All HTTP requests time out, unless connected remotely via VPN.
November 17, 2009 7:58 PM
All HTTP requests time out, unless connected remotely via VPN. HTTPS (in my trusted sites) and FTP work fine. Somehow OpenDNS factors into this.
I've seen this, but it's not exactly what is happening to me as far as I can tell. I consider myself a power user and somewhat technical, but realistically I know just enough computer-y stuff to make myself dangerous to myself, so take the rest with that in mind.
Within the network (when I am actually at work connected via ethernet or wireless), I get the same results. IS guys are slow to respond, assuming I have some malware (although I've run Malwarebytes about 5 times with consistent results - no infections). I consider myself a smart user, so I am not convinced this is foul play by some dumb virus, and I don't visit nefarious sites (on the work lappy, that is). I can only get HTTP to not time out if I am connected remotely with the VPN (Cisco 5.0.01.0600, but this also happened under 4.8) running.
There are many things that I've tried or that were tweaked that I feel I need to include in this that I am afraid I might provide a lot of unimportant information. Please bear with.
Background: So, this is my work lappy (Dell Latitude D610) running WinXP fully patched. A week ago, I upgraded the Cisco VPN client from 4.8 to 5.0. The same day, I was given an AT&T GT Ultra 3G card. Every time I plugged the card in (having tried several drivers), Windows would BSOD. I decided to give up trying to get the card to work after several days. I uninstalled the drivers. I started experiencing this issue where HTTP requests would time out, somewhere between the first install of the card drivers, and giving up on the card. This included intranet and internet sites. My home page is an HTTPS site, so I didn't notice it immediately as it connects just fine, and a lot of my work sites are HTTPS (not to mention, I've had a lot of remote connectivity over the past week or so, so it wasn't consistently occurring). Also, I started getting certificate errors when my Outlook (2007) would try to connect to the Exchange server over a remote VPN connection (from home only). When I would look at the certificate, it referenced opendns.com. I use OpenDNS at home and have configured their name servers into my router.
So I did a system restore to a point before the card was installed. Well, since the VPN client was installed the same day as the card, I had to reinstall it as well. No luck with HTTP unless I was over VPN. So I started searching the OpenDNS KB since the Outlook Exchange certificate errors were consistently occurring over the VPN connection, and found this. So I added my work domains to the exceptions, and everything was hunky dory again (until I got into work today and could not access much of anything). IS guy tried reinstalling XP SP3 today, didn't help. I tried uninstalling and reinstalling the VPN client today, didn't help.
Got home tonight, tried to connect to HTTP sites, no luck. Fired up the VPN, and here I am.
So, to recap, everything seems to work fine with VPN connection from home, behind OpenDNS. HTTP does not work if VPN is not running, or if I am within the physical network. If any of this makes sense, what piece(s) represent the wrench in the gears?
flabdablet: Trend Micro OfficeScan. It is a recent change as well, although several weeks ago.
posted by tdischino at 8:27 PM on November 17, 2009
odinsdream:
C:\Documents and Settings\ad98080>telnet www.esqsoft.globalservers.com 80
Connecting To www.esqsoft.globalservers.com...Could not open connection to the host, on port 80: Connect failed
Climber: Proxy Server option is not checked in IE8 settings. I also run Chrome on this laptop, and the behavior is consistent across browsers.
I noticed that, once I disconnect from the VPN, I get residual (cached?) access over HTTP for about 10 minutes or so, then it goes back to timing out until I reconnect to the VPN. Wouldn't this "cooling off" period indicate something with the DNS? Isn't that normal behavior for DNS-related changes to take a few minutes to update or propagate?
posted by tdischino at 10:22 PM on November 17, 2009
Are you behind a cheap Linksys/Dlink router? They have trouble with state tables exploding.
posted by effugas at 10:34 PM on November 17, 2009
Can you explicitly set a proxy in one of your web browsers? If you have one at work, see if you can get out to the net using that proxy.
I mention this because the only time I've seen similar behaviour to what you have is for a virus infection. Even then, it didn't block all sites -- just the ones offering AV software. Using a proxy allowed me to visit all websites.
Can you install Microsoft Security Essentials? It's free and I've had some good results so far disinfecting PCs at work. It's better than Kaspersky, for example.
posted by BrokenEnglish at 4:13 AM on November 18, 2009
And another thing: try a ping from the command line, both when you can and cannot connect to websites (i.e., when running/not running VPN).
ping www.google.com
ping www.yahoo.com
etc. What does it say? "Request timed out" and "Host unavailable" (etc) might indicate DNS problems. (Or could indicate that your IS guys block ICMP at the firewall -- you might want to try requiring them to take your problem seriously because they will run these tests themselves...)
Also try nslookup:
C:\Users\Me>nslookup
Default Server: server.somewhere.local
Address: 172.17.2.1
> host www.google.com
Server: www-tmmdi.l.google.com
Addresses: 216.239.59.99
216.239.59.104
216.239.59.147
216.239.59.103
Aliases: www.google.com
www.l.google.com
Just tap in a few hostnames and see if it looks them up (i.e., returns a list of IP addresses). If not, then you do indeed have issues with DNS.
posted by BrokenEnglish at 4:30 AM on November 18, 2009
Oops, type the hostname into nslookup ("www.google.com") not "host www.google.com" as I typo'd.
posted by BrokenEnglish at 4:32 AM on November 18, 2009
Wouldn't this "cooling off" period indicate something with the DNS?
I don't know if this is helpful or not (your question has me stumped) but one way to test this is to try getting to a site by IP address. If you can get there via IP but not the domain name, that will point to a DNS issue.
posted by weesha at 4:36 AM on November 18, 2009
BrokenEnglish:
C:\Documents and Settings\ad98080>ping google.com
Pinging google.com [74.125.53.100] with 32 bytes of data:
Reply from 74.125.53.100: bytes=32 time=90ms TTL=50
Reply from 74.125.53.100: bytes=32 time=59ms TTL=50
Reply from 74.125.53.100: bytes=32 time=257ms TTL=50
Reply from 74.125.53.100: bytes=32 time=54ms TTL=50
Ping statistics for 74.125.53.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 54ms, Maximum = 257ms, Average = 115ms
C:\Documents and Settings\ad98080>nslookup
Default Server: tonyland (this is my linksys router at home)
Address: 192.168.1.1
> host www.google.com
Server: google.navigation.opendns.com
Addresses: 208.67.219.231, 208.67.219.230
Aliases: www.google.com
DNS request timed out.
timeout was 2 seconds.
*** Request to www.google.com timed-out
>
Does this confirm a DNS issue?
posted by tdischino at 6:30 AM on November 18, 2009
Doh, I just saw what you said about the typo. I tried it again:
> www.google.com
Server: tonyland
Address: 192.168.1.1
Non-authoritative answer:
Name: google.navigation.opendns.com
Addresses: 208.67.219.231, 208.67.219.230
Aliases: www.google.com
It didn't time out this time.
posted by tdischino at 6:32 AM on November 18, 2009
results from Windows XP connectivity diagnostic wizard:
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
info FTP (Passive): Successfully connected to ftp.microsoft.com.
info HTTPS: Successfully connected to www.microsoft.com.
warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
error Could not make an HTTP connection.
posted by tdischino at 7:02 AM on November 18, 2009
The only thing which might have affected that result is if you had already resolved www.google.com and it had cached that info, when you were connected via VPN. Typing
ipconfig /flushdns
will clear the cache.
If you can try the proxy thing, that would be a good next step. Most workplaces have them but do "transparent redirection" so you might not know you were using it. If you set it explicitly, it might make a difference. You'd need to get the numbers from IS.
BTW, to come back to the virus thing (and thinking about a problem one of my users had a while ago) some viruses and malware will reset the DNS servers you use to one of their own. This allows them to redirect requests to your bank (for example) to their own phishing server. Typing
ipconfig /all
will tell you your DNS server IP addresses:
Connection-specific DNS Suffix . : somewhere.local
Description . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller
Physical Address. . . . . . . . . : 91-16-1A-0F-18-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.2.150(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : 18 November 2009 14:41:10
Lease Expires . . . . . . . . . . : 17 January 2010 14:41:09
Default Gateway . . . . . . . . . : 172.17.2.1
DHCP Server . . . . . . . . . . . : 172.17.2.1
DNS Servers . . . . . . . . . . . : 172.17.2.1
172.17.2.2
Primary WINS Server . . . . . . . : 172.17.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
I mention this because the DNS server they will redirect you to might work for www.google.com but will then give you a bogus IP address for www.mybankname.com.
That's as much as I can tell you without having access to your PC.
posted by BrokenEnglish at 7:32 AM on November 18, 2009
So I am back in the office, and sure enough, no luck with HTTP. So, I fired up the VPN client (not expecting it to work, because I didn't think it could connect from within the network), and I have HTTP connectivity now. This is definitely tied to the VPN client somehow, as I only get HTTP connectivity when it is running. I see below that the DNS servers for my Ethernet connection are different than the DNS servers for my ethernet connection when in the office. Is that normal?
Ethernet adapter Local Area Connection 9:
Connection-specific DNS Suffix . : xxxxxxx.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-12-3F-13-46-BA
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.83.14.34
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.83.12.253
DHCP Server . . . . . . . . . . . : 10.83.12.40
DNS Servers . . . . . . . . . . . : 10.83.12.33
10.83.12.32
Primary WINS Server . . . . . . . : 10.83.12.40
Secondary WINS Server . . . . . . : 10.83.12.34
Lease Obtained. . . . . . . . . . : Wednesday, November 18, 2009 8:31:01 AM
Lease Expires . . . . . . . . . . : Thursday, November 26, 2009 8:31:01 AM
Ethernet adapter Local Area Connection 11:
Connection-specific DNS Suffix . : xxxxxx.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.24.40.224
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.24.6.35
172.24.8.35
Primary WINS Server . . . . . . . : 172.24.7.67
Secondary WINS Server . . . . . . : 172.24.6.35
posted by tdischino at 9:05 AM on November 18, 2009
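The check BrokenEnglish describes earlier in the thread (read the DNS servers out of `ipconfig /all` and see whether anything has repointed them) can be scripted. This is an added example, not code from any poster; the sample output is constructed in the shape of the output posted above, and the third adapter, its 203.0.113.53 resolver and the expected resolver ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample shaped like Windows XP `ipconfig /all` output. The first
# two adapters reuse the resolver addresses posted in the thread; the third
# adapter and its 203.0.113.53 resolver (a documentation address) are invented.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection 9:

        Connection-specific DNS Suffix  . : example.com
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.83.14.34
        DNS Servers . . . . . . . . . . . : 10.83.12.33
                                            10.83.12.32
        Primary WINS Server . . . . . . . : 10.83.12.40

Ethernet adapter Local Area Connection 11:

        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Dhcp Enabled. . . . . . . . . . . : No
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 172.24.6.35
                                            172.24.8.35

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Constructed Wireless Adapter
        Dhcp Enabled. . . . . . . . . . . : No
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            10.83.12.32
"""

# Assumption: the ranges the organisation's own resolvers live in.
EXPECTED_RESOLVER_NETS = ["10.83.12.0/22", "172.24.0.0/16"]

ADAPTER_RE = re.compile(r"^(\S.* adapter .+):\s*$")
# "Label . . . . : value"; the dot leader always ends in " :", which also
# keeps a bare IPv6 continuation line from being mistaken for a field.
FIELD_RE = re.compile(r"^\s*(\S.*?)[ .]* :\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {lower-cased label: [values]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            last_key = None
            continue
        if current is None:
            continue  # global section before the first adapter
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1).strip().lower()
            value = field.group(2).strip()
            current[last_key] = [value] if value else []
        elif last_key:
            # Continuation line: a further value for the previous label,
            # which is how second and third DNS servers are printed.
            current[last_key].append(line.strip())
    return adapters


def unexpected_dns(adapters, expected_nets):
    """List (adapter, resolver, dhcp_enabled) for resolvers outside expected_nets."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for name, fields in adapters.items():
        dhcp = "".join(fields.get("dhcp enabled", [])).lower() == "yes"
        for raw in fields.get("dns servers", []):
            try:
                addr = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                findings.append((name, raw, dhcp))
                continue
            if not any(addr in net for net in nets):
                findings.append((name, raw, dhcp))
    return findings


if __name__ == "__main__":
    for adapter, server, dhcp in unexpected_dns(parse_ipconfig(SAMPLE), EXPECTED_RESOLVER_NETS):
        print(f"{adapter}: resolver {server} not expected (DHCP enabled: {dhcp})")
```

A resolver outside the expected ranges on an adapter with DHCP disabled is the combination worth raising with IS, since nothing on the network handed that address out.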
I have no experience with the Cisco VPN, but OpenVPN has options to allow me to push (as the administrator) new DNS info to the clients when they connect. They get their old settings back when they disconnect. Looks like you have a similar thing.
Is your usual (non-VPN) ethernet connection still set to use DHCP to set itself up? I'm guessing that you would use something like this. Maybe the card you tried to install changed the ethernet settings to a static IP, which works at one location but not another?
Like I said, there's only so much I can tell remotely but your hunch about DNS seems to be right. If your IS people won't help, can you get to the ethernet adaptor settings to check out where the IP address, gateway and DNS servers are pulled from? (Control Panel -> Network Settings or something like that.)
posted by BrokenEnglish at 9:50 AM on November 18, 2009
Are you sure your VPN client isn't set up to do exactly this? Some of them have an option or preference specifically designed to force the host to route all network traffic via the VPN. This allows lazy sysadmins to avoid needing to maintain separate subnets for physically secure in-house work computers and VPN-connected remotes. If that's how your workplace is set up, corporate IT is not going to be happy to see what is effectively a workplace computer having Internet access that bypasses the corporate firewalls.
posted by flabdablet at 11:02 AM on November 19, 2009
@flab:
No, it isn't set up to do this (at least the IS guy said it wasn't supposed to).
Follow up: Still not resolved. The air card install that occurred around the time this started has been resolved by recreating my XP profile... something in my profile was causing that problem. However, the HTTP issue continues across all user profiles (local admin or not). Until the IS guy can get me a new lappy, I just run the VPN constantly.
posted by tdischino at 6:04 PM on December 18, 2009
OK, let's take it step by step. Could you issue the following command from home and from work, with VPN off and on (four trials altogether) and post the results:
nslookup google.com
I'd also be curious to see whether uninstalling (as opposed to merely disabling) Trend Micro antivirus makes any difference to these results.
posted by flabdablet at 2:33 AM on December 19, 2009
This thread is closed to new comments.
posted by flabdablet at 8:17 PM on November 17, 2009