Routing issues.. Cybersmart Lightspeed to Azure

[Anthro]

I am again having routing issues, this time on my home ISP to servers and services in Azure.
Worked last week, now no longer...
What is going on with the network layers between Service Providers these days ?
Do Cybersmart or Lightspeed even have a representative on here ?

I can SSH to this server, but browsing to the Webserver .. nope trace also looks funky

C:\Users\Owner>tracert ***

Tracing route to ***
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.100.1
2 1 ms <1 ms <1 ms 192.168.77.77
3 <1 ms <1 ms <1 ms 105.233.13.105
4 1 ms 1 ms <1 ms 105.233.17.182
5 2 ms 7 ms 1 ms microsoft.ixp.capetown [196.60.70.47]
6 1 ms 1 ms 1 ms ae24-0.icr02.cpt20.ntwk.msn.net [104.44.230.108]
7 18 ms 18 ms 18 ms be-122-0.ibr02.cpt20.ntwk.msn.net [104.44.20.213]
8 18 ms 18 ms 18 ms be-7-0.ibr02.jnb21.ntwk.msn.net [104.44.28.134]
9 18 ms 17 ms 18 ms ae120-0.icr01.jnb21.ntwk.msn.net [104.44.20.92]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * *

 

[CrypticZA]

I am again having routing issues, this time on my home ISP to servers and services in Azure.
Worked last week, now no longer...
What is going on with the network layers between Service Providers these days ?
Do Cybersmart or Lightspeed even have a representative on here ?

I can SSH to this server, but browsing to the Webserver .. nope trace also looks funky

C:\Users\Owner>tracert ***

Tracing route to ***
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.100.1
2 1 ms <1 ms <1 ms 192.168.77.77
3 <1 ms <1 ms <1 ms 105.233.13.105
4 1 ms 1 ms <1 ms 105.233.17.182
5 2 ms 7 ms 1 ms microsoft.ixp.capetown [196.60.70.47]
6 1 ms 1 ms 1 ms ae24-0.icr02.cpt20.ntwk.msn.net [104.44.230.108]
7 18 ms 18 ms 18 ms be-122-0.ibr02.cpt20.ntwk.msn.net [104.44.20.213]
8 18 ms 18 ms 18 ms be-7-0.ibr02.jnb21.ntwk.msn.net [104.44.28.134]
9 18 ms 17 ms 18 ms ae120-0.icr01.jnb21.ntwk.msn.net [104.44.20.92]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * *

ISP is handing over traffic to Microsoft at hop 5 so it is out their network.

 

[PBCool]

I am again having routing issues, this time on my home ISP to servers and services in Azure.
Worked last week, now no longer...
What is going on with the network layers between Service Providers these days ?
Do Cybersmart or Lightspeed even have a representative on here ?

I can SSH to this server, but browsing to the Webserver .. nope trace also looks funky

C:\Users\Owner>tracert ***

Tracing route to ***
over a maximum of 30 hops:

1 2 1 ms 3 4 1 ms 1 ms 5 2 ms 7 ms 1 ms microsoft.ixp.capetown [196.60.70.47]
6 1 ms 1 ms 1 ms ae24-0.icr02.cpt20.ntwk.msn.net [104.44.230.108]
7 18 ms 18 ms 18 ms be-122-0.ibr02.cpt20.ntwk.msn.net [104.44.20.213]
8 18 ms 18 ms 18 ms be-7-0.ibr02.jnb21.ntwk.msn.net [104.44.28.134]
9 18 ms 17 ms 18 ms ae120-0.icr01.jnb21.ntwk.msn.net [104.44.20.92]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * *

What makes the trace look funky? If you can SSH but not access another port it's a filter issue, either at ISP or server level. Unlikely at ISP level though typically.

 

[Anthro]

What makes the trace look funky? If you can SSH but not access another port it's a filter issue, either at ISP or server level. Unlikely at ISP level though typically.

Thats the best way I can put it.
The server is mine at Azure, I have made no firewall changes whatsoever.
Worked last week, this week nada.

 

[PBCool]

Thats the best way I can put it.
The server is mine at Azure, I have made no firewall changes whatsoever.
Worked last week, this week nada.

What are you using as a router/firewall on your side, is your service on the alternative port accessible from other networks? Try run a trace from the server to your home IP.

 

[Anthro]

What are you using as a router/firewall on your side, is your service on the alternative port accessible from other networks? Try run a trace from the server to your home IP.

Mikrotik router
Service is a HTTPS API
Unable to trace back from the server to my home connection either.. whack
Works on different ISP's with no issue

 

[PBCool]

Mikrotik router
Service is a HTTPS API
Unable to trace back from the server to my home connection either.. whack
Works on different ISP's with no issue

Port 443 then? I would open a ticket with MS, it isn't routing related if ssh works.

 

[PsyWulf]

Mikrotik router
Service is a HTTPS API
Unable to trace back from the server to my home connection either.. whack
Works on different ISP's with no issue

Days of traces being very useful are over,ICMP is blocked 9/10 times

Spawn a linux VM in another Region (or a free one on Google Cloud) and see if you can Telnet and Wget to the IP and Port
nb$ wget https://iol.co.za
--2021-11-01 13:38:35-- https://iol.co.za/
Resolving iol.co.za (iol.co.za)... 172.67.8.153, 104.22.29.113, 104.22.28.113, ...
Connecting to iol.co.za (iol.co.za)|172.67.8.153|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.iol.co.za/ [following]
--2021-11-01 13:38:35-- https://www.iol.co.za/
Resolving www.iol.co.za (www.iol.co.za)... 104.22.29.113, 104.22.28.113, 172.67.8.153, ...
Connecting to www.iol.co.za (www.iol.co.za)|104.22.29.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html [ <=> ] 370.55K 384KB/s in 1.0s

2021-11-01 13:38:37 (384 KB/s) - ‘index.html’ saved [379439]

If you can SSH then you can reach it,i've had the odd occasion where a NSG rule stops working

 

[r00igev@@r]

Mikrotik router
Service is a HTTPS API
Unable to trace back from the server to my home connection either.. whack
Works on different ISP's with no issue

That ICMP or async routing might be stuffing up the mtu.

 

[r00igev@@r]

Days of traces being very useful are over,ICMP is blocked 9/10 times

People who block ICMP are Poephols. With a capital P.

 

[PsyWulf]

People who block ICMP are Poephols. With a capital P.

Not disagreeing

 

[r00igev@@r]

Not disagreeing

Like every bank in South Africa. Eish! Their approach to cybersecurity is putting a paper bag over their heads and expecting not to be shot.

 

[Anthro]

That ICMP or async routing might be stuffing up the mtu.

I am allowing ICMP ;-) I am not a poephol lol

 

[Anthro]

Days of traces being very useful are over,ICMP is blocked 9/10 times

Spawn a linux VM in another Region (or a free one on Google Cloud) and see if you can Telnet and Wget to the IP and Port
nb$ wget https://iol.co.za
--2021-11-01 13:38:35-- https://iol.co.za/
Resolving iol.co.za (iol.co.za)... 172.67.8.153, 104.22.29.113, 104.22.28.113, ...
Connecting to iol.co.za (iol.co.za)|172.67.8.153|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.iol.co.za/ [following]
--2021-11-01 13:38:35-- https://www.iol.co.za/
Resolving www.iol.co.za (www.iol.co.za)... 104.22.29.113, 104.22.28.113, 172.67.8.153, ...
Connecting to www.iol.co.za (www.iol.co.za)|104.22.29.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html [ <=> ] 370.55K 384KB/s in 1.0s

2021-11-01 13:38:37 (384 KB/s) - ‘index.html’ saved [379439]

If you can SSH then you can reach it,i've had the odd occasion where a NSG rule stops working

The NSG allows HTTPS traffic from everywhere, and SSH from trusted IP's
Strange, very strange

 

[PsyWulf]

I am allowing ICMP ;-) I am not a poephol lol

You don't own the nodes inbetween so it doesn't mean much

 

[r00igev@@r]

You don't own the nodes inbetween so it doesn't mean much

"The nodes in between". Often referred to as the Bermuda triangle of the cloud.