gk987

Q: Ports suddenly appearing as closed when they are open.

Hi all,


I recently set up a Server on 10.11. I am using Profile Manager and VPN from outside the network.

I forwarded all the necessary ports, and that all worked fine, then about a week later Profile Manager stopped appearing under 'Reachable'. I checked the ports with canyouseeme.org and they were reported as 'closed'. They are open on the firewall.

Then a week later VPN dropped from 'Reachable'.

I ran some packet captures and found that the traffic was going into the LAN and being rejected by the server.


Can anyone think of any suggestions on why the traffic is being rejected?


Thank you.


iMac, OS X El Capitan (10.11.4), Server

Posted on Apr 20, 2016 7:55 AM


  • by Linc Davis, Level 10 (208,000 points), Apr 20, 2016 5:17 PM in response to gk987

    Are the services reachable inside the network?

  • by Gino_Cerullo, Level 3 (567 points), Apr 20, 2016 7:50 PM in response to gk987

    According to Apple's documentation regarding "reachability"


    "How does reachability testing work?


    The Server app securely connects to Apple and asks automated servers at Apple to try connecting to your server for each service that’s enabled. Because Apple servers are outside your local network, they can simulate external clients trying to connect to your server. The results are shown in the Server app.


    The Apple servers check for:

    • An externally accessible IP address.
    • A public host name.
    • A handshake to each service enabled on the server. No information besides the connection availability is exchanged.
    • Properly configured port forwarding, if necessary.


    Apple doesn’t retain any of your personal information and transmits only enough information about your configuration to let Apple’s servers know what kinds of connection to check for."


    Make sure that the services you've configured on Apple Server meet all that criteria.


    Also, does Airport Utility indicate that the port forwarding settings are in place? Are you setting up the port forwarding or are you letting Server app do that for you?

  • by Bosco1983, Level 1 (61 points), Apr 21, 2016 1:09 AM in response to Gino_Cerullo

    My server has always shown what is in the attached screenshot but appears to work ok.

    My server has a local IP but is also NAT'd for external access. Server App shows our general public IP, not the unique public IP of the server. Don't know if that helps in any way? Or whether I should look at sorting my set up out.


    [attached screenshot: Screen Shot 2016-04-21 at 09.06.35.png]

  • by gk987, Level 1 (4 points), Apr 21, 2016 2:20 AM in response to Bosco1983

    Thanks for the replies.


    All the services work fine inside the network.

    It is all configured according to that article about the reachability. It must be the handshake that is failing.

    I set up a client machine with Server App, enabled VPN and changed the ports to forward to the client. It worked.

    So, it is something to do with my server, it is rejecting the traffic.

    I have checked the SSL certificates, and even renewed them, but this hasn't helped.

    Do you think it could be certificate related?

  • by John Lockwood (Solved answer), Level 6 (9,349 points), Apr 21, 2016 6:25 AM in response to gk987

    Lots of possibilities. I would initially do a port-scan test on your LAN to the server. If this shows the ports are indeed closed, it would likely be down to an issue on the server itself; if the ports are shown as open, which, as you say the services work on the LAN, is likely to be the case, then it would suggest the problem is either not on the server itself or the server is configured to only allow traffic from the LAN. Network Utility can do simple port-scans.


    • Check the network settings on the server, especially the default gateway.
    • Check the port forwarding rule in your router is still pointing to the correct destination; as your server should have a static IP address, in theory it should be, but it is worth checking.
    • Check to see if the Firewall is turned on in System Preferences -> Security & Privacy; if on, you could temporarily turn it off to test.
    • Check to see if the Adaptive Firewall (not the same as above) is turned on, see How to enable the adaptive firewall on OS X Server - Apple Support; again, if it is on, try turning it off temporarily.
    • Check to see if the pf firewall is running; again, temporarily disable it if running. The process for enabling pf under El Capitan seems to be more complex and Apple's instructions wrong due to SIP, see https://groups.google.com/forum/#!topic/macenterprise/AI5KYpPugRY
    • If the Profile Manager server is also a VPN server you might have followed a setup like the one provided by MacMiniVault, see https://github.com/MacMiniVault/Mac-Scripts/blob/master/vpnscript/vpnscript-README.md. This adds a VLAN to the server and, in order for that to work, also sets up network forwarding rules; this could have upset things and certainly also requires adding a static IP route to your router.
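
    The LAN-side port test above, followed by the "closed on LAN vs. open on LAN but closed from outside" reasoning, as an added example (not from the thread, not Apple's or MacMiniVault's code). The host name and port are assumptions; the thread lists no port numbers, and only TCP is probed because a plain connect cannot confirm UDP services such as IPsec.

```python
import socket
from contextlib import closing


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (the same kind of
    handshake Apple's reachability servers perform), False on refusal/timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (OSError, socket.timeout):
            return False


def triage(lan_open, wan_open):
    """Apply the reply's reasoning to a LAN-side and an Internet-side result."""
    if lan_open and wan_open:
        return "reachable: service answers from both sides"
    if not lan_open:
        return ("closed on LAN: look at the server itself (service not listening, "
                "application firewall, adaptive firewall, pf, or Access restricted)")
    return ("open on LAN, closed from outside: check router port forwarding, the "
            "server's default gateway, or an access rule that only allows the LAN")


def triage_service(host, port, wan_open):
    """Probe the port from where this script runs (inside the LAN) and classify."""
    return triage(tcp_port_open(host, port), wan_open)


def local_listener():
    """Constructed test fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed values: the server's LAN address and Profile Manager's HTTPS port;
    # wan_open is what canyouseeme.org or the Server app's Reachability reported.
    print(triage_service("10.0.1.2", 443, wan_open=False))
```

Run it on a machine inside the LAN, passing the external result you observed; the printed line tells you which of the reply's checklist items to start with.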
  • by Linc Davis, Level 10 (208,000 points), Apr 21, 2016 5:54 AM in response to gk987

    In the sidebar of the Server app window, please select the server by name, then select the Access tab. The network access setting for the service should be All Networks if you want the clients to be able to connect from anywhere. The ports on which the service listens are also shown.

    If there's no entry for the service in the Custom Access list, the default settings will apply.

  • by gk987, Level 1 (4 points), Apr 21, 2016 6:24 AM in response to John Lockwood

    Thank you very much. This solved my problem.

    The firewalls were all fine.

    The issue was the VPN. When I switched the VPN service off Profile Manager came back. My server is not providing DHCP, it is set up in a 'magic triangle', just taking care of the Macs in an AD environment. So this could have caused the issue.

  • by gk987, Level 1 (4 points), Apr 22, 2016 3:38 AM in response to gk987

    Update: issue not solved!

    After I stopped the VPN service, the issue was solved (profile manager was reachable), but then it disappeared again 10 mins later.

    I then stopped VPN by running:

    sudo launchctl stop com.apple.racoon

    This stopped the issue for another 10 mins, then it happened again.

    So, something to do with VPN most likely, just need to find out exactly what.