Technical - intermittent networking problem

[DTMark]

Just looking for some suggestions as this has me stumped. Actually, I don't do this sort of support, because it's a nightmare, but I seem to have got sucked in to this and I'm intrigued..

Client in London. Their website is hosted in a DC in Manchester.

Periodically they can't access their own website. They can access everything else. Theirs just times out - it's a connection timeout rather than a website bug or database deadlock.

It's not DNS. A traceroute looks normal. The internet connectivity is not sporadic. Still nothing. For about half an hour, then it just starts working again.

Seemingly everyone else can access the site, just not the client. Throughout, it loads perfectly for me. I'm not in their office. All the machines in their office develop the same problem at the same time.

There's nothing like Active Directory involved here. Just a bunch of machines on one internet connection that cannot load one site and only that one (though I haven't tried every single website in the world to prove that).

The server does have active threat monitoring. Maybe it's that - their admin area is part of the same site. Maybe it thinks their access is suspect and locks them out for a while. This is my best theory. However the DC says not. Their fixed IP is whitelisted.

Turning the modem off and on again achieves nothing.

Next step is to disable the active threat monitoring however this only happens about 4 times a month and I don't want to leave that disabled in perpetuity to "see if that's probably what it was".

Any ideas..

 

[DTMark]

The DC have - finally - confirmed that this is indeed being caused by the active threat monitoring software and will whitelist the IP address.

[nirvana]

VPN issue.....it fails when they load it up

[DTMark]

There's no VPN involved, the ISP connection has a fixed IP which is permissioned to access the back-end but which isn't needed for the customer site and that fails too at the same time. For them. Actually I did think to try configuring a VPN on one machine and accessing the site through that but the PC has had the Windows update which breaks VPNs, so no joy there.

It seems to be some sort of active block but where is a mystery.

[spunko]

@DTMark

Do they ever connect via SSH, is it via something simple like putty or some sort of proprietary software? If not the former, get them to try that first. Better to see if this issue affects only http/80 port or entire server. Try :21 or :22?

What is their server running? In 90% of cases like that from my experience if it's a LAMP server then their IP has been blocked by the firewall. You said it's been whitelisted, but if it's CSF for example then that'll only last for a bit I (which you mention). It needs to be added to ignore.csf which is permanent. I don't know about firewalld or any of the others but they all seem similar.

Edited May 15, 2021 by spunko

[spunko]

Also are you sure they're not using Cloudflare for DNS? You said it's not a DNS issue but just to be sure, they need to connect via a non-orange cloud address (ie skip out Cloudflare completely). It's amazing how OTT cloudflare can be sometimes. Could be if they're all repeatedly trying to connect, the DDOS stuff is kicking in.

Admittedly if that's the case it should show a Cloudflare error code, but worth checking anyway.

[nirvana]

What he said, I've seen issues like this before, it's nearly always DNS or a 'routing issue'......that's why I mentioned the VPN angle

have you compared the traceroute between working and non?

Last time I saw a similar issue was a mate using some VPN software on his tablet cos someone told him he should always use a VPN, but then he couldn't access his web cam or something on on his local LAN

Edited May 15, 2021 by nirvana

[DTMark]

No Cloudfare. Tracert is normal from client premises - ICMP is blocked so the last hop is the one before the server, at the DC.

When this last happened I temporarily opened up the access to all IPs on the server, and they were able to connect normally.

My suspicion still lies with the active threat monitoring on the web server itself. The DC does have some form here in that there have been two instances of problems with that in the past - the servers are 'managed' so they installed it.

[DTMark]

.. or some weird form of NAT that means that, randomly, the IP presented is not their fixed IP. Yet, whenever I've checked whatsmyip from a desktop there, it shows that the correct fixed IP is being presented. Something to do with IPv6 and NAT perhaps?

[reformed nice guy]

Have you tried turning it off and putting it back on again?