On the phone with a certain vendor that rhymes with "shmittishtelecom"...
ME: Is there a firewall in the path that is blocking HTTPS traffic?
VENDOR: We are trying to determine that right now.
ME: Don't you have a drawing of the connectivity flow?
VENDOR: Please be patient. We are trying to determine which firewall is involved. There are many.
ME: Well, we know it's not a routing issue, since the traceroute works. (ME posts traceroute info)
(pause)
VENDOR: Ah! We see now in the traceroute the hostname of the firewall! We will investigate the rules on the firewall.
(ME mutes phone)
:developers: :zomgwtfbbq: :angry: :wall:
More...
VENDOR: Ah, the traffic is blocked.
ME: Can you permit the traffic?
VENDOR: It is blocked.
ME: But we can ping and traceroute from A to B. Open the port for HTTPS.
VENDOR: That will not help. The ping and traceroute take a different path than HTTPS.
(ME mutes phone)
:developers: :zomgwtfbbq: :rage:
Good lord, yet more...
ME: Have a look at this traceroute from the other server, it shows that it travels the same path as from the first one. They both go through the same firewall.
(ME posts another traceroute that does not resolve IP addresses to DNS names)
VENDOR: No, there's no firewall in that path.
ME: Yes there is. The IP address of the device that you said was the firewall in the traceroute from the first server is right there, on hop 12.
VENDOR: That is a router interface because the name did not resolve.
(ME mutes phone)
:kiwf: :rtfm:
:drama: :drama: :drama:
Finally off the call. That's 3 hours of my life that I'll never get back.
RESOLUTION:
1. Yes, there is a firewall in the path.
2. Yes, it is blocking the traffic.
3. Yes, we will raise a change request to permit the traffic that should have been permitted in the first place when we made the firewall changes necessary to implement the guest wireless access portal SIX MONTHS AGO oh when will the hurting stop?
:notthefirewall: :itcrowd:
And I still can't find a facepalm emoticon. It would be so relevant here lol.
:doh:
I should get a facepalm... nice project for a Friday...
:ivan:
:phone:
In the "more" popup. :)
To be fair, depending on the way it's configured, a traceroute is misleading within MPLS.
Quote from: wintermute000 on July 24, 2015, 06:16:28 PM
To be fair, depending on the way it's configured, a traceroute is misleading within MPLS.
True... but this was all LAN stuff, at least with the first site. Second site still had the same last mile, which is what we were looking at.
shmittish telecom? Oh yes I think I know full well.
At least it's not just me that has these kinds of conversations, then. I usually sit back and ask them to completely explain everything, in detail. When they have finished (I make sure not to interrupt them as it's rude), I then give them reasons why their explanations are complete BS.
Their techs once said, "You need to have DNS for traceroute to work. The traceroute failed because you don't have access to the DNS server."
:phone:
:facepalm1:
Quote from: deanwebb on August 11, 2015, 07:45:43 AM
Their techs once said, "You need to have DNS for traceroute to work. The traceroute failed because you don't have access to the DNS server."
Well played sir! You must be like a CCIE or something!
:yeahright: