Site Only Works Going Through WSA

s1nsp4wn
Level 1

I'm having a super strange problem:

We recently changed our public address space. After doing so, there's a particular address users accessed over SSL that stopped working. We checked whitelisting and NAT up and down on our end as well as the server side and we're good there. We started using WSA AFTER this problem started and, for whatever reason, users are able to access that service when they go through the WSA.

Can anyone tell me what I can look for that would explain why a site would work through the WSA, but NOT when bypassing it? Literally the only changes between when this worked and when it stopped are new public addies, NAT updates, and we now receive the full BGP routing table at our edge.

Even stranger, when we don't go through the WSA, we never get a SYN/ACK from the site. When we try telnetting to port 443 on the site, the TCP handshake fully completes. WTH?!


balaji.bandi
Hall of Fame

At this stage we may not be in a position to comment or come to a conclusion about what causes the issue.

1. Can you check whatisip.com using WSA / without WSA.

2. Check whether this site works OK from outside your network (to confirm the site has no restrictions).

3. If the site works without any issue from outside your network.

4. I suggest capturing with WSA / without WSA and posting the capture file to analyse.

Sometimes a small piece of information is missing that is needed to understand the network side more deeply, and that is very important to resolving the issue.

If possible, post the network topology.

BB


1. The public IP is correct and shows what it should.

2 & 3. The site whitelists particular subnets. As such, only my site can reach it, but I only get a response from telnet on 443 when going through the WSA. I'm awaiting more info from users as to whether or not they accessed this site through a browser or just an SSH/telnet session.

4. I can't post the capture online, but I can tell you that when I go through the WSA, the 3-way TCP handshake completes and my computer sends a TLS Client Hello. I never get a TLS Server Hello. When I do not go through the WSA, I never get a SYN/ACK from the address.
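Step 4 of the reply above (capture with and without the WSA) and the poster's description of the two captures lend themselves to a small triage script. The following is an added example, not code from this thread or from Cisco. It reads tab-separated rows of the kind `tshark -T fields` exports (the field list in the docstring, the port numbers and the sample rows are assumptions; the rows are constructed, not real captures) and reports the last stage each connection to the target reached, so the two captures can be compared side by side: a direct attempt that stops at "SYN sent, no SYN/ACK" is an L3/L4 problem (routing, NAT, ACL or the return path), while a completed handshake followed by a Client Hello with no Server Hello means TCP is fine and the TLS exchange itself is not being answered.

```python
"""Compare two captures (direct vs. via WSA) and report how far each TCP/TLS
connection to the target got. Input rows are tab separated, as produced by
(assumed field names; older Wireshark uses ssl.handshake.type):

    tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst \
           -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tls.handshake.type
"""

# Stages in the order a connection passes through them. Each label names the
# layer to look at next if the connection stops there.
NO_SYN = "no SYN from client (flow began before the capture?)"
SYN_ONLY = "SYN sent, no SYN/ACK"                   # L3/L4: routing, NAT, ACL, return path
TCP_ONLY = "TCP handshake complete, no Client Hello"
CHELLO_ONLY = "Client Hello sent, no Server Hello"  # TLS not answered: inspection/policy or large-packet loss
SHELLO = "Server Hello received"
ORDER = [NO_SYN, SYN_ONLY, TCP_ONLY, CHELLO_ONLY, SHELLO]

CLIENT_HELLO_TYPE, SERVER_HELLO_TYPE = "1", "2"     # TLS HandshakeType values


def _flag(value):
    """tshark prints booleans as 1/0 or True/False depending on version."""
    return value.strip().lower() in ("1", "true")


def classify_capture(rows, server_ip, server_port="443"):
    """Return {client_port: stage} for every flow to/from server_ip:server_port."""
    state = {}
    for raw in rows.splitlines():
        if not raw.strip():
            continue
        cols = [c.strip() for c in raw.split("\t")]
        if len(cols) < 6:
            continue                      # malformed row
        if len(cols) == 6:
            cols.append("")               # no TLS handshake field on this row
        src, sport, dst, dport, syn, ack, hs_types = cols[:7]
        if dst == server_ip and dport == server_port:
            key, to_server = sport, True
        elif src == server_ip and sport == server_port:
            key, to_server = dport, False
        else:
            continue                      # unrelated traffic
        seen = state.setdefault(key, set())
        types = {t for t in hs_types.split(",") if t}   # a record may carry "2,11,14"
        if to_server:
            if _flag(syn) and not _flag(ack):
                seen.add("syn")
            if CLIENT_HELLO_TYPE in types:
                seen.add("chello")
        else:
            if _flag(syn) and _flag(ack):
                seen.add("synack")
            if SERVER_HELLO_TYPE in types:
                seen.add("shello")
    result = {}
    for key, seen in state.items():
        if "shello" in seen:
            result[key] = SHELLO
        elif "chello" in seen:
            result[key] = CHELLO_ONLY
        elif "synack" in seen:
            result[key] = TCP_ONLY
        elif "syn" in seen:
            result[key] = SYN_ONLY
        else:
            result[key] = NO_SYN
    return result


def furthest_stage(stages_by_flow):
    """Best result of any flow, so SYN retransmits or a second attempt do not hide it."""
    if not stages_by_flow:
        return None
    return max(stages_by_flow.values(), key=ORDER.index)


def compare(direct_rows, proxied_rows, server_ip):
    """Side-by-side summary of the two captures the thread asks for."""
    return {
        "direct": furthest_stage(classify_capture(direct_rows, server_ip)),
        "via_wsa": furthest_stage(classify_capture(proxied_rows, server_ip)),
    }


def _row(*cols):
    return "\t".join(cols)


# Constructed sample rows (not real captures): client 10.0.0.20, target 203.0.113.10.
SAMPLE_DIRECT = "\n".join([
    _row("10.0.0.20", "51234", "203.0.113.10", "443", "1", "0", ""),   # SYN
    _row("10.0.0.20", "51234", "203.0.113.10", "443", "1", "0", ""),   # SYN retransmit
    _row("10.0.0.20", "51234", "203.0.113.10", "443", "1", "0", ""),   # SYN retransmit
])
SAMPLE_VIA_WSA = "\n".join([
    _row("10.0.0.20", "51300", "203.0.113.10", "443", "1", "0", ""),   # SYN
    _row("203.0.113.10", "443", "10.0.0.20", "51300", "1", "1", ""),   # SYN/ACK
    _row("10.0.0.20", "51300", "203.0.113.10", "443", "0", "1", ""),   # ACK
    _row("10.0.0.20", "51300", "203.0.113.10", "443", "0", "1", "1"),  # Client Hello
    _row("10.0.0.20", "51300", "203.0.113.10", "443", "0", "1", "1"),  # Client Hello retransmit
])

if __name__ == "__main__":
    for name, stage in compare(SAMPLE_DIRECT, SAMPLE_VIA_WSA, "203.0.113.10").items():
        print(f"{name:8s} {stage}")
```

With an explicit proxy the client-side capture shows the TCP connection going to the WSA, not to the site, so either take the "via WSA" capture on the WSA's outside interface or pass the WSA address and port as `server_ip`/`server_port`. The stage labels are deliberately coarse: they tell you which capture point and which layer to look at next, not what the cause is.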
