No traffic after putting UT into production - Page 3

Muggle · 07-11-2009, 12:46 AM

Are you using the exact same port on the switch when it does and then does not work? Also, are you using the exact same cables when it does and does not work?

I bring up these questions simply because I've had similar issues, not with UT, but other appliances. How about a straight-through cable ? I know that should not matter nowadays..but you never know...

Just a couple of thoughts, seems like all the other bases have been covered.

neiby · 07-11-2009, 08:52 AM

Quote:

Originally Posted by Muggle

Are you using the exact same port on the switch when it does and then does not work? Also, are you using the exact same cables when it does and does not work?

I bring up these questions simply because I've had similar issues, not with UT, but other appliances. How about a straight-through cable ? I know that should not matter nowadays..but you never know...

Just a couple of thoughts, seems like all the other bases have been covered.

I've tried it both ways, using the same and different ports on the switch. I've also cleared the ARP cache and MAC tables after making the switch to ensure that the 6509 doesn't have any leftover entries for whatever reason.

This seems to be a higher layer problem. We have no problem with IP connectivity, but DNS names don't resolve. Something's happening at a higher layer to impede that traffic.

far182 · 07-11-2009, 11:18 AM

Type nslookup
server 4.2.2.1
www.google.com

Do you get anything back?

neiby · 07-11-2009, 11:58 AM

Quote:

Originally Posted by far182

Type nslookup
server 4.2.2.1
www.google.com

Do you get anything back?

Nope. We tried that. I tried hard setting UT to use that server for DNS, and I also tried setting it using nslookup as you suggested. Either way, no names would resolve even though UT could ping that server. It doesn't make any sense!

neiby · 07-11-2009, 12:58 PM

I need to find a way to continue testing this without disrupting our network. This is on our primary Internet connection, which means we have mobile police/fire units and other emergency vehicles who count on this connection, not to mention all the servers and users behind it that need Internet access, even in off hours. I can't keep bringing that connection down to test. I think I have a free interface on our firewall, though. Maybe I'll connect to that instead and configure it similar to our main inside interface.

Then again, that's not going to work because it's not exactly the same. To replicate our situation, I would have to have real users and at least one DNS server behind UT. This could be a fairly complicated test setup.

far182 · 07-11-2009, 02:07 PM

I really don't believe it's untangle that is causing the problem. To rule that out, you could do a fresh install.

neiby · 07-11-2009, 02:49 PM

Quote:

Originally Posted by far182

I really don't believe it's untangle that is causing the problem. To rule that out, you could do a fresh install.

This is a fresh install.

I don't think the problem lies solely with Untangle since it works when not connected directly to our firewall. My suspicion is that there is some strange interaction between the two. Someone else suggested one possible problem, but I *think* I've ruled that out.

Surely we're not the first to connect this version of UT directly to a Cisco ASA. If others have done it with no problem then it's just a matter of figuring out what's different between our configuration and theirs.

far182 · 07-11-2009, 02:50 PM

Disable all the "fixup" in the ASA. Fixup can cause problems.

neiby · 07-11-2009, 02:59 PM

Quote:

Originally Posted by far182

Disable all the "fixup" in the ASA. Fixup can cause problems.

I'll try it, but *why* should I have to do that? If UT is acting as a transparent bridge, that sort of thing shouldn't be necessary. I should be able to drop it inline without any problem. It should be, um, transparent.

It must not be completely transparent for non-blocked traffic, which I thought it would be. Even with a couple of things in the rack, all turned off, it was still blocking DNS. That proves that it is having some sort of effect on the traffic even when it should just be passing it through.

EDIT: I just checked. The fixup command is missing on the ASA. That functionality is either not there, is integrated, or has been moved to another command. I'll have to do more research.

neiby · 07-11-2009, 03:10 PM

The only thing I can find in the ASA config related to DNS is that dns-guard is enabled. That enforces a single reply to any DNS query. Other than that, I don't see anything, and I don't know how that would affect things at all.

Again, if UT is truly transparent for unblocked traffic, it shouldn't matter. Is UT completely transparent to unblocked traffic?

07-11-2009, 12:58 PM	#25 (permalink)
neiby Master Untangler Join Date: Jun 2009 Location: Denver, CO Posts: 603	I need to find a way to continue testing this without disrupting our network. This is on our primary Internet connection, which means we have mobile police/fire units and other emergency vehicles who count on this connection, not to mention all the servers and users behind it that need Internet access, even in off hours. I can't keep bringing that connection down to test. I think I have a free interface on our firewall, though. Maybe I'll connect to that instead and configure it similar to our main inside interface. Then again, that's not going to work because it's not exactly the same. To replicate our situation, I would have to have real users and at least one DNS server behind UT. This could be a fairly complicated test setup. __________________ Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.

07-11-2009, 03:10 PM	#30 (permalink)
neiby Master Untangler Join Date: Jun 2009 Location: Denver, CO Posts: 603	The only thing I can find in the ASA config related to DNS is that dns-guard is enabled. That enforces a single reply to any DNS query. Other than that, I don't see anything, and I don't know how that would affect things at all. Again, if UT is truly transparent for unblocked traffic, it shouldn't matter. Is UT completely transparent to unblocked traffic? __________________ Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.

07-11-2009, 12:46 AM	#21 (permalink)
Muggle Untangler Join Date: Jun 2009 Location: Lakewood, CA Posts: 67	Are you using the exact same port on the switch when it does and then does not work? Also, are you using the exact same cables when it does and does not work? I bring up these questions simply because I've had similar issues, not with UT, but other appliances. How about a straight-through cable ? I know that should not matter nowadays..but you never know... Just a couple of thoughts, seems like all the other bases have been covered.

07-11-2009, 11:18 AM	#23 (permalink)
far182 Master Untangler Join Date: Aug 2008 URLs submitted: 1 Posts: 936	Type nslookup server 4.2.2.1 www.google.com Do you get anything back?

07-11-2009, 02:07 PM	#26 (permalink)
far182 Master Untangler Join Date: Aug 2008 URLs submitted: 1 Posts: 936	I really don't believe it's untangle that is causing the problem. To rule that out, you could do a fresh install.

07-11-2009, 02:50 PM	#28 (permalink)
far182 Master Untangler Join Date: Aug 2008 URLs submitted: 1 Posts: 936	Disable all the "fixup" in the ASA. Fixup can cause problems.