Trouble Reaching Google.com, Again

Polymathink
Getting noticed

Anyone else starting to see issues reaching google.com through an MX device? This is looking curiously like the incident(s) in 2017 when we had trouble reaching google.com through the firewalls. There is nothing in the logs that I can see. There have been no config changes. This surfaced yesterday in one of our offices using an MX64 device and has started, today, in another office using an MX80.

The errors we're getting seem to be related to HTTPS, but we can attach to other sites using HTTPS such as Amazon, Microsoft, and anything else we try... except for Google.

Google.com has been whitelisted since the issue in 2017.

Nash
Kind of a big deal

I recall the issue in 2017. But there's no reason to assume the same problem is happening.

 

What happens when you run a pcap while attempting to get to Google.com? What's the traffic show? I'd probably dump it into Wireshark to review, btw, since you'll need to look at both the LAN and Internet interfaces and that's a good bit of traffic.

route_map
Building a reputation

What happens when you do a traceroute?

I can tracert to google.com fine. When using any browser I get a variation (browser dependent) of an HTTPS connection error.

i.e. from Firefox:

An error occurred during a connection to www.google.com. PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

    Please contact the website owners to inform them of this problem.

Nash
Kind of a big deal

Tracert is an entirely different protocol from HTTPS. We're talking ICMP vs TCP.

 

What happens when you run a pcap on your Internet interface while attempting to go to Google? And on your LAN? That will show you what's happening with the TCP connection on 443.
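A quick way to see which layer breaks before opening Wireshark, as an added example that is not part of any post in this thread and is not Meraki code: it runs DNS resolution, the TCP connect to 443 and the TLS handshake as separate steps and reports the first one that fails. The function name `probe_https` and its stage labels are made up for this example, and it tries only the first address DNS returns.

```python
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail); stage names the first layer that failed.

    Stage labels are this example's own: dns, tcp, tls-cert, tls-reset,
    tls, ok.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))

    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)  # TCP three-way handshake only
    except OSError as exc:
        sock.close()
        return ("tcp", f"{type(exc).__name__}: {exc}")

    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} from {addr[0]}")
    except ssl.SSLCertVerificationError as exc:
        # The handshake got far enough to present a certificate we do not
        # trust, e.g. one substituted by an inspecting middlebox.
        return ("tls-cert", exc.verify_message)
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError) as exc:
        # TCP connected, then the peer or a device on the path dropped the
        # session during the handshake: what Firefox reports as
        # PR_CONNECT_RESET_ERROR.
        return ("tls-reset", f"{type(exc).__name__}: {exc}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    print(target, *probe_https(target))
```

Running it from an affected and an unaffected machine behind the same MX shows whether the two diverge at DNS, TCP or TLS, which tells you what to filter for in the pcap.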

NFL0NR
Getting noticed

When in doubt... reboot. We've had issues today with 3 different devices that rebooting them resolved.

Hahahaha, we tried that. Did not work. Curiously, two machines that exhibited this behaviour yesterday in the office with the MX64 can access google.com fine, today.

The machine identified with this issue in the office with the MX80 still has the issue. It's looking to not be a firewall issue at all, I think, but perhaps a DNS issue. Allowing DoH did not resolve the issue. Still digging and will try packet sniffing next.

Nash
Kind of a big deal


@NFL0NR wrote:

When in doubt... reboot. We've had issues today with 3 different devices that rebooting them resolved.


As a matter of best practice, I wouldn't do this as an initial step. If you reboot, you lose the local logs on the device. Sometimes support needs to review those when you call in about a problem.

@Polymathink what happens if you try using 8.8.8.8 for the devices' DNS? Does the problem go away?

Using 8.8.8.8 (Google DNS) did not work, nor did using Umbrella DNS. Not all machines had the issue, either, so it (very likely) wasn't firewall related, after all. Odd that it was only google.com.

It seems a restart worked. Not a simple reboot, but a complete shutdown and fire the machine back up was what worked. When we simply restarted the machine, it still would not connect to Google.com.

KevinH
Here to help

Last week I had an incident where Google DNS was briefly being Content Filtered under the category of Proxy Avoidance and Anonymizers. All the clients had no internet access when that happened. Meraki tech support said a third party controls the block list and basically said it wasn't their problem.

Got it. It helps more if we also check in detail https://community.meraki.com/t5/Security-SD-WAN/Trouble-Reaching-Google-com-Again-fifa/td-p/73309

Anyhow! Bundle of thanks

Robort
Conversationalist

Was this issue solved? We seem to have a similar issue. Thanks
