List: sidewinder
Subject: RE: [Sidewinder] web access problem
From: sidewinder () adeptech ! com
Date: 2005-02-03 19:51:20
Message-ID: 4.2.0.58.20050203093408.017d5148 () mailsd1 ! spawar ! navy ! mil
All three sites are in the .mil domain. Also, I tried disabling
application defense but w/ no luck. I even tried disabling the built-in
HTTPS and created my own port 443 plug and still no luck.

Here's something interesting... when I set up a Linux box on the
outside I was unable to access the site. I was seeing the same thing in
tcpdump... lots of fragmented packets w/ missing 2nd 12-byte fragments.
When I set the MTU from 1500 to 1000, I was able to surf the site.
Setting the MTU to 1000 got rid of fragmentation. Somewhere along the
path, someone is dropping fragmented packets. Pinging the site with a
large packet like "ping -l 1480 207.133.6.46" will result in
fragmentation and ping will be unsuccessful (this was done outside the
fw). "ping -l 1460 207.133.6.46" was successful.

Maybe we're having a PMTUD problem, but I'm allowing ICMP inbound to our
test site.
r, jimmy
At 12:53 AM 2/3/2005 +0000, you wrote:
>I was able to gain access, but I'm part of a .mil domain. The site requires
>CAC authentication for full access, although it states that limited access
>will be granted to non-CAC users. Normally the .mil domain is restricted to
>.mil/.gov registered IP addresses...SCC may have access because of their
>ties to the military...
>
>Jack
>
>Jack Jones
>56ACOMS/SCON
>Systems Engineer - SAIC
>
>
>-----Original Message-----
>From: sidewinder-bounces@adeptech.com
>[mailto:sidewinder-bounces@adeptech.com] On Behalf Of
>sidewinder@adeptech.com
>Sent: Wednesday, February 02, 2005 12:00 PM
>To: sidewinder@adeptech.com
>Subject: RE: [Sidewinder] web access problem
>
>
>Interesting.
>I'm having strange problems through my firewall too, going to the site:
>http://www.nan.usace.army.mil/
>
>It appears that for every GET request packet getting sent, they are
>returning 3 or 4 duplicate ACKs back to the proxy. This is sometimes
>allowing the page to get through, sometimes not.
>
>The .mil domain makes me wonder if there are some similarities. Any ideas?
>
>-----Original Message-----
>From: sidewinder-bounces@adeptech.com
>[mailto:sidewinder-bounces@adeptech.com] On Behalf Of
>sidewinder@adeptech.com
>Sent: Wednesday, February 02, 2005 3:41 PM
>To: sidewinder@adeptech.com
>Subject: [Sidewinder] web access problem
>
>Is anyone having a problem accessing the below website? Secure Computing
>said they're able to hit the website from behind their firewall, but three
>of our sites behind different G2 firewalls can't access it. Below are
>tcpdumps from my capture and Secure Computing's capture. The 2nd half of
>the fragmented packets is not getting back to our firewall. Just wondering
>if anyone is seeing the same thing. I wrote to the webmaster but haven't
>gotten any feedback.
>
>r, jimmy
>
>
>https://mzd.mech.disa.mil
>
>
>My dump:
>
>04:24:15.649272 mzd.mech.disa.mil.https > test.mil.32100: . 147:1595(1448)
>ack 552 win 35702 <nop,nop,timestamp 912342764 3866> (frag 24695:1480@0+)
>
>04:24:15.650145 mzd.mech.disa.mil.https > test.mil.32100: . 1607:3055(1448)
>ack 552 win 35702 <nop,nop,timestamp 912342766 3866> (frag 24696:1480@0+)
>
>04:24:15.650770 mzd.mech.disa.mil.https > test.mil.32100: . 3067:4515(1448)
>ack 552 win 35702 <nop,nop,timestamp 912342767 3866> (frag 24697:1480@0+)
>
>04:24:15.651270 mzd.mech.disa.mil.https > test.mil.32100: . 4527:5975(1448)
>ack 552 win 35702 <nop,nop,timestamp 912342767 3866> (frag 24698:1480@0+)
>
>04:24:15.651272 mzd.mech.disa.mil > test.mil: (frag 24698:12@1480)
>
>The 12 byte fragment is missing for the first three, which means that they
>are not getting to the firewall.
>
>
>Secure Computing dump:
>
>13:51:21.783252 207.133.6.46.443 > 216.250.182.121.32478: . 1:1449(1448)
>ack 390 win 42734 <nop,nop,timestamp 735418699 208893> (frag 33239:1480@0+)
>
>13:51:21.783255 207.133.6.46 > 216.250.182.121: (frag 33239:12@1480)
>
>13:51:21.793009 207.133.6.46.443 > 216.250.182.121.32478: . 1461:2909(1448)
>ack 390 win 42734 <nop,nop,timestamp 735418701 208893> (frag 33240:1480@0+)
>
>13:51:21.793012 207.133.6.46 > 216.250.182.121: (frag 33240:12@1480)
>
>It goes 1480 byte fragment, then 12 byte fragment.
>_______________________________________________
>Sidewinder mailing list
>Sidewinder@adeptech.com http://mail.adeptech.com/mailman/listinfo/sidewinder
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
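
Added example (not part of the original thread): a small Python parser for the tcpdump fragment notation shown in the two dumps above, which flags datagrams whose trailing fragment never arrived. The capture lines are the ones quoted in the thread with the mail line-wraps joined; the function names are made up for this example, and grouping by IP ID alone is a simplification.

```python
import re
from collections import defaultdict

# tcpdump prints each IPv4 fragment as (frag ID:LENGTH@OFFSET) and appends
# '+' while the More Fragments (MF) bit is set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def fragment_status(lines):
    """Return {ip_id: (complete, bytes_covered, total_or_None)}."""
    frags = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            ip_id, length, offset = (int(g) for g in m.group(1, 2, 3))
            # Simplification: real reassembly keys on (src, dst, proto, id).
            frags[ip_id].append((offset, length, m.group(4) == "+"))
    status = {}
    for ip_id, parts in frags.items():
        parts.sort()
        # Only the last fragment (MF clear) reveals the full payload size.
        total = next((o + n for o, n, mf in parts if not mf), None)
        covered = 0
        for offset, length, _ in parts:
            if offset > covered:
                break  # hole: an intermediate fragment is missing
            covered = max(covered, offset + length)
        status[ip_id] = (total is not None and covered >= total, covered, total)
    return status

def missing_tails(lines):
    """IP IDs whose datagram could not be reassembled from the capture."""
    return sorted(i for i, (ok, _, _) in fragment_status(lines).items() if not ok)

# Lines from the two captures quoted in the thread (wraps joined).
MY_DUMP = [
    "04:24:15.649272 mzd.mech.disa.mil.https > test.mil.32100: . 147:1595(1448) ack 552 win 35702 <nop,nop,timestamp 912342764 3866> (frag 24695:1480@0+)",
    "04:24:15.650145 mzd.mech.disa.mil.https > test.mil.32100: . 1607:3055(1448) ack 552 win 35702 <nop,nop,timestamp 912342766 3866> (frag 24696:1480@0+)",
    "04:24:15.650770 mzd.mech.disa.mil.https > test.mil.32100: . 3067:4515(1448) ack 552 win 35702 <nop,nop,timestamp 912342767 3866> (frag 24697:1480@0+)",
    "04:24:15.651270 mzd.mech.disa.mil.https > test.mil.32100: . 4527:5975(1448) ack 552 win 35702 <nop,nop,timestamp 912342767 3866> (frag 24698:1480@0+)",
    "04:24:15.651272 mzd.mech.disa.mil > test.mil: (frag 24698:12@1480)",
]
SC_DUMP = [
    "13:51:21.783252 207.133.6.46.443 > 216.250.182.121.32478: . 1:1449(1448) ack 390 win 42734 <nop,nop,timestamp 735418699 208893> (frag 33239:1480@0+)",
    "13:51:21.783255 207.133.6.46 > 216.250.182.121: (frag 33239:12@1480)",
    "13:51:21.793009 207.133.6.46.443 > 216.250.182.121.32478: . 1461:2909(1448) ack 390 win 42734 <nop,nop,timestamp 735418701 208893> (frag 33240:1480@0+)",
    "13:51:21.793012 207.133.6.46 > 216.250.182.121: (frag 33240:12@1480)",
]

if __name__ == "__main__":
    print("my dump, incomplete IP IDs:", missing_tails(MY_DUMP))
    print("Secure Computing dump, incomplete IP IDs:", missing_tails(SC_DUMP))
```

A datagram that is never completed stalls the TCP stream at that segment until the sender retransmits, so a list of incomplete IP IDs on one capture and an empty list on the other points at fragment loss on the path rather than at the server.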