unable to reach a specific website from an internal web link with an A

abtt-39
Level 1

Hello,

For a few days, from my internal link (with a firewall and a proxy), I can no longer go to this institutional site:

https://portail.dgfip.finances.gouv.fr/


I tested from other links and an external wifi, and I even tested by connecting directly to the ISP router of the main link (to bypass the firewall)... and it works.

On my internal computer, I deactivated the proxy (an ASA rule allows me to surf without it), but it doesn't work either (just for this site).

On the firewall (ASA 5516-X v9.16(4)47) nothing has changed over the last few days.

If I do a little wireshark capture from the internal network:

[attached screenshot: dgfip.JPG]

It runs in a loop until it times out.

Same test but from a PC off the network, via wifi:

[attached screenshot: dgfip2.JPG]

So, I think my problem comes from my firewall (certificate...?).

Knowing that nothing in particular has been changed on the ASA during the previous weeks, and that it was still working last week.


5 Replies

ccieexpert
Spotlight

Hello,

What feature are you running for the proxy? WCCP or a proxy on the computer?

Can you attach the full Wireshark capture, up to the point where it times out?

Have you tried different browsers (Firefox, Edge, Chrome)? Also try an incognito window.

amojarra
Cisco Employee

Hello @abtt-39,

Hope you are doing well.

[1] May I ask what error you see while trying to access the site? Is it something like a 504, access denied, or a certificate issue?

[2] From the WSA's perspective, are you decrypting the traffic? If so, is it possible to set the traffic to Bypass or Passthrough and try?

[3] Can you please take a PCAP from the WSA, filtered for both the client IP and the server IP? In this case you can see the traffic from client to WSA and from WSA to upstream.

[4] Kindly check the accesslogs as well to make sure you are hitting the correct policy. To do that you can filter with the client IP address: CLI > grep > choose the number associated with accesslogs > type the client's IP as the filter > tail the logs > try to access the page.

[5] It would be nice to check the HAR file from the browser as well (developer tools).

[6] On the other hand, can you please confirm that you have the same error while trying with Firefox?


Regards,

Amirhossein Mojarrad


Hello,

1 = ERR_TIMED_OUT (Chrome); same with Edge and Firefox.

2 = We have a web proxy, but not WSA. I can bypass the web proxy on my computer, but even then I cannot reach the website; same timeout error.

For the other points, I will try as soon as I can.

abtt-39
Level 1

Hello,

In fact, it seems that the problem is on the website host side. We are not the only ones to have reported the problem.
In the meantime, for the users concerned (4 people), I created for each a network object with their respective IP. I also created another object containing another unused public IP.
Then I activated static NAT on the network object IP, with address translation to the new IP.
Then an ACL allowing http/https surfing, with source: IP network object, destination: any, in http/https.
By testing on people's PCs, I see that their internet exit address (via "what's my IP") is now the one ending in *.251 (and not the one in *.250).
However, what I have trouble understanding is that I put static NAT. I am not a firewall specialist, but in static, I thought that one internal IP uses one public IP. But there are 4 users and it seems to work?
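The NAT-plus-ACL workaround described in the post above, written out as an added example for ASA 9.x (this is not the poster's configuration); object names, the ACL name and the RFC 5737 addresses are placeholders. It also goes beyond the post by showing the dynamic PAT form, which is the usual way to let several hosts share one public address, and the on-box checks that replace the "what's my IP" test.

```cisco
! --- Addresses (RFC 5737 placeholders; substitute your own) -------------
object network PC_USER1
 host 192.0.2.11
object network PC_USER2
 host 192.0.2.12
object network PC_USER3
 host 192.0.2.13
object network PC_USER4
 host 192.0.2.14
! The spare, previously unused public IP
object network PUBLIC_251
 host 203.0.113.251

! --- Option A: one host <-> one public IP (what "static" NAT means) -----
! Static NAT is bidirectional: inbound traffic to 203.0.113.251 is
! translated to PC_USER1 and reaches it if an outside ACL permits it,
! so keep the outside ACL closed. Shown commented out; use A or B for a
! given mapped address, not both.
! object network PC_USER1
!  nat (inside,outside) static PUBLIC_251

! --- Option B: four hosts sharing one public IP = dynamic PAT ----------
! Manual (twice) NAT in section 1 is evaluated before object NAT, so
! this rule takes precedence over a general "any" PAT to the .250
! address configured as object NAT. PAT only creates translations for
! outbound-initiated connections.
object-group network DGFIP_USERS
 network-object object PC_USER1
 network-object object PC_USER2
 network-object object PC_USER3
 network-object object PC_USER4
nat (inside,outside) source dynamic DGFIP_USERS PUBLIC_251

! --- ACL: only web traffic from these hosts (ASA 8.3+ ACLs use real IPs)
! If an ACL is already bound to "inside", add these lines to it instead
! of binding a new one, or the existing rules are replaced.
access-list INSIDE_IN extended permit tcp object-group DGFIP_USERS any eq www
access-list INSIDE_IN extended permit tcp object-group DGFIP_USERS any eq https
access-group INSIDE_IN in interface inside

! --- Verify on the ASA instead of a "what's my IP" site ---------------
show nat detail
show xlate
packet-tracer input inside tcp 192.0.2.11 50000 <DGFIP-SERVER-IP> 443
```

`show xlate` lists which mapped address each inside host is currently using; `packet-tracer` shows the NAT rule and ACL line a flow actually hits.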

amojarra
Cisco Employee

Thanks for the updates @abtt-39.

It could be some blocking of your other IP address on the web server side.

I'm happy that the issue has been narrowed down to the resolution.