Specific IP address not able to access vicidial on port 80
Posted:
Wed Jun 29, 2016 6:12 am
by dspaan
Our callcenter can not reach the vicidial server anymore via HTTP.
At the same time we can connect fine to vicidial via HTTP from other locations.
We checked the firewall config but the callcenter IP should have access on port 80.
We tried by disabling the firewall but no luck.
We checked the firewall log and fail2ban log but nothing in there either.
No errors in the apache logs.
Nothing, we can't find out why this is happening. You simply get a timeout message in every browser (IE or Chrome) on all workstations. We also tried making an exception by attaching one workstation to the modem of the callcenter directly and bypassing the firewall in the callcenter but the problem remains the same.
I suspect this IP is still being blocked somewhere in OpenSUSE but we can't figure out where.
Or it's a routing issue somewhere else on the internet, but that doesn't make sense either because from that location I can ping the vicidial server and also access it by SSH on port 22. Only HTTP is blocked. We also tried binding apache to port 88 which worked fine from other locations but not from the callcenter IP again. We also tried HTTPS but no dice.
We also tried to do telnet to the vicidial server. This works from any authorized location in yast firewall but again not from the callcenter IP location.
Any suggestions? Never seen this problem in 5 years working with vicidial.
Re: Specific IP address not able to access vicidial on port
Posted:
Wed Jun 29, 2016 3:56 pm
by dspaan
Solved: After a quick call with vicidial support we found that the issue was in /etc/asterisk/sip.conf
Before I gave this server the IP of the old server I gave it a temporary IP when I moved it from one hardware machine to the other. This IP was still set in the sip.conf under the externip setting.
For some reason this value is not being updated when you run the server update ip script. Or I made a mistake. Anyway, this also caused inbound calls not to come in and SIP connections getting killed after 60 seconds because of lack of RTP activity.
Re: Specific IP address not able to access vicidial on port
Posted:
Wed Jun 29, 2016 4:32 pm
by williamconley
That setting is the one that always avoids scripting because its "need to be changed" is different based on your carrier and networking configuration(s).
So you must ALWAYS check the value of externip during any IP change scenario, outside the ip update script.
Always.
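A check of the externip value after an IP change, as described in the posts above (an added example, not part of the thread and not a ViciDial script). The sample sip.conf content and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of /etc/asterisk/sip.conf after a server move; the
# addresses come from documentation ranges and are not from the thread.
SAMPLE_SIP_CONF = """\
[general]
context=trunkinbound
;externip=192.0.2.10      ; commented out, must be ignored
externip = 198.51.100.77  ; temporary address used during the migration
localnet=10.0.0.0/255.0.0.0

[carrier1]
type=peer
host=203.0.113.5
"""

def general_settings(conf_text, keys=("externip",)):
    """Return (line_no, key, value) for the given keys in the [general] section."""
    found, section = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        if line.startswith("["):
            section = line[1:].split("]", 1)[0].strip().lower()
        elif section == "general" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in keys:
                found.append((line_no, key.lower(), value))
    return found

def stale_externip(conf_text, expected_ip):
    """List externip entries that do not match the server's current public IP."""
    expected = ipaddress.ip_address(expected_ip)
    stale = []
    for line_no, key, value in general_settings(conf_text):
        # An optional ":port" suffix is dropped before comparing addresses.
        host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
        try:
            if ipaddress.ip_address(host) != expected:
                stale.append((line_no, key, value))
        except ValueError:
            stale.append((line_no, key, value))  # not an IP literal: check by hand
    return stale

if __name__ == "__main__":
    for line_no, key, value in stale_externip(SAMPLE_SIP_CONF, "203.0.113.20"):
        print(f"sip.conf line {line_no}: {key}={value} does not match the current IP")
```

Run it against the real file's contents with the address the server is supposed to advertise; an empty result means every active externip line matches.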
Re: Specific IP address not able to access vicidial on port
Posted:
Thu Jul 14, 2016 7:00 am
by dspaan
For some reason this Tuesday out of the blue we were not able to access the vicidial server again from that same IP. I could not find any reason for it. I checked with the datacenter network department and they said that the IP is not being blocked. I could not find anything.
Is there some sort of security mechanism in the latest vicibox 7 apart from the OpenSUSE firewall and Fail2ban that could be causing this?
After about 2 days we could access the vicidial server again from that IP.
Re: Specific IP address not able to access vicidial on port
Posted:
Mon Jul 18, 2016 11:55 pm
by williamconley
Code:
iptables-save
it'll be in there somewhere ... IF the vicidial server is dropping the packets.
there are also logging options within iptables to find out whose packets are being dropped.
And then there's the "reboot the router!" method and the "are you sure it's not DNS?" question.
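A way to search iptables-save output for rules that cover a client address, including range rules that a text search for the exact IP would miss (an added example, not part of the thread). The ruleset below is constructed, with documentation addresses and a hypothetical fail2ban-style chain name.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt; addresses and chain names are samples.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:f2b-apache - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
-A INPUT -s 203.0.113.25/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A f2b-apache -s 203.0.113.0/24 -j REJECT --reject-with icmp-port-unreachable
-A f2b-apache -j RETURN
COMMIT
"""

def rules_covering(ruleset, client_ip):
    """Return (chain, source, target) for every -A rule whose -s matches client_ip."""
    client = ipaddress.ip_address(client_ip)
    hits = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue  # skip table names, chain policies and COMMIT
        tok = shlex.split(line)
        if "-s" not in tok:
            continue  # rule is not tied to a source address
        i = tok.index("-s")
        negated = tok[i - 1] == "!"  # "! -s net" matches everything outside net
        source = tok[i + 1]
        inside = client in ipaddress.ip_network(source, strict=False)
        if inside != negated:
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            hits.append((tok[1], ("! " if negated else "") + source, target))
    return hits

def blocking_rules(ruleset, client_ip):
    """Subset of rules_covering() whose target discards the packet."""
    return [h for h in rules_covering(ruleset, client_ip) if h[2] in ("DROP", "REJECT")]

if __name__ == "__main__":
    for chain, source, target in rules_covering(SAMPLE_RULES, "203.0.113.25"):
        print(f"{chain}: -s {source} -> {target}")
```

In the sample, the exact address appears only in an ACCEPT rule, yet a /24 REJECT in a chain that INPUT jumps to first also covers it; rule order within each chain still has to be read by hand.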
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 12:46 am
by dspaan
Hi Bill,
iptables-save shows the IP address but only ACCEPT rules.
There also is a Yast Firewall log which you can check if packets are being dropped and it showed nothing at the time.
Also it can't be DNS because we tested by connecting IP based.
And I can't reproduce it anymore because it started magically working again.
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 11:16 am
by williamconley
I'd also consider:
What if you were experiencing a brute force attack on your outer firewall? Been known to cause similar issues.
I'll repeat that "reboot the router" bit from earlier.
And my personal favorite: It may not have been you, but an interlink somewhere between your ISP connection and the vicidial server's ISP connection. These happen from time to time and are usually very temporary. We've had several clients "cut off" for anywhere from a few minutes to half a day. Some have even had to call tech support for their ISP and actually had it fixed during the support call. And it was ONLY affecting their connection with a very specific range of IPs. In a couple cases, it was "Us" and "Godaddy". LOL
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 2:38 pm
by dspaan
If it was an attack other IPs would have had the same problem, or if you mean the source IP then it would not have been able to access other hosts.
I think it was the latter but those problems are hard to tackle, ISPs always say it's your fault and not theirs.
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 3:17 pm
by williamconley
traceroute is a useful application sometimes.
firewall logging is also useful
and iftop is very useful.
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 5:54 pm
by dspaan
Instead of traceroute I often use MTR, which is a combo of traceroute and ping.
Re: Specific IP address not able to access vicidial on port
Posted:
Tue Jul 19, 2016 6:29 pm
by williamconley
dspaan wrote: If it was an attack other IPs would have had the same problem ...
Not always. And it depends on which side of your problem is experiencing the attack, and how your router is handling the scenario. Some brute force attacks have been known to fill the MAC address table in a router, and no NEW access attempts will work after that moment. Networking is tricky. There are enough rules to make all the rules appear more like "guidelines", LOL