Microsoft Product Activation server reachability

Nathan Anderson nathana at fsr.com
Fri Jan 11 22:03:11 UTC 2013


TCP 80 is working fine now; wasn't last night, though.  In the past, my recollection is that ICMP ping to actual Microsoft IP space (not simply Akamai) would have simply been blackholed/dropped with no response, so seeing "packet filtered" come back + no response on any TCP ports made it seem like it could be an issue upstream of the actual server itself.

But I can now activate/reactivate products today, so all[1] is right with the world.

-- Nathan

[1] It's Friday and we are only a few days into 2013, so I'm trying to remain upbeat.

-----Original Message-----
From: Yang Yu [mailto:yang.yu.list at gmail.com] 
Sent: Friday, January 11, 2013 9:13 AM
To: nanog at nanog.org
Subject: Re: Microsoft Product Activation server reachability

communication prohibited by filter is just an ICMP response code,
sadly Windows does not understand it......
Type 3 (Destination unreachable)
Code 13 (Communication Administratively Prohibited - generated if a
router cannot forward a packet due to administrative filtering;)

ICMP echo request for this ip seems to be filtered by Microsoft. TCP
connection to port 80 is working fine.

tcping wpa.one.microsoft.com

Probing 94.245.126.107:80/tcp - Port is open - time=98.491ms


Yang

On Fri, Jan 11, 2013 at 2:01 AM, Nathan Anderson <nathana at fsr.com> wrote:
>
> So the ICMP message "communication prohibited by filter" must be a normal response to ICMP ping through that gateway.
>
> Unfortunately, it's not completely fixed yet, but I'm guessing by this measure of progress that they must be working on it.  I now get HTTP 403 in response to any request I send to it.  Tried to reactivate this copy of Windows Server once more anyway, and now get "Online activation cannot be completed at this time." (Message number: 24579)  Before, it simply claimed I must not have working internet connectivity.
>
> -- Nathan
>
> -----Original Message-----
> From: Scott Howard [mailto:scott at doc.net.au]
> Sent: Thursday, January 10, 2013 10:55 PM
> To: Ben Carleton
> Cc: Nathan Anderson; nanog at nanog.org
> Subject: Re: Microsoft Product Activation server reachability
>
> Working now, tested from 3 hosts on different networks on both 80 and 443:
>
> $ telnet wpa.one.microsoft.com 443
> Trying 94.245.126.107...
> Connected to wpa.one.microsoft.com.
> Escape character is '^]'.
>
>
>   Scott
>
>
>
> On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton <carleton at vanoc.net> wrote:
>
>
>         ----- Original Message -----
>         > From: "Nathan Anderson" <nathana at fsr.com>
>         > To: "nanog at nanog.org" <nanog at nanog.org>
>         > Sent: Thursday, January 10, 2013 11:24:16 PM
>         > Subject: Microsoft Product Activation server reachability
>         >
>         > Anybody else having a problem reaching (what appears to be) the sole
>         > Microsoft Product Activation server (wpa.one.microsoft.com)?
>         >
>         > $ ping wpa.one.microsoft.com
>         > PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes
>         > 36 bytes from 213.199.189.41: Communication prohibited by filter
>         >
>         > I get this sourcing from our network, from AT&T 3G, and from ye residential
>         > DSL connection located in the greater Seattle area. They aren't simply
>         > source-filtering. Either that or they are source-filtering for 0.0.0.0/0.
>         >
>         > This is apparently the only server/IP they have set up to respond to these
>         > requests. wpa.one.microsoft.com resolves to that IP via every DNS server
>         > I've tried (so no round-robin A records), Microsoft products that need to
>         > activate over the internet only try to resolve that FQDN, and I've looked
>         > for others without success (wpa.two.microsoft.com isn't valid, for example).
>         >
>         > --
>         > Nathan Anderson
>         > First Step Internet, LLC
>         > nathana at fsr.com
>         >
>         >
>
>
>         I am seeing the same from NYC metro. According to MS (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to that host on 80 and 443 is all that should be required to activate. (and wpa.one.microsoft.com has no AAAA, go figure)
>
>         [ben at razor ~]$ ping wpa.one.microsoft.com
>
>         PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.
>
>         From 213.199.189.41 icmp_seq=2 Packet filtered
>         ^C
>         --- wpa.one.microsoft.com ping statistics ---
>         6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 5260ms
>
>         [ben at razor ~]$ telnet wpa.one.microsoft.com 80
>         Trying 94.245.126.107...
>         ^C
>         [ben at razor ~]$ telnet wpa.one.microsoft.com 443
>         Trying 94.245.126.107...
>         ^C
>
>         -- Ben
>
>
>
>
>
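
As an added illustration (not part of the original thread), this Python sketch decodes an ICMP error like the 36-byte "Communication prohibited by filter" reply shown in the ping output above: it checks for type 3 / code 13 and reads the quoted IP header to see which probe the router refused. The packet is constructed for the example; the source address 192.0.2.10 and the echo id/sequence values are assumptions, and only the destination address comes from the thread.

```python
import socket
import struct

# Destination Unreachable (type 3) codes; 13 is the one quoted in the thread.
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 3: "port unreachable",
                 13: "communication administratively prohibited"}

def inet_checksum(data: bytes) -> int:
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error, starting at the ICMP header, and the IPv4 header it quotes."""
    if len(icmp) < 28:
        raise ValueError("need 8-byte ICMP header plus 20-byte quoted IP header")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    quoted = icmp[8:]                  # start of the datagram the router refused
    ihl = (quoted[0] & 0x0F) * 4       # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        raise ValueError("quoted datagram is not a complete IPv4 header")
    return {"type": icmp_type, "code": code,
            "meaning": UNREACH_CODES.get(code, "other") if icmp_type == 3 else "not type 3",
            "filtered": icmp_type == 3 and code == 13,
            "probe_proto": quoted[9],  # 1 = ICMP, 6 = TCP
            "probe_src": socket.inet_ntoa(quoted[12:16]),
            "probe_dst": socket.inet_ntoa(quoted[16:20])}

def build_sample() -> bytes:
    """Constructed reply: 8 ICMP + 20 quoted IP + 8 bytes of the echo request = 36."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 2)        # constructed id/seq
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 63, 1, 0,
                     socket.inet_aton("192.0.2.10"),        # constructed source
                     socket.inet_aton("94.245.126.107"))    # destination from the thread
    body = ip + echo
    csum = inet_checksum(struct.pack("!BBHI", 3, 13, 0, 0) + body)
    return struct.pack("!BBHI", 3, 13, csum, 0) + body

if __name__ == "__main__":
    print(parse_icmp_error(build_sample()))
```

A `probe_proto` of 1 means the refused packet was the ICMP echo itself, so a reply like this says nothing about whether TCP 80 or 443 to the same address is reachable.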




