Meraki

Community

Geoblocking causes Facebook to be unavailable?

DallasH
New here
‎Jul 20 2018 8:59 AM
‎Jul 20 2018 8:59 AM

Geoblocking causes Facebook to be unavailable?

It didn't make sense to me, but the morning after I installed an MX-64 with advanced security, the client site was unable to get to Facebook. It seems to be Geoblocking doing it because once I removed the rule, the users were able to load FB in their browsers.

 

I had the layer 7 rule configured such that only traffic from the US and Canada was allowed (client site in the US).

 

I pinged and traced to Facebook from the client site, and it was a few hops away in a DFW data center (at least the farm my client network hits). I could ping it, traceroute to it, but not connect on port 80 or 443 to it. 

 

Any idea what I am not seeing?

 

Thanks,

 

Dallas

0 Kudos
5 Replies 5
BrandonS
Kind of a big deal
‎Jul 20 2018 9:24 AM
‎Jul 20 2018 9:24 AM

Take a closer look at the traffic (packet capture) when you load a FB page.  You will see it loads content from dozens if not hundreds of sites and many of them may be outside the US.

 

 

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to BrandonS
BrandonS
Kind of a big deal
‎Jul 20 2018 9:26 AM
‎Jul 20 2018 9:26 AM

Or it is also possible the geolocation database has some incorrect information too.  Either way, if you try to lock your network down to US and Canada traffic only you will need to be prepared to start whitelisting things.

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to BrandonS
Adam
Kind of a big deal
‎Jul 20 2018 10:52 AM
‎Jul 20 2018 10:52 AM

And when you block stuff with those layer 7 rules it makes it hard to diagnose what to whitelist because the blocks don't show up in the event logs.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
DallasH
New here
‎Jul 20 2018 10:54 AM
‎Jul 20 2018 10:54 AM

Going to verify with packet captures, but adding Ireland back in did the trick.

 

I have (on other sites with less restrictive lists) had to add Singapore, Australia, and the UK for all our agents to show up in the WebrootPortal.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 20 2018 1:03 PM
‎Jul 20 2018 1:03 PM

A modern web page is made of of lots and lots of components.  Many of these components are from third parties.  Simply testing access to facebook.com is not sufficient.

 

My guess is something that the Facebook page is dependent on is falling into the geo block.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.