Microsoft Product Activation server reachability
Anybody else having a problem reaching (what appears to be) the sole Microsoft Product Activation server (wpa.one.microsoft.com)? $ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes 36 bytes from 213.199.189.41: Communication prohibited by filter I get this sourcing from our network, from AT&T 3G, and from ye residential DSL connection located in the greater Seattle area. They aren't simply source-filtering. Either that or they are source-filtering for 0.0.0.0/0. This is apparently the only server/IP they have set up to respond to these requests. wpa.one.microsoft.com resolves to that IP via every DNS server I've tried (so no round-robin A records), Microsoft products that need to activate over the internet only try to resolve that FQDN, and I've looked for others without success (wpa.two.microsoft.com isn't valid, for example). -- Nathan Anderson First Step Internet, LLC nathana@fsr.com
I have just tested from Singapore [root@trinity ~]# ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data. From 213.199.189.37 icmp_seq=1 Packet filtered From 213.199.189.37 icmp_seq=6 Packet filtered [root@trinity ~]# telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... [root@trinity ~]# telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... On 1/11/2013 12:24 PM, Nathan Anderson wrote:
Anybody else having a problem reaching (what appears to be) the sole Microsoft Product Activation server (wpa.one.microsoft.com)?
$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes 36 bytes from 213.199.189.41: Communication prohibited by filter
I get this sourcing from our network, from AT&T 3G, and from ye residential DSL connection located in the greater Seattle area. They aren't simply source-filtering. Either that or they are source-filtering for 0.0.0.0/0.
This is apparently the only server/IP they have set up to respond to these requests. wpa.one.microsoft.com resolves to that IP via every DNS server I've tried (so no round-robin A records), Microsoft products that need to activate over the internet only try to resolve that FQDN, and I've looked for others without success (wpa.two.microsoft.com isn't valid, for example).
----- Original Message -----
From: "Nathan Anderson" <nathana@fsr.com> To: "nanog@nanog.org" <nanog@nanog.org> Sent: Thursday, January 10, 2013 11:24:16 PM Subject: Microsoft Product Activation server reachability
Anybody else having a problem reaching (what appears to be) the sole Microsoft Product Activation server (wpa.one.microsoft.com)?
$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes 36 bytes from 213.199.189.41: Communication prohibited by filter
I get this sourcing from our network, from AT&T 3G, and from ye residential DSL connection located in the greater Seattle area. They aren't simply source-filtering. Either that or they are source-filtering for 0.0.0.0/0.
This is apparently the only server/IP they have set up to respond to these requests. wpa.one.microsoft.com resolves to that IP via every DNS server I've tried (so no round-robin A records), Microsoft products that need to activate over the internet only try to resolve that FQDN, and I've looked for others without success (wpa.two.microsoft.com isn't valid, for example).
-- Nathan Anderson First Step Internet, LLC nathana@fsr.com
I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure) [ben@razor ~]$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
From 213.199.189.41 icmp_seq=2 Packet filtered ^C --- wpa.one.microsoft.com ping statistics --- 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms
[ben@razor ~]$ telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... ^C [ben@razor ~]$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... ^C -- Ben
Working now, tested from 3 hosts on different networks on both 80 and 443 : $ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... Connected to wpa.one.microsoft.com. Escape character is '^]'. Scott On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton <carleton@vanoc.net> wrote:
From: "Nathan Anderson" <nathana@fsr.com> To: "nanog@nanog.org" <nanog@nanog.org> Sent: Thursday, January 10, 2013 11:24:16 PM Subject: Microsoft Product Activation server reachability
Anybody else having a problem reaching (what appears to be) the sole Microsoft Product Activation server (wpa.one.microsoft.com)?
$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes 36 bytes from 213.199.189.41: Communication prohibited by filter
I get this sourcing from our network, from AT&T 3G, and from ye residential DSL connection located in the greater Seattle area. They aren't simply source-filtering. Either that or they are source-filtering for 0.0.0.0/0 .
This is apparently the only server/IP they have set up to respond to
----- Original Message ----- these
requests. wpa.one.microsoft.com resolves to that IP via every DNS server I've tried (so no round-robin A records), Microsoft products that need to activate over the internet only try to resolve that FQDN, and I've looked for others without success (wpa.two.microsoft.com isn't valid, for example).
-- Nathan Anderson First Step Internet, LLC nathana@fsr.com
I am seeing the same from NYC metro. According to MS ( http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure)
[ben@razor ~]$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data. From 213.199.189.41 icmp_seq=2 Packet filtered ^C --- wpa.one.microsoft.com ping statistics --- 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms
[ben@razor ~]$ telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... ^C [ben@razor ~]$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... ^C
-- Ben
So the ICMP message "communication prohibited by filter" must be a normal response to ICMP ping through that gateway. Unfortunately, it's not completely fixed yet, but I'm guessing by this measure of progress that they must be working on it. I now get HTTP 403 in response to any request I send to it. Tried to reactive this copy of Windows Server once more anyway, and now get "Online activation cannot be completed at this time." (Message number: 24579) Before, it simply claimed I must not have working internet connectivity. -- Nathan -----Original Message----- From: Scott Howard [mailto:scott@doc.net.au] Sent: Thursday, January 10, 2013 10:55 PM To: Ben Carleton Cc: Nathan Anderson; nanog@nanog.org Subject: Re: Microsoft Product Activation server reachability Working now, tested from 3 hosts on different networks on both 80 and 443 : $ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... Connected to wpa.one.microsoft.com. Escape character is '^]'. Scott On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton <carleton@vanoc.net> wrote: ----- Original Message ----- > From: "Nathan Anderson" <nathana@fsr.com> > To: "nanog@nanog.org" <nanog@nanog.org> > Sent: Thursday, January 10, 2013 11:24:16 PM > Subject: Microsoft Product Activation server reachability > > Anybody else having a problem reaching (what appears to be) the sole > Microsoft Product Activation server (wpa.one.microsoft.com)? > > $ ping wpa.one.microsoft.com > PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes > 36 bytes from 213.199.189.41: Communication prohibited by filter > > I get this sourcing from our network, from AT&T 3G, and from ye residential > DSL connection located in the greater Seattle area. They aren't simply > source-filtering. Either that or they are source-filtering for 0.0.0.0/0. > > This is apparently the only server/IP they have set up to respond to these > requests. wpa.one.microsoft.com resolves to that IP via every DNS server > I've tried (so no round-robin A records), Microsoft products that need to > activate over the internet only try to resolve that FQDN, and I've looked > for others without success (wpa.two.microsoft.com isn't valid, for example). > > -- > Nathan Anderson > First Step Internet, LLC > nathana@fsr.com > > I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure) [ben@razor ~]$ ping wpa.one.microsoft.com PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data. From 213.199.189.41 icmp_seq=2 Packet filtered ^C --- wpa.one.microsoft.com ping statistics --- 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms [ben@razor ~]$ telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... ^C [ben@razor ~]$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... ^C -- Ben
communication prohibited by filter is just an ICMP response code, sadly Windows does not under it...... Type 3 (Destination unreachable) Code 13 (Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering;) ICMP echo request for this ip seems to be filtered by Microsoft. TCP connection to port 80 is working fine. tcping wpa.one.microsoft.com Probing 94.245.126.107:80/tcp - Port is open - time=98.491ms Yang On Fri, Jan 11, 2013 at 2:01 AM, Nathan Anderson <nathana@fsr.com> wrote:
So the ICMP message "communication prohibited by filter" must be a normal response to ICMP ping through that gateway.
Unfortunately, it's not completely fixed yet, but I'm guessing by this measure of progress that they must be working on it. I now get HTTP 403 in response to any request I send to it. Tried to reactive this copy of Windows Server once more anyway, and now get "Online activation cannot be completed at this time." (Message number: 24579) Before, it simply claimed I must not have working internet connectivity.
-- Nathan
-----Original Message----- From: Scott Howard [mailto:scott@doc.net.au] Sent: Thursday, January 10, 2013 10:55 PM To: Ben Carleton Cc: Nathan Anderson; nanog@nanog.org Subject: Re: Microsoft Product Activation server reachability
Working now, tested from 3 hosts on different networks on both 80 and 443 :
$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... Connected to wpa.one.microsoft.com. Escape character is '^]'.
Scott
On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton <carleton@vanoc.net> wrote:
----- Original Message ----- > From: "Nathan Anderson" <nathana@fsr.com> > To: "nanog@nanog.org" <nanog@nanog.org> > Sent: Thursday, January 10, 2013 11:24:16 PM > Subject: Microsoft Product Activation server reachability > > Anybody else having a problem reaching (what appears to be) the sole > Microsoft Product Activation server (wpa.one.microsoft.com)? > > $ ping wpa.one.microsoft.com > PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes > 36 bytes from 213.199.189.41: Communication prohibited by filter > > I get this sourcing from our network, from AT&T 3G, and from ye residential > DSL connection located in the greater Seattle area. They aren't simply > source-filtering. Either that or they are source-filtering for 0.0.0.0/0. > > This is apparently the only server/IP they have set up to respond to these > requests. wpa.one.microsoft.com resolves to that IP via every DNS server > I've tried (so no round-robin A records), Microsoft products that need to > activate over the internet only try to resolve that FQDN, and I've looked > for others without success (wpa.two.microsoft.com isn't valid, for example). > > -- > Nathan Anderson > First Step Internet, LLC > nathana@fsr.com > >
I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure)
[ben@razor ~]$ ping wpa.one.microsoft.com
PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
From 213.199.189.41 icmp_seq=2 Packet filtered ^C --- wpa.one.microsoft.com ping statistics --- 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms
[ben@razor ~]$ telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... ^C [ben@razor ~]$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... ^C
-- Ben
TCP 80 is working fine now; wasn't last night, though. In the past, my recollection is that ICMP ping to actual Microsoft IP space (not simply Akamai) would have simply been blackholed/dropped with no response, so seeing "packet filtered" come back + no response on any TCP ports made it seem like it could be an issue upstream of the actual server itself. But I can now activate/reactivate products today, so all[1] is right with the world. -- Nathan [1] It's Friday and we are only a few days into 2013, so I'm trying to remain upbeat. -----Original Message----- From: Yang Yu [mailto:yang.yu.list@gmail.com] Sent: Friday, January 11, 2013 9:13 AM To: nanog@nanog.org Subject: Re: Microsoft Product Activation server reachability communication prohibited by filter is just an ICMP response code, sadly Windows does not under it...... Type 3 (Destination unreachable) Code 13 (Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering;) ICMP echo request for this ip seems to be filtered by Microsoft. TCP connection to port 80 is working fine. tcping wpa.one.microsoft.com Probing 94.245.126.107:80/tcp - Port is open - time=98.491ms Yang On Fri, Jan 11, 2013 at 2:01 AM, Nathan Anderson <nathana@fsr.com> wrote:
So the ICMP message "communication prohibited by filter" must be a normal response to ICMP ping through that gateway.
Unfortunately, it's not completely fixed yet, but I'm guessing by this measure of progress that they must be working on it. I now get HTTP 403 in response to any request I send to it. Tried to reactive this copy of Windows Server once more anyway, and now get "Online activation cannot be completed at this time." (Message number: 24579) Before, it simply claimed I must not have working internet connectivity.
-- Nathan
-----Original Message----- From: Scott Howard [mailto:scott@doc.net.au] Sent: Thursday, January 10, 2013 10:55 PM To: Ben Carleton Cc: Nathan Anderson; nanog@nanog.org Subject: Re: Microsoft Product Activation server reachability
Working now, tested from 3 hosts on different networks on both 80 and 443 :
$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... Connected to wpa.one.microsoft.com. Escape character is '^]'.
Scott
On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton <carleton@vanoc.net> wrote:
----- Original Message ----- > From: "Nathan Anderson" <nathana@fsr.com> > To: "nanog@nanog.org" <nanog@nanog.org> > Sent: Thursday, January 10, 2013 11:24:16 PM > Subject: Microsoft Product Activation server reachability > > Anybody else having a problem reaching (what appears to be) the sole > Microsoft Product Activation server (wpa.one.microsoft.com)? > > $ ping wpa.one.microsoft.com > PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes > 36 bytes from 213.199.189.41: Communication prohibited by filter > > I get this sourcing from our network, from AT&T 3G, and from ye residential > DSL connection located in the greater Seattle area. They aren't simply > source-filtering. Either that or they are source-filtering for 0.0.0.0/0. > > This is apparently the only server/IP they have set up to respond to these > requests. wpa.one.microsoft.com resolves to that IP via every DNS server > I've tried (so no round-robin A records), Microsoft products that need to > activate over the internet only try to resolve that FQDN, and I've looked > for others without success (wpa.two.microsoft.com isn't valid, for example). > > -- > Nathan Anderson > First Step Internet, LLC > nathana@fsr.com > >
I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure)
[ben@razor ~]$ ping wpa.one.microsoft.com
PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
From 213.199.189.41 icmp_seq=2 Packet filtered ^C --- wpa.one.microsoft.com ping statistics --- 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms
[ben@razor ~]$ telnet wpa.one.microsoft.com 80 Trying 94.245.126.107... ^C [ben@razor ~]$ telnet wpa.one.microsoft.com 443 Trying 94.245.126.107... ^C
-- Ben
participants (5)
-
Ben Carleton -
Nathan Anderson -
Pui Edylie -
Scott Howard -
Yang Yu