12-16-2014 06:29 AM - edited 03-05-2019 12:23 AM
Hi all,
This problem seems a little bit weird to me. Some servers at remote sites, but not all of them, are not opening a couple of websites. We tried pointing them to the correct DNS servers (including external DNS), tried emptying the cache in the web browser, and tried forwarding DNS servers. Nothing seems to work. Only the www.dell.com and www.adobe.com websites are not working. We have 10 remote sites, and on some servers it's working and on some it's not, even though the DNS server configuration on each of them is identical. At the central site we don't have any issues. We are connected through MPLS and using one central DNS server from the central site and one locally hosted DNS server. I suspect the problem may be with that particular server, but it's weird that this problem is occurring at some of the remote sites on some servers as well.
Looking forward to getting some troubleshooting tips to get to the root of this problem.
Thanks in advance....!
12-16-2014 07:04 AM
Hi
If you can ping it and see the correct IP address, then your DNS is probably working. You may have another connectivity issue.
I'd suggest you take a packet capture on the affected server. If you are using direct connection to the net (i.e. not proxying) just capture ports 53/80/443 and then post it up.
You can use MS Message Analyzer or Wireshark for the capture.
Aaron
12-16-2014 07:31 AM
Hi Aaron,
Thanks for your reply.
I can resolve the DNS names to IP addresses using nslookup for Dell and Adobe. It shows the correct addresses pointing to Dell and Adobe. I installed Wireshark; it works well with Yahoo and other sites and shows packets in Wireshark, but when I open Dell and Adobe the browser does a search for these websites and pulls up the Bing search page, and Wireshark doesn't show any packets in the capture, i.e. only the GET and POST requests going through, which I am getting for pulling the Bing searches.
Thanks in advance
12-16-2014 07:05 AM
Hello
At the sites where these URLs are not resolving, are all the devices being affected?
What OS platform are these servers running?
Can these servers connect to the two URLs by IP instead of the FQDN?
Do you have any static entries in the local hosts file or on the NICs which could be negating these websites?
res
Paul
12-16-2014 07:05 AM
Thanks for the reply.
Some servers work and some don't at the same site. I can traceroute to these sites. I tried using the IP address in the browser and it displays "page cannot be found". IE 11.0.14. When I use the DNS name in the browser it goes to the Bing search page, pulling Dell links. When I click on a Dell link it just dies out and gives "page cannot be found". Tried using 8.8.8.8 as the DNS server but no luck.
12-16-2014 07:21 AM
OK:
1) If you can ping a website (e.g. www.dell.com) and see the same IP you see on a working server, DNS is OK.
2) If you can telnet to port 80 (telnet www.dell.com 80) and get a black screen (rather than a timeout or 'refused'), then you have IP connectivity.
3) If those two steps above are OK, you probably have a browser issue such as an incorrect proxy config, malware, or something similar. Check your proxy settings, or stick Chrome on and see if that is any better.
You can't just browse to an IP and expect it to work - most websites have multiple sites on the same IPs, so the name sent to the server (which you type in the browser) is important.
Aaron
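The three checks from the post above, run in order by one script, as an added example that is not part of the original thread (the function name `triage`, its return values and the `HINTS` wording are illustrative assumptions). The third step sends the site name in the Host header, which is the reason browsing to a bare IP address fails on shared hosting.

```python
import socket
import sys

# What a result at each stage points to, following the checks in the post.
HINTS = {
    "dns": "name does not resolve: check the resolver this host is using",
    "tcp": "no TCP session: firewall, ACL, AV or IPS on the path",
    "http": "TCP opens but no HTTP reply: capture the traffic to see where it stops",
    "ok": "network path is fine: look at browser or proxy settings",
}

def triage(host, port=80, timeout=5.0):
    """Return (stage, detail, ips); stage is the first check that fails, or 'ok'."""
    # 1) DNS: collect the IPv4 addresses to compare with a working server.
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc), []
    ips = sorted({info[4][0] for info in infos})
    # 2) TCP: the scripted equivalent of "telnet host 80".
    try:
        sock = socket.create_connection((ips[0], port), timeout=timeout)
    except OSError as exc:  # timeout, refused, unreachable
        return "tcp", f"{ips[0]}:{port} {exc}", ips
    # 3) HTTP: send the site name in the Host header, as a browser would.
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with sock:
        try:
            sock.sendall(request.encode("ascii"))
            status = sock.makefile("rb").readline().decode("latin-1").strip()
        except OSError as exc:
            return "http", str(exc), ips
    if not status.startswith("HTTP/"):
        return "http", status or "connection closed without a reply", ips
    return "ok", status, ips

if __name__ == "__main__":
    # Default names are the two sites from the thread.
    for name in sys.argv[1:] or ["www.dell.com", "www.adobe.com"]:
        stage, detail, ips = triage(name)
        print(f"{name}: {stage} ({detail}) ips={ips}\n  -> {HINTS[stage]}")
```

Run it on a working server and on an affected one and compare both the stage reported and the resolved addresses.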
12-16-2014 07:40 AM
Hi Aaron,
Thanks for your reply.
It's even weirder now that I have installed Chrome. It works with all other websites but not Adobe and Dell. Now I can tell that it's not a browser issue. There's no proxy setting in IE. On one server it works and on another it doesn't work. "Automatically detect settings" is selected on the IE connection tab.
Thanks for your help. Now this is really annoying me as to what to check and what not to check.
Thanks in advance
12-16-2014 07:47 AM
Hi
You say you can't telnet to 80 on those sites?
In that case that's your problem - something is blocking access to the sites, and it's more than likely something on your network:
1) Internet firewall
2) Other firewalls - network, or even on the server itself
3) ACLs on routers/switches etc
4) Could even be AV software on the servers.
5) Or anything else 'security' - IPS, etc etc.
Aaron
12-16-2014 07:55 AM
There's a 2911 WAN router on the edge with one connection to MPLS and the other to the Internet. The default is pointing to the Internet. There's no firewall at that site. There's only an access list in place to block private IPs, invalid IPs, etc., as per best practices. If port 80 is blocked for only those 2 sites and others are working, then port 80 is open for Internet access.
I even disabled the firewall on the server where there is a problem, but no luck there either.
I am not sure what and where to suspect
Thanks for your help
12-16-2014 08:01 AM
So is the 2911 connection direct to the internet?
And the 2911 performing NAT?
Can you post up the config?
Also post up what www.dell.com resolves to from your server?
Aaron
12-16-2014 08:18 AM
Here's the nslookup output from the server where it's not working:
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: cs60.can.transactcdn.com
Address: 192.16.31.62
Aliases: www.dell.com
www1.dell-cidr.akadns.net
on wan router:
ip nat inside source list 2 interface Dialer3 overload
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 192.168.40.49 22 interface Dialer3 11439
ip nat inside source static tcp 192.168.40.48 22 interface Dialer3 11440
ip nat inside source static tcp 192.168.40.48 11438 interface Dialer3 11438
ip nat inside source static tcp 192.168.40.48 80 interface Dialer3 80
ip nat inside source static tcp 192.168.40.48 443 interface Dialer3 443
ip nat inside source static tcp 192.168.40.48 3389 interface Dialer3 3389
access-list 2 deny 192.168.40.64
access-list 2 deny 192.168.40.60
access-list 2 deny 192.168.40.61
access-list 2 deny 192.168.40.62
access-list 2 deny 192.168.40.63
access-list 2 remark VPN Source list
access-list 2 permit 192.168.40.0 0.0.0.255
access-list 199 permit ip host 192.168.40.60 host a.b.c.d
access-list 199 permit ip host 192.168.40.61 host a.b.c.d
access-list 199 permit ip host 192.168.40.62 host a.b.c.d
access-list 199 permit ip host 192.168.40.63 host a.b.c.d
access-list 199 permit ip host 192.168.40.64 host a.b.c.d
default routes:
ip route 0.0.0.0 0.0.0.0 Dialer3
Used for connecting to DMVPN hub
ip route e.f.g.h 255.255.255.255 Dialer1
ip route e.f.g.i 255.255.255.255 Dialer1
2 internet connections dialer 1 and dialer 3
interface Dialer1
description DTAG SDSL 2MB
mtu 1492
ip address TO ISP 255.255.255.0
ip access-group 120 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap chap callin
ppp chap hostname abc
ppp chap password 7 05020B5E711C1E1C0B
ppp pap sent-username xyz 7 130C1A405G5C543F43
no cdp enable
I don't know what to look for since the configuration seems pretty clear.
The issue is why only 2 websites on port 80 are being blocked, and that too for just some PCs.
Thanks in advance
12-16-2014 02:28 PM
The Google and Yahoo sites both use HTTPS (port 443), while Dell and Adobe use HTTP (port 80). Try to open another website like cnn.com (port 80) and see if you are able to see the website or not.
12-18-2014 07:03 PM
The issue got resolved. We were manually pointing to DNS servers. We changed to obtaining them automatically (dynamically) through DHCP.
12-16-2014 07:44 AM
Hi Aaron,
Now at least I got to the root cause I think. I can telnet to port 80 for google and yahoo.com but not to adobe and dell. What could be the issue? I might have to check the WAN router setting at remote sites.
Thanks for your help.