One webserver reachable, the other is not

hrpt_rnws · 11-20-2007, 03:55 PM

We have, what I think, is a fairly typical 3-homed FW/DMZ setup.

If I can attempt crude ASCII Art:

Code:

Internet 
    | 
GroupTel
    |
Our SW1
    | 
Our FW
    |
Our SW2
    |
----------------
|              |
LAN            DMZ 
|              |  
desktops       public servers

Let's say for a moment if I have two servers in the DMZ (host1, host2) that are essentially the same hardware, OS, services running on them, etc.

From the internet then (like, from home), I can telnet host1:80 no problem, but I cannot telnet host2:80. The FW rule that passes *.80 to host1 is precisely the same as the one for host2 (I made a copy and changed the IP address). I've tried reloading and even hard restart of the FW.

I've broken out tcpdump and host1 sees tonnes of traffic. host2 practically none (ICMP and NTP stuff, but that's about it).

I've also looked at tcpdump on the FW itself, and I can't see any traffic that is destined for host2 (I do see it for host1).

If I then disconnect host2 from SW2, and put it right up on SW1 (beside the firewall, not behind it)... then the internet can now suddenly see host2.

Does this smell like a problem with the 'upstream provider', or might it still be something I need to do to either FW or SW1 ? (and what might that be?) I can't get past that tcpdump on FW saw no traffic destined for host2.. it makes me think it's an upstream problem.

dholland · 11-20-2007, 04:57 PM

I know this sounds basic, but off the top of my head I'd delete the rule for your 2.host and instead of copying 1.host and changing the IP I'd manually enter it. I've seen FW's do goofy things with copied rules.

--Edit

The other thing I'd do is first make sure your firewall and remote PC are fairly synched as far as time... Then make a request to host2, noting the time and see if there are any entries in the FW logs for that time.

hrpt_rnws · 11-21-2007, 02:39 PM

I did try to create a new rule from scratch. That didn't work, so thought there might be some magic foo by copying an existing one that did work.

As far as firewall logs... I was in my datacenter, accessing host2 from our backup connection (so, to our network, I was coming "from outside"), and requesting the host2 website, and I just moved my head 20 degrees to the right, and watching for my traffic on a real-time tcpdump of the firewall. I was using "tcpdump port 80 | grep 'my.ip.here'"

What could I get from a firewall log, that isn't going to first show up in tcpdump? I'm not being snide, I'm genuinely unsure. Would the FW decide to drop the packet , due to a FW rule, before tcpdump saw it? Was my invocation of tcpdump incorrect?

Thanks.