Ethereal-users: [Ethereal-users] www.house.gov not reachable. NAT related? Sonicwall?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Johnson <jdj@xxxxxxx>
Date: Tue, 11 Nov 2003 13:20:22 -0500
This is one of the most unusual network problems I've ever run into. The ISP most likely won't be any help, so this is the only place I can turn to. I tried to document as best as possible. Thanks in advance for checking this out:
---------
I have a specific site (probably more than one, but only this one that I know about) which I generally cannot get to with a web browser from our network.
Destination Site:
     www.house.gov   143.231.86.196
Our Configuration:
     Router: Netopia 4652 DSL
     Firewall: SonicWall SOHO 3 firmware 6.5.0.4  ROM 6.2.0.0
     Network Switch: 3COM BaseLine 48PT (48-10/100 & 2-1GB)
Basic Firewall Config:
     DHCP & NAT Enabled (all client computers)
     One-to-one NAT Enabled for Server (provides different external IP mapped to static private IP)
Screenshots and Ethereal (tcpdump) captures are available for download at:
     http://209.190.254.37/packets/

Problem description/symptoms:
From a web browser, users often cannot get to http://www.house.gov (timeout) using Safari or Internet Explorer (or telnet to port 80). When this occurs, it occurs with either all clients behind NAT or the single computer (our server) behind one-to-one NAT. This is not intermittent; it will remain in an unreachable state until intervention.

I've had success resolving this temporarily for the client computers by changing the NAT (external) IP address (in the SonicWall). At first I thought the original address was blocked by www.house.gov, but then the problem came back a week later. I changed the NAT IP address again and it started working; I then immediately changed it back to the previously non-working IP and it still worked. To further test this, I attached a laptop between the router and firewall and tested HTTP connections to www.house.gov using all external IP addresses (all worked fine). When this problem occurs on the client computers (all behind a single NAT address), it does not necessarily affect our server, which is behind one-to-one NAT (and vice versa). For example, in its current state (today), our server (1-1 NAT) cannot access www.house.gov but all client computers which share a single external NAT address do have access.

Here's where it gets interesting....
I attached a laptop running Ethereal between the router and firewall. In the current state, all client computers sharing a single external NAT address are able to access http://www.house.gov. The single server behind 1-1 NAT (different external IP) cannot access www.house.gov. I captured a good connection from a client computer and I captured the failed connection.
The good connection looks exactly as you would expect.
**** The failed connection starts off with a normal packet to www.house.gov, but the reply packet is different. Ethereal decodes the reply packet as a 'continuation'. For the next 60 seconds (until timeout), the source and destination bounce back and forth between the identical original request and the continuation packet received from the web server. ****
Yesterday, the problem was the opposite: it affected all client computers, but not the 1-1 NAT.

There must be a logical answer, but I don't know what it is... More information:
- I've eliminated any DNS issues (although that theory is not supported by packet capture) and also eliminated the web browser by doing similar testing with identical results through Terminal using:
	telnet 143.231.86.196 80
- Somehow, it must be related to the SonicWall, since the problem has been corrected by resetting the NAT IP, and when I attach a laptop using the same NAT IP directly to the router it does work (unless it's ARP related?)
- I have performed a factory reset on the Sonicwall and restored all settings from scratch (not export/import). There are no advanced settings in the Sonicwall (static routes, VPN, etc) it's a simple config with just some 'allow' rules setup.
- I tried adjusting the MTU settings in the SonicWall to fragment at a lower threshold. This didn't help and shouldn't really be an issue, since I have the problem when telnetting to port 80 (should not exceed MTU)
- I have hard-set the speed of the WAN and LAN ports in the SonicWall
- I have rebooted the Netopia router.
- Maybe it's not related to the SonicWall, because when I look at a failed connection the outbound packet looks fine but the inbound packet from www.house.gov is what looks different (continuation). Maybe it's related to NAT.

You can download screenshots of the captures, or if you prefer you can download tcpdump files saved from Ethereal from this location:
http://209.190.254.37/packets/

I'm looking for any advice.
Maybe someone knows what would cause the 'continuation'?

Thanks
Jeff Johnson
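The pattern the post describes (a SYN to port 80 that is answered by a 'continuation', i.e. a TCP segment carrying mid-stream data rather than a SYN/ACK, with the client retransmitting the same SYN until it times out) can be checked mechanically rather than by eyeballing screenshots. Whatever the root cause on this network, an ACK with data in reply to a SYN means the responder already held connection state for that source/destination/port 4-tuple. The script below is an added example, not the poster's capture or any SonicWall/Ethereal code: it parses raw IPv4/TCP packets with the standard library and classifies how each client SYN was answered. The sample packets are constructed inline (the server address is the one from the post; the two client addresses are placeholders from the RFC 5737 documentation range standing in for the firewall's external NAT addresses), so it runs offline.

```python
"""Classify how each TCP SYN in a capture was answered.

Added example, not from the poster's capture: pure-stdlib parsing of raw
IPv4/TCP packets, with constructed sample packets that reproduce the pattern
described in the post (SYN answered by a data-bearing ACK, which Ethereal's
HTTP dissector labels 'Continuation', instead of a SYN/ACK).
"""
import struct
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload), or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6:                      # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def classify_syns(packets):
    """For each client SYN, classify the first packet the peer sent back.

    Returns {(client_ip, client_port): (syn_count, verdict)} where verdict is
    'ok' (SYN/ACK), 'rst', 'stale-state' or 'stale-state (data)' (a plain ACK:
    the responder already held a connection for this 4-tuple), or 'no-reply'.
    """
    flows = defaultdict(list)
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p:
            src, dst, sport, dport = p[:4]
            flows[tuple(sorted([(src, sport), (dst, dport)]))].append(p)

    out = {}
    for flow in flows.values():
        syns = [p for p in flow if p[4] & SYN and not p[4] & ACK]
        if not syns:
            continue                     # no handshake attempt in this capture
        src, dst, sport, dport = syns[0][:4]
        replies = [p for p in flow if p[0] == dst and p[3] == sport]
        if not replies:
            verdict = "no-reply"
        else:
            flags, payload = replies[0][4], replies[0][5]
            if flags & SYN and flags & ACK:
                verdict = "ok"
            elif flags & RST:
                verdict = "rst"
            else:
                verdict = "stale-state" + (" (data)" if payload else "")
        out[(src, sport)] = (len(syns), verdict)
    return out


def build(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Minimal IPv4/TCP packet builder for the constructed sample (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample (hypothetical). Client addresses are RFC 5737 placeholders
# standing in for the firewall's external NAT addresses; the server address is
# the one from the post.
SERVER = "143.231.86.196"
GOOD, BAD = "198.51.100.10", "198.51.100.11"
SAMPLE = [
    # healthy handshake from the shared-NAT address
    build(GOOD, SERVER, 40001, 80, SYN, seq=1000),
    build(SERVER, GOOD, 80, 40001, SYN | ACK, seq=5000, ack=1001),
    build(GOOD, SERVER, 40001, 80, ACK, seq=1001, ack=5001),
]
# failing flow from the 1-1 NAT address: every SYN is answered by an ACK that
# carries mid-stream data, and the client just retransmits the same SYN
for _ in range(3):
    SAMPLE.append(build(BAD, SERVER, 40002, 80, SYN, seq=2000))
    SAMPLE.append(build(SERVER, BAD, 80, 40002, PSH | ACK, b"</html>\r\n", seq=9000, ack=777))


def analyze_sample():
    return classify_syns(SAMPLE)


if __name__ == "__main__":
    for (ip, port), (n, verdict) in analyze_sample().items():
        print(f"{ip}:{port} -> {SERVER}:80  syns={n}  reply={verdict}")
```

To run it over a real tcpdump file, feed `classify_syns` the IPv4 packets from a pcap reader (strip the 14-byte Ethernet header first); a flow reported as 'stale-state (data)' is the capture-level signature of the symptom described above, and the source port it reports is the one to look for in the firewall's NAT table and in earlier traffic from the same external address.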