LDS.org not working inside firewall

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
rickk
Member
Posts: 125
Joined: Fri Aug 19, 2011 10:13 am
Location: Ridgefield, WA, USA

Re: LDS.org not working inside firewall

Postby rickk » Tue Jan 20, 2015 10:57 am

It is interesting that foxnews and www.lds.org both go to the same comcast server (they are both akamai), but the foxnews route completes and lds.org stalls...

Rick

yarrgh
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: LDS.org not working inside firewall

Postby yarrgh » Tue Jan 20, 2015 3:27 pm

rickk wrote:
Tracing route to e5298.g.akamaiedge.net [23.203.225.116]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.108.1
2 * * * Request timed out.
3 7 ms 9 ms 9 ms xe-0-2-3-0-sur03.vancouver.wa.bverton.comcast.net [68.85.150.33]

...

9 28 ms 27 ms 27 ms 50-248-117-126-static.hfc.comcastbusiness.net [50.248.117.126]
10 * * * Request timed out.

...

30 * * * Request timed out.


Sounds like the request stops at one of comcast's servers/routers (50-248-117-126-static.hfc.comcastbusiness.net [50.248.117.126]). For some reason it never finishes being routed to lds.org from that server/router like it should. That trace route should be enough to call comcast to tell them that the request stops/gets stuck there and doesn't actually reach lds.org's server. This may be above the level 1 support at comcast and will have to be escalated to a higher level.

rickk
Member
Posts: 125
Joined: Fri Aug 19, 2011 10:13 am
Location: Ridgefield, WA, USA

Re: LDS.org not working inside firewall

Postby rickk » Tue Jan 20, 2015 3:55 pm

There still must be some interaction between something on the firewall and comcast. Since we have one building that works fine and another that doesn't (both with the same firewall and both using comcast), it isn't as simple as all requests to comcast getting lost. I am still in the camp with russelhltn that this is a combination of multiple things and not just comcast failing to route requests to www.lds.org. Otherwise all buildings with comcast would fail the same and requests outside of the firewall should also fail. I will try to run to both of our comcast buildings this evening and get tracert info inside and outside the firewall.

Rick

yarrgh
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: LDS.org not working inside firewall

Postby yarrgh » Tue Jan 20, 2015 4:40 pm

Try running a trace route from the building that is working with comcast. Chances are the trace route may be going through different routers and end up getting to the destination (lds.org). For some reason that site is not routing the way it should and it gets stuck on one of their routers (or along the next hop).

It may be a combination between the firewall and the router, but I don't think so. The fact is that the traffic is handed off from the firewall to Comcast, and the firewall cannot control which routers Comcast sends the traffic to. All the firewall does is hand the computer the DNS server address it uses to look up domains.

I think it is more likely a problem with the DNS servers and Comcast together. When your computer tries looking up lds.org, your computer sends the request for 8.34.34.92 to the firewall, which checks to make sure the look up is done using an approved church DNS server. If it is, it forwards the request to the modem, etc.

The firewall has very little to do with the actual look-up and sending traffic to lds.org. The firewall mostly filters based on incoming traffic. If it isn't a blocked port and doesn't violate a rule, and as long as a computer behind it initiated the communication, it allows it past. If your firewall has been upgraded, the 192.168.108.32-254 IP addresses do not get routed through the VPN. This eliminates any suspicion that the VPN has anything to do with the bad routing as well.

Based on this knowledge, this is why I believe it to be on Comcast's end or a combination between Comcast and the DNS servers. To be more specific, between Akamai and Comcast. The reason I say this is because if you put lds.org's IP address in the computer's hosts file (216.49.176.33), suddenly your computer can get to lds.org without any issues. The reason this works is because this bypasses the DNS server (which resolves to Akamai); your computer already knows the direct IP address to lds.org and it connects directly to it. This is a workaround and not a fix. This will only allow the computer you did it on to get to lds.org. This is not recommended because if the IP address to lds.org ever changed, you could no longer get to it.

With everything I've said, I remain firm that the issue lies somewhere between Akamai and Comcast. Something about the way it gets routed fails along the way for some buildings with Comcast. Each connection to Comcast does not get routed the same way. Some buildings may route fine while others get routed a different way where it may be failing.
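The hosts-file experiment in the post above (CDN name fails, direct origin address works) can be run as a probe without editing the hosts file at all. The script below is an added example, not code from the thread or from the Church's network team: it resolves the name through the system resolver, attempts a TCP handshake on port 443 to each resolved address, then does the same against a fixed origin address. 216.49.176.33 is simply the address the post cites; the script does not assume it is still correct and takes the name and origin address as arguments. A successful TCP connect only proves the path carries packets, not that the origin will serve the site directly (the certificate or virtual host may not match), which is the same reason the hosts-file trick is a workaround rather than a fix.

```python
"""Is the CDN edge unreachable while the origin address still answers?

Added example, not from the thread. Reproduces the comparison the post above
makes with a hosts-file entry, without editing anything: resolve the name, try
TCP/443 to each resolved address, then try TCP/443 to a fixed origin address.
The default origin address is only the one the post cites (an assumption).
"""
import socket
import sys
from typing import Dict, List

Result = Dict[str, Dict[str, bool]]


def resolve_ipv4(name: str) -> List[str]:
    """Addresses the system resolver (including any hosts-file entry) returns."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP handshake only: proves the path forwards packets, not that HTTPS works."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(name: str, origin_ip: str) -> Result:
    """Connectivity table for every resolved (CDN) address and for the origin."""
    return {
        'edges': {ip: tcp_reachable(ip) for ip in resolve_ipv4(name)},
        'origin': {origin_ip: tcp_reachable(origin_ip)},
    }


def interpret(result: Result) -> str:
    """The verdict the thread reaches by hand, derived from the probe table."""
    edge_ok = any(result['edges'].values())
    origin_ok = any(result['origin'].values())
    if edge_ok and origin_ok:
        return 'both reachable: no path problem from this host right now'
    if origin_ok:
        return ('edge unreachable, origin reachable: the path to the CDN edge is '
                'broken from here; this is why a hosts-file override appears to work')
    if edge_ok:
        return 'edge reachable, origin unreachable: site is fine via CDN; origin may refuse direct connections'
    return 'nothing reachable: local connectivity or firewall problem, not a CDN routing issue'


if __name__ == '__main__':
    # usage: python probe.py www.lds.org 216.49.176.33   (origin address is an assumption)
    name = sys.argv[1] if len(sys.argv) > 1 else 'www.lds.org'
    origin = sys.argv[2] if len(sys.argv) > 2 else '216.49.176.33'
    table = probe(name, origin)
    for kind, rows in table.items():
        for ip, ok in rows.items():
            print(f'{kind:7} {ip:16} {"open" if ok else "no reply"}')
    print(interpret(table))
```

Run it from a machine behind the meetinghouse firewall and from one outside it at the same moment, as rickk proposes; a verdict that differs between the two is the evidence to bring to the carrier.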

rickk
Member
Posts: 125
Joined: Fri Aug 19, 2011 10:13 am
Location: Ridgefield, WA, USA

Re: LDS.org not working inside firewall

Postby rickk » Wed Jan 21, 2015 12:17 pm

Today www.lds.org is working again. Trace route is not staying on comcast from seattle but is routing on another network. I ran the same trace on foxnews and it is going along the comcast network to San Jose. So it definitely seems like the San Jose comcast server is part of the problem. I was not able to run the buildings yesterday and compare inside and outside the firewall. That seems like it will be critical info to see the routes when the problem is happening inside the firewall but not outside.

Tracing route to e5298.g.akamaiedge.net [23.40.197.9]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.108.1
2 * * * Request timed out.
3 16 ms 9 ms 9 ms xe-0-2-3-0-sur03.vancouver.wa.bverton.comcast.net [68.85.150.33]
4 11 ms 13 ms 8 ms ae-2-0-sur04.vancouver.wa.bverton.comcast.net [68.87.222.166]
5 10 ms 9 ms 9 ms ae-51-0-ar03.troutdale.or.bverton.comcast.net [68.87.222.161]
6 14 ms 13 ms 16 ms he-2-3-0-0-11-cr01.seattle.wa.ibone.comcast.net [68.86.95.17]
7 12 ms 13 ms 13 ms he-0-11-0-0-pe04.seattle.wa.ibone.comcast.net [68.86.86.138]
8 12 ms 13 ms 13 ms ae-19.r04.sttlwa01.us.bb.gin.ntt.net [129.250.66.57]
9 13 ms 19 ms 17 ms ae-6.r21.sttlwa01.us.bb.gin.ntt.net [129.250.5.44]
10 14 ms 13 ms 13 ms ae-0.r20.sttlwa01.us.bb.gin.ntt.net [129.250.2.53]
11 122 ms 36 ms 31 ms ae-3.r21.snjsca04.us.bb.gin.ntt.net [129.250.3.124]
12 30 ms 28 ms 30 ms ae-2.r01.snjsca04.us.bb.gin.ntt.net [129.250.4.153]
13 27 ms 28 ms 29 ms a23-40-197-9.deploy.static.akamaitechnologies.com [23.40.197.9]

Trace complete.
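The two traces in this thread (the one that went silent after the Comcast Business hop and the one above that completed via NTT) are exactly the pair a carrier ticket needs. The script below is an added example, not code from the thread: it parses Windows tracert text, reports the last router that answered on a trace that never completed, finds the first hop at which a working and a failing path differ, and lists the carrier domains each path crossed. The sample strings are constructed from the hop lines quoted in the posts; hops the failing post elided with "..." are left out, not guessed. A hop that reports "Request timed out." is not necessarily the culprit: the silence means the device after the last responder stopped forwarding or answering probes, so the last responder is where to start the conversation with the carrier.

```python
"""Parse Windows tracert output: where a failing path stalls, where a working one diverges.

Added example, not from the thread. Sample strings are constructed from the hop
lines quoted in the posts above; elided hops are omitted, not guessed. Pure text
analysis: nothing here touches the network.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HOP_RE = re.compile(r'^\s*(?P<num>\d+)\s+(?P<rtts>(?:(?:<?\d+\s+ms|\*)\s+){3})(?P<rest>.*?)\s*$')
RTT_RE = re.compile(r'<?\d+\s+ms|\*')
TARGET_RE = re.compile(r'^Tracing route to \S+ \[(?P<ip>[\d.]+)\]')
ENDPOINT_RE = re.compile(r'^(?:(?P<host>\S+)\s+)?\[(?P<ip>[\d.]+)\]$|^(?P<bare>[\d.]+)$')

# Failing trace as quoted by yarrgh (that post elides hops 4-8 and 11-29).
FAILING_TRACERT = """\
Tracing route to e5298.g.akamaiedge.net [23.203.225.116]
  1    <1 ms    <1 ms    <1 ms  192.168.108.1
  2     *        *        *     Request timed out.
  3     7 ms     9 ms     9 ms  xe-0-2-3-0-sur03.vancouver.wa.bverton.comcast.net [68.85.150.33]
  9    28 ms    27 ms    27 ms  50-248-117-126-static.hfc.comcastbusiness.net [50.248.117.126]
 10     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
"""
# Working trace rickk posted the next day; it completes via NTT.
WORKING_TRACERT = """\
Tracing route to e5298.g.akamaiedge.net [23.40.197.9]
  1    <1 ms    <1 ms    <1 ms  192.168.108.1
  2     *        *        *     Request timed out.
  3    16 ms     9 ms     9 ms  xe-0-2-3-0-sur03.vancouver.wa.bverton.comcast.net [68.85.150.33]
  4    11 ms    13 ms     8 ms  ae-2-0-sur04.vancouver.wa.bverton.comcast.net [68.87.222.166]
  5    10 ms     9 ms     9 ms  ae-51-0-ar03.troutdale.or.bverton.comcast.net [68.87.222.161]
  6    14 ms    13 ms    16 ms  he-2-3-0-0-11-cr01.seattle.wa.ibone.comcast.net [68.86.95.17]
  7    12 ms    13 ms    13 ms  he-0-11-0-0-pe04.seattle.wa.ibone.comcast.net [68.86.86.138]
  8    12 ms    13 ms    13 ms  ae-19.r04.sttlwa01.us.bb.gin.ntt.net [129.250.66.57]
  9    13 ms    19 ms    17 ms  ae-6.r21.sttlwa01.us.bb.gin.ntt.net [129.250.5.44]
 10    14 ms    13 ms    13 ms  ae-0.r20.sttlwa01.us.bb.gin.ntt.net [129.250.2.53]
 11   122 ms    36 ms    31 ms  ae-3.r21.snjsca04.us.bb.gin.ntt.net [129.250.3.124]
 12    30 ms    28 ms    30 ms  ae-2.r01.snjsca04.us.bb.gin.ntt.net [129.250.4.153]
 13    27 ms    28 ms    29 ms  a23-40-197-9.deploy.static.akamaitechnologies.com [23.40.197.9]
Trace complete.
"""


@dataclass
class Hop:
    num: int
    rtts: List[Optional[float]]  # None where tracert printed '*'; '<1 ms' is stored as 0.0
    host: Optional[str]          # reverse-DNS name, when tracert printed one
    ip: Optional[str]            # None when all three probes timed out


@dataclass
class Trace:
    target_ip: Optional[str]
    hops: List[Hop]


def parse_tracert(text: str) -> Trace:
    target_ip, hops = None, []
    for line in text.splitlines():
        t = TARGET_RE.match(line.strip())
        if t:
            target_ip = t['ip']
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # "over a maximum of ...", blank lines, "Trace complete."
        rtts = [None if r == '*' else (0.0 if r.startswith('<') else float(r.split()[0]))
                for r in RTT_RE.findall(m['rtts'])]
        e = ENDPOINT_RE.match(m['rest'])  # None for "Request timed out."
        hops.append(Hop(int(m['num']), rtts, e['host'] if e else None,
                        (e['ip'] or e['bare']) if e else None))
    return Trace(target_ip, hops)


def stall_hop(trace: Trace) -> Optional[Hop]:
    """Last router that answered on a trace that never reached its target.
    Silence from hop N+1 on means the device after hop N dropped or deprioritised
    the probes; hop N is where to open the carrier ticket, not proof it is at fault."""
    if trace.hops and trace.hops[-1].ip == trace.target_ip:
        return None  # completed: the final hop answered from the target itself
    return next((h for h in reversed(trace.hops) if h.ip), None)


def divergence_hop(good: Trace, bad: Trace) -> Optional[int]:
    """First hop number, answering in both traces, whose address differs."""
    good_by_num = {h.num: h for h in good.hops}
    for hop in bad.hops:
        other = good_by_num.get(hop.num)
        if other and hop.ip and other.ip and hop.ip != other.ip:
            return hop.num
    return None


def networks(trace: Trace) -> List[str]:
    """Carrier domains (last two labels of each router name) in path order."""
    out: List[str] = []
    for hop in trace.hops:
        if hop.host:
            domain = '.'.join(hop.host.split('.')[-2:])
            if not out or out[-1] != domain:
                out.append(domain)
    return out
```

On the two traces from this thread, `stall_hop` names hop 9 (50.248.117.126, the Comcast Business router) for the failing run and nothing for the working one, `divergence_hop` also lands on hop 9 (the only hop beyond 3 present in both, since the failing post elided the rest), and `networks` shows the working path leaving comcast.net for ntt.net before reaching akamaitechnologies.com, which is the "routing on another network" observation in the post above made explicit. Paste a tracert taken inside the firewall and one taken outside into the two constants to compare a single building both ways.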

yarrgh
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: LDS.org not working inside firewall

Postby yarrgh » Wed Jan 21, 2015 3:03 pm

That is good to hear. Sounds like this could be an intermittent issue as long as that route through San Jose continues to be a problem. There isn't a lot we can do until the issue comes back. If and when it does, and you can get a trace route to prove it, contact Comcast so that they can look into that route and fix it so doesn't continue to happen.

Biggles
Senior Member
Posts: 1189
Joined: Tue May 27, 2008 4:14 am
Location: Watford, England

Re: LDS.org not working inside firewall

Postby Biggles » Mon Jan 26, 2015 5:07 am

I experienced the problem of not being able to connect to lds.org this last Sunday. First time this has occurred, for me.

A few observations, as I wasn't in a position to do in-depth analysis. Bookmarks for direct access to various tools worked correctly. Using TM, I noticed that the Firewall (red triangle on List View) hadn't been communicating for several hours, so I did a remote restart. TM communication resumed OK, but I was still unable to access lds.org directly. I was using the latest version of Chrome. We are using the multi-zone upgrade to the Firewall recently released, on a Cisco 881W, with wireless access enabled. The Clerk computer is connected, via LAN, to the Firewall.

This Sunday was also our Ward conference and there was a slightly higher number of people attending, but nothing out of the ordinary.

I will check this out Tuesday evening, to see if the situation still exists!

rickk
Member
Posts: 125
Joined: Fri Aug 19, 2011 10:13 am
Location: Ridgefield, WA, USA

Re: LDS.org not working inside firewall

Postby rickk » Mon Jan 26, 2015 9:49 am

Biggles - since it says you are in the UK, I presume that means you do not have Comcast for your internet provider? If not, that seems to break the pattern that yarrgh was noting.

Things were working fine for us on Sunday, but the route was different than the one that was stalling. We were going through New York this time. Many of the sites that are not served by akamai (like tech.lds.org and tm.lds.org) continue to work for us even when www.lds.org does not. Thus it isn't surprising that many of those bookmarks still worked.

Biggles
Senior Member
Posts: 1189
Joined: Tue May 27, 2008 4:14 am
Location: Watford, England

Re: LDS.org not working inside firewall

Postby Biggles » Wed Jan 28, 2015 4:58 am

Follow up to my previous post. In the meetinghouse www.lds.org was working normally last night, for me. Possibly one of those Church overload scenarios, on a Sunday. I was trying to access the site around 14:00 UTC time. Which I think equates to around 07:00 (Salt Lake) 09:00 (New York) time. But then maybe not. :confused:

craiggsmith
Senior Member
Posts: 766
Joined: Sun Sep 12, 2010 2:14 pm
Location: South Jordan, Utah

Re: LDS.org not working inside firewall

Postby craiggsmith » Sun Feb 22, 2015 9:43 am

Any resolution or progress on this issue? We've started experiencing it from one of our buildings, and it does use Comcast. But we have another that uses Comcast as well and it hasn't had a problem. The only difference is the one that doesn't have a problem has an older firewall and the one that does has a newer one without the external antennas. But I also experienced it from home today, and I have Comcast, but eventually it started working. I'll try these traces.

It seems that it would be much better if someone from Church HQ that has networking expertise contacted Comcast rather than one of us.
Craig
STS
South Jordan, UT
