good day

I am in a new company and I have very little information about the network configuration. I know that I have FortiGate firewalls with a VPN set up between two sites, as I can ping the other site's edge devices and access a shared folder on the DC. But the problem I am wondering about, as a fresh IT grad: how can I ping the server but can't browse it? I used Wireshark and validated that the client and server are communicating via port 80 and getting back ACKs. I have tried opening port 80 on the client both inbound and outbound, but also no luck. Could it be that the FortiGate firewalls are blocking some traffic?


Probably the VPN setup is using tight traffic filtering, so it allows only the really required/approved connections.

Filtering of the connections can be set up on either of the VPN gateways (Fortigates in your case) or even on both.

The first place to troubleshoot a problem like this is the firewall logs. First check the local firewall's log to see if it allowed the outgoing http connection. If allowed, it will be the remote firewall that is blocking the http connection. If it's not that one either and it also shows the connection as allowed, then it is something on the web server that is not allowing the connection.

Yes.

Check that port 80 is open on the firewalls for http and https traffic.

I am now sure, based on your reply, that it's not a client- or server-side issue, as while I was at the other site I was able to browse the http server normally, so I am comfortable confirming it's a FW traffic blockage issue.

When you were at the remote site, you had a remote-site IP address. That doesn't have to mean that connections from your current remote location are also allowed at the server!

However, in general, http servers are usually not configured to be so selective on incoming connections. Usually it would be some local firewall or endpoint protection software, that would be messing with incoming connections.

Still start looking at firewall logs - these are the shortest path to get some usable diagnostics (if you have access to them).

What do you mean by "browse"? What are you trying to browse on a DC? Do you have a web server running on the DC? Could you connect to it using telnet on port 80?

I did not mean browsing the DC over http; I meant that I can access the shared folders within it remotely.

I know, but all my ports are open and I know that network discovery is enabled on the remote server.

As a fresh grad, you need to remember to use your troubleshooting skills based on the OSI model you learned in school. New grads tend to always jump the gun when troubleshooting issues (such as starting with Wireshark). This is the approach I would take based on the issue you stated.

  1. Am I able to ping? In this case you can. (Under the OSI physical layer, your connectivity is good.) You have ruled out your physical layer.
  2. Can you browse the share from your other location? In this case no; this means your app layer and other layers are not working (my next step would be to browse the share on the server itself at the remote location).
  3. Step 2 rules out a server issue if I can browse the share on the server (in your case you are able to). If you have issues browsing the share on the server itself, you know the server is your issue; in this case you would follow step 4 to rule out your server.
    3A) This issue now mostly points to either your client or something that lies somewhere between the two offices.
  4. To mostly rule out my client, I would check to see if there is any local firewall that may be blocking this. Make sure you are able to browse other shares on your local network. Make sure Client for Microsoft Networks is enabled under your NIC adapter.
  5. If all the above steps are ruled out, I would focus on your firewall, which is in the middle. I would start by reviewing the traffic log originating from your client to start investigating there. See if the firewall is able to pass traffic through.
    Basically, you have to try to trace the path data will take along the way and rule out any devices that are in between one by one.
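As an added example (not from anyone in this thread), here is what the "check the local firewall log first, then the remote one" advice looks like when done against exported FortiGate traffic logs. FortiGate forward-traffic records are key=value syslog lines; the field names used below (devname, type, srcip, dstip, dstport, action, policyid, dstintf, msg) are the standard ones, but the sample records, addresses, interface names and policy numbers are constructed for this illustration. The script pulls out every session from the client to the server on a given port and reports, per firewall, whether it was accepted and by which policy, or denied; a deny with policyid=0 is the implicit deny at the bottom of the policy list.

```python
"""Find what each FortiGate did with a client -> server:port flow in its traffic log."""
import re

# Constructed sample: two FortiGates (FG-SITEA local to the client, FG-SITEB in front of
# the server). SMB/445 is accepted on both; HTTP/80 is accepted locally but hits the
# implicit deny (policyid=0) on the remote unit. Not real log data.
SAMPLE_LOG = """\
date=2024-03-01 time=09:12:01 devname="FG-SITEA" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 srcport=51230 srcintf="internal" dstip=10.2.1.10 dstport=445 dstintf="vpn-siteb" proto=6 action="accept" policyid=7 policyname="LAN-to-SiteB" service="SMB" sentbyte=4120 rcvdbyte=9800
date=2024-03-01 time=09:12:01 devname="FG-SITEB" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 srcport=51230 srcintf="vpn-sitea" dstip=10.2.1.10 dstport=445 dstintf="internal" proto=6 action="accept" policyid=12 policyname="SiteA-to-LAN" service="SMB" sentbyte=4120 rcvdbyte=9800
date=2024-03-01 time=09:12:05 devname="FG-SITEA" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 srcport=51240 srcintf="internal" dstip=10.2.1.10 dstport=80 dstintf="vpn-siteb" proto=6 action="accept" policyid=7 policyname="LAN-to-SiteB" service="HTTP" sentbyte=180 rcvdbyte=0
date=2024-03-01 time=09:12:05 devname="FG-SITEB" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 srcport=51240 srcintf="vpn-sitea" dstip=10.2.1.10 dstport=80 dstintf="internal" proto=6 action="deny" policyid=0 service="HTTP" sentbyte=0 rcvdbyte=0 msg="Denied by forward policy check"
date=2024-03-01 time=09:12:06 devname="FG-SITEA" type="traffic" subtype="forward" level="notice" srcip=10.1.1.40 srcport=40011 srcintf="internal" dstip=8.8.8.8 dstport=53 dstintf="wan1" proto=17 action="accept" policyid=3 policyname="LAN-to-Internet" service="DNS" sentbyte=70 rcvdbyte=120
"""

# key=value pairs; values are either "quoted, may contain spaces" or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one FortiGate syslog line into a dict, stripping the quotes from values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def sessions_for(log_text, client_ip, server_ip, dport):
    """All forward-traffic records for client_ip -> server_ip:dport, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "traffic":
            continue  # skip event/UTM records that share the same file
        if (rec.get("srcip") == client_ip and rec.get("dstip") == server_ip
                and rec.get("dstport") == str(dport)):
            hits.append(rec)
    return hits


def verdict_by_device(sessions):
    """{devname: [(action, policyid), ...]} so the local and remote unit can be compared."""
    out = {}
    for rec in sessions:
        out.setdefault(rec.get("devname", "?"), []).append(
            (rec.get("action"), rec.get("policyid")))
    return out


def blocking_devices(sessions):
    """Which firewall(s) denied the flow, with the policy id (0 = implicit deny) and reason."""
    return [(rec.get("devname", "?"), rec.get("policyid"), rec.get("msg", ""))
            for rec in sessions if rec.get("action") == "deny"]


if __name__ == "__main__":
    http = sessions_for(SAMPLE_LOG, "10.1.1.25", "10.2.1.10", 80)
    for dev, verdicts in verdict_by_device(http).items():
        print(dev, verdicts)
    print("blocked by:", blocking_devices(http))
```

Run against the constructed sample it prints FG-SITEA accepting on policy 7 and FG-SITEB denying with policy 0, which is exactly the "local allowed, remote blocked" split the advice above tells you to look for; against the SMB flow on 445 it reports no blocking device, matching the share access that works. The same functions apply unchanged to a real export from Log & Report on either unit.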

Don’t forget to check the windows firewall on the web server itself in addition to both your Fortigates. The windows firewall on the client computer that’s trying to access the website likely isn’t at fault but you can never make assumptions at this stage.

Logs generated by the web server itself can help shed light on it as well (IIS for instance if that’s what you’re using as a web server software).

If you’re comfortable with using command line, you can run a diagnose command on the Fortigates to show you what happens to your port 80 traffic. It may provide a clue where it all breaks down and which device is dropping the connection (if at all).

Something like this. The “4” at the end is not a typo. This will show which interfaces a packet goes through and can give a clue where it stops passing which could indicate a firewall policy on that Fortigate blocking the traffic.

diagnose sniffer packet any "host ip_address_of_web_server and port 80" 4
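An added example, not part of the thread, of reading the output of that sniffer command. At verbosity 4 each packet line carries the ingress or egress interface and direction, so the question "does the SYN leave the box, and does a SYN/ACK ever come back?" can be answered mechanically. The three captures below are constructed to match the shape of verbosity-4 TCP lines (`<time> <interface> in|out <src>.<sport> -> <dst>.<dport>: <flags>`); interface names, addresses and sequence numbers are invented.

```python
"""Classify where a TCP connection stops, from 'diagnose sniffer packet any "..." 4' output."""
import re

# Constructed captures, not real device output.
# Case 1: SYN arrives on the LAN side and is never forwarded -> this unit is dropping it.
CAPTURE_DROPPED_HERE = """\
interfaces=[any]
filters=[host 10.2.1.10 and port 80]
0.412133 internal in 10.1.1.25.51240 -> 10.2.1.10.80: syn 2899173452
1.428977 internal in 10.1.1.25.51240 -> 10.2.1.10.80: syn 2899173452
3.445260 internal in 10.1.1.25.51240 -> 10.2.1.10.80: syn 2899173452
"""
# Case 2: SYN is forwarded into the tunnel but nothing returns -> look at the far side.
CAPTURE_NO_REPLY = """\
interfaces=[any]
filters=[host 10.2.1.10 and port 80]
0.512133 internal in 10.1.1.25.51241 -> 10.2.1.10.80: syn 1122334455
0.512160 vpn-siteb out 10.1.1.25.51241 -> 10.2.1.10.80: syn 1122334455
1.528977 internal in 10.1.1.25.51241 -> 10.2.1.10.80: syn 1122334455
1.529002 vpn-siteb out 10.1.1.25.51241 -> 10.2.1.10.80: syn 1122334455
"""
# Case 3: the handshake completes through this unit.
CAPTURE_OK = """\
interfaces=[any]
filters=[host 10.2.1.10 and port 80]
0.612133 internal in 10.1.1.25.51242 -> 10.2.1.10.80: syn 99887766
0.612160 vpn-siteb out 10.1.1.25.51242 -> 10.2.1.10.80: syn 99887766
0.631900 vpn-siteb in 10.2.1.10.80 -> 10.1.1.25.51242: syn 55443322 ack 99887767
0.631920 internal out 10.2.1.10.80 -> 10.1.1.25.51242: syn 55443322 ack 99887767
0.632400 internal in 10.1.1.25.51242 -> 10.2.1.10.80: ack 55443323
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Packet lines as dicts; the interfaces=/filters= header lines do not match and are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            p["flags"] = p["flags"].split()  # e.g. ['syn', '123'] or ['syn', '1', 'ack', '2']
            pkts.append(p)
    return pkts


def trace_flow(pkts, client_ip, server_ip, server_port):
    """Interfaces where the client's SYN was seen entering/leaving, and where a SYN/ACK came back in."""
    syn_in, syn_out, synack_in = [], [], []
    for p in pkts:
        is_syn = "syn" in p["flags"]
        is_ack = "ack" in p["flags"]
        forward = (p["src"] == client_ip and p["dst"] == server_ip and p["dport"] == server_port)
        reverse = (p["src"] == server_ip and p["sport"] == server_port and p["dst"] == client_ip)
        if forward and is_syn and not is_ack:
            (syn_in if p["dir"] == "in" else syn_out).append(p["intf"])
        elif reverse and is_syn and is_ack and p["dir"] == "in":
            synack_in.append(p["intf"])
    return {"syn_in": syn_in, "syn_out": syn_out, "synack_in": synack_in}


def classify(trace):
    if not trace["syn_in"]:
        return "not-seen"            # client traffic never reached this FortiGate: look upstream
    if not trace["syn_out"]:
        return "dropped-here"        # entered but never left: a policy (or implicit deny) on this unit
    if not trace["synack_in"]:
        return "forwarded-no-reply"  # left towards the server: remote FortiGate, host firewall or server
    return "passes"


if __name__ == "__main__":
    for name, cap in [("dropped", CAPTURE_DROPPED_HERE), ("no-reply", CAPTURE_NO_REPLY), ("ok", CAPTURE_OK)]:
        t = trace_flow(parse_sniffer(cap), "10.1.1.25", "10.2.1.10", 80)
        print(name, t, "->", classify(t))
```

The "dropped-here" case is the one that points at the local FortiGate's policy; "forwarded-no-reply" means the local unit has done its job and the same sniffer run on the remote FortiGate is the next step. The flow matching is by address and port only, so the filter string passed to the sniffer should be as narrow as the one in the thread, and the client's port-80 retransmissions will show up as repeated SYN entries.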