
Something pretty bizarre is happening here. I'm trying to access a website from some machines inside my network and I just can't, while other machines access it normally. The website is online.sefaz.am.gov.br. In order to rule out all browser-related problems, I am testing this with telnet.

From my Macbook, I get this:

$ telnet online.sefaz.am.gov.br 80
Trying 200.242.61.43...
Connected to online.sefaz.am.gov.br.
Escape character is '^]'.

From a Windows XP box (Virtual Machine running on the Macbook), I get this:

C:\Documents and Settings\Administrator>telnet 200.242.61.43 80
Connecting To 200.242.61.43...Could not open connection to the host, on port 80: Connect failed

Note that on the Windows box I tried to telnet the IP address directly, so that rules out DNS issues. My anti-virus is disabled and so is the Windows firewall.

The virtual machine's network interface is bridged, so it gets a valid IP in my network. I noticed something pretty odd regarding that as well: if I change the network interface to NAT on the virtual machine, I can access the website normally.

I do have a domain controller in my network, but I'm not aware of any group policies that could block an IP.

So my question is: have you ever seen something like this? If so, how to fix it?

EDIT

I ran nmap against the website from the computer that can't open it on the browser. Here's the outcome:

Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-15 14:31 Pacific SA Standard Time
Nmap scan report for online.sefaz.am.gov.br (200.242.61.43)
Host is up (0.18s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
8080/tcp open   http-proxy
8443/tcp closed https-alt

TRACEROUTE (using port 8443/tcp)
HOP RTT       ADDRESS
1   ... 10
11  160.00 ms 200.242.61.43

Nmap done: 1 IP address (1 host up) scanned in 46.01 seconds

EDIT2

So I got one of these boxes that can't access the website and connected it directly to my internet link. Nothing changed. I still couldn't access the website. Then, I unplugged the machine from my network and connected it to the internet using a 3G usb stick. Guess what? It worked. So the logical conclusion would be that the problem lies on my internet link somewhere.

Not so fast... this very computer I am typing from is using the internet link and can access the website normally. Go figure!

Andre
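Telnet's generic "Connect failed" hides which of several very different things happened to the SYN: a RST came back (port closed or actively refused), an ICMP unreachable arrived, or nothing came back at all and the client gave up. The following probe is an added example, not code from the question or the answers; it classifies a TCP connect attempt by the exception the OS reports, and `demo_local()` exercises it against a listener on 127.0.0.1 so it can be run offline. The host, port and timeout values are placeholders chosen for the demo.

```python
"""Classify why a TCP connect attempt failed, instead of telnet's bare 'Connect failed'."""
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (RST received), 'unreachable' (ICMP error)
    or 'timeout' (no answer at all within `timeout` seconds, i.e. the SYN
    was silently dropped somewhere on the path)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def demo_local() -> dict:
    """Constructed offline demo: probe a loopback listener while it is open,
    then again after it has been closed (kernel answers the SYN with a RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    # Placeholder target from the question; a real run needs network access.
    print(probe_tcp("200.242.61.43", 80))
    print(demo_local())
```

A result of `timeout` together with `netstat -an | find "SYN"` showing the socket stuck in `SYN_SENT` means the SYN left the machine and nothing answered, which is exactly the symptom described in the question; `refused` or `unreachable` would point at the server or the routing instead.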

1 Answer


Based on the telnet error "Connect failed", the TCP connection cannot be established. Use tcptraceroute to find out which host is filtering your request.

It could be a routing problem or a firewall problem.

Use a network capture program like Wireshark and check for ICMP messages or TCP/RST messages when you start the telnet.

The SYN packets sent by nmap and telnet differed: the telnet one was setting the Selective Acknowledgment (SACK) option.

It seems that the remote server is filtering the TCP packets that were using SACK.

To disable SACK start the Registry Editor and change HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts to 0.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] 
"SackOpts"=dword:00000000
0 = disabled; 1 = enabled

See this answer for details about SACK: When to turn TCP SACK off?

Mircea Vutcovici
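The answer's diagnosis rests on comparing the option list of two SYNs in a capture. The following is an added example, not code from the answer: a small parser for the TCP options field that reports MSS, window scale, timestamps and whether the SACK-permitted option is present, plus a builder for two constructed SYN segments: one shaped like the Windows XP telnet SYN (MSS, NOP, NOP, SACK-permitted) and one carrying only MSS, as a raw-socket scanner such as nmap typically sends. The segments, ports and MSS value are constructed for the demo; the option kinds are the standard ones from RFC 793, RFC 2018 and RFC 7323.

```python
"""Parse TCP options from a raw TCP segment and report whether SACK-permitted is set."""
import struct

# TCP option kinds: RFC 793 (EOL, NOP, MSS), RFC 7323 (window scale, timestamp),
# RFC 2018 (SACK-permitted, SACK).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 5, 8


def parse_tcp_options(options: bytes) -> dict:
    """Decode the raw options bytes into a dict keyed by option name."""
    result = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:          # end of option list
            break
        if kind == OPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = options[i + 1]      # length covers kind and length bytes
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        data = options[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            result["mss"] = struct.unpack("!H", data)[0]
        elif kind == OPT_WSCALE and length == 3:
            result["wscale"] = data[0]
        elif kind == OPT_SACK_PERM and length == 2:
            result["sack_permitted"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            result["timestamp"] = struct.unpack("!II", data)
        else:
            result.setdefault("unknown", []).append((kind, data))
        i += length
    return result


def tcp_header_options(segment: bytes) -> bytes:
    """Slice the options out of a raw TCP segment using the Data Offset field."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (segment[12] >> 4) * 4   # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return segment[20:data_offset]


def build_syn(options: bytes, sport: int = 2158, dport: int = 80) -> bytes:
    """Constructed SYN segment (checksum left zero) carrying the given options."""
    padded = options + b"\x00" * (-len(options) % 4)   # options are padded to 32-bit words
    data_offset = 5 + len(padded) // 4
    flags = 0x02   # SYN
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + padded


# Constructed samples. Windows XP's telnet SYN carries MSS, NOP, NOP, SACK-permitted;
# a bare scanner SYN carries only MSS.
WINDOWS_TELNET_SYN = build_syn(b"\x02\x04\x05\xb4\x01\x01\x04\x02")
NMAP_STYLE_SYN = build_syn(b"\x02\x04\x05\xb4")


def syn_uses_sack(segment: bytes) -> bool:
    """True when the segment advertises SACK-permitted, the option the answer says was filtered."""
    return parse_tcp_options(tcp_header_options(segment)).get("sack_permitted", False)


if __name__ == "__main__":
    for name, seg in (("telnet-style", WINDOWS_TELNET_SYN), ("nmap-style", NMAP_STYLE_SYN)):
        print(name, parse_tcp_options(tcp_header_options(seg)), "SACK:", syn_uses_sack(seg))
```

To use it on a real capture, export the TCP layer bytes of the two SYNs from Wireshark and feed them to `tcp_header_options`; if the only difference between the answered and the dropped SYN is `sack_permitted`, the `SackOpts` change in the answer is the right knob, and the server-side filter is worth reporting to whoever runs it.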
  • I did what you suggested. The website looks fine from nmap (I edited the question to show that). And Wireshark doesn't really give me much; I can see three SYN packages leaving my machine and no response from the website. – Andre Feb 15 '13 at 18:40
  • Can you please run `tcptraceroute` on port 80/TCP? I am not talking about the `tracert` that comes with Windows. – Mircea Vutcovici Feb 15 '13 at 19:02
  • When you run the telnet, do you receive the error immediately? If not, can you please run: `netstat -an| find "SYN"` – Mircea Vutcovici Feb 15 '13 at 19:03
  • I don't have/know where to get tcptraceroute on Windows. I used nmap as an alternative. And when I run telnet, I get the error after 1 or 2 seconds. The netstat command you suggested gives me only this: TCP 192.168.0.15:2158 200.242.61.43:80 SYN_SENT – Andre Feb 15 '13 at 19:14
  • Try with: `nmap -Pn --traceroute -p 80 200.242.61.43` or `nmap -Pn -sT --traceroute -p 80 200.242.61.43` – Mircea Vutcovici Feb 15 '13 at 19:33
  • That's pretty much what I did before (see edit on the question). – Andre Feb 15 '13 at 19:59
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/7525/discussion-between-mircea-vutcovici-and-andre) – Mircea Vutcovici Feb 15 '13 at 20:05
  • thank you for all the time you put into helping me on the chat. I'd +10^3 your solution if I could ;) Cheers – Andre Feb 15 '13 at 22:26