Hello, first time posting here. Not exactly sure of the protocol on what to post; I shall do my best. I've got an HR user that connects to a secure website: https://sbsftp.benefitfocus.com/ When I give my laptop a public IP and try from outside the firewall, the connection works, and Wireshark says:
followed by server hello, certificate, client key exchange, then packets that look like this
When I try from inside, the browser gives an 'err-connection-closed' error and will not connect. I get this from Wireshark RED row(s)
followed by similar packets - the port 443->53427 - the second number increments with each error. Thanks for any help! Brent
asked 05 May '15, 09:14 FrankChibu
edited 05 May '15, 09:23 grahamb ♦
One Answer:
It seems you are still using the public IP on your laptop when connecting from inside? That's what the text you posted shows (74.213.141.49 used in both cases).
The "error" case you show looks like your client is closing the connection. What was the URL you used in the "internal" case? If it's the "internal IP" of the server, then it's likely not to match the info in the server certificate and so the client will close the connection. This is more likely if the RST occurs after receipt of the server certificate.
Update: OK, I misread the text, thinking that packet was the client SYN, but it's obviously the server SYN ACK back. Yet more proof that analysis by text snippet is awkward. So the server is issuing the RST; this makes me think it's more likely that something in the network path from the client to the server (router or server itself) is configured to reject connection attempts to the external IP from an internal route.
Note: Analysing issues using portions of text output is a bit of guesswork; much better to post a capture somewhere publicly (cloudshark, Google Drive, Dropbox etc.), using an anonymiser such as TraceWrangler if necessary.
answered 05 May '15, 09:32 grahamb ♦
edited 05 May '15, 10:39
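The reasoning in the answer above (which side sent the RST, and whether it came before or after the server Certificate) can be checked mechanically. This is an added example, not part of the original thread: it assumes rows exported with tshark `-T fields` in the column order given in the comment, and the sample rows and addresses are constructed.

```python
import csv, io

# Constructed rows (not from the poster's capture), tab-separated as:
# frame, ip.src, tcp.srcport, ip.dst, tcp.dstport, syn, ack, reset, tls.handshake.type
# Addresses are documentation ranges; 192.0.2.10 plays the client.
INSIDE = (
    "1\t192.0.2.10\t53427\t198.51.100.20\t443\t1\t0\t0\t\n"
    "2\t198.51.100.20\t443\t192.0.2.10\t53427\t1\t1\t0\t\n"
    "3\t192.0.2.10\t53427\t198.51.100.20\t443\t0\t1\t0\t1\n"
    "4\t198.51.100.20\t443\t192.0.2.10\t53427\t0\t1\t1\t\n"
)
CERT_MISMATCH = (
    "1\t192.0.2.10\t53428\t198.51.100.20\t443\t1\t0\t0\t\n"
    "2\t198.51.100.20\t443\t192.0.2.10\t53428\t1\t1\t0\t\n"
    "3\t192.0.2.10\t53428\t198.51.100.20\t443\t0\t1\t0\t1\n"
    "4\t198.51.100.20\t443\t192.0.2.10\t53428\t0\t1\t0\t2,11\n"
    "5\t192.0.2.10\t53428\t198.51.100.20\t443\t0\t1\t1\t\n"
)

def flag(value):
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value in ("1", "True")

def triage(text):
    """Map (client, cport, server, sport) -> (rst_sender, cert_seen_before_rst)."""
    clients, cert_seen, result = set(), set(), {}
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    for _, src, sp, dst, dp, syn, ack, rst, hs in rows:
        if flag(syn) and not flag(ack):
            clients.add((src, sp, dst, dp))      # a bare SYN marks the client side
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        key = fwd if fwd in clients else rev
        if key not in clients or key in result:
            continue                             # unknown flow, or already reset
        from_client = key == fwd
        if not from_client and "11" in hs.split(","):
            cert_seen.add(key)                   # handshake type 11 = Certificate
        if flag(rst):
            sender = "client" if from_client else "server"
            result[key] = (sender, key in cert_seen)
    return result

if __name__ == "__main__":
    for name, sample in (("inside", INSIDE), ("cert mismatch", CERT_MISMATCH)):
        print(name, triage(sample))
```

A `("server", False)` result matches the updated diagnosis in the answer (reset from the server side before any certificate, pointing at the network path), while `("client", True)` matches the certificate-mismatch case first suspected.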
Hi. I am using class C internal (10. ) - didn't want to publish that. Same for public IP - just didn't want to publish. The 74.213.141.49 is the destination IP for -> https://sbsftp.benefitfocus.com/
The client is a browser (any browser). This used to work, and does from other Geo sites.
I'll upload the entire capture to dropbox when I can, wanted to answer these questions now.
Thanks!
Sorry I thought the files would be viewable, here are links to files
https://www.dropbox.com/s/yz4sme5dj5iro42/frominside?dl=0
https://www.dropbox.com/s/7qkt85wrspqutxb/fromoutside?dl=0
Those files appear to be text exports from the captures, and as I've mentioned analysing text isn't great, as we can't use all the great facilities in Wireshark.
Can you provide the actual capture files?
Thanks for the feedback. Wireshark is pretty new to me. How do I get the actual capture files?
Many thanks!
From the menu, File |> Save.
This will include all internal and public IPs... can't do that.
Could you glean anything from an outside (working) capture only?
As I mentioned above
Sir, I must thank you for the hand holding. I appreciate it. Files are uploaded; here is the link. Many thanks again.
https://www.dropbox.com/s/jiq2tzrdxq2v5ps/wireshard%20from%20outside%20-%20successful_anon.pcapng?dl=0
https://www.dropbox.com/s/2fbh16n7fitgjvt/wireshark%20from%20inside_anon.pcapng?dl=0
I have the same issue with the above-mentioned website at my facility. What was involved in this case to correct the issue?