01-27-2015 06:16 PM
We have reports of certain users not being able to access our public website, but the majority of users are able to. The traffic log shows that the application is incomplete. Packet capture reveals the 3-way handshake does not complete and the session times out. The same person who is NOT able to access the public website is able to access another website of ours that is hosted on another IP address but on the same firewall. The differences between the two sites are as follows:
Different external IPs but same subnet
Different internal zones (one server is in the DMZ, not working; one server is in the Trust zone, working)
Different gateways, different switches
The DMZ's gateway is the firewall while the server on the trust side's gateway is a core switch
Has anyone seen something like this before? Again, it works for 99% of the users, but there are a number of users that are not able to get to the website for some reason. We initially thought it could be a routing issue with the ISP that we use, since the majority of the users who reported the issue belong to the same ISP that we use. HOWEVER, we did find a user who uses the same ISP and IS ABLE to browse.
NAT is a regular destination NAT
Untrust to Untrust
Src IP: Any
Dst IP: Public IP of server
Destination translation IP: DMZ IP of the server
Policy is a regular allow inbound policy
allow access to website
Zone: Untrust to DMZ
Src IP: Any
Dst IP: External IP of DMZ server
Some other info that might help.
There are two ISPs, but only one is used; the other is a backup in case the first one goes down. I'm using PBF to achieve this as per the PBF doc/KB.
There is a zone protection profile with all of them enabled. I removed it temporarily, but it didn't help.
I tried to do a static bi-directional NAT as a test, but it didn't seem to help.
Any help would be appreciated!
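One way to triage the packet captures described in the post, as an added example that is not from the poster: it groups each client's connection attempts to the web server by the furthest handshake stage reached, which separates "the SYN was never answered" (inbound path, NAT or policy) from "the SYN-ACK left but the ACK never came back" (return path, e.g. asymmetric routing). The capture notation, the server address 203.0.113.10 and the client addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample capture in simplified tcpdump notation (not from the post).
# 203.0.113.10 is a placeholder for the server's public IP; clients are documentation addresses.
SAMPLE_CAPTURE = """\
198.51.100.7.51000 > 203.0.113.10.80: Flags [S]
203.0.113.10.80 > 198.51.100.7.51000: Flags [S.]
198.51.100.7.51000 > 203.0.113.10.80: Flags [.]
198.51.100.23.40001 > 203.0.113.10.80: Flags [S]
198.51.100.23.40001 > 203.0.113.10.80: Flags [S]
192.0.2.44.33000 > 203.0.113.10.80: Flags [S]
203.0.113.10.80 > 192.0.2.44.33000: Flags [S.]
203.0.113.10.80 > 192.0.2.44.33000: Flags [S.]
"""

LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def classify_handshakes(capture_text, server_ip, server_port=80):
    """Map each client IP to the furthest handshake stage it reached:
    'complete'   - SYN, SYN-ACK and ACK all seen
    'no-synack'  - the SYN arrived but no SYN-ACK left the server
                   (inbound path, NAT or policy is dropping or not answering)
    'no-ack'     - the SYN-ACK left the server but the client's ACK never
                   arrived (return path problem, e.g. asymmetric routing)"""
    seen = defaultdict(set)  # (client_ip, client_port) -> flags observed
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == server_port:
            key = (src, int(sport))
            if flags == "S":
                seen[key].add("syn")
            elif "." in flags and "S" not in flags:
                seen[key].add("ack")  # pure ACK or ACK carrying data
        elif src == server_ip and int(sport) == server_port and flags == "S.":
            seen[(dst, int(dport))].add("synack")
    stages = {}
    for (client, _port), flags in seen.items():
        if "syn" not in flags:
            continue  # no SYN from this client in the capture
        if "synack" not in flags:
            stages[client] = "no-synack"
        elif "ack" not in flags:
            stages[client] = "no-ack"
        else:
            stages[client] = "complete"
    return stages
```

Clients that land in "no-ack" are the ones worth checking against the DMZ default gateway and PBF return path, since the server did answer.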