Thursday, October 18, 2018

networking: pcaps tell the whole story

Working for an MSP, I have the opportunity to interface with a large number of different clients and vendors. A few months ago a vendor contacted me on behalf of a mutual client, stating they had "updated their scripts" and now their application wasn't working for our mutual client. They had tested in their (the vendor's) test environment and determined the client's firewall (for which I was responsible) must be blocking the traffic.

I tested with the client and saw the traffic being allowed through, so I informed the client I'd work directly with the vendor and provide them with updates.

During testing with the vendor, I could see two-way traffic being allowed through the firewall; however, the vendor reported they weren't receiving any traffic from the client.

This caused me great confusion, and I requested we run a packet capture on both sides to compare. That quickly allowed me to determine that traffic was being sent and received on both sides. Not only that, all traffic was making it through in a timely manner, but still the SFTP uploads and webpage calls were failing.

With the pcaps showing that bi-directional traffic was allowed, they agreed to dig into the pcaps with me. We quickly determined the client's server was attempting to negotiate TLS 1.0, which had been deprecated on the vendor's servers in favor of TLS 1.2 as part of the "script updates".
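As an added illustration (not code from the original post), the check below pulls the same facts out of the two TLS records a capture on each side would show: the versions the client's ClientHello offers and whether the server answered with a ServerHello or a fatal alert. The records are constructed samples built by the helper; offsets follow the TLS record and handshake layout.

```python
import struct
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def build_client_hello(version, supported_versions=()):
    """Constructed test input: minimal ClientHello (one suite, empty session id, optional supported_versions)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"      # version, random, session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"                        # one suite, null compression
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_tls_record(rec):
    """Versions a ClientHello offers, the version a ServerHello picked, or the alert a server sent."""
    ctype, _, length = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + length]
    if ctype == 0x15 and len(body) == 2:                               # alert record
        return {"type": "alert", "fatal": body[0] == 2, "description": ALERTS.get(body[1], str(body[1]))}
    if ctype != 0x16 or body[:1] not in (b"\x01", b"\x02"):
        raise ValueError("not a ClientHello, ServerHello or alert record")
    legacy_version = struct.unpack("!H", body[4:6])[0]
    if body[0] == 0x02:                                                # ServerHello: legacy version field
        return {"type": "server_hello", "version": VERSIONS.get(legacy_version, hex(legacy_version))}
    offered = {legacy_version}
    pos = 6 + 32                                                       # skip random
    pos += 1 + body[pos]                                               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]               # cipher suites
    pos += 1 + body[pos]                                               # compression methods
    if pos < len(body):                                                # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == 0x002B:                                        # supported_versions
                offered.update(struct.unpack("!%dH" % (data[0] // 2), data[1:1 + data[0]]))
            pos += 4 + elen
    return {"type": "client_hello", "offered": sorted(VERSIONS.get(v, hex(v)) for v in offered)}

def diagnose(client_hello, server_reply):
    """Verdict from the two records a capture on each side would show."""
    hello, reply = parse_tls_record(client_hello), parse_tls_record(server_reply)
    offered = ", ".join(hello["offered"])
    if reply["type"] == "alert":
        return "server rejected handshake (%s alert); client offered %s" % (reply["description"], offered)
    return "handshake proceeded with %s; client offered %s" % (reply["version"], offered)
```

Running `diagnose` on a TLS 1.0-only ClientHello and a fatal protocol_version alert gives the verdict the pcap comparison reached by hand.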

A quick installation of the TLS 1.2 libraries on the client's servers resolved the issue. This experience has made me much quicker to run packet captures to check for obvious issues, rather than putting them off as a last resort!
