Connectivity issues after IP changes
June 23, 2009 11:42 AM Subscribe
Our office recently changed ISPs, which meant changing our public IPs. Connectivity issues abound. I'm fairly certain the firewall is at fault, but I'm not sure where to go from here.
Background:
We changed ISPs. We now have a new /26 subnet. I've updated all internal servers, and the firewall. (Cisco ASA 5510). All internal office PCs are set to use the firewall as their gateway. The firewall then does dynamic NAT on the internal IPs, translating them to a single public IP.
Problem:
Certain websites we host refuse to load. These sites are hosted at Rackspace. Sometimes I'll get a title, sometimes the progress bar goes a little further, but for the most part, the browser just spins. This doesn't happen with the rest of the internet. Just our hosted sites. I can access the sites just fine from home.
Notes:
Serendipitously, I set up a wireless router on the network yesterday. It gives out its own DHCP and has its own separate public IP. Computers using this router do not experience connectivity issues to our hosted sites.
This makes me think the Cisco firewall is at fault, or misconfigured. I'm wondering if it has some old routing tables which need to be cleared. I have tried 'clear xlate', 'clear local-host', and 'clear route'. The problem still persists.
Any firewall experts out there see an obvious thing I'm missing?
Background:
We changed ISPs. We now have a new /26 subnet. I've updated all internal servers, and the firewall. (Cisco ASA 5510). All internal office PCs are set to use the firewall as their gateway. The firewall then does dynamic NAT on the internal IPs, translating them to a single public IP.
Problem:
Certain websites we host refuse to load. These sites are hosted at Rackspace. Sometimes I'll get a title, sometimes the progress bar goes a little further, but for the most part, the browser just spins. This doesn't happen with the rest of the internet. Just our hosted sites. I can access the sites just fine from home.
Notes:
Serendipitously, I set up a wireless router on the network yesterday. It gives out its own DHCP and has its own separate public IP. Computers using this router do not experience connectivity issues to our hosted sites.
This makes me think the Cisco firewall is at fault, or misconfigured. I'm wondering if it has some old routing tables which need to be cleared. I have tried 'clear xlate', 'clear local-host', and 'clear route'. The problem still persists.
Any firewall experts out there see an obvious thing I'm missing?
I had a similar issue that was fixed by disabling "Detect Non-compliant HTTP Traffic" in the Cisco firewall's application security. Had something to do with websites using malformed chunked encoding, or something.
posted by Mountain Goatse at 12:13 PM on June 23, 2009
posted by Mountain Goatse at 12:13 PM on June 23, 2009
Seconding Mountain Goatse, you need to disable 'inspect http' (in version 7.x and up) or 'fixup http' (in 6.3 and below)
posted by poppo at 1:31 PM on June 23, 2009
posted by poppo at 1:31 PM on June 23, 2009
Response by poster: Thanks for the responses so far. Unfortunately 'clear arp' hasn't helped, and I have no inspects listed in my running config.
posted by lholladay at 1:55 PM on June 23, 2009
posted by lholladay at 1:55 PM on June 23, 2009
Show connections will tell you what state the connection is.
This could be a number of things, but it really sounds more like a DNS issue than anything else, possibly a PMTUD or MSS problem but let's hope not.
What does show log tell you, anything being denied, is logging set up properly?
When you do a show connections what do you see, are the TCP flags correct?
Set up a capture, basically build an acl and then capture based on that ACL, you should be able to tell if you're getting retransmits/etc. Worse comes to worse you can always debug the packet, but be very specific about it.
Was the firewall the gateway before this change or is this new ?
Memail me if you'd like.
posted by iamabot at 10:09 PM on June 23, 2009
This could be a number of things, but it really sounds more like a DNS issue than anything else, possibly a PMTUD or MSS problem but let's hope not.
What does show log tell you, anything being denied, is logging set up properly?
When you do a show connections what do you see, are the TCP flags correct?
Set up a capture, basically build an acl and then capture based on that ACL, you should be able to tell if you're getting retransmits/etc. Worse comes to worse you can always debug the packet, but be very specific about it.
Was the firewall the gateway before this change or is this new ?
Memail me if you'd like.
posted by iamabot at 10:09 PM on June 23, 2009
Finally, make sure your logging is set up right, it's more valuable than anything else you're going to do. Between a good logging level and buffered logging, familiarity with what show connections is telling you and familiarity with capture there's pretty much nothing you can't figure out.
posted by iamabot at 10:11 PM on June 23, 2009
posted by iamabot at 10:11 PM on June 23, 2009
This thread is closed to new comments.
posted by IanMorr at 11:52 AM on June 23, 2009