hello all,

I used to work in networking and thought I had a reasonable grasp of
tcp/ip.

A person in England has a problem accessing a website in the USA. I am
in the USA and have no problem getting to the site. Ping gets the
right IP adress so I presume its not q DNS fault.

we both do a tracert and BOTH timeout at the same address in the USA
xxxxxxxxxx.vario.net

I can still access the site.


Why does tracert fail and I still get access.


Is this sometrhing to do with the time-to-live on the packets?

This is more from curiosity than anything . I have suggested he contact
his local ISP and see if they can debug his problem.

In article <1161725846.643512.305390@e3g2000cwe.googlegroups. com>,
<marks542004@yahoo.com> wrote:

>A person in England has a problem accessing a website in the USA. I am
>in the USA and have no problem getting to the site. Ping gets the
>right IP adress so I presume its not q DNS fault.

>we both do a tracert and BOTH timeout at the same address in the USA
>xxxxxxxxxx.vario.net

>I can still access the site.

>Why does tracert fail and I still get access.

Probably verio is blocking ICMP time-exceeded packets through
that particular point.

You can get through because your regular packets don't exceed the
TTL in getting to the site.

The person in England cannot get through for any of a number of
possible reasons, including possibly:
- their -particular- host is blocked
- their IP address block is blocked, if verio is consulting a table that
deems the address block to be troublesome (e.g., residential ISP
customers get blocked from accessing some resources)
- their IP address block is blocked because verio is determining that
they are not in the USA (or, alternately, because verio cannot prove
to its own satisifaction that they -are- in the USA)
- they have Path MTU problems in getting responses from the site;
look up PMTUD (Path MTU Detection).

Walter Roberson wrote:
> In article <1161725846.643512.305390@e3g2000cwe.googlegroups. com>,
> <marks542004@yahoo.com> wrote:
>
> >A person in England has a problem accessing a website in the USA. I am
> >in the USA and have no problem getting to the site. Ping gets the
> >right IP adress so I presume its not q DNS fault.
>
> >we both do a tracert and BOTH timeout at the same address in the USA
> >xxxxxxxxxx.vario.net
>
> >I can still access the site.
>
> >Why does tracert fail and I still get access.
>
> Probably verio is blocking ICMP time-exceeded packets through
> that particular point.
>
> You can get through because your regular packets don't exceed the
> TTL in getting to the site.
>
> The person in England cannot get through for any of a number of
> possible reasons, including possibly:
> - their -particular- host is blocked
> - their IP address block is blocked, if verio is consulting a table that
> deems the address block to be troublesome (e.g., residential ISP
> customers get blocked from accessing some resources)
> - their IP address block is blocked because verio is determining that
> they are not in the USA (or, alternately, because verio cannot prove
> to its own satisifaction that they -are- in the USA)
> - they have Path MTU problems in getting responses from the site;
> look up PMTUD (Path MTU Detection).


OK, thanks for that .


I had never seen a tracert fail before where a route was actually
working , but then most of my work was within a large private network.

I have put him onto the site admin so they can attempt to sort out the
problem , apparently the site went down for an hour or two last weekend
and he hasnt been able to get back since.

In article <1161749325.305259.224830@f16g2000cwb.googlegroups .com>,
marks542004@yahoo.com wrote:

> I had never seen a tracert fail before where a route was actually
> working , but then most of my work was within a large private network.

You obviously haven't tried to trace to many web sites.

Can you ping the web server? TRACERT sends the same ICMP packets that
ping sends, and many web sites block these packets at the router that
connects the data center to the Internet.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Hello,

Walter Roberson a écrit :
> <marks542004@yahoo.com> wrote:
>
>>A person in England has a problem accessing a website in the USA. I am
>>in the USA and have no problem getting to the site. Ping gets the
>>right IP adress so I presume its not q DNS fault.

Does the ping get a reply ?

>>we both do a tracert and BOTH timeout at the same address in the USA
>>xxxxxxxxxx.vario.net
>
>>I can still access the site.
>>Why does tracert fail and I still get access.

Web access uses a regular TCP connection on port 80.
Windows' tracert sends ICMP echo-reply packets with increasing TTL and
expects routers to reply with ICMP time-exceeded packets. Some
traceroute tools use UDP packets instead of ICMP echo-reply.
Try a traceroute tool that can use TCP instead, like tcptraceroute or
BSD's traceroute.

> Probably verio is blocking ICMP time-exceeded packets through
> that particular point.

Rather because it blocks the incoming ICMP echo-request packets from the
traceroute. There is no reason to block the outgoing ICMP time-exceeded
packets.

marks542004@yahoo.com wrote:

> A person in England has a problem accessing a website in the USA. I am
> in the USA and have no problem getting to the site. Ping gets the
> right IP adress so I presume its not q DNS fault.

That's an incredibly vague description of the problem. All you've told
is that he "has a problem". That could mean anything.

> we both do a tracert and BOTH timeout at the same address in the USA
> xxxxxxxxxx.vario.net

So that's not the problem.

> I can still access the site.
>
> Why does tracert fail and I still get access.
>
> Is this sometrhing to do with the time-to-live on the packets?

No, the site just blocks either the outbound packets or the replies to
them. They may do this for security reasons (to stop you from viewing
the internals of their network), to hide embarassing details (to stop
you from viewing the internals of their network), for security through
obscurity (if you can't figure out the IPs of the routers, you can't
attack them, they hope), or for some more legitimate security reason
(perhaps the replies might overload their routers, who knows).

> This is more from curiosity than anything . I have suggested he contact
> his local ISP and see if they can debug his problem.

Why? If you had any evidence it was a connectivity issue, you didn't
share it with us.

DS

In article <1162037272.932667.133210@f16g2000cwb.googlegroups .com>,
"David Schwartz" <davids@webmaster.com> wrote:

> marks542004@yahoo.com wrote:
>
> > A person in England has a problem accessing a website in the USA. I am
> > in the USA and have no problem getting to the site. Ping gets the
> > right IP adress so I presume its not q DNS fault.
>
> That's an incredibly vague description of the problem. All you've told
> is that he "has a problem". That could mean anything.

Right. Does he get a timeout, does he get a "500 page not found" error,
etc.?

If it's taking a long time to come up, do "netstat -an | findstr <ip>"
while the browser is hanging -- see if the connection is in SYN-SENT or
ESTABLISHED state. This tells you whether the problem is with basic
communication (blocking the SYN packets) or something else.

For even more advanced troubleshooting, download the Wireshark network
analyzer to see the whole sequence of packets to/from the site.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***