
Re: Some IPs (websites) not accessible over Vodafone


Jono

Mar 8, 2013, 3:43:42 PM
Peter formulated on Friday :

>>
>> What is going on?
>>
>> This used to work for years, works with every other cell network, and
>> used to work on Voda till about 2 months ago.

Is it an IP you don't want to share? I have a voda SIM here which I
could try...?



Apellation Controlee

Mar 9, 2013, 3:02:44 AM
On Fri, 08 Mar 2013 20:57:39 +0000, Peter
<occassional...@nospam.co.uk> wrote:

>
>Jono <noth...@blueyonder.invalid> wrote
>Not publicly (would email it to you) but it belongs to A&A.
>
>I have also just discovered that HTTP fails while POP (email retrieval
>from a server on the same server) works!
>
>I have just checked that the www server and email server IP is the
>same.
>
>So I guess it is indeed a HTTP (website) blocking issue.

Is it possible that the IP address is used by more than one web site?

If so, it may be the content on one of the co-lo sites that's caused
the issue.

Roland Perry

Mar 9, 2013, 3:05:40 AM
In message <91kkj858majrueasn...@4ax.com>, at 20:57:39 on
Fri, 8 Mar 2013, Peter <occassional...@nospam.co.uk> remarked:
>>Is it an IP you don't want to share? I have a voda SIM here which I
>>could try...?
>>
>Not publicly (would email it to you) but it belongs to A&A.
>
>I have also just discovered that HTTP fails while POP (email retrieval
>from a server on the same server) works!
>
>I have just checked that the www server and email server IP is the
>same.
>
>So I guess it is indeed a HTTP (website) blocking issue.

Does the IP address point to a single website, or is it a form of shared
hosting? If the latter then the most likely thing is that one of the
other websites on that IP address is the intended target of the
blocking. Why not raise a ticket with A&A, it's the sort of issue they
could easily be interested in.
--
Roland Perry

Jono

Mar 9, 2013, 3:18:17 AM
It happens that Roland Perry formulated :
I guess this "I have a long standing issue (months) whereby a given
website, running on a fixed IP from a server on ADSL, cannot be accessed
with a phone with a Vodafone SIM" means it's not a shared host.


Jono

Mar 9, 2013, 3:19:56 AM
After serious thinking Peter wrote :
>> Is it an IP you don't want to share? I have a voda SIM here which I
>> could try...?
>>
> Not publicly (would email it to you) but it belongs to A&A.

What's your email address?



Roland Perry

Mar 9, 2013, 3:48:04 AM
In message <mn.49f27dd32...@blueyonder.invalid>, at 08:18:17
on Sat, 9 Mar 2013, Jono <noth...@blueyonder.invalid> remarked:
>> Does the IP address point to a single website, or is it a form of
>>shared hosting? If the latter then the most likely thing is that one
>>of the other websites on that IP address is the intended target of
>>the blocking. Why not raise a ticket with A&A, it's the sort of issue
>>they could easily be interested in.
>
>I guess this "I have a long standing issue (months) whereby a given
>website, running on a fixed IP from a server on ADSL, cannot be accessed
>with a phone with a Vodafone SIM" means it's not a shared host.

If you can (and people do) run one website at the end of an ADSL line,
it's just as possible to run several.
--
Roland Perry

Jono

Mar 9, 2013, 4:56:49 AM
After serious thinking Roland Perry wrote :
But not one hosted by A&A (and also I did use 'guess')


Roland Perry

Mar 9, 2013, 4:54:07 AM
In message <v1ulj8hp17ntjcme7...@4ax.com>, at 08:53:25 on
Sat, 9 Mar 2013, Peter <occassional...@nospam.co.uk> remarked:

>The websites are tiny and clean, but one of them belongs to my son
>and... :)

Depending on their blocking rules, it could be something like the
Country Park website banned by the software at a local library because
of the "Big Tits" to be seen there.
--
Roland Perry

Jono

Mar 9, 2013, 4:57:39 AM
nob...@absolutely-nowhere.co.uk formulated on Saturday :
> Jono <noth...@blueyonder.invalid> wrote
>
>> What's your email address?
>>
> peter a t peter 2000 c o u k

YGM


Roland Perry

Mar 9, 2013, 5:13:21 AM
In message <mn.4a547dd37...@blueyonder.invalid>, at 09:56:49
on Sat, 9 Mar 2013, Jono <noth...@blueyonder.invalid> remarked:
>>>> Does the IP address point to a single website, or is it a form of
>>>>shared hosting? If the latter then the most likely thing is that
>>>>one of the other websites on that IP address is the intended
>>>>target of the blocking. Why not raise a ticket with A&A, it's the
>>>>sort of issue they could easily be interested in.
>>>
>>>I guess this "I have a long standing issue (months) whereby a given
>>>website, running on a fixed IP from a server on ADSL, cannot be
>>>accessed with a phone with a Vodafone SIM" means it's not a shared host.
>>
>> If you can (and people do) run one website at the end of an ADSL
>>line, it's just as possible to run several.
>
>But not one hosted by A&A

Indeed, but A&A ought to be interested in the way apparently the
connectivity to one of their customer's websites is being hampered by a
third party. It could be the thin end of a larger wedge.
--
Roland Perry

Andy Champ

Mar 9, 2013, 5:49:03 AM
On 09/03/2013 09:54, Roland Perry wrote:
> Depending on their blocking rules, it could be something like the
> Country Park website banned by the software at a local library because
> of the "Big Tits" to be seen there.

I think you mean great tits,

<http://www.rspb.org.uk/wildlife/birdguide/name/g/greattit/index.aspx>

At least you don't live in Scunthorpe or Penistone!

Andy

Jono

Mar 9, 2013, 6:46:55 AM
nob...@absolutely-nowhere.co.uk wrote :
> Jono <noth...@blueyonder.invalid> wrote
>
>> What's your email address?
>>
> peter a t peter 2000 c o u k

On Voda, if I try to access by domain name, I get nothing....however,
if I try using the IP address, I get a webpage with "Hello" on it.

On PC, using DNS, I get the website; using IP address, I get the same
"Hello" page.


Jono

Mar 9, 2013, 6:53:45 AM
Jono brought next idea :
Interestingly, I can access the images like:

http://websitename/english/<snip>/menu_r01_c1.gif


tin...@isbd.co.uk

Mar 9, 2013, 7:16:52 AM
That's just a result of virtual hosting on that IP address isn't it.
The server decides which site to display by looking at the name being
used, they're all at the same IP. If you give it a 'raw' IP address
then it can't decide which virtual site to use.

--
Chris Green

Jono

Mar 9, 2013, 7:32:00 AM
It happens that tin...@isbd.co.uk formulated :
>>
>> On Voda, if I try to access by domain name, I get nothing....however,
>> if I try using the IP address, I get a webpage with "Hello" on it.
>>
>> On PC, using DNS, I get the website; using IP address, I get the same
>> "Hello" page.
>>
> That's just a result of virtual hosting on that IP address isn't it.


....I wasn't saying it wasn't.....just stating what I can and cannot
access.


Andy Burns

Mar 9, 2013, 8:03:48 AM
Jono wrote:

> Interestingly, I can access the images like:
> http://websitename/english/<snip>/menu_r01_c1.gif

If my sleuthing of which website is correct (RS232 etc), then I get
connected to the same server/IP address via plusnet and via vodafone; it
doesn't display properly in a web browser over vodafone, instead the
server is sending a "400 Bad Request" response.

Even connecting to it over plusnet, the server is remarkably prone to
sending 400 responses to valid but manually typed http requests; it
responds properly for wget. Perhaps it's making assumptions about timing
of requests, or packet sizes or that the entire http request will arrive
in a single packet?

Dave Saville

Mar 9, 2013, 8:26:33 AM
Correct - the "Hello" will be from the base document root - Quite
common effect.
--
Regards
Dave Saville

The Natural Philosopher

Mar 9, 2013, 8:27:23 AM
it goes to the default.

What this suggests is that some kind of deep packet inspection is
mangling the names or dropping the packets

I.e. it's a layer or two above IP routing if you can reach the IP, but not
the named target.

That or the DNS that you are using on the mobile is NOT picking up the
correct IP address.

I am not sure what device you are using on Vodafone, but if you can set
its DNS server to something other than default, that is the way to test
that particular issue..


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

The Natural Philosopher

Mar 9, 2013, 8:31:22 AM
does it time out with server not found, or what?

Also it could be a browser issue.

So far all you have done is established that the IP routing works.

You now have to work out whether the domain name is being correctly
resolved to that IP address, and whether the browser is correctly
inserting 'this is the name of the site I want' into its header call.

Since I have lost the original post (life's too short to keep all this
stuff) please repost with what equipment you are attempting to connect,
and with luck someone will know the appropriate diagnostic tool to use
to test the next two potential issues.

The Natural Philosopher

Mar 9, 2013, 12:50:58 PM
On 09/03/13 17:47, Peter wrote:
>
> The Natural Philosopher <t...@invalid.invalid> wrote
>
>> On 09/03/13 12:16, tin...@isbd.co.uk wrote:
>>> In uk.telecom.broadband Jono <noth...@blueyonder.invalid> wrote:
>>>> nob...@absolutely-nowhere.co.uk wrote :
>>>>> Jono <noth...@blueyonder.invalid> wrote
>>>>>
>>>>>> What's your email address?
>>>>>>
>>>>> peter a t peter 2000 c o u k
>>>>
>>>> On Voda, if I try to access by domain name, I get nothing....however,
>>>> if I try using the IP address, I get a webpage with "Hello" on it.
>>>>
>>>> On PC, using DNS, I get the website; using IP address, I get the same
>>>> "Hello" page.
>>>>
>>> That's just a result of virtual hosting on that IP address isn't it.
>>> The server decides which site to display by looking at the name being
>>> used, they're all at the same IP. If you give it a 'raw' IP address
>>> then it can't decide which virtual site to use.
>>>
>> it goes to the default.
>
> Yes; going to the base IP is intentionally not going to work.
>
>> What this suggests is that some kind of deep packet inspection is
>> mangling the names or dropping the packets
>>
>> I.e. it's a layer or two above IP routing if you can reach the IP, but not
>> the named target.
>>
>> That or the DNS that you are using on the mobile is NOT picking up the
>> correct IP address.
>>
>> I am not sure what device you are using on Vodafone, but if you can set
>> its DNS server to something other than default, that is the way to test
>> that particular issue..
>
> It's a Nokia 808 (Voda contract) but it's the same on an Ipad2 (Voda
> PAYG).
>
That tends to exonerate the browser, but leaves DNS or a server with
indigestion.

Hmm. Thought. Drop the MTU to 1400 bytes on the server connection.

Sometimes if you are operating over slightly crappy networks packet
fragmentation can cause issues.

The Natural Philosopher

Mar 9, 2013, 2:00:13 PM
On 09/03/13 17:55, Peter wrote:
>
> The Natural Philosopher <t...@invalid.invalid> wrote
>
>> That tends to exonerate the browser, but leaves DNS or a server with
>> indigestion.
>>
>> Hmm. Thought. Drop the MTU to 1400 bytes on the server connection.
>>
>> Sometimes if you are operating over slightly crappy networks packet
>> fragmentation can cause issues.
>
> We can try dropping the MTU but why only Voda?
>
> All other 3G networks work fine, and even GPRS (10x slower than 3G,
> although perhaps not 10x longer latency) works fine with every other
> server I try.
>
It needs just one router in the mix not doing reassembly correctly and
it's toast for big packets.


I am just scratching at differences between networks.. and that is one.
Maybe mobile packets are smaller..

It's a quick test anyway.

Roland Perry

Mar 11, 2013, 7:24:36 AM
In message <j2frj8d6v73l634aq...@4ax.com>, at 11:15:29 on
Mon, 11 Mar 2013, nobody@nowhere----.com remarked:
>We have done more tests.
>
>The same website (kksystems dot com) is accessible on another server
>(different ISP; we have a backup server there) so the issue cannot be
>packet inspection by Vodafone, presumably.
>
>It is therefore A&A-specific blacklisting of some sort - either by
>Vodafone blocking the A&A IP, or by A&A blocking the Vodafone internet
>gateway IP.

Or Vodafone blocking all the sites sharing the A&A IP in question, as a
result of content on another of the sites.

It's also possible the IP address is blocked because of content on a
former site there - or is their blocking entirely dynamic based on the
traffic requested in real time.

--
Roland Perry

Dave Saville

Mar 11, 2013, 10:59:17 AM
On Mon, 11 Mar 2013 14:15:33 UTC, nobody@nowhere_.com wrote:
<snip>
> Well, here's a good one.
>
> We set the MTU to 1400 and it works!
>
> I found that in the Draytek 2955 router (running over a Draytek 120
> PPPOE modem) the MTU was set to the Draytek default of 1442.
>
> The setting cannot be more than 1492, presumably due to the 8 byte
> header in PPPOE.
>

Correct.

> Does this mean that the Draytek was fragmenting ALL packets coming out
> of the server?

Or it's one of those brain dead sites that send "1500 don't fragment"
and you never get to see the reply if you are less than 1500.
Certainly on BT whatever you set in the router is not necessarily
what the other end sees as BT lie upstream. AAISP have a fix in their
systems for those who use PPPoE that gets around the problem.
--
Regards
Dave Saville

The Natural Philosopher

Mar 11, 2013, 12:34:01 PM
On 11/03/13 11:15, nobody@nowhere----.com wrote:
> We have done more tests.
>
> The same website (kksystems dot com) is accessible on another server
> (different ISP; we have a backup server there) so the issue cannot be
> packet inspection by Vodafone, presumably.
>
> It is therefore A&A-specific blacklisting of some sort - either by
> Vodafone blocking the A&A IP, or by A&A blocking the Vodafone internet
> gateway IP.
>
Bad logic. All you have identified is that it is ISP variable.

The Natural Philosopher

Mar 11, 2013, 12:38:14 PM
On 11/03/13 14:15, nobody@nowhere_.com wrote:
>
> Roland Perry <rol...@perry.co.uk> wrote
> Well, here's a good one.
>
> We set the MTU to 1400 and it works!
>
> I found that in the Draytek 2955 router (running over a Draytek 120
> PPPOE modem) the MTU was set to the Draytek default of 1442.
>
> The setting cannot be more than 1492, presumably due to the 8 byte
> header in PPPOE.
>
> Does this mean that the Draytek was fragmenting ALL packets coming out
> of the server?
>

No. What it probably means is that there is a broken router somewhere in
one of the chains and you have worked round it. It's almost certainly
NOTHING to do with your routers at all.

I had the same effect with a company I do a bit of business with. At a
given point it simply took ages to load. They checked the site: it was
fine and not overloaded, neither was their IP circuit. So I stuck my
packets down to 1400 bytes and it was all fine.

Some weeks later I rebooted to defaults and it still worked. Something
somewhere had been fixed.


> However we have two identical servers, modems, routers, and the one on
> the other IP works fine over Vodafone 3G.
>
> We also found a funny thing: setting the MTU in the network interface
> (rc.conf) to 1400 makes the site work right away, but setting it back
> to 1500 doesn't break it until after the whole server is rebooted.
>

Probably something is caching the value.

Nick Leverton

Mar 13, 2013, 5:16:29 AM
In article <8ae0k850t2q01194l...@4ax.com>,
Peter <occassional...@nospam.co.uk> wrote:
>The current news on this is that something on the AAISP ADSL is not
>responding to MTU size negotiation requests (ICMP packets).
>
>Pings work on it OK but the MTU negotiation is a different type of
>ICMP packet, which I have not found anybody able to test.
>
>Vodafone, apparently, do not support 1500 byte packets. They request
>smaller ones, so the connection will break if that ICMP packet is not
>effective.
>
>I cannot find anything in the Draytek 2955 config which might control
>this, and the www server in question is on a 2nd subnet so the router
>should not come into it anyway as the 2nd subnet bypasses it. So it's
>down to the server firewall rules, and we can't see anything relevant
>there either.
>
>On the "Voda working" site (on ZEN) the www server is behind NAT (with
>port 80 etc open, obviously) and the MTU negotiation is done with the
>router, not with the server, apparently, and the router does that
>correctly. That's why we think it is the server firewall which is
>doing this...

If you have a Unix based client to try from, there is a jolly useful
utility for this sort of thing called tracepath which is a sort of
traceroute with PMTU discovery included. For each hop it prints
the maximum MTU supported and should show you where the problem is.

Wish we'd had it when I used to have to diagnose similar for clients
- mostly it was their router wrongly configured to block all ICMPs
("because ICMPs are insecure" they would say) but occasionally we would
find somewhere in their ISP that was breaking path length discovery.

Nick
--
"The Internet, a sort of ersatz counterfeit of real life"
-- Janet Street-Porter, BBC2, 19th March 1996
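
Added example, not part of any poster's message: a Python sketch of the path-MTU black hole discussed in this thread. It parses the ICMP "Fragmentation Needed" message (type 3, code 4, RFC 1191), which is the "MTU negotiation" packet that differs from a ping, and simulates a server sending DF-set packets when a firewall admits only echo traffic. The link MTUs, the allow-lists and all function names are assumptions constructed for illustration, and TCP MSS negotiation is ignored.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, as carried in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(typ, code, hi, lo, payload=b""):
    """Build a constructed ICMP message with a valid checksum."""
    msg = struct.pack("!BBHHH", typ, code, 0, hi, lo) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    """Classify an ICMP message; type 3 code 4 carries the next-hop MTU."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    typ, code, _csum, _hi, lo = struct.unpack("!BBHHH", msg[:8])
    frag_needed = (typ, code) == (3, 4)
    return {"type": typ, "code": code, "frag_needed": frag_needed,
            "next_hop_mtu": lo if frag_needed else None}

# Hypothetical firewall allow-lists of (type, code) pairs.
PING_ONLY = {(8, 0), (0, 0)}          # echo request/reply: "pings work OK"
PMTUD_SAFE = PING_ONLY | {(3, 4)}     # also admits Fragmentation Needed

# Constructed path, server to client: Ethernet, PPPoE, assumed mobile link.
PATH = [1500, 1492, 1400]

def send_response(payload_len, path_mtus, allowed_icmp, iface_mtu=1500):
    """Simulate a server sending one DF-set TCP segment along the path.

    Returns (delivered, size_of_last_packet_sent)."""
    pmtu = iface_mtu
    packet = 0
    for _ in range(len(path_mtus) + 1):
        packet = min(payload_len + 40, pmtu)   # 20 B IP + 20 B TCP headers
        bottleneck = next((m for m in path_mtus if m < packet), None)
        if bottleneck is None:
            return True, packet
        # The router before the narrow link drops the packet and reports
        # its MTU, quoting the original IP header + 8 bytes (zeros here).
        icmp = build_icmp(3, 4, 0, bottleneck, b"\x45" + bytes(27))
        info = parse_icmp(icmp)
        if (info["type"], info["code"]) not in allowed_icmp:
            return False, packet   # black hole: sender never learns the MTU
        pmtu = info["next_hop_mtu"]
    return False, packet

if __name__ == "__main__":
    for label, args in [
        ("small page, ping-only firewall", (1000, PATH, PING_ONLY)),
        ("large page, ping-only firewall", (8000, PATH, PING_ONLY)),
        ("large page, type 3 code 4 allowed", (8000, PATH, PMTUD_SAFE)),
        ("large page, server MTU forced to 1400", (8000, PATH, PING_ONLY, 1400)),
    ]:
        print(label, "->", send_response(*args))
```

The second case is the failure reported in the thread (ping succeeds, large pages stall); the fourth is the MTU 1400 workaround, and the third is the outcome when the firewall lets type 3 code 4 through.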

Dave Saville

Mar 13, 2013, 5:58:45 AM
On Wed, 13 Mar 2013 08:36:00 UTC, Peter
<occassional...@nospam.co.uk> wrote:

> The current news on this is that something on the AAISP ADSL is not
> responding to MTU size negotiation requests (ICMP packets).
>
> Pings work on it OK but the MTU negotiation is a different type of
> ICMP packet, which I have not found anybody able to test.

So what options are set for your line? Mine after tweaking for PPPoE
says MTU "Auto" and TCPFix checked.
--
Regards
Dave Saville

Dave Saville

Mar 14, 2013, 6:35:18 AM
On Wed, 13 Mar 2013 18:58:44 UTC, Peter
<occassional...@nospam.co.uk> wrote:

>
> "Dave Saville" <da...@invalid.invalid> wrote
> Where would these be set?

Your control pages. Click on the phone number.

--
Regards
Dave Saville

Dave Saville

Mar 15, 2013, 6:03:27 AM
On Thu, 14 Mar 2013 14:02:36 UTC, Peter
<occassional...@nospam.co.uk> wrote:

> Control pages where? Do you mean the A&A Control Panel?

Yes, that's what most people seem to call them AAISP included.

--
Regards
Dave Saville

Nick Leverton

Apr 9, 2013, 6:34:17 AM
In article <t1f7m813n4th94tot...@4ax.com>,
Peter <occassional...@nospam.co.uk> wrote:
>
>We fixed the issue by setting the server MTU to 1400 but never found a
>proper reason for it.
>
>A&A are fairly sure it is an issue between our server and our router
>and suggest a packet analyser on the ethernet connection to the
>router.
>
>I am not convinced; I think it could easily be an issue between
>Vodafone and A&A. In fact anywhere where the packet size negotiations
>fails.
>
>As I posted before, we have an identically configured server on a ZEN
>line and that is accessible via Voda OK.

Have you tried tracepath as I think I suggested previously ? In PMTU
problems it will identify the exact hop that is giving trouble.

Nick Leverton

Apr 9, 2013, 12:53:27 PM
In article <u3h8m853qlfqh711l...@4ax.com>,
Peter <occassional...@nospam.co.uk> wrote:
>
>Nick Leverton <ni...@leverton.org> wrote
>
>>In article <t1f7m813n4th94tot...@4ax.com>,
>>Peter <occassional...@nospam.co.uk> wrote:
>>>
>>>We fixed the issue by setting the server MTU to 1400 but never found a
>>>proper reason for it.
>>>
>>>A&A are fairly sure it is an issue between our server and our router
>>>and suggest a packet analyser on the ethernet connection to the
>>>router.
>>>
>>>I am not convinced; I think it could easily be an issue between
>>>Vodafone and A&A. In fact anywhere where the packet size negotiations
>>>fails.
>>>
>>>As I posted before, we have an identically configured server on a ZEN
>>>line and that is accessible via Voda OK.
>>
>>Have you tried tracepath as I think I suggested previously ? In PMTU
>>problems it will identify the exact hop that is giving trouble.
>
>I think we could not get it running under FreeBSD. Not with the
>command line options required for this job.

I missed that it was BSD at both ends, my apologies. I'm not entirely
surprised that tracepath does dodgy implementation-specific things with
packets ...

alexd

Apr 10, 2013, 3:36:16 PM
Peter (for it is he) wrote:

> The next device up is the Draytek 120 modem, running PPPOE i.e. no
> config whatsoever in that.

Funny you should mention that, I saw a similar issue with a Sonicwall and a
pair of Draytek 120's, lots of bizarre connectivity issues which were
resolved by lowering the MTU.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
20:34:16 up 26 days, 11:30, 5 users, load average: 0.11, 0.13, 0.13
Qua illic est reprehendit, illic est a vindicatum


Nick Leverton

Apr 16, 2013, 8:58:28 AM
In article <sci8m8d9jusknti59...@4ax.com>,
Peter <occassional...@nospam.co.uk> wrote:
>
>The client device can be anything, and all show the same problem. It
>can be a winXP laptop, an Ipad (both foregoing with a built-in GPRS/3G
>radio and a PAYG SIM card), or my Nokia 808 phone (Symbian).
>
>I even did a tracert on the phone, which showed some interesting stuff
>(which I think I posted here) but since that uses pings, it is not
>conclusive because a lot of devices don't respond to pings anyway.
>
>Funnily enough, very small websites do work - obviously if the entire
>website (or I should say the entire block delivered by the server in
>one go e.g. all of index.html) is under 1400 bytes ;)

What about booting a linux live CD on the laptop, that should give you
more access to diagnostic tools. You seem to have tried most things
though ...