Single Secure Website Appears to be Blocked Behind Watchguard T15


Comments

  • edited November 2022

    Trying one more time to see if there was ever a resolution as I am not getting anywhere with support from Comcast, or in my case, Cisco/Meraki.
    1 [Redacted this line - James C]
    2 [Redacted this line - James C]
    3 14 ms 13 ms 10 ms 96.120.112.25
    4 13 ms 13 ms 12 ms 96.108.124.177
    5 14 ms 11 ms 12 ms 96.108.122.169
    6 17 ms 18 ms 22 ms 24.153.88.85
    7 * 27 ms 28 ms 4.68.110.122
    8 46 ms 43 ms 44 ms ae7.7.edge2.newark1.level3.net [4.69.218.41]
    9 52 ms 49 ms 52 ms colo4-dalla.edge2.newark1.level3.net [4.30.130.246]
    10 46 ms 62 ms 52 ms te0023.corertr-01.tek.tierpoint.net [69.7.225.116]
    11 52 ms 45 ms 50 ms te0001.corertr-02.vfo.tierpoint.net [69.7.225.22]
    12 47 ms 50 ms 47 ms 198.82.168.68.static.dbsintl.net [68.168.82.198]
    13 48 ms 50 ms 48 ms 216.129.154.5
    14 * * * Request timed out.

  • james.carson Moderator, WatchGuard Representative

    Hi @albrigtp

    The resolution for the previous customer was that something further upstream via the ISP was blocking that traffic, and the ISP was able to resolve it.

    I searched all current open support cases, and I don't see any currently mentioning dmz.aclarahosting.com or aclara.

    The traceroute suggests your traffic is getting well past your gateway firewall, but ICMP traffic is not the same as TCP HTTPS traffic.

    If you can reply with your case number, I'd be happy to take a look into your issue.

    -James Carson
    WatchGuard Customer Support

  • edited November 2022

    For what it is worth, I have a Comcast cable connection, and from behind my T20, running 12.9 Beta 4, I can access https://dmz.aclarahosting.com/ using a HTTPS proxy, with Inspect enabled for that web site.
    I see a logon page for Aclara.
    I don't get anything for a HTTP access attempt.

    Here is my Tracert. Notice that a number of hops of mine are the same as for you. I do successfully get to the dest IP addr.

    C:\Users\Bruce>tracert dmz.aclarahosting.com

    Tracing route to dmz.aclarahosting.com [104.37.109.144]
    over a maximum of 30 hops:

    1 12 ms 6 ms 7 ms Bruce_T20w [10.0.1.1]
    2 17 ms 16 ms 16 ms 96.120.37.77
    3 18 ms 16 ms 130 ms 68.85.230.193
    4 17 ms 16 ms 15 ms 69.139.180.238
    5 33 ms 132 ms 20 ms ae-17-ar02.stuart.fl.pompano.comcast.net [162.151.2.161]
    6 23 ms 21 ms 46 ms be-40-ar01.northdade.fl.pompano.comcast.net [68.86.165.161]
    7 39 ms 32 ms 30 ms lag-8.ear1.Miami1.Level3.net [4.68.74.237]
    8 108 ms 54 ms 53 ms ae7.7.edge2.Newark1.level3.net [4.69.218.41]
    9 61 ms 54 ms 54 ms COLO4-DALLA.edge2.Newark1.Level3.net [4.30.130.246]
    10 93 ms 67 ms 134 ms te0023.corertr-b.tek.tierpoint.net [69.7.225.118]
    11 60 ms 54 ms 53 ms te0001.corertr-01.vfo.tierpoint.net [69.7.225.45]
    12 159 ms 56 ms 55 ms 69.7.236.33
    13 61 ms 59 ms 56 ms 216.129.154.5
    14 57 ms 55 ms 55 ms 104-37-109-155.static.dbsintl.net [104.37.109.155]
    15 * * * Request timed out.
    16 126 ms 57 ms 54 ms 104-37-109-144.static.dbsintl.net [104.37.109.144]

    Trace complete.

    Since you are not getting the full tracert, it is possible that your IP addr is on a block list at 104.37.109.155

  • Sorry to jump in and drag this topic up again!

    I'm facing a similar issue trying to access a website - no blocks on my WatchGuard firewall (M390) but clients on the LAN cannot access the website - "This site can't be reached", but can through mobile connections or my backup line. I've tried the MTU checks and all appear to be at 1472+28 (1500).

    I tried a tracert on both external lines and both ended at the same address, ruling out a block further up the line. The address gcmi.co.uk (185.225.163.83) worked fine on the network last week but now does not.

    Any suggestions?

  • edited August 2023

    You can add a HTTPS packet filter To: this IP addr, and turn on Logging on it to see allows for this site in Traffic Monitor.

    My web browsers (Firefox, Chrome) are not happy with the cert.
    I use deep inspection and have the WG cert installed on my PC.

    This suggests that there is a missing Intermediate cert.
    https://www.sslshopper.com/ssl-checker.html#hostname=gcmi.co.uk
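
Added example (not part of the thread and not WatchGuard code): a Python check that separates the two things the replies distinguish, namely whether TCP 443 connects at all (which a traceroute's ICMP probes do not show) and whether the TLS certificate chain validates. The function name `probe_https` and the stage labels are choices made for this example.

```python
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", TLS version).

    Unlike tracert, which only shows where ICMP replies stop, this exercises
    the TCP connection and TLS handshake that a browser actually needs.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return ("dns", str(exc))                     # name did not resolve
    except socket.timeout:
        return ("tcp-timeout", "connect timed out")  # SYN got no answer at all
    except ConnectionRefusedError:
        return ("tcp-refused", "connection refused")  # reachable, port closed/rejected
    except OSError as exc:
        return ("tcp-error", str(exc))               # e.g. network unreachable

    ctx = ssl.create_default_context()               # verifies chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Covers an incomplete chain, e.g. a server not sending its intermediate.
        return ("tls-cert", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls-handshake", str(exc))           # reset, timeout, protocol failure
    finally:
        sock.close()                                 # no-op once wrap_socket took over


if __name__ == "__main__":
    # Usage: python probe_https.py <hostname> [<hostname> ...]
    for name in sys.argv[1:]:
        print(name, *probe_https(name))
```

Run it from a client on the affected LAN and again from a connection that works: `tcp-timeout` on one and `ok` on the other means the packets are being dropped somewhere on that path, while `tls-cert` means the site was reached and the certificate chain is the problem. Behind an HTTPS proxy with inspection enabled, the certificate being validated is the one the firewall presents to the client.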
