Who is generating an edgesuite.net error message

Three of our locations with Cogent Internet service are unable to access a web site. Three of our non-Cogent locations are able to access the site just fine. We get the error message below, and I don't know enough about this to tell if the issue is with Cogent, with a CDN, or with the web server. Can anyone offer insight? Here is the error we get: You don't have permission to access "http://waf-failover.macys.com/prod/WAF_Failover/WAF_error_page.html?" on this server. Reference #18.5ebc7768.1747925785.aafdbd3 https://errors.edgesuite.net/18.5ebc7768.1747925785.aafdbd3
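The reference number on the error page is the handle the site operator (or Akamai on their behalf) needs to find the blocked request in the WAF logs, so it is worth decoding before opening a ticket. The helper below is an added example, not from the thread; it assumes that the third dotted field of an errors.edgesuite.net reference is the Unix time of the request (here it decodes to 14:56:25 UTC on 22 May 2025, the same day and hour as the post times quoted in the thread), and leaves the two hex fields undecoded.

```python
import re
from datetime import datetime, timezone

# Shape of an errors.edgesuite.net reference: code.hexfield.epoch.hexfield
# Assumption: the third field is the Unix time of the blocked request (it
# decodes to the same day and hour as the post quoted in this thread).
_REF_RE = re.compile(
    r"(?P<code>\d+)\.(?P<edge>[0-9a-f]+)\.(?P<epoch>\d{9,10})\.(?P<req>[0-9a-f]+)"
)


def decode_reference(text):
    """Pull the reference out of a bare ID, a 'Reference #...' sentence or the
    errors.edgesuite.net URL; return its fields and request time, or None."""
    m = _REF_RE.search(text)
    if not m:
        return None
    when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    return {
        "code": m["code"],
        "edge": m["edge"],          # opaque here; left undecoded
        "req": m["req"],            # opaque here; left undecoded
        "epoch": int(m["epoch"]),
        "time_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def time_window(texts):
    """Earliest and latest request time (UTC strings) across several references,
    e.g. one from each blocked site, to quote in a ticket to the site operator."""
    decoded = [decode_reference(t) for t in texts]
    times = [d["time_utc"] for d in decoded if d]
    return (min(times), max(times)) if times else None


if __name__ == "__main__":
    print(decode_reference("https://errors.edgesuite.net/18.5ebc7768.1747925785.aafdbd3"))
```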

edgesuite.net is Akamai WAF. Confirm DNS queries return the same answer for the Cogent sites as the non-Cogent sites. Also, the Cogent sites may not have been whitelisted.
On May 22, 2025, at 11:44 AM, Jon Miller via NANOG <nanog@lists.nanog.org> wrote:
Three of our locations with Cogent Internet service are unable to access a web site. Three of our non-Cogent locations are able to access the site just fine. We get the error message below, and I don't know enough about this to tell if the issue is with Cogent, with a CDN, or with the web server. Can anyone offer insight? Here is the error we get: You don't have permission to access "http://waf-failover.macys.com/prod/WAF_Failover/WAF_error_page.html?" on this server. Reference #18.5ebc7768.1747925785.aafdbd3 https://errors.edgesuite.net/18.5ebc7768.1747925785.aafdbd3 _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/DYWSKWLL...

Sounds like an Akamai issue blocking Cogent IPs. Jared Mauch might be able to help you here.
On 5/22/25 11:44, Jon Miller via NANOG wrote:
Three of our locations with Cogent Internet service are unable to access a web site. Three of our non-Cogent locations are able to access the site just fine. We get the error message below, and I don't know enough about this to tell if the issue is with Cogent, with a CDN, or with the web server. Can anyone offer insight? Here is the error we get: You don't have permission to access "http://waf-failover.macys.com/prod/WAF_Failover/WAF_error_page.html?" on this server. Reference #18.5ebc7768.1747925785.aafdbd3 https://errors.edgesuite.net/18.5ebc7768.1747925785.aafdbd3

* nanog@lists.nanog.org (Jason Canady via NANOG) [Fri 23 May 2025, 16:34 CEST]:
Sounds like an Akamai issue blocking Cogent IPs. Jared Mauch might be able to help you here.
Akamai doesn't block Cogent IPs; as a CDN, Akamai implements the security policy chosen by the respective customer.
-- Niels.

I have been told that before, but it's clear that Akamai knows how to fix it because it's across multiple customers of theirs. On 5/23/25 10:44, Niels Bakker via NANOG wrote:
* nanog@lists.nanog.org (Jason Canady via NANOG) [Fri 23 May 2025, 16:34 CEST]:
Sounds like an Akamai issue blocking Cogent IPs. Jared Mauch might be able to help you here.
Akamai doesn't block Cogent IPs; as a CDN, Akamai implements the security policy chosen by the respective customer.
-- Niels.

These errors / blocks are due to Akamai customers using tools and data provided by Akamai to handle things like geo-restriction and (perceived) DoS attacks. You do have to deal with the Akamai customer for these issues, and some of our NAT addresses have been blocked by Macy's in the past, probably due to a large number of Macy's shoppers being behind a single IPv4 address...
Here is the Akamai Client Reputation check: https://www.akamai.com/us/en/clientrep-lookup/ That tool will only check the source IP address from which it is accessed. There is no way to check on another address.
Jon
On Fri, May 23, 2025 at 11:00 AM Jason Canady via NANOG <nanog@lists.nanog.org> wrote:
I have been told that before, but it's clear that Akamai knows how to fix it because it's across multiple customers of theirs.
On 5/23/25 10:44, Niels Bakker via NANOG wrote:
* nanog@lists.nanog.org (Jason Canady via NANOG) [Fri 23 May 2025, 16:34 CEST]:
Sounds like an Akamai issue blocking Cogent IPs. Jared Mauch might be able to help you here.
Akamai doesn't block Cogent IPs; as a CDN, Akamai implements the security policy chosen by the respective customer.
-- Niels.

On 5/23/25 11:19, Jon Meek via NANOG wrote:
These errors / blocks are due to Akamai customers using tools and data provided by Akamai to handle things like geo-restriction and (perceived) DoS attacks. You do have to deal with the Akamai customer for these issues, and some of our NAT addresses have been blocked by Macy's in the past, probably due to a large number of Macy's shoppers being behind a single IPv4 address...
Here is the Akamai Client Reputation check: https://www.akamai.com/us/en/clientrep-lookup/ That tool will only check the source IP address from which it is accessed. There is no way to check on another address.
This isn't limited to Akamai. Basically all CDNs have similar web application firewall (WAF) features, and lots of site admins somewhat naively turn them up to 11. I've noticed an increasing number of Cloudflare client intercepts recently not just on the small SP I run but even from clients on mainstream ISPs like Spectrum and T-Mobile, and I've even gotten outright 403'd by several places in my attempt to give them my money and buy stuff from them and at baffling parts of the process e.g. after getting a user login page and providing valid credentials but before the subsequent redirect to resources requiring auth.
I don't know what everybody is trying so hard to protect against, but the collateral damage has to be huge. I assume potential sales are lost somewhat frequently.
Given how often this question comes up, the CDNs should probably be more clear and up front about what the various WAF settings do and why or why NOT a user may want to enable various options. I think doing so could make everybody happy: end users, site operators, and the CDNs (by way of making the site operators happier).
-- Brandon Martin

I don't know what everybody is trying so hard to protect against, but the collateral damage has to be huge.
Massive bills caused by aggressive AI crawlers. Different CDNs have different tools and options to combat this, with varying degrees of effectiveness, so many people are cranking up the WAF restrictions as well, and unfortunately that often does cause some additional issues.
On Fri, May 23, 2025 at 11:16 PM Brandon Martin via NANOG <nanog@lists.nanog.org> wrote:
On 5/23/25 11:19, Jon Meek via NANOG wrote:
These errors / blocks are due to Akamai customers using tools and data provided by Akamai to handle things like geo-restriction and (perceived) DoS attacks. You do have to deal with the Akamai customer for these issues, and some of our NAT addresses have been blocked by Macy's in the past, probably due to a large number of Macy's shoppers being behind a single IPv4 address...
Here is the Akamai Client Reputation check: https://www.akamai.com/us/en/clientrep-lookup/ That tool will only check the source IP address from which it is accessed. There is no way to check on another address.
This isn't limited to Akamai. Basically all CDNs have similar web application firewall (WAF) features, and lots of site admins somewhat naively turn them up to 11. I've noticed an increasing number of Cloudflare client intercepts recently not just on the small SP I run but even from clients on mainstream ISPs like Spectrum and T-Mobile, and I've even gotten outright 403'd by several places in my attempt to give them my money and buy stuff from them and at baffling parts of the process e.g. after getting a user login page and providing valid credentials but before the subsequent redirect to resources requiring auth.
I don't know what everybody is trying so hard to protect against, but the collateral damage has to be huge. I assume potential sales are lost somewhat frequently.
Given how often this question comes up, the CDNs should probably be more clear and up front about what the various WAF settings do and why or why NOT a user may want to enable various options. I think doing so could make everybody happy: end users, site operators, and the CDNs (by way of making the site operators happier).
-- Brandon Martin

On Saturday, 24 May 2025 at 04:16, Brandon Martin via NANOG <nanog@lists.nanog.org> wrote:
I don't know what everybody is trying so hard to protect against, but the collateral damage has to be huge. I assume potential sales are lost somewhat frequently.
I agree. I understand what people are trying to protect against (attacks, DDoS yada yada yada). But sadly what I have been seeing a lot of is tarnishing people with the same brush. For example, there are many genuine and legitimate reasons for people to use a VPN service. And yet in recent months I have been seeing an attitude by many website operators that "it's a VPN IP therefore it must be bad". It's like, come on guys. Playing whack-a-mole blocking IP addresses is so 1990. You have much better tools at your disposal these days. I would also love to hear how these whack-a-mole lovers plan on continuing their attitude when IPv6 becomes even more prevalent!

Is this even a valid entry in DNS, anywhere?
server 8.8.8.8 Default Server: dns.google Address: 8.8.8.8
waf-failover.macys.com Server: dns.google Address: 8.8.8.8
*** dns.google can't find waf-failover.macys.com: Non-existent domain
server 1.1.1.1 Default Server: one.one.one.one Address: 1.1.1.1
waf-failover.macys.com Server: one.one.one.one Address: 1.1.1.1
*** one.one.one.one can't find waf-failover.macys.com: Non-existent domain
server 9.9.9.9 Default Server: dns9.quad9.net Address: 9.9.9.9
waf-failover.macys.com Server: dns9.quad9.net Address: 9.9.9.9
*** dns9.quad9.net can't find waf-failover.macys.com: Non-existent domain
On 5/22/2025 10:44 AM, Jon Miller via NANOG wrote:
Three of our locations with Cogent Internet service are unable to access a web site. Three of our non-Cogent locations are able to access the site just fine. We get the error message below, and I don't know enough about this to tell if the issue is with Cogent, with a CDN, or with the web server. Can anyone offer insight? Here is the error we get: You don't have permission to access "http://waf-failover.macys.com/prod/WAF_Failover/WAF_error_page.html?" on this server. Reference #18.5ebc7768.1747925785.aafdbd3 https://errors.edgesuite.net/18.5ebc7768.1747925785.aafdbd3
-- -Aaron
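Smith's advice earlier in the thread (confirm DNS returns the same answer at the Cogent and non-Cogent sites) and Aaron's nslookup run above are the same check; the script below is an added, stdlib-only Python version of it, not code from the thread. It sends a raw A query for the failover hostname to the three public resolvers Aaron used and reports the response code (NXDOMAIN, as seen above, or NOERROR with addresses), so the output from each site can be diffed. The minimal DNS wire-format encoder and decoder is constructed for this check and handles only A records and compressed names.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Encode a recursive A query for name (ID fixed here for reproducibility)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def _skip_name(data, off):   # offset just past a (possibly compressed) name
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1


def parse_response(data):
    """Return (rcode_name, [IPv4 answers]) from a raw DNS response packet."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4           # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen                              # CNAMEs etc. are skipped
    return rcode, addrs


def query(resolver, name, timeout=3.0):   # one UDP query; OSError on timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_response(s.recv(512))


if __name__ == "__main__":   # run at each site and diff the output
    for r in ("8.8.8.8", "1.1.1.1", "9.9.9.9"):
        try:
            print(r, *query(r, "waf-failover.macys.com"))
        except OSError as e:
            print(r, "error:", e)
```

Note that a public resolver answering NXDOMAIN, as all three did here, does not by itself show where the block originates; the same name may resolve only inside the CDN's own edge network.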