Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Explorer

Unable Access Two Websites

Strange situation with a couple websites.  (my.voya.com and bkdconnect.bkd.com)

We have an HA cluster of 15600s R80.10, all other internet traffic works fine just the above two sites fail to load and timeout, logs show no drops.

All internet traffic is hidden with manual NAT rule behind the VIP of the cluster.  If I NAT traffic behind another of our  external IP addresses the pages load fine.  

I'm guessing it has something to do with the VIP of the cluster but can't seem to find where the issue is.

I have checked and we are not using VMAC with the cluster.

It's strange as these two sites seem to be just login portals and I've not heard from users of any other site experiencing anything like this.

 

 

Jason

0 Kudos
3 Replies
Highlighted
Admin
Admin

Have you compared tcpdump output between the "working" and "not working" configuration?
Perhaps there is some clue there.
0 Kudos
Employee++
Employee++

Hi Jason

Are the test IPs from a different subnet to the VIP or the same?

Perhaps the far end is imposing some IP based restrictions -or- there is a problem with the return route...

fw monitor or tcpdump may give you some further insight I.e. confirm if there is any reply traffic.

 

Regards,

Chris

0 Kudos
Highlighted
Champion
Champion

Does it make a difference if you try http://my.voya.com and let it redirect into https, or go HTTPS directly with https://my.voya.com in the browser URL bar?  Also I assume using different browser types (i.e. Firefox vs. Chrome) doesn't make a difference?

There are some firewall drop events that won't generate a usual log entry, to find those run fw ctl zdebug drop then try to access those two sites through the cluster hide NAT.

Next step since you are on R80.10, is to try disabling SecureXL with fwaccel off then try to access the websites again.  Be sure to turn SecureXL back on with fwaccel on when done.  Not likely to help but worth a try.

There could be a stability/setup problem with your cluster which is why moving it to an arbitrary hide address makes it work, try gracefully powering off the standby member, then see if the reachability of those two websites changes while there is only a "cluster of one".

Failing those, next step as was mentioned earlier is a packet capture using tcpdump.

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos