Topic: Cannot access external web site

[crazybob]

I have client that has a server that is running SME 7.5.1 in server-gateway mode. A couple of days ago, my client could no longer access a website. I am able to ping and access the website from my location. I went to his location and I am able to ping and access the website if I hook a laptop directly to the cable modem. If I connect to the server in terminal mode, I cannot ping the IP or domain name. I have tried to clear the squid cache, but it does not seem to have any effect. I have tried disabling the http proxy, and no effect. They are able to access things like google, yahoo, and many other websites.
What else should I be looking at. I can access the server remotely.
TIA

Bob

[mmccarn]

Does traceroute or tracepath show anything interesting for the IP in question (perhaps there is a routing or PMTU problem somewhere)?

Could the server in question be blocking access from your client's SME (perhaps due to a workstation with a malware problem)?

Is the disk full (I see odd behavior when a SME runs out of disk space)?

If you can't find a cause, you might be able to work around the problem by configuring the failing SME to use an upstream proxy that can 'see' the troublesome server.

[Stefano]

Bob
try this: from the root shell

Code: [Select]

dig  unaccessiblesite

then try the same from an external machine

are the results the same?

did the external site changed its ip address recently?

[crazybob]

Tried and got this result

Code: [Select]

; <<>> DiG 9.2.4 <<>> xxx.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
When I tried it from my server, got following response

Code: [Select]

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.5 <<>> xxx.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58632
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxx.com.                        IN      A

;; ANSWER SECTION:
xxx.com.         13834   IN      A       1.2.3.4

;; Query time: 0 msec
;; SERVER: 192.168.3.1#53(192.168.3.1)
;; WHEN: Fri Feb  8 08:37:39 2013
;; MSG SIZE  rcvd: 48

I applied the ISPs dns address through the admin console, and now dig shows

Code: [Select]

; <<>> DiG 9.2.4 <<>> xxx.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38886
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxx.com.                        IN      A

;; ANSWER SECTION:
xxx.com.         14385   IN      A       1.2.3.4

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Feb  8 10:55:33 2013
;; MSG SIZE  rcvd: 48

Still cannot ping or access the website though.
Do not know if the site address has changed recently

(names and IPs changed to protect the innocent) 

[CharlieBrady]

(names and IPs changed ...)

That prevents anyone else from trying to help you diagnose the problem.

[crazybob]

Sorry Charlie, did not know that would be an issue.

here is the result of dig

Code: [Select]

; <<>> DiG 9.2.4 <<>> acmepoolgr.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;acmepoolgr.com.                        IN      A

;; ANSWER SECTION:
acmepoolgr.com.         14400   IN      A       69.94.108.207

;; Query time: 88 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Feb  9 12:26:29 2013
;; MSG SIZE  rcvd: 48


[CharlieBrady]

I have client that has a server that is running SME 7.5.1 in server-gateway mode. A couple of days ago, my client could no longer access a website.

What happens when they try? What do you see in the squid logs?

[purvis]

Are they trying to access their own website from the LAN(inside) side?
What ip address does a LAN user get when they access a website like www.myipaddress.com? Is it the correct WAN ip address the DNS service is pointing to for the domain name(www.website.com)?
From the WAN side, ping www.website.com. Does the response give the correct wan ip address.

[crazybob]

The website is hosted somewhere else.
If I connect to the server in terminal and ping www.64.94.108.107.com, I get replies from 64.15.205.100.   No.

If I ping www.acmepoolgr.com. I get the ip, but no responses.

Bug submitted http://bugs.contribs.org/show_bug.cgi?id=7336

[CharlieBrady]

If I connect to the server in terminal and ping www.64.94.108.107.com...

Why did you do that? Seems both a funny domain name, and a non-sequitur.

[crazybob]

Trying what purvis suggested

[purvis]

ok if you ping google.com  from a windows computer like:

Code: [Select]


ping google.com
Reply from 74.125.227.66: bytes=32 time=40ms TTL=52
Reply from 74.125.227.66: bytes=32 time=21ms TTL=52
Reply from 74.125.227.66: bytes=32 time=23ms TTL=52

Ping statistics for 74.125.227.66:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 40ms, Average = 28ms


You should see the ip address that server is located at, not google.com
Now, have a person located at the server location visit the web page  www.myipaddress.com.
Depending on a match or not of the ip addresses, you can start there for your problems.
Always try the easy thing first in trouble shooting and try to always do the testing yourself rather than relying on another's word. Many times others are wrong.

[CharlieBrady]

ping isn't really a useful way to diagnose website access issues. Lack of ping response means nothing, and DNS lookup issues can be addressed more directly with other tools.

Providing clear and detailed descriptions of what "cannot access" means is essential.

[purvis]

Ping is the most easiest thing to do by all people.
If you have any kind of internet problem. It is the first tool used all technicians.
Even if a user's router or other equipment's ability to return a ping  is turned off. A technician can and will ping the modem.

After discovering how much a ping's return is to so be much valuable.
I have all equipment set to return a ping.
Ping is a tool that is also most common on all equipment made.

When i was car mechanic before going to college. There were two car's towed in the shop.
They were simply out of gas and the gauge needle even said that, but nobody checked the need.
On one car, i did not even check the gauge needle before i disconnected the gas line from the carburetor and found no gas flowing thru the line.

I had a call on from a person who works for us telling me that her printer had broken or at least was not printing.
I spent 20 minutes at least on the phone and remotely, before i found out she at least did not turn the printer off and back, which did solve the problem.

A technician came out the other day to fix a 10,000 envelope printer we just purchased because the user said it was having problem in the first stage of using it.
Well all it required was a factory reset and putting the ip address back into it.
The technician spent 3 hours there working on the problem tell he did what i had suggested on a new piece of equipment. Then he told me he access the equipment
with a usb connection and had run programs on it prior to delivering it us. He said that is the first thing he is taught to do with all new equipment years ago. Rest the
equipment. Then after setting the ip address in the equipment, guess what was the first thing i did.
Yes I pinged it to see if was connected and I pinged the same ip address when it was detected to makes sure another piece of equipment did not have the same ip address.

Ping should be one of the first tool for anybody to use and the first tool learned to use on any equipment that has networked connectivity.

If somebody is worried about the "Ping of Death" being done to them. You should be be honored somebody thinks so much of you the want to cause you that much harm.
In today's world. I do not see trying to hide a ping from the WAN much of a security issue.

[CharlieBrady]

Ping is the most easiest thing to do by all people.

Yes it's easy. In this case, it's useless. It doesn't provide any useful diagnostic information.