July 1, 2004, 2:17 pm
uber annoying "I can't get to xyz webpage". Most of the time, those
are PEBCAK errors, but the complaints keep mounting. When I started
digging into it, it looks like they are legit. The users were getting
403'd on webpages that they should have access to. It's cross
platform....mickeysoft and sun. So far reports have been for Netscape
Enterprise and again, mickeysoft webservers. The one common thread
that I'm seeing is that it looks like the Denies happen when the https
acl references a DNS query rather than an IP range. So any acl saying
*.gov is good ain't working. But if the class b is there, users are
sailing. Reports have been from here in Portland and in
Chicago...totally different networks, different sysadmins, different
DNS servers. Has anyone else been seeing this recently? I dug through
the config file of one of the servers, and everything looks fine. That
particular server is also an email bridgehead- if DNS were really
failing on it, about 3000 people would be griping about not getting their
SPAM. Any suggestions?
Re: DNS based ACLs failing
:uber annoying "I can't get to xyz webpage".
:The one common thread
:that I'm seeing is that it looks like the Denies happen when the https
:acl references a DNS query rather than an IP range. So any acl saying
:*.gov is good ain't working.
You haven't given us any information about what kind of equipment
you are using to implement the DNS-based ACLs, and we cannot infer
it from your choice of newsgroups.
We -can- infer that you are not using Standard or Extended ACLs
under Cisco IOS or ACLs on a Cisco PIX, as those do not support
acls such as "*.gov". (But you might be using CBAC on Cisco IOS
This signature intentionally left... Oh, darn!