It is the firewall, but not MY firewall...

deanwebb · July 23, 2015, 01:29:39 PM

On the phone with a certain vendor that rhymes with "shmittishtelecom"...

ME: Is there a firewall in the path that is blocking HTTPS traffic?
VENDOR: We are trying to determine that right now.
ME: Don't you have a drawing of the connectivity flow?
VENDOR: Please be patient. We are trying to determine which firewall is involved. There are many.
ME: Well, we know it's not a routing issue, since the traceroute works. (ME posts traceroute info)
(pause)
VENDOR: Ah! We see now in the traceroute the hostname of the firewall! We will investigate the rules on the firewall.
(ME mutes phone)

deanwebb · July 23, 2015, 01:35:03 PM

More...

VENDOR: Ah, the traffic is blocked.
ME: Can you permit the traffic?
VENDOR: It is blocked.
ME: But we can ping and traceroute from A to B. Open the port for HTTPS.
VENDOR: That will not help. The ping and traceroute takes a different path than HTTPS.
(ME mutes phone)

deanwebb · July 23, 2015, 01:51:26 PM

Good lord, yet more...

ME: Have a look at this traceroute from the other server, it shows that it travels the same path as from the first one. They both go through the same firewall.
(ME posts another traceroute that does not resolve IP addresses to DNS names)
VENDOR: No, there's no firewall in that path.
ME: Yes there is. The IP address of the device that you said was the firewall in the traceroute from the first server is right there, on hop 12.
VENDOR: That is a router interface because the name did not resolve.
(ME mutes phone)

icecream-guy · July 23, 2015, 02:00:51 PM

deanwebb · July 23, 2015, 02:09:14 PM

Finally off the call. That's 3 hours of my life that I'll never get back.

RESOLUTION:
1. Yes, there is a firewall in the path.
2. Yes, it is blocking the traffic.
3. Yes, we will raise a change request to permit the traffic that should have been permitted in the first place when we made the firewall changes necessary to implement the guest wireless access portal SIX MONTHS AGO oh when will the hurting stop?

Nerm · July 24, 2015, 07:47:37 AM

And I still can't find a facepalm emoticon. It would be so relevant here lol.

deanwebb · July 24, 2015, 07:59:51 AM

I should get a facepalm... nice project for a Friday...

deanwebb · July 24, 2015, 12:01:52 PM

In the "more" popup.

wintermute000 · July 24, 2015, 06:16:28 PM

To be fair, depending on the way it's configured, a traceroute is misleading within mpls

deanwebb · July 25, 2015, 01:03:11 AM

Quote from: wintermute000 on July 24, 2015, 06:16:28 PM
To be fair, depending on the way it's configured, a traceroute is misleading within mpls

True... but this was all LAN stuff, at least with the first site. Second site still had the same last mile, which is what we were looking at.

Dieselboy · August 11, 2015, 02:30:47 AM

shmittish telecom? Oh yes I think I know full well.

At least it's not just me that has these kinds of conversations, then. I usually sit back and ask them to completely explain everything, in detail. When they have finished (I make sure not to interrupt them as it's rude), I then give them reasons why their explanations are complete BS.

deanwebb · August 11, 2015, 07:45:43 AM

Their techs once said, "You need to have DNS for traceroute to work. The traceroute failed because you don't have access to the DNS server."

Nerm · August 11, 2015, 08:23:13 AM

NetworkGroover · August 11, 2015, 11:39:34 AM

Quote from: deanwebb on August 11, 2015, 07:45:43 AM
Their techs once said, "You need to have DNS for traceroute to work. The traceroute failed because you don't have access to the DNS server."

Well played sir! You must be like a CCIE or something!