Log in to ask questions, share your expertise, or stay connected to content you value. Don’t have a login? Learn how to become a member.
Hello All,We have some strange issue that we need your help in understanding it. We have one of our downstream customers who has own IP/ASN resources and we are giving him IP transit.all was well until early this month when they reported that some sites are not opening. We asked them to share the list of sites and we tried it within our network using our IPs and the sites open fine.We have tested same sites on other networks and they open fine.We suspected DNS and asked them to try different DNS including public ones like 22.214.171.124/126.96.36.199 but no change. still sites dont open.We have asked them to NAT their traffic using the P2P we have given them and sites open fine when they do that. The sites are mostly Banking sites, so we suspected Asymmetric routing and tried to make sure traffic takes same path for exit and return but still no change. Not sure what could be happening. Could anybody provide insights what could be happening?Regards, Lish.
There are many possibilities why this is happening.
First of all, I would check if there are proper entries in the RIR databases on the basis of which the filters are built Then start by verifying that the addresses from which you can't connect aren't on some kind of blacklist
Also, I would check if the addressing is properly broadcast to your uplinks because it may turn out that it is not or the filters are not accepting something even though you are sending
Hello,thank you for the insight.we have verified the prefixes have up to date RiR entries.
also we have confirmed with several looking glasses both international and local and the prefixes are visible and properly propgated.As of now it looks end sites are somehow having some form of blacklist entry for this blocks but how that happens for large number of sites is bit worrying. Maybe they abused these sites with strange traffic and got blocked.
we have tickets opened with some of the sites and will update if we make progress on this case.thank you so much again for your time and input!
------------------------------GRZEGORZ DACKAOriginal Message:Sent: 03-31-2023 05:05From: ahmed-lishSubject: certain IP blocks are not able to access banking sites
I have seen this happen when the target sites are running security software that finds specific ip ranges or addresses to be malicious. Since the company is likely a customer of the financial institution they should open a ticket with them to have this checked out on that side too. This is especially indicated as possible since the nat option from the same site does work.
Hello Spluka,thank you for guidance. We have raised ticket with of the financial institution and are waiting for their feedback.
there are alot of different sites apart from the financial institutions that are having the same issue so we not sure what might have triggered this widespread "blacklisting" of the blocks.
next thing we going to try tomorrow (Monday) is to actually borrow another IP/ASN block fro our sister company that is not using for now and configure on this customers border routers just to see if its something to do with how they doing their setup. We quite certain this new IP blocks will work but just want to try.
Since multiple sites are affected but not everything, it seems likely they have been put on some sort of globally managed block list. Feedback from one of the blocking companies should help identify which list and therefore why they were added.You could run their address through some of the checker sites to see if you get lucky too.example:https://dnschecker.org/ip-blacklist-checker.php
years ago, i had banking site issues with cgnat. after implementing features and techniques to stabilize the customer ip address translation, like, EIM, EIF, APP and symmetry with the cgnat node, problems went away.
We run into this a lot in the Azure cloud with out VDI/VPN/Servers. We have figured out that a lot of banks and Gov sites block Azure IP ranges. Our work around for this right now is to route them back through our on prem gear to give them an IP that we "own". Our future end game is to use the bring your own IP in Azure.