Weird access problem

[daytooner]

I have spent over 30 years researching and designing networks - from the time before there was an internet, or tcp/ip, or even ethernet - so I'm not exactly a noob with regards to networking. But this problem has me stumped. And I've had this same problem before, with previous version of Fedora, and it seemed to get resolved only when I upgraded to a newer version of Fedora.

Anyways, here's the problem:

I have three computers. All are connected to the same switch, which is connected to my firewall (a cisco pix), which is connected to my DSL router. Two of these boxes are running Fedora 17 (kernel 3.5.0-2.fc17). Both have the linux firewall disabled, as well as selinux. The third box is running WinXP.

Everything was fine until a few days ago: I started seeing that I could not access certain sites. One of these sites is mozilla.org (another is facebook.com). I can ping the sites, and I can open a tcp connection to them (eg, telnet to port 80). But if I send an HTTP GET - either with firefox, or just wget - no response comes back.What's really weird, though, is that on the WinXP box I have no problems accessing these sites. (Note again that all three are connected to the same ethernet switch.)

So, after a process of elimination, it seems there must be some issue with linux networking (more specifically, its HTTP) and these sites.

Other things I've tried:

- replaced my pix firewall with a simple netgear gateway. Same problems.

- changed wan IP address ( I have three, and tried all of them).

- Checked with a friend who has the same ISP, and is running F17. He has no problems.

- sniffed the network traffic on one of the Fedora boxes, via wireshark: saw tcp req sent, tcp ack received, HTTP GET sent, but only tcp ack (for the first tcp req) retransmitted. Saw basically the same thing on the wan side of the firewall.

Weird, huh? This is driving me nuts. Not only can I not accessed these sites, but I just can't understand why not. I must be missing something very simple somewhere.

So any help will be greatly appreciated.

TIA

ken

[solo2101]

just Firefox?

[daytooner]

Quote:

Originally Posted by solo2101

just Firefox?

No.wget as well:

Code:

[ken@Elmer ~]$ wget -v http://www.mozilla.org
--2012-08-08 23:51:37--  http://www.mozilla.org/
Resolving www.mozilla.org... 63.245.215.20
Connecting to www.mozilla.org|63.245.215.20|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2012-08-08 23:54:59--  (try: 2)  http://www.mozilla.org/
Connecting to www.mozilla.org|63.245.215.20|:80... connected.
HTTP request sent, awaiting response... ^C
[ken@Elmer ~]$

I also telnet to that site, on port 80 - and I do get a connection opened - then type "GET /" with CR. I should get back some kind of HTTP response from their server. But I get nothing.

ken

[flyingfsck]

Run a little experiment and set one Linux box EXACTLY the same as the working Windows box in terms of:
IP Address, Netmask, Gateway Address, DNS and Default Route

Of course unplug he other machines when you do that.

[daytooner]

Quote:

Originally Posted by flyingfsck

Run a little experiment and set one Linux box EXACTLY the same as the working Windows box in terms of:
IP Address, Netmask, Gateway Address, DNS and Default Route

Of course unplug he other machines when you do that.

Thought of that one. No dice. Even tried DHCP for both a linux box and WinXP box. Still the same: WinXP okay, linux no.

To make things even weirder, I connected my Android phone to my LAN via a wireless router. It wouldn't work with those sites - although it did work a few days earlier (before an update?), as well as working via its broadband link.

It seems that - for the linux boxes (and Android) - the remote site never gets the HTTP GET request. I can look at the traffic on the wan side of my firewall, and I see that request going out, but nothing coming back.

This is just too weird.

Thanks for helping. Keep those suggestions/ideas coming.

ken

[flyingfsck]

Also plug it into the same switch port as the Windows machine.

[solo2101]

by any chance....

do you assing statics IP to your machines?

---------- Post added at 08:26 PM ---------- Previous post was at 05:58 PM ----------

Quote:

Originally Posted by daytooner

Thought of that one. No dice. Even tried DHCP for both a linux box and WinXP box. Still the same: WinXP okay, linux no.

Oops miss that one...


I can only think in the firewall...

for DNS I use Google's... 8.8.8.8 on my router

[daytooner]

Okay, I (kind of) solved this. Well, I figured out where the problem is.

HTTP traffic is not being passed through my firewall for (at least) these two IP addresses (63.245.215.20 = www.mozilla.org, and 69.171.234.21 = www.facebook.com), and ONLY with linux boxes (not WinXP).

More specifically, I have a cisco pix firewall. I can watch the traffic coming into it on the inside interface- from my linux box - and also watch traffic going out on the wan interface.

If I telnet into one of theses addresses, on port 80, I see a connection established - on both the wan interface and the inside interface. If I then type single letters (eg, 'G' 'E' 'T' '/'), I see them on the inside interface, but not on the wan. If I do this to an IP of a site other than these two, I do see the letters passed out to the wan, and will get an HTTP response back from the site - which means it did receive the traffic.

The really weird part is that if I do this from my WinXP box, with either of these two IPs, I see the letters going into the inside interface, and also going out the wan interface. And even weirder, I know that I could access these sites previously.

So, something in my firewall has changed, but I can't find it. I have rebooted it, and also reset it back to the defaults and then re-configured it. But still no dice.

So that's where I'm at. If anyone has any experience with cisco pix firewalls, I'd love to hear from you. This problem is driving me nucking futs.

Thanks again to all for your help.

ken

[flyingfsck]

Why don't you chuck the Pix and use one of the Linux boxes as a router for the others? Why bother even with that - just get a dinky little Dlink/Linksys box and be done with it?

[daytooner]

Quote:

Originally Posted by flyingfsck

Why don't you chuck the Pix and use one of the Linux boxes as a router for the others? Why bother even with that - just get a dinky little Dlink/Linksys box and be done with it?

The PIX was free (from a dying company). Up till now, it was working great. I have several "dinky" router/gateway/firewalls. And they are just that: "dinky". They don't quite handle large volume net traffic like the PIX.

Besides, I just want to understand what is going on here...

ken