Support Forum
jtfinley
Contributor

Akamai sites fail in browser, can ping

I have a strange issue. New customer with (2) DSL connections on WAN1 & WAN2. WAN1 = /28 block of IPs, WAN2 = /29 block of IPs. All websites function fine, however, any site that's hosted on Akamai just spins: pb.com, staples.com, officemax.com, microsoft.com. Customer made us aware as this is a new installation. Remote control of a PC at the location shows this, however when running a packet sniff, many transit exceeded errors during trace routes from the PC. PW Policies work (NAT) (internal->WAN1) (internal -> WAN2). Routes are EQLB. Pings & trace-routes to said sites reply and finish.... Called ISP asking if they were experiencing peering issues.... Perplexed..... customer thinks it's the firewall since it's "new".
Dave_Hall
Honored Contributor

What's the MTU value set on the two WAN ports? Any UTM policies (Web Profile/URL filter/App Control) applied to the internal Interface ->WAN(S) that could be blocking Akamai related sites?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

jtfinley

What's the MTU value set on the two WAN ports? Any UTM policies (Web Profile/URL filter/App Control) applied to the internal Interface ->WAN(S) that could be blocking Akamai related sites?
No UTM policies are applied. UTM is unchecked. There's only two FW policies, one for each WAN. MTU size on both WANs is set to 1492. First thought of that issue...no difference.
emnoc
Esteemed Contributor III

My thoughts are MTU issues also, but why only with Akamai? So what I would do: have you tested with only one WAN connection? What do your packet captures show, mainly with the advertised MSS (in the SYN and SYN/ACK packets), and do you see any reset? Also can you explain the following;
PW Policies work (NAT) (internal->WAN1) (internal -> WAN2)
Are you routing out both links, load balancing, or using PBR, etc.? And finally, what model of FGT and code?

PCNSE NSE StrongSwan
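One way to act on the advice above (check the advertised MSS in the SYN and SYN/ACK, and look for SYNs that never get a SYN/ACK back, as the later "syn, no ack coming back" post describes) is to walk the capture programmatically. This is an added example, not code from this thread or from Fortinet; it parses raw IPv4/TCP frames (link-layer and pcap framing assumed already stripped), the 1492 MTU comes from the thread, and the addresses and packets are constructed.

```python
import struct
from collections import defaultdict
SYN, ACK = 0x02, 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags, mss=None):
    """Constructed IPv4/TCP packet (checksums left zero), optionally carrying an MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    off_flags = (((20 + len(opts)) // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, mss) from a raw IPv4/TCP packet."""
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    tcp = pkt[(pkt[0] & 0x0F) * 4:]                # skip IPv4 header (IHL in 32-bit words)
    sport, dport, off_flags = struct.unpack("!HH8xH", tcp[:14])
    opts, mss, i = tcp[20:(off_flags >> 12) * 4], None, 0
    while i < len(opts) and opts[i] != 0:          # walk options until End-of-Option-List
        if opts[i] == 2:                           # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += 1 if opts[i] == 1 else opts[i + 1]    # NOP has no length byte
    return src, dst, sport, dport, off_flags & 0x1FF, mss

def audit_handshakes(packets, wan_mtu):
    """Per client flow: flag SYNs with no SYN/ACK and MSS values the WAN MTU cannot carry."""
    max_mss = wan_mtu - 40                         # 20-byte IPv4 + 20-byte TCP headers
    flows = defaultdict(lambda: {"syn_mss": None, "synack_mss": None})
    for pkt in packets:
        src, dst, sport, dport, flags, mss = parse_ipv4_tcp(pkt)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            flows[fwd]["syn_mss"] = mss
        elif flags & SYN and flags & ACK:
            flows[rev]["synack_mss"] = mss         # key every flow by its client side
    findings = {}
    for key, f in flows.items():
        issues = [] if f["synack_mss"] is not None else ["no SYN/ACK seen"]
        for side in ("syn_mss", "synack_mss"):
            if f[side] is not None and f[side] > max_mss:
                issues.append(f"{side}={f[side]} exceeds MTU-40={max_mss}")
        findings[key] = issues
    return findings

SAMPLE_CAPTURE = [  # constructed packets on RFC 5737 addresses: one full handshake, one unanswered SYN
    build_ipv4_tcp("192.168.1.10", "203.0.113.10", 50000, 443, SYN, mss=1452),
    build_ipv4_tcp("203.0.113.10", "192.168.1.10", 443, 50000, SYN | ACK, mss=1440),
    build_ipv4_tcp("192.168.1.10", "198.51.100.20", 50001, 443, SYN, mss=1460),
]
```

Running `audit_handshakes(SAMPLE_CAPTURE, 1492)` reports the second flow as both unanswered and carrying a client MSS of 1460, which a 1492-byte PPPoE-style WAN cannot carry without clamping; a flow that completes but shows the same oversized MSS points at MSS clamping or PMTUD rather than routing.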
jtfinley

Hello.... Internal -> WAN1 & 2. I am working on getting another PC connected to verify. MTU was also my thought, but when the customer listed websites he couldn't visit....I started noticing a pattern. Tried various DNS providers, Google, Open, ISP. Same result. Routing is equal cost; shut down each interface to test each link...
Federico_Vecchiatti
New Contributor II

Hi, can you confirm your firmware version? After an upgrade to 4MR3 Patch 11 I'm experiencing a similar issue. Some users complain that with IE Explorer they cannot reach some URLs. The same URLs are accessible with Firefox. Also, with IE Explorer some customers are not able to connect to the SSL VPN Portal. We connect to the internet with an SDH fiber; the carrier confirms the line is ok. Since the issue is not always present, I suspect something related to "session" or other dynamic configuration (ARP, MTU, etc). I've noticed the same behaviour with the SYN, ACK traffic. I'm monitoring the situation and evaluating if a downgrade is the solution (I've one of the HA nodes offline still with the old release).
jtfinley

I was on MR3p10 and upgraded to MR3p11.....
jtfinley

Ok, get this... ISP sends out (2) techs. They plug a laptop in back of the DSL modem w/ a routable IP within the subnet and state they can hit all websites. I downgraded the firmware from MR3p11 to MR2p13 with the same result. Customer thinks it's the firewall. Again, it appears only to affect Akamai servers?
emnoc
Esteemed Contributor III

I was going to say your address is blacklisted, but if they used the same ip_address in the test, then that's not the problem. So did you do; 1: get pcap of the connection 2: diag debug flow

PCNSE NSE StrongSwan
jtfinley

Working from 10 hrs away from that location. I'll run a tracer...all indications show the SYN, no ACK coming back. As if a bad route.