Hi folks,
I am trying to find a problem which suddenly appeared today. We have not changed any configurations at our network.
Suddenly websites, hosted at one austrian provider, where our homepage is hosted do not open anymore.
Only giving a: PR_CONNECT_RESET_ERROR in Firefox and do not open in Edge too.
Sites are doing this, when I try via curl:
curl -vv https://www.pc-howto.com
* Rebuilt URL to: https://www.pc-howto.com/
* Trying 81.19.159.68...
* TCP_NODELAY set
* Connected to www.pc-howto.com (81.19.159.68) port 443 (#0)
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 181 bytes...
* schannel: sent initial handshake data: sent 181 bytes
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.pc-howto.com port 443
* Send failure: Connection was aborted
* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
If I try outside our network (without our Fortigate) it works.
If I turn off all filters @ the policy used for my client the connection is still not working.
I am running out of ideas now.
Any help, hint or tip is very welcome....
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
mcdaniels wrote:you are still coming from the same IP address as when you are coming from the FortiGate?If I try outside our network (without our Fortigate) it works.
if you are going from another network can you check if your not working traffic arives at the server?
im kinda expecting an issue at the other side here, but you need to see how to confirm that.
Hi,
I am coming over 4G connection from smartphone for example (not the same ip) -> then it works.
I have very limited access to the logs (of the website-hoster). I have to doublecheck it.
A friend of mine is coming from a completly other network -> it works.
If the situation is: mynetwork -> fortigate -> my provider -> webspaceprovider -> it is not working.
If I use: single pc -> my provider -> webspaceprovider -> it works
This is the log of whireshark - another website, same hoster, same behavior (If I see it right the RST is coming from the hosters-side):
it is difficult to say for sure, but there is a chance the hoster is blocking you for some reason. as you have a website there i would at least reach out and ask them to check.
where is that capture taken? if it is on the fortigate then yes it might be the hoster. if it is on a client then it could also be the fortigate.
does the fortigate logging show anything for these requests?
I asked the hoster multiple times. He always says: It is working if we try to connect. Very hard to discuss this with the support.
The wireshark-log is directly taken on the client which is behind the fortigate unit.
192.168.10.210 -> Client behind the FGT
I see it in Fortiview -> Destinations / or Sources... but there is only a little amout of data being exchanged.
I have no blockingmessages in any filter or in the ssl log.
I just sniffed with the fgt-packetcapture. This happens if I initiate the connection on the client. (This is what the fgt unit does at WAN1 Port
81.19.159.68 = Hoster
I'm suspecting they are blacklisting your address based on what I see. Also not sure of your env but if you have multiple address or interfaces try sourcing the client with that address and try ( src.nat in the policy and a ippool or egress interface SNAT )
Ken Felix
PCNSE
NSE
StrongSwan
hi,
thanks for all your answers. I will see what support (of the webhoster) tells me tomorrow. This is very weird. I have no idea what happended here.
Hm. I am not 100% sure about what you are meaning exactly @emnoc: I have multiple official IP Adresses. I assume you mean that I should give one client "another" address @WAN-side? Correct? So I will see whether our official IP is blocked @ the provider?
Dear experts,
I managed to do a SNAT and used a different WAN-IP. Used it only for one client to test.
After switching the IP, all websites work. So I assume you very 100% right with your guess:
Our official IP (used for all clients) ist blocked by the webhoster. Unfortunatly I have not received a reply from them.
Time to move on and switch the hoster, or go back to self-hosting.
Thanks for your help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.