Hi everyone,

We've been researching the MTU issue but our firewall can send and receive fragmented 
packets just fine, so there are no blackhole routers out there.  Curiously, we cannot 
ping that address from our firewall ip, but we can ping from every other ip.  It's 
possible, despite their assertions, that they have blocked our ip address.  It would 
explain a lot...

:)
I will keep you posted. This list has been a great resource for me as I learn about 
firewalls, and I wanted to let you all know how much I appreciate your help and just 
the day to day discussions.  Also, we just got approval for a new firewall :)

Thanks
Laura Folden
PC/Network Administrator
The Humane Society of the United States.

-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 11, 2002 11:23 AM
To: Richard de Jong
Cc: 'Laura Folden'; '[EMAIL PROTECTED]'
Subject: RE: IP error 522...?



Laura, Richard, Et. Al.,

I've been working with Laura offlist on this some.  I found that a lynx client using 
the URL http://205.229.56.205 from sites about the globe reaches the refresher URL and 
hangs there until one selects that refresher at which point it goes to the pages in 
question.  There is a very minor issue with the refresher URL not being terminated 
with a / and results in a minor note to the lynx client about the URL not being 
absolute.

We are waiting to hear from Laura as to whether she can reach her pages being served 
by these folks with the http IP URL above, this would certainly hint at there being 
DNS issues as many have hinted at in-list. If this does not work for her, we have 
another theory here:

the firewall on one end or another might well be running some http filtering SW, and 
their updates for Bad Sites<TM> might have grabbed an IP address not meant for 
filtering in the SW's rulebase criteria.  All theory, some conjecture, we are hoping 
for more info when the requester has time to deal with this matter, ain't it a pain 
how work gets in the way <grin>.

These are our findings to this point...

Thanks,

Ron DuFresne


On Fri, 11 Jan 2002, Richard de Jong wrote:

> Hi Laura,
> 
> I'm not sure whether this is a firewall problem, I think it relates to 
> the webserver software. Check this out:
> 
> [ricjon@rich ricjon]$ telnet 205.229.56.205 80
> Trying 205.229.56.205...
> Connected to 205.229.56.205.
> Escape character is '^]'.
> GET /
> 
> HTTP/1.0 200 OK
> Server: JRun Web Server/3.0
> Date: Fri, 11 Jan 2002 08:42:47 GMT
> Last-Modified: Thu, 15 Nov 2001 20:16:55 GMT
> Connection: close
> Content-Type: text/html
> Content-Length: 54
> 
> <meta http-equiv="refresh" content="0;url=/ace/352">
> Connection closed by foreign host.
> 
> --(This one is perfectly ok.)--
> 
> [ricjon@rich ricjon]$ telnet 205.229.56.205 80
> Trying 205.229.56.205...
> Connected to 205.229.56.205.
> Escape character is '^]'.
> GET / HTTP/1.1
> 
> HTTP/1.0 200 OK
> Server: JRun Web Server/3.0
> Date: Fri, 11 Jan 2002 08:43:01 GMT
> Last-Modified: Thu, 15 Nov 2001 20:16:55 GMT
> Connection: close
> Content-Type: text/html
> Content-Length: 54
> 
> <meta http-equiv="refresh" content="0;url=/ace/352">
> Connection closed by foreign host.
> [ricjon@rich ricjon]$ telnet 205.229.56.205 80
> Trying 205.229.56.205...
> Connected to 205.229.56.205.
> Escape character is '^]'.
> GET / HTTP/1.1
> host: bla.com
> 
>   
> ^]
> telnet> quit
> --(it lasted and lasted here)--
> 
> 
> Looks like this JRun has a faulty HTTP/1.1 implementation, since it 
> does not require you to enter the "host: " statement. However, when 
> you do enter a hostname, it can't deal with it. It might be that it 
> tries to resolve the hostname and fails, but I can't imagine that 
> taking more than a few minutes to fail.
> 
> Then when I try to request the /ace/352 URL, this is what happens:
> 
> [ricjon@rich ricjon]$ telnet 205.229.56.205 80
> Trying 205.229.56.205...
> Connected to 205.229.56.205.
> Escape character is '^]'.
> GET  /ace/352 HTTP/1.0
> 
> HTTP/1.0 302 Moved Temporarily
> Server: JRun Web Server/3.0
> Date: Fri, 11 Jan 2002 09:01:48 GMT
> Location: /
> Connection: close
> 
> --(The above seems faulty to me, since we were already moved from / to 
> /ace/352 and it now directs us back.)--
> 
> Connection closed by foreign host.
> [ricjon@rich ricjon]$ telnet 205.229.56.205 80
> Trying 205.229.56.205...
> Connected to 205.229.56.205.
> Escape character is '^]'.
> GET /ace/352 HTTP/1.1
> 
> HTTP/1.0 302 Moved Temporarily
> Server: JRun Web Server/3.0
> Date: Fri, 11 Jan 2002 09:02:06 GMT
> Set-Cookie: SessionID=alvsaimtvrdejtbreoafpswwputcjyhrrbsztpqx;expires=Sun, 12-Jan-2003 09:02:06 GMT;path=/
> Expires: Thu, 01 Dec 1994 16:00:00 GMT
> Location: http://null/ace/352?nopermanentcookies=true
> Cache-Control: no-cache="set-cookie,set-cookie2"
> Content-Type: text/html
> Connection: close
> 
> Connection closed by foreign host.
> 
> This is a nice answer as well, it redirects you to http://null, which 
> obviously won't work.
> 
> To conclude, this JRun web server is wrongly configured or hanging. My 
> best bet would be to put it behind an Apache webserver or the like, 
> but this of course depends on the setup of your website. There exist 
> other Java web servers as well, even Free/Open Source ones, for 
> instance Tomcat from Apache
> (http://jakarta.apache.org) or Orion (http://www.orionserver.com/).
> 
> Hope this helps,
> 
> Grtz, Richard
> 
> > -----Original Message-----
> > From: Laura Folden [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday 10 January 2002 18:06
> > To: 'Ron DuFresne'
> > Cc: '[EMAIL PROTECTED]'
> > Subject: RE: IP error 522...?
> > 
> > 
> > Thanks, Ron.
> > 
> > Our new website (being prepared for launch) is being hosted
> > by circle.com at the ip address 205.229.56.205 .  Their site 
> > then does a redirect of the traffic to a subfolder beneath 
> > the main ip. The subpage is /ace/352 .  Their logs show that 
> > we connect to the site but, after that, we time out.
> > 
> > Our firewall is Altavista, running on Windows NT.  We have a
> > Cisco router 2601 connecting to a Netgear switch. The Netgear 
> > switch then connects back to the firewall directly.  Lots of 
> > other computers can connect to this site, but for some reason 
> > we cannot. We can connect to every other site without problems.
> > 
> > The MTU on our router is 1500.  We have a full T1.  We
> > believe the problem might have to do with our firewall not 
> > being able to handle the redirect.
> > 
> > I hope that's everything...
> > 
> > Laura
> > 
> > -----Original Message-----
> > From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 10, 2002 11:25 AM
> > To: Laura Folden
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: IP error 522...?
> > 
> > 
> > Laura,
> > 
> > Can you provide some more info on exactly what you are trying
> > to accomplish and what kind of equipment lies on your 
> > network and the party you are trying to reach?  The more 
> > detailed you can be, the better folks can attempt to help you 
> > nail down the issue and determine how, and if there is a 
> > resolution to the problem.
> > 
> > Thanks,
> > 
> > Ron DuFresne
> > 
> > 
> > On Thu, 10 Jan 2002, Laura Folden wrote:
> > 
> > > Recently I posted regarding "looping" at site 205.229.56.205 .  We
> > > remain unable to connect to those sites...although we *can* connect to
> > > another site behind that host's firewall.  We had our firewall tech
> > > support try to duplicate the problem with the same build of our
> > > firewall and OS and got nothing. ALL other sites connect just fine.
> > > 
> > > Dug deep into the logs and what we see is a 500 522 error.  Unknown
> > > protocol error returned. The website does have a redirect on it, could
> > > this be the problem? Has anyone seen it?
> > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED] 
> > > http://lists.gnac.net/mailman/listinfo/firewalls
> > > 
> > 
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > "Cutting the space budget really restores my faith in
> > humanity.  It eliminates dreams, goals, and ideals and lets 
> > us get straight to the business of hate, debauchery, and 
> > self-annihilation." -- Johnny Hart
> >     ***testing, only testing, and damn good at it too!***
> > 
> > OK, so you're a Ph.D.  Just don't touch anything. 

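The redirect behaviour Richard traced by hand in the quoted telnet sessions can be checked mechanically. The following is an added example, not part of the original thread: it replays responses constructed from those transcripts (headers trimmed) and reports whether the chain loops or leaves the original host. The names `next_hop` and `trace` are hypothetical helpers written for this illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed from the telnet transcripts quoted above (headers trimmed).
CAPTURED = {
    "/": ("HTTP/1.0 200 OK\r\nServer: JRun Web Server/3.0\r\n"
          "Content-Type: text/html\r\n\r\n"
          '<meta http-equiv="refresh" content="0;url=/ace/352">'),
    "/ace/352": ("HTTP/1.0 302 Moved Temporarily\r\n"
                 "Server: JRun Web Server/3.0\r\nLocation: /\r\n\r\n"),
}
# Reply seen when /ace/352 was requested with "HTTP/1.1" on the request line.
NULL_HOST_REPLY = ("HTTP/1.0 302 Moved Temporarily\r\n"
                   "Location: http://null/ace/352?nopermanentcookies=true\r\n\r\n")

META_REFRESH = re.compile(
    r'http-equiv="refresh"\s+content="\d+;\s*url=([^"]+)"', re.I)


def next_hop(raw, base):
    """Return the absolute URL this response sends a client to, or None."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if 300 <= status < 400 and "location" in headers:
        return urljoin(base, headers["location"])  # resolves relative Location
    m = META_REFRESH.search(body)
    return urljoin(base, m.group(1)) if m else None


def trace(start, responses, limit=10):
    """Follow redirects through canned responses; return (chain, verdict)."""
    chain, url = [start], start
    for _ in range(limit):
        raw = responses.get(urlsplit(url).path or "/")
        nxt = next_hop(raw, url) if raw else None
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        if urlsplit(nxt).hostname != urlsplit(start).hostname:
            return chain, "off-host"      # e.g. http://null/...
        if nxt in chain[:-1]:
            return chain, "loop"          # / -> /ace/352 -> /
        url = nxt
    return chain, "too-many-hops"


if __name__ == "__main__":
    print(trace("http://205.229.56.205/", CAPTURED))
    print(trace("http://205.229.56.205/", {**CAPTURED, "/ace/352": NULL_HOST_REPLY}))
```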