Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread valdis . kletnieks 
On Mon, 12 Mar 2018 17:44:47 -, Sam Kretchmer said:

> I am part of a small ISP based in Chicago. We have several clients
> complaining of an inability to hit a couple specific government websites,
> specifically http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx 
> and
> https://www.deadiversion.usdoj.gov/. It does seem to be related to the IP's
> they use, specifically parts of 213.159.132/22

First thing that comes to mind:  Fire up wireshark and
see if anything pops out.

Second thing: PMTU black hole or similar - the 3 packet handshake
completes, and TLS fires up, and then comes to a screeching halt
when something large causes a MTU-sized packet to happen.

Double-check the pages, make sure they aren't doing something
squirrelly like fetching CSS from some *other* site that's down
or PMTU black holed.

Oh, and 519 lashes with a wet noodle for the IL state division of IT
for having a Login.aspx on an http: site. ;)


pgpFFLigylybv.pgp
Description: PGP signature

Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread lists 
On Mon, Mar 12, 2018, at 10:44 AM, Sam Kretchmer wrote:
> IP's they use, specifically parts of 213.159.132/22. They can surf any 

This block appears to have shifted over from RIPE into ARIN space.

I've seen a few firewalls and filtering systems that block countries or block 
unallocated/weird/bogon ranges in broken ways (probably more so if it was an 
enterprise/government/finance situation). They could be locally terminating 
connections at the entry point or something in a browser, which might produce 
oddities like the loading/connecting/loading. 

Alternatively, I've also seen some crappy fw/transparent proxies have problems 
dealing with IPs that end in .0 and .255 and sometimes .254.

Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread Stephen Satchell 

On 03/12/2018 10:44 AM, Sam Kretchmer wrote:

specifically http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx  
andhttps://www.deadiversion.usdoj.gov/.


Wireshark?  It could be a problem with the sides having an infinite 
referral loop.  It doesn't necessarily have to be a network problem per se.

Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread William Herrin 
On Mon, Mar 12, 2018 at 1:44 PM, Sam Kretchmer  wrote:
> We have several clients complaining of an inability to hit a couple specific 
> government websites,

Hi Sam,

Some basic troubleshooting:

1. traceroute? TCP traceroute?

2. From an affected address, do you get a TCP connect to the site or
not? e.g. "telnet tierii.iema.state.il.us 80"

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: