大陸連線 https 有問題，台灣正常

[kcsboy]

狀況：
我架好https 之後主機在台北，經 使用https:\\真實IP\ 可以連線
我台南的朋友也可以連線。
當然https 使用443 的外部port 我經過 isa 到內部也使用 443 ，不過我把IIS SSL 移到 442。而台灣連線正常。
以下是，經過防火牆的訊息


HINET IP (開始連線)
202.39.24.242:動態 192.168.0.243:443 External Local Host Establish 0x0 MAILD 轉送服務 HTTPS Server 0 0
202.39.24.242:動態 192.168.0.243:443 External Local Host Establish 0x0 MAILD 轉送服務 HTTPS Server 0 0
202.39.24.242:動態 192.168.0.243:443 External Local Host Establish 0x0 MAILD 轉送服務 HTTPS Server 0 0
HINET IP (結束連線)
202.39.24.242:動態 192.168.0.243:443 External Local Host Terminate 0x80074e20 MAILD 轉送服務 HTTPS Server 1048 1048
202.39.24.242:動態 192.168.0.243:443 External Local Host Terminate 0x80074e20 MAILD 轉送服務 HTTPS Server 1148 1148
202.39.24.242:動態 192.168.0.243:443 External Local Host Terminate 0x80074e20 MAILD 轉送服務 HTTPS Server 1474 1474


0x80074e20 訊息是
WSA_RWS_GRACEFUL_SHUTDOWN or FWX_E_GRACEFUL_SHUTDOWNA
A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.



可是在大陸連到台灣的https 會有RST segment 的問題 TCP headerxxxxxx
以下是，大陸經過防火牆的訊息

大陸 IP (開始連線) 有2個IP
10:30:12 TCP 218.14.3.201:動態 192.168.0.243:443 External Local Host Establish 0x0 MAILD 轉送服務 HTTPS Server 0 0
10:30:12 TCP 218.14.3.201:動態 192.168.0.243:443 External Local Host Terminate 0x80074e21 MAILD 轉送服務 HTTPS Server 246 246
10:30:13 TCP 218.249.5.194:動態 192.168.0.243:443 External Local Host Establish 0x0 MAILD 轉送服務 HTTPS Server 0 0
10:30:14 TCP 218.249.5.194:動態 192.168.0.243:443 External Local Host Terminate 0x80074e21 MAILD 轉送服務 HTTPS Server 229 229
大陸 IP (拒絕開始連線)
10:30:14 TCP 218.14.3.201:動態 192.168.1.253:443 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0
10:30:14 TCP 218.14.3.201:動態 192.168.1.253:443 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0
10:30:14 TCP 218.249.5.194:動態 192.168.1.253:443 External Local Host Denied 0xc0040017 - Unidentified IP Traffic 0 0

0x80074e21
WSA_RWS_ABORTIVE_SHUTDOWN or FWX_E_ABORTIVE_SHUTDOWN
A connection was abortively closed after one of the peers sent a RST segment.


0xC0040017
FWX_E_TCP_NOT_SYN_PACKET_DROPPED
A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.


可是有一個方式卻可以用大陸和 https 連線
方法是這樣，內部使用 port 443
而防火牆外部使用potr 80 ，並把80port 轉到 內部port 443
就可以連線，大陸也沒問題
也就是==> https:// DNS name :80/
可是這樣 port 80 就被 MAILD 搶走了

可是我想用https:// xxx :443/ 也要讓大陸能夠連線
有何良策

[kcsboy]

找到問題了，看來中國的網路還滿爛的

此為台灣連線封包狀況
http://home.so-net.net.tw/huangslite/tw_link.jpg

此為大陸連線封包狀況
http://home.so-net.net.tw/huangslite/china_link.jpg
大陸連線，產生RST connect 導致，非80 port 都會有問題

我目前與中國電信處理中



append.

435 89.218750 ANI CO47C003 EDIMAX9329C5 TCP ...R.., len: 0, seq:2515660683-2515660683, ack: 0, win: 1, src: 1601 dst: 443 218.14.3.3 192.168.1.253 IP
Frame: Base frame properties
Frame: Time of capture = 2006/3/7 13:29:13.655
Frame: Time delta from previous physical frame: 78125 microseconds
Frame: Frame number: 435
Frame: Total frame length: 60 bytes
Frame: Capture frame length: 60 bytes
Frame: Frame data: Number of data bytes remaining = 60 (0x003C)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 0000B49329C5
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00400547C003
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 60 (0x003C)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 46 (0x002E)
IP: ID = 0x40; Proto = TCP; Len: 40
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 40 (0x28)
IP: Identification = 64 (0x40)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 49 (0x31)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xE9D9
IP: Source Address = 218.14.3.3
IP: Destination Address = 192.168.1.253
IP: Data: Number of data bytes remaining = 20 (0x0014)
IP: Padding: Number of data bytes remaining = 6 (0x0006)
TCP: ...R.., len: 0, seq:2515660683-2515660683, ack: 0, win: 1, src: 1601 dst: 443
TCP: Source Port = 0x0641
TCP: Destination Port = 0x01BB
TCP: Sequence Number = 2515660683 (0x95F1EF8B)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x04 : ...R..
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....1.. = Reset the connection
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 1 (0x1)
TCP: Checksum = 0x82AF
TCP: Urgent Pointer = 0 (0x0)
00000: 00 00 B4 93 29 C5 00 40 05 47 C0 03 08 00 45 00 ..’?)A.@.GA...E.
00010: 00 28 00 40 00 00 31 06 E9 D9 DA 0E 03 03 C0 A8 .(.@..1.eUU...A‥
00020: 01 FD 06 41 01 BB 95 F1 EF 8B 00 00 00 00 50 04 .y.A.??ni?....P.
00030: 00 01 82 AF 00 00 00 00 37 24 46 C8 ..?‾....7$FE

[Eric0626]

之前也遇過類似問題 ,跟 中國電信又無法溝通 , 最後改採用 香港線路 ,才改善網路不穩的問題!!
_________________
雷電 :MAILD 4.6
雷電 :FTPD v2.4.3401
DNS:TWNIC 代管
系統 :Windows 2016 Server
防毒 :TrendMicro OfficeScan

[kcsboy]

這個問題我處理掉了，在網路上依然是使用中國電信

1.首先內部虛擬WEB 使用 80,81...... port 重點是不能使用 MAILD 的SSL 功能

2.在內部一台IIS 上安裝一個憑證

3.在對外的 ISA 上安裝 內部 IIS 的那個 RSA 憑證

4.設定 ISA 將外部 SSL 轉到 內部 非 SSL 的 Http

參考
1.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/outlook_web_access_publishing_ee.mspx

2.
http://www.microsoft.com/taiwan/isaserver/downloads/2004/default.mspx

的
伺服器發佈和 VPN
40 MB 壓縮的 EXE
TechNet TNT Session - 2004 年 6 月 24 日發行

[蛋頭]

[Eric0626]

[蛋頭]

[kcsboy]

第一線(安萊)在中國，並沒有 ADSL 連 INternet 的服務
只能使用 ADSL 專線到機房==>然後連到香港==>然後連到台灣

是一種點對點連接，
如果把 router 設 0.0.0.0 mask 0.0.0.0 gateway 是可以上網的。
一個月我問到 256K 是 (6000-4500) 人民幣
有點貴，所以我不想用了