.

Looking forward to getting some troubleshooting tips to get to the root of this problem.

Thanks in advance....!

13 Replies

Aaron Harrison
VIP Alumni

Hi

If you can ping it and see the correct IP address, then your DNS is probably working. You may have another connectivity issue.

I'd suggest you take a packet capture on the affected server. If you are using direct connection to the net (i.e. not proxying) just capture ports 53/80/443 and then post it up.

You can use MS Message Analyzer or Wireshark for the capture.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Hi Aaron,

Thanks for your reply.

I can resolve the DNS names to IP addresses using nslookup for dell and adobe. It shows the correct address pointing to dell and adobe. I installed Wireshark; it works well with yahoo and other sites and shows packets in Wireshark, but when I open dell and adobe the browser does a search for these websites and pulls up the Bing search page, and Wireshark doesn't show any packets in the capture, i.e. I only get the GET and POST requests going through for pulling the Bing searches.

Thanks in advance

Hello

At the sites where these URLs are not resolving, are all the devices affected?
What OS platform are these servers running?
Can these servers connect to the two URLs by IP instead of the FQDN?
Do you have any static entries in the local hosts file or on the NICs which could be negating these web sites?

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the reply.

Some servers work and some don't at the same site. I can traceroute to these sites. I tried using the IP address in the browser and it displays "page cannot be found". IE 11.0.14. When I use the DNS name in the browser it goes to the Bing search page, pulling dell links. When I click on a dell link it just dies out and gives "page cannot be found". Tried using 8.8.8.8 as the DNS server but no luck.

 

OK:

1) If you can ping a website (e.g. www.dell.com) and see the same IP you see on a working server, DNS is OK.

2) If you can telnet to port 80 (telnet www.dell.com 80) and get a black screen (rather than a timeout or 'refused') then you have IP connectivity.

3) If those two steps above are OK, you probably have a browser issue such as an incorrect proxy config, malware, or something similar. Check your proxy settings, or stick Chrome on and see if that is any better.

You can't just browse to an IP and expect it to work - most websites have multiple sites on the same IPs, so the name sent to the server (which you type in the browser) is important.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
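The three checks from the reply above (the name resolves, TCP port 80 answers, then an HTTP request carrying the right name), as an added example that is not part of the original thread. The function name `check_site` and its stage labels are hypothetical; the `host_header` parameter shows why browsing to a bare IP is not an equivalent test.

```python
import socket
import sys


def resolve_ipv4(name):
    """Step 1 of the thread's checklist: what address does the name resolve to?"""
    info = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return info[0][4][0]


def check_site(name, port=80, host_header=None, resolve=resolve_ipv4, timeout=5.0):
    """Return (stage, detail): the first layer that failed, or 'ok'."""
    try:
        addr = resolve(name)
    except socket.gaierror as exc:
        return "dns", str(exc)
    # Step 2: the equivalent of 'telnet name 80', telling refused from timeout.
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused", f"{addr}:{port}"
    except socket.timeout:
        return "tcp-timeout", f"{addr}:{port}"
    except OSError as exc:
        return "tcp-error", f"{addr}:{port} {exc}"
    # Step 3: one HTTP request. The Host header carries the site name, which a
    # server hosting several sites on one IP uses to pick the site.
    with sock:
        request = (f"HEAD / HTTP/1.1\r\nHost: {host_header or name}\r\n"
                   "Connection: close\r\n\r\n")
        try:
            sock.sendall(request.encode("ascii"))
            first = sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
        except OSError as exc:
            return "http", str(exc)
    if not first.startswith("HTTP/"):
        return "http", f"unexpected reply: {first!r}"
    return "ok", f"{addr} {first}"


if __name__ == "__main__":
    # Usage: python check_site.py www.dell.com www.adobe.com
    for site in sys.argv[1:]:
        print(site, *check_site(site))
```

Running it on a working and a non-working server for the same names shows at which layer the two diverge.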

Hi Aaron,

Thanks for your reply.

It's even weird that I installed Chrome. It works with all other websites but not adobe and dell. Now I can tell that it's not a browser issue. There's no proxy setting on IE. On one server it works and on another it doesn't work. "Automatically detect settings" is selected on the IE connection tab.

Thanks for your help. Now this is really annoying me, as I don't know what to check and what not to check.

Thanks in advance

Hi

You say you can't telnet to 80 on those sites?

In that case that's your problem - something is blocking access to the sites, and it's more than likely something on your network:

1) Internet firewall

2) Other firewalls - network, or even on the server itself

3) ACLs on routers/switches etc

4) Could even be AV software on the servers.

5) Or anything else 'security' - IPS, etc etc.

 

Aaron


There's a 2911 WAN router on the edge with one connection to MPLS and the other to the Internet. The default is pointing to the Internet. There's no firewall at that site. Only an access list is in place to prevent private IPs, invalid IPs, etc., as per best practices. If port 80 is blocked for only those 2 sites and others are working then port 80 is open for internet access.

I even disabled the firewall on the server where there is a problem, but no luck there either.

I am not sure what and where to suspect

Thanks for your help

So is the 2911 connection direct to the internet?

And the 2911 performing NAT?

Can you post up the config?

Also post up what www.dell.com resolves to from your server?

Aaron


Here's the nslookup output from the server where it's not working:

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cs60.can.transactcdn.com
Address:  192.16.31.62
Aliases:  www.dell.com
          www1.dell-cidr.akadns.net

 

on wan router:

ip nat inside source list 2 interface Dialer3 overload
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 192.168.40.49 22 interface Dialer3 11439
ip nat inside source static tcp 192.168.40.48 22 interface Dialer3 11440
ip nat inside source static tcp 192.168.40.48 11438 interface Dialer3 11438
ip nat inside source static tcp 192.168.40.48 80 interface Dialer3 80
ip nat inside source static tcp 192.168.40.48 443 interface Dialer3 443
ip nat inside source static tcp 192.168.40.48 3389 interface Dialer3 3389

access-list 2 deny   192.168.40.64
access-list 2 deny   192.168.40.60
access-list 2 deny   192.168.40.61
access-list 2 deny   192.168.40.62
access-list 2 deny   192.168.40.63
access-list 2 remark VPN Source list
access-list 2 permit 192.168.40.0 0.0.0.255
 

access-list 199 permit ip host 192.168.40.60 host a.b.c.d
access-list 199 permit ip host 192.168.40.61 host a.b.c.d
access-list 199 permit ip host 192.168.40.62 host a.b.c.d
access-list 199 permit ip host 192.168.40.63 host a.b.c.d
access-list 199 permit ip host 192.168.40.64 host a.b.c.d
 

default routes:

ip route 0.0.0.0 0.0.0.0 Dialer3

 

Used for connecting to DMVPN hub

ip route e.f.g.h 255.255.255.255 Dialer1
ip route e.f.g.i 255.255.255.255 Dialer1

2 internet connections dialer 1 and dialer 3

interface Dialer1
 description DTAG SDSL 2MB
 mtu 1492
 ip address TO ISP 255.255.255.0
 ip access-group 120 in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin
 ppp chap hostname abc
 ppp chap password 7 05020B5E711C1E1C0B
 ppp pap sent-username xyz 7 130C1A405G5C543F43
 no cdp enable
 

I don't know what to look for since the configuration seems pretty much clear.

The issue is why only 2 websites have port 80 blocked, and that too for just some PCs.

Thanks in advance

 

Google and Yahoo both have HTTPS (port 443), while Dell and Adobe have HTTP (port 80). Try to open another website like cnn.com (port 80) and see whether you are able to see the website or not.

 

 

The issue got resolved. We were manually pointing to DNS servers. We now obtain them automatically through DHCP.

Hi Aaron,

Now at least I got to the root cause I think. I can telnet to port 80 for google and yahoo.com but not to adobe and dell. What could be the issue? I might have to check the WAN router setting at remote sites.

Thanks for your help.
