Support Forum
Roman_s81
New Contributor

One website is blocked by fortigate. No web filter is on.

One website is blocked by fortigate.

No web filter is applied.

Ping to this site results in "TTL expired in transit".

It happens (the ping TTL error) from different networks, not only mine. But other networks (behind a fortigate FW) are able to get the web-site data (the page loads). And my network keeps dropping packets, users get the site not loaded.

Tracert to this site gets into a loop from my network, and from others.

The site is www.6cn.co.il

I understand that there is some issue with the website, but still others manage to deal with that and allow traffic.

My forti is in a panic attack.

Please help if possible.

Thank you. 

3 REPLIES
lobstercreed
Valued Contributor

Out of curiosity I tried looking into this for you.  I can replicate your issue with not being able to access this website, but I can do it from any network whether behind a FortiGate or not.  NMAP seems to think that the website is listening on 80 and 443 though so I was somewhat confused. 

So I ran Wireshark packet capture and apparently the website is providing the TCP 3-way handshake but nothing further.  When my browser does a GET, it responds with a mere acknowledgement and then closes the connection (RST,ACK).

I used a web-based service to check the site's availability and the only server that seemed to think it was actually up was based in Israel, so maybe they have some special web filtering in place.  Either way the issue is definitely on their end, so no worries with your config or FortiGate device.

emnoc
Esteemed Contributor III

The fortigate is NOT blocking you.  That site is not reachable.

When in doubt use "diag debug flow"  and inspect the output.

oh forgot to add, it's expired due to a routing loop at 

16   180 ms   184 ms   179 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
17     *        *        *     Request timed out.
18   182 ms   186 ms   181 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
19     *        *        *     Request timed out.
20   186 ms   185 ms   185 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
21     *        *        *     Request timed out.
22   214 ms   188 ms   191 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
23     *        *        *     Request timed out.
24   189 ms   198 ms   186 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
25     *        *        *     Request timed out.
26   188 ms   192 ms   200 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
27

Ken Felix

PCNSE 

NSE 

StrongSwan  

Yurisk

All those security folks can drive IT admins crazy :). 

The bottom line - not everything 'not working' is a gear malfunction case.

1) As duly noted, the website is available from Israel only.
2) Traces with ICMP/UDP do indeed loop, even from inside Israel.
3) TCP traceroute, on the other hand, works just fine, and it is something you should try with such strange unavailability cases.
4) My educated guess is that they use GeoIP blocking, and chances are their database is not the most accurate, so it even blocks clients from inside Israel.

https://yurisk.info
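The routing loop in emnoc's trace and in Yurisk's point 2 can be spotted mechanically rather than by eye. The following is an added example, not code from the thread or from Fortinet: a small Python parser that reads tracert/traceroute output and flags a router that answers at non-adjacent TTLs, which is what a packet bouncing between two hops looks like. The sample traces are constructed in the Windows tracert format quoted above; the destination name/IP and hop numbers are illustrative.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the trace quoted above: the same router keeps
# answering every other TTL, with the hop in between timing out.
SAMPLE_TRACERT = """\
Tracing route to www.example.invalid [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3   180 ms   184 ms   179 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
  4     *        *        *     Request timed out.
  5   182 ms   186 ms   181 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
  6     *        *        *     Request timed out.
  7   186 ms   185 ms   185 ms  bzq-166-168-31-133.red.bezeqint.net [31.168.166.133]
"""

# Constructed healthy trace for comparison: every hop answers once.
CLEAN_TRACERT = """\
  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    25 ms    24 ms    26 ms  203.0.113.10
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")          # leading hop number
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")        # first dotted quad

def parse_hops(text: str) -> Dict[int, Optional[str]]:
    """Map TTL -> responding IPv4 address, or None when the hop timed out.
    Keys on the leading hop number only, so Linux traceroute output works too."""
    hops: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank and 'over a maximum of' lines
        ttl, rest = int(m.group(1)), m.group(2)
        ip = IP_RE.search(rest)
        hops[ttl] = ip.group(1) if ip else None
    return hops

def find_routing_loop(text: str) -> Optional[Tuple[str, List[int]]]:
    """Return (ip, ttls) for a router that answers at non-adjacent TTLs, else None."""
    seen: Dict[str, List[int]] = {}
    for ttl, ip in sorted(parse_hops(text).items()):
        if ip:
            seen.setdefault(ip, []).append(ttl)
    for ip, ttls in seen.items():
        # One router may legitimately answer at two adjacent TTLs (e.g. MPLS
        # quirks); answering again after other hops or timeouts means the
        # packet is being bounced back to it instead of forwarded onward.
        if len(ttls) >= 2 and ttls[-1] - ttls[0] > 1:
            return ip, ttls
    return None
```

Run it over a saved tracert before opening a ticket: a hit identifies the looping router, which is the peer's (or their upstream's) problem rather than the FortiGate's.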