Closed
Bug 1278331
Opened 8 years ago
Closed 8 years ago
SFO - Vidyo not working over guest WiFi network
Categories
(Infrastructure & Operations Graveyard :: AVOps: Vidyo, task)
Infrastructure & Operations Graveyard
AVOps: Vidyo
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: trecendez, Assigned: dcurado)
Details
Vidyo desktop not working on the Guest Network in SFO. Works fine in MTV.
Gathering additional details to assist with troubleshooting.
Assignee | ||
Comment 1•8 years ago
|
||
If you can specify the source IP (the host on the guest network) and the destination IP address that host is trying to get to, on which port... that would be great.
Thank you.
Comment 2•8 years ago
|
||
The K-Ingleside line's iMac is pulling the IP: 10.251.34.84 from the Mozilla Guest network
Comment 3•8 years ago
|
||
N-Judah line is pulling the IP: 10.251.35.113 from the Mozilla Guest network
Assignee | ||
Comment 4•8 years ago
|
||
OK, great, Thanks!
Now, what destination IP and destination port are their clients trying to get to?
Thanks!
Comment 5•8 years ago
|
||
J-Church line is pulling the IP: 10.251.34.164 from the Mozilla Guest network
Assignee | ||
Comment 6•8 years ago
|
||
Mark -- thank you, I've got enough source IP addresses now.
What I need now is/are destination IP and ports.
There have been no changes made to the office firewalls in some time.
The policies from the guest network out to the Internet, or to the corp zone, or to our internal VPN,
all match between mtv2 and sfo1. (in fact, all our office firewalls now run the same configuration)
So, this is a bit of a puzzle.
Comment 7•8 years ago
|
||
Totally understand, was just logging them individually because it's quite an arduous process retrieving the IP addresses from the iMacs.
What they're trying to hit is:
Portal: Name: v.mozilla.com
Address: 63.245.215.252
Assignee | ||
Comment 8•8 years ago
|
||
Mark -- thank you, I've got enough source IP addresses now.
What I need now is/are destination IP and ports.
There have been no changes made to the office firewalls in some time.
The policies from the guest network out to the Internet, or to the corp zone, or to our internal VPN,
all match between mtv2 and sfo1. (in fact, all our office firewalls now run the same configuration)
So, this is a bit of a puzzle.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
Assignee | ||
Comment 9•8 years ago
|
||
Weird.
Can a host on the guest wifi ping v.mozilla.com?
some debugging:
from the firewall in sfo1, I can ping v.mozilla.com
dcurado@fw1.ops.sfo1.mozilla.net> ping 63.245.215.252
PING 63.245.215.252 (63.245.215.252): 56 data bytes
64 bytes from 63.245.215.252: icmp_seq=0 ttl=60 time=21.413 ms
64 bytes from 63.245.215.252: icmp_seq=1 ttl=60 time=4.215 ms
64 bytes from 63.245.215.252: icmp_seq=2 ttl=60 time=4.464 ms
64 bytes from 63.245.215.252: icmp_seq=3 ttl=60 time=5.417 ms
^C
--- 63.245.215.252 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.215/8.877/21.413/7.251 ms
and if I trace the security policies, everything (except email) is
allowed out of the guest network...
dcurado@fw1.ops.sfo1.mozilla.net> show route 63.245.215.252
inet.0: 101 destinations, 123 routes (100 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 19w6d 10:20:56
> to 63.245.219.49 via reth0.1045 <-------
[BGP/170] 15w3d 22:29:58, MED 0, localpref 100
AS path: 3549 I
> to 159.63.23.37 via reth0.426
[Static/200] 19w6d 10:20:56
> to 159.63.23.37 via reth0.426
{primary:node0}
dcurado@fw1.ops.sfo1.mozilla.net> show interfaces reth0.1045 | match zone
Security: Zone: external <------------
{primary:node0}
dcurado@fw1.ops.sfo1.mozilla.net> show security policies from-zone guest to-zone external
node0:
--------------------------------------------------------------------------
From zone: guest, To zone: external
Policy: filter-smtp, State: enabled, Index: 26, Scope Policy: 0, Sequence number: 1
Source addresses: guest-ww
Destination addresses: any
Applications: filter-smtp-app
Action: deny
Policy: filter-internal, State: enabled, Index: 27, Scope Policy: 0, Sequence number: 2
Source addresses: any
Destination addresses: mozilla-internal
Applications: any
Action: deny
Policy: interwebs, State: enabled, Index: 28, Scope Policy: 0, Sequence number: 3
Source addresses: any <-------
Destination addresses: any <-------
Applications: any <-------
Action: permit, log <-------
Comment 10•8 years ago
|
||
Yes, I'm able to ping v.mozilla.com from my laptop while on guest, while literally next to these conference rooms on the third floor.
Comment 11•8 years ago
|
||
These particular machines were functioning without issue last week, and then on Monday they stopped working altogether on Mozilla guest. Also, they are able to log in to Vidyo Desktop, just cannot complete any calls.
Assignee | ||
Comment 12•8 years ago
|
||
OK, great info, thank you.
Did anything change with v.mozilla in that time frame?
Not trying to point the finger of blame at AVops here, it's just that nothing
changed in SFO1 at all, and nothing changed on the core switches where v.mozilla.com connects.
Since you can ping it, we know reachability is fine. There is some sort of filtering going
on somewhere.
Do you happen to know which tcp/udp port(s) the clients use when sending packets to v.mozilla.com?
Thanks.
Comment 13•8 years ago
|
||
Yes, UDP ports 50000-65535
Assignee | ||
Comment 14•8 years ago
|
||
From guest in sfo1 going out to v.mozilla.com, nothing is blocked.
(see comment 9)
From there packets go to border1.pao1, then border1.scl3 (no filtering there) and then
on to core1.scl3, where there is a packet filter, but packets to v.mozilla.com are explicitly allowed
through...
term vidyo {
from {
destination-prefix-list {
vidyo-router;
vidyo-portal; <---- this line includes v.mozilla.com
vidyo-replay;
}
}
then accept;
}
That said, the fact that we can ping from src to dest, but not make calls, certainly does *feel* like
a firewall/filter problem. I'm just not seeing one. (and nothing has changed in the past weeks/months
with this network gear) I've pinged Guillermo to see if we can debug this together.
Assignee | ||
Comment 15•8 years ago
|
||
Guillermo has identified the problem.
The fix will require a CAB approval for a brief vidyo hit.
Assignee | ||
Comment 16•8 years ago
|
||
closing due to inactivity.
I believe Guillermo will open a service now case for the required CAB approval mentioned in
comment 15.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Comment 17•8 years ago
|
||
Confirming this was a Vidyo Infrastructure configuration issue.
CHG0010646 has been approved to fix the config.
Status: RESOLVED → REOPENED
Component: NetOps: Other → AVOps: Vidyo
QA Contact: jbarnell → rcarroll
Resolution: INCOMPLETE → ---
Comment 18•8 years ago
|
||
Work completed
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Updated•1 year ago
|
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•