
The external network cannot access 1433 port of interior servers

Publication Date:  2012-09-18 Views:  60 Downloads:  0
Issue Description
From the external network, port 1433 of the internal servers cannot be reached, although port 80 of the same servers can be.
Alarm Information
  None.
Handling Process
 The service listening on port 1433 of the servers is working, because port 1433 can be reached normally from the internal network.
  Next we confirm that there is no problem in the firewall configuration and that no packet-filtering rule denies port 1433. The public address of the servers can be pinged from the public network, and the internal address of the servers can be pinged from the firewall.
  We then let a client access port 1433 of the servers and check the session table on the firewall:
  disp fire sess ta v destination in 10.10.8.2
  tcp, (vpn: public -> public)
   zone: untrust -> trust   tag: 80400002
   ttl: 00:20:00  left: 00:19:59  Id: 329250
   <-- packets:0 bytes:0   --> packets:0 bytes:0
   220.180.150.247:8080[10.10.8.2:8080]<--211.141.192.230:2456
   tcp, (vpn: public -> public)
   zone: untrust -> trust   tag: 80400002
   ttl: 00:20:00  left: 00:20:00  Id: 412491
   <-- packets:0 bytes:0   --> packets:0 bytes:0
   220.180.150.247:8080[10.10.8.2:8080]<--211.141.192.230:2458
   tcp, (vpn: public -> public)
   zone: untrust -> trust   tag: 00400002
   ttl: 00:00:05  left: 00:00:01  Id: 451812
   <-- packets:0 bytes:0   --> packets:0 bytes:0
   220.180.150.247:1433[10.10.8.2:1433]<--211.141.192.230:2452
  Current Total Sessions : 3
  From the session table we can see that the sessions to port 8080 of the servers are normal, with a ttl of 20 minutes, but the session for port 1433 exists for only 5 seconds. This shows that the firewall has received the SYN but no SYN-ACK from the server, so the session is stuck in the half-open state.
  A traceroute to the server shows that there is another device between the firewall and the server. The customer says it is a switch, so we suspect the switch is blocking port 1433:
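As an added example that is not part of the original case, the small parser below reads this session-table format and flags half-open entries by their short SYN-wait ttl; the sample text is constructed from the two relevant entries above.

```python
import re

# Constructed sample: two entries copied from the session table above.
SAMPLE = """\
tcp, (vpn: public -> public)
 zone: untrust -> trust   tag: 80400002
 ttl: 00:20:00  left: 00:19:59  Id: 329250
 <-- packets:0 bytes:0   --> packets:0 bytes:0
 220.180.150.247:8080[10.10.8.2:8080]<--211.141.192.230:2456
tcp, (vpn: public -> public)
 zone: untrust -> trust   tag: 00400002
 ttl: 00:00:05  left: 00:00:01  Id: 451812
 <-- packets:0 bytes:0   --> packets:0 bytes:0
 220.180.150.247:1433[10.10.8.2:1433]<--211.141.192.230:2452
"""

TTL_RE = re.compile(r"ttl:\s*(\d+):(\d+):(\d+)\s+left:\s*(\d+):(\d+):(\d+)\s+Id:\s*(\d+)")
PKT_RE = re.compile(r"<--\s*packets:(\d+)\s+bytes:(\d+)\s+-->\s*packets:(\d+)\s+bytes:(\d+)")
# public_ip:port[nat_ip:port]<--client_ip:port
FLOW_RE = re.compile(r"(\S+):(\d+)\[(\S+):(\d+)\]<--(\S+):(\d+)")


def hms(h, m, s):
    """Convert an hh:mm:ss triple to seconds."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_sessions(text):
    """Return one dict per session entry in the 'display firewall session' output."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("tcp,", "udp,")):      # each entry starts with the protocol
            cur = {"proto": line.split(",")[0]}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if m := TTL_RE.search(line):
            cur["ttl"], cur["left"], cur["id"] = hms(*m.group(1, 2, 3)), hms(*m.group(4, 5, 6)), int(m.group(7))
        elif m := PKT_RE.search(line):
            cur["pkts_in"], cur["pkts_out"] = int(m.group(1)), int(m.group(3))
        elif m := FLOW_RE.search(line):
            cur["server"], cur["server_port"] = m.group(3), int(m.group(4))
            cur["client"] = f"{m.group(5)}:{m.group(6)}"
    return sessions


def half_open(sessions, established_ttl=20 * 60):
    """Entries whose ttl is shorter than the established-TCP timer are still in
    SYN-wait: the firewall saw the SYN but no SYN-ACK came back from the server."""
    return [s for s in sessions if s.get("ttl", established_ttl) < established_ttl]
```

Run over the full table, the function singles out the 1433 entry (ttl 5 s) while the 8080 sessions with the 20-minute timer are left alone.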
tracert  10.10.8.2
traceroute to  10.10.8.2(10.10.8.2) 30 hops max,40 bytes packet
1 10.10.0.2 16 ms  0 ms  0 ms
2 10.10.8.2 0 ms  0 ms  0 ms
After logging in to the switch and checking its configuration, we find that ACL 3001 denies port 1433 and that the rule is applied on the inbound interface. After deleting that rule, port 1433 of the internal servers can be accessed from the external network.
Root Cause
 Possible reasons are as follows:
1、 The service on port 1433 is not enabled on the servers.
2、 The service process behind port 1433 on the server has crashed.
3、 Traffic to port 1433 is filtered by an intermediate device.
In this case the root cause was the third: traffic to port 1433 was filtered by an intermediate device (the switch ACL).
Suggestions
  None.
