[afnog] Blocked or filtered network ?

Epeli Tagi epelit at sprep.org
Fri Dec 2 04:49:38 UTC 2011


Hi Regardt, Graham, Jacques et al

Problem is now solved! Apparently it was our local ISP that was filtering the 41.0.0.0 network.

Feeling a bit foolish having to go half way around the world to figure out this one.

After forwarding the latest post to them, they rechecked and removed the filter.

Thanks again for all your help.

Sincere apologies to Jacques, Riaana and the Vodacom team.

Really appreciate everyone's assistance!

I am just glad we have 'full access' to the internet...

Until the next 'filtered route'...

Take care
Epeli



-----Original Message-----
From: Epeli Tagi
Sent: Thursday, 1 December 2011 4:44 p.m.
To: Regardt van de Vyver
Cc: afnog at afnog.org
Subject: RE: [afnog] Blocked or filtered network ?

This was somehow tagged as spam.

Anyway, thanks for the detailed analysis Regardt. We all initially concluded 'vodacom' from the tracert from Durban that I had sent earlier.

I will raise this with our local ISP CSL and their upstream providers (BlueSky Communications).

I appreciate your time and efforts.

Regards
Epeli

-----Original Message-----
From: Regardt van de Vyver [mailto:regardt at neology.co.za]
Sent: Thursday, 1 December 2011 10:28 a.m.
To: Epeli Tagi
Cc: afnog at afnog.org
Subject: RE: [afnog] Blocked or filtered network ?

Hi Epeli,

I think the problem is far larger than Vodacom only - as Graham alluded to
a large number of netblocks behind 41.0.0.0/8 seem impacted with
connectivity to Samoa.

I decided to have a quick look at your problem - maybe I can provide some
insights. Some of this is obvious but just typing it all here for
completeness.

Your subnet (123.176.76.160/28) is announced via AS38227.

Looking at the typical AS path flow from that AS:
AS38227-->AS23657-->AS4323-->(most of the world) as seen by HE.net
[http://bgp.he.net/AS38227#_graph4]

Your upstream AS: AS23657 (Blue Sky Communications) announces themselves
via both TW Telecoms (AS4323) and Pacific Teleports (AS38456).

A sample trace from the UK shows:
traceroute to 123.176.76.161 (123.176.76.161), 64 hops max, 52 byte packets
 1  64.22.106.73 (64.22.106.73) [AS3595]  1 ms  0 ms  1 ms
 2  64.22.106.9 (64.22.106.9) [AS3595]  0 ms  10 ms  0 ms
 3  xe-2-0-5-101.ar1.atl1.us.nlayer.net (69.31.135.41) [AS4436]  4 ms  4 ms  2 ms
 4  ae0-70g.cr1.atl1.us.nlayer.net (69.31.135.129) [AS4436]  0 ms  1 ms  0 ms
 5  xe-0-0-3.cr1.iah1.us.nlayer.net (69.22.142.117) [AS4436] [MPLS: Label 413872 Exp 1]  15 ms [MPLS: Label 414656 Exp 1]  15 ms  15 ms
 6  xe-4-2-1.cr1.lax1.us.nlayer.net (69.22.142.122) [AS4436]  46 ms  47 ms 46 ms
 7  eqix.lsan.twtelecom.net (206.223.123.36) [AS10026]  51 ms  50 ms  50 ms
 8  hnl1-ar3-xe-2-0-0-0.us.twtelecom.net (66.192.250.206) [AS4323]  100 ms 101 ms  114 ms
 9  67.218.63.130 (67.218.63.130) [AS23657]  207 ms  208 ms  208 ms
10  gi0-0-rnas05.apia.samoa.net.ws (123.176.72.250) [AS23649]  152 ms  154 ms  154 ms
11  202.4.48.61 (202.4.48.61) [AS9398/AS9822/AS23649/AS11908/AS17993]  372 ms  210 ms  210 ms

A trace from a 41. range IP in ZA shows:
traceroute to 123.176.76.161 (123.176.76.161), 64 hops max, 52 byte packets
 1  bnksr01-eth2-2.neoinx.net (41.216.193.17) [AS37105]  0 ms  0 ms  0 ms
 2  bnkcrs01-vl1.neoinx.net (41.216.193.9) [AS37105]  0 ms  0 ms  0 ms
 3  grzbr01.neoinx.net (41.216.193.14) [AS37105]  0 ms  0 ms  0 ms
 4  rrba-ip-hsll-1-wan.telkom-ipnet.co.za (196.25.110.45) [AS5713/AS24077] 1 ms  1 ms  1 ms
 5  ams-ip-dir-globalc-pos-4-0-0.telkom-ipnet.co.za (196.43.18.26) [AS5713/AS24077]  184 ms  184 ms  185 ms
 6  so-0-2-0.ar2.AMS2.gblx.net (64.210.21.45) [AS3549]  183 ms  183 ms 183 ms
 7  TWTC.TenGigabitEthernet9-1.ar2.SJC2.gblx.net (64.212.32.234) [AS3549] 358 ms  358 ms  358 ms
 8  hnl1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.250.202) [AS4323]  373 ms 373 ms  373 ms
 9  * * 67.218.63.130 (67.218.63.130) [AS23657]  477 ms !A

The inbound routes don't quite follow what HE.NET has as AS path - this
isn't a problem per se - just a note.

So, the last valid hop is AS23657 -- we never get a response from the
routers on AS23649 (New Skies Satellites - Hong Kong). The moment I saw
the New Skies AS in the path my heart sank - I've had similar issues
before trying to resolve weird and wonderful routing issues with them. But
let's ignore that for the moment ;-)

The AS of interest is AS17993 or Samoatel aka samoa.ws... Anything on this
AS or behind it cannot get to our 41. IP ranges.

At a guess - check with New Skies or SamoaTel - they likely have a static
or a blackhole of some sort within that netblock.

I searched extensively for a public route server or traceroute server
behind that AS to no avail. If you can give me access to a shell or a
traceroute I'll try help from there.

Kind regards,
Regardt van de Vyver
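
The trace comparison walked through in the message above, as an added example that is not part of the original thread: it parses the last hops of both traces (copied from the message, line wrapping undone) and reports the last router that answered, whether it returned `!A`, and the hop the working trace reaches next. The function names are hypothetical, and reading `!A` as ICMP "administratively prohibited" is an assumption about the traceroute tool used.

```python
import re

# Constructed input: the last hops of the two traces in the message above,
# with the mail client's line wrapping undone.
GOOD = """\
 8  hnl1-ar3-xe-2-0-0-0.us.twtelecom.net (66.192.250.206) [AS4323]  100 ms 101 ms  114 ms
 9  67.218.63.130 (67.218.63.130) [AS23657]  207 ms  208 ms  208 ms
10  gi0-0-rnas05.apia.samoa.net.ws (123.176.72.250) [AS23649]  152 ms  154 ms  154 ms
11  202.4.48.61 (202.4.48.61) [AS9398/AS9822/AS23649/AS11908/AS17993]  372 ms  210 ms  210 ms
"""
BAD = """\
 8  hnl1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.250.202) [AS4323]  373 ms 373 ms  373 ms
 9  * * 67.218.63.130 (67.218.63.130) [AS23657]  477 ms !A
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                        # "<ttl>  <rest>"
ADDR = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s+\[([^\]]+)\]")  # "(ip) [ASx/ASy]"
FLAG = re.compile(r"!(\w)")                                   # "!A", "!H", ...

def parse_trace(text):
    """Return one dict per hop: ttl, ip, asns, lost probes, ICMP flags."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header line or blank
        rest = m.group(2)
        a = ADDR.search(rest)
        hops.append({"ttl": int(m.group(1)), "ip": a.group(1) if a else None,
                     "asns": a.group(2).split("/") if a else [],
                     "lost": rest.split().count("*"), "flags": FLAG.findall(rest)})
    return hops

def locate_filter(good, bad):
    """Compare a working and a failing trace to the same destination."""
    last = [h for h in bad if h["ip"]][-1]          # last router that answered
    # Hop the working trace reaches after that same router (None if unseen).
    seen = [h["ttl"] for h in good if h["ip"] == last["ip"]]
    nxt = next((h for h in good if seen and h["ttl"] > seen[0]), None)
    return {
        "last_responder": last["ip"], "last_asns": last["asns"],
        # Assumption: "!A" = ICMP administratively prohibited (an ACL replied),
        # as opposed to a silent blackhole, which shows only "*".
        "admin_prohibited": "A" in last["flags"],
        "next_expected": nxt["ip"] if nxt else None,
        "next_asns": nxt["asns"] if nxt else [],
    }

if __name__ == "__main__":
    print(locate_filter(parse_trace(GOOD), parse_trace(BAD)))
```

An explicit prohibited reply from the last responder places the filter at or just behind that router, between it and the next hop seen in the working trace.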

