calling all experts

blemoine

Senior member
Jul 20, 2005
312
0
0
here is the problem. i work for a small bank. our website is hosted by hostcentric. everyone can get to it with no problem except for our customers who use Startelco. startelco is a small isp. they buy service from a company called Z-Corum. startelco is claiming that we are blocking their customers from accessing our site. weird thing is they can ping the website with no problem and run a trace route and reach the site with no problem. when you try to use the web browser it times out.

this is also weird. when they come out to install DSL they download a program to change the MTU size from 1500 to 1492. without this change you can't access sites like yahoo.com

any ideas on what the problem could be???????????
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
2
0
I bet if you posted the actual website we might be able to find out something. With the info you gave everything is just conjecture.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,487
391
126
:shocked:MTU=1492 for DSL is the correct setting.

However, I would Not discuss Bank Connection for customers, or any info pertaining to Banking on a Public Forum.

:sun:
 

blemoine

Senior member
Jul 20, 2005
312
0
0
jackmds: i do understand about not discussing bank connections. the homepage is hosted across the country and there is no customer data on this site. the actual internet banking site (that we link to) is hosted by someone else in a different state and it is not a problem.

the question i am really asking is how is it possible that they can resolve the site with dns, ping the site, and run a trace route with no problem but not be able to connect to the site with a web browser.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
2
0
Originally posted by: blemoine
jackmds: i do understand about not discussing bank connections. the homepage is hosted across the country and there is no customer data on this site. the actual internet banking site (that we link to) is hosted by someone else in a different state and it is not a problem.

the question i am really asking is how is it possible that they can resolve the site with dns, ping the site, and run a trace route with no problem but not be able to connect to the site with a web browser.

I understand what Jack is saying, but unless we know the actual site it's hard to check things out. go to www.dnsstuff.com and poke the site in there, see if any red flags come up.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
could possibly be DNS or DNS poisoning. Make sure their customers are resolving to the correct IP.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
2
0
Originally posted by: blemoine
they are resolving to the correct ip.

what is dns poisoning?

dns poisoning is when someone maliciously changes DNS records for some reason, usually phishing or other data collection/identity theft type things

here is a good link explaining it, and being a small ISP they are probably quite vulnerable to such a thing
 

blemoine

Senior member
Jul 20, 2005
312
0
0
they are resolving the correct ip address for the site. they can ping the site. they can run a trace route all the way to the site. they just can't browse the site using a web browser. they said that a month ago they had a similar problem and then it just went away. now the problem is back to stay.

i think someone (startelco or Z-Corum) has a misconfigured router. does that sound like a likely answer?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
possibly. Normally though if you can traceroute to the site layer3 is good.

move up a layer.

telnet www.site.com 80

type GET and hit return.

should get a response from the web server. If you get a connection refused then an ACL is blocking it, if you get a time out then probably an ACL or firewall somewhere dropping the packet and not sending a TCP FIN back to the source. Could also do a trace on the webserver end and filter on their IP sources to see what is going on. Really that is the best way to resolve it, otherwise you're just guessing. A trace on both sides.
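
An added example, not part of the post above: the telnet-and-GET test as a script a customer on the affected ISP could run. It goes beyond the post by reporting a timeout during connect separately from a timeout while waiting for the reply; the function name, stage labels and default timeout are assumptions made for this illustration.

```python
import socket
import sys


def probe_http(host, port=80, timeout=5.0):
    """Open a TCP connection, send a bare GET, and report how far it got.

    Returns (stage, detail). Stage labels are names chosen for this example.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The connection attempt was actively rejected.
        return ("refused", "connection refused")
    except socket.timeout:
        # No answer to the connection attempt at all.
        return ("connect_timeout", "no answer to the connection attempt")
    except OSError as exc:
        return ("error", str(exc))

    with sock:
        sock.settimeout(timeout)
        try:
            request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
            sock.sendall(request)
            data = sock.recv(4096)
        except socket.timeout:
            # Handshake completed, request sent, but nothing came back.
            return ("read_timeout", "connected, but no reply arrived")
        except OSError as exc:
            return ("error", str(exc))

    if not data:
        return ("closed", "server closed the connection without replying")
    # First line of the reply, e.g. "HTTP/1.0 200 OK"
    return ("response", data.split(b"\r\n", 1)[0].decode("latin-1"))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe_http(sys.argv[1], port))
```

Run from both a working network and the affected one, the two results can be compared alongside the traces from each side.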
 

Payton

Member
Oct 9, 1999
161
0
0
It sounds like a DNS issue really... talk to their ISP and see if they can see your site
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Payton
It sounds like a DNS issue really... talk to their ISP and see if they can see your site

no, it's not DNS, read the thread. Spidey (as usual) is hitting the next step in troubleshooting on the head, move up the stack one more layer.

I would also poke around in the logs for their IPs. Tailing the error_log and access_log and piping it through grep for their public IPs, while having someone access the page could prove useful (are you getting an error, are you getting an access request). The telnet and sniffer are also good ideas.
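
An added example, not part of the post above: the same log check done by network range instead of a grep on single addresses, since an ISP's customers arrive from a whole block. The log lines are constructed, 203.0.113.0/24 is a documentation range standing in for the ISP's block, and the function names are assumptions; the access_log is assumed to be in Common Log Format.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: client ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\d+|-)')

# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '198.51.100.7 - - [12/Sep/2005:10:01:02 -0500] "GET / HTTP/1.1" 200 5120',
    '203.0.113.25 - - [12/Sep/2005:10:01:09 -0500] "GET / HTTP/1.1" 200 5120',
    '203.0.113.25 - - [12/Sep/2005:10:01:40 -0500] "GET / HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Sep/2005:10:02:11 -0500] "GET /x.html HTTP/1.1" 404 312',
]


def requests_from(lines, networks):
    """Return (client, request, status, bytes) for clients inside `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access_log entry in the expected format
        try:
            client = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # server logged a hostname instead of an address
        if any(client in net for net in nets):
            size = 0 if m.group(4) == "-" else int(m.group(4))
            hits.append((str(client), m.group(2), int(m.group(3)), size))
    return hits


def summarize(hits):
    """Count matching requests per HTTP status code."""
    return Counter(status for _, _, status, _ in hits)


if __name__ == "__main__":
    hits = requests_from(SAMPLE, ["203.0.113.0/24"])
    # Entries present: their requests reach the web server.
    # No entries while someone is trying: nothing arrives at the server.
    print(len(hits), dict(summarize(hits)))
```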
 

ArchAngel777

Diamond Member
Dec 24, 2000
5,223
61
91
Originally posted by: Payton
It sounds like a DNS issue really... talk to their ISP and see if they can see your site

YAWN... Sadly, people spout this off whenever they don't know the answer to your question. DNS issues are sorely overrated. He mentioned several times that he was able to resolve the correct ip address, thus, DNS isn't the problem.

I would probably point the finger at a firewall blocking a certain IP range for a certain port. But without being there, that is a shot in the dark.
 

ArchAngel777

Diamond Member
Dec 24, 2000
5,223
61
91
Originally posted by: blemoine

this is also weird. when they come out to install DSL they download a program to change the MTU size from 1500 to 1492. without this change you can't access sites like yahoo.com

any ideas on what the problem could be???????????

That can be done either through the registry or Dr. TCP. You know, this could be the problem depending on how your bank is set up as well. But why don't you work with a customer and change the value of the MTU to 1400, then save and reboot and retry. Then try it with 1500 and try it again. It doesn't hurt to check this out, just in case. You can always set the MTU back to 1492 anytime you want. But, I would try 1400 and 1500 (default) just to be sure. You can do this through the registry pretty easily, or just download Dr. TCP.

Admin into your hardware firewall and go through each of the firewall settings and make sure you are not blocking legitimate IPs or ports for certain IP ranges. It seems rare, but I have seen this done many times.

 