kial,
thanks again for your pcap traces.
I think we are in a position to be able to explain why you are seeing failures. I suspect that elements of this explanation hold for other people seeing problems too.
Working through your traces one at a time:
http_dl_failed -
Lines 1&2 are the DNS query, returning the correct IP for
www.personalfirewall.com of 91.199.212.132.
The session then goes on to pull various elements from the webpage (although you haven't captured the "get" and the reply for the page itself).
Line 74 is where it starts to look strange, because you suddenly hit a new (to this session) IP address of 85.91.228.132. No DNS query has returned this IP address in this session log.
Line 81 sees you doing an HTTP GET of download.comodo.com/download/setups/file_details.js from 85.91.228.132.
Line 121 sees (50 seconds later) the answer from that GET come back with a 503 - service not available.
The problem there is that the IP of download.comodo.com is really 91.199.212.132 (same as
www.personalfirewall.com). You are picking up a cached or otherwise out-of-date DNS entry for download.comodo.com. Also, the fact that you get an HTTP 503 error back suggests to us that you are hitting the internet through a transparent proxy (presumably run by your ISP). You hit the proxy for file_details.js, the proxy tries to hit 85.91.228.132 and gets nothing back because those servers have gone. The proxy returns (we think) the 503 error to you.
https_forums_failed:
This is just talking to the wrong IP address from the start. It is talking with 85.91.228.149, whereas those servers (for forums.comodo.com) are now on 91.199.212.149.
https_forums_failed2:
This is interesting because it includes the coloquy between you and your DNS server.
You ask the DNS server at 172.31.140.69 to resolve forums.comodo.com.
You get the answer back that it resolves to 85.91.228.149. Then you try to start an SSL session with 85.91.228.149 but you're sunk because again the IP address should have been 91.199.212.149.
https_forums_failed3:
ditto
http_forums_failed:
Here your DNS gives the correct IP address for forums.comodo.com (91.199.212.149), but for some reason the connection timed out and the transparent proxy returned a 503 (after 50 seconds).
This one would be worthy of more research, if it was the predominating failure mode.
You can see the monitor at
https://secure1.securityspace.com/netmon/report.html?graphID=28122 trying exactly this and succeeding every 5 minutes from 5 separate monitoring locations.
The 85.91.228.* IP addresses are an IP block which our servers were active on 2 or 3 weeks ago.
The 91.199.212.* block is the current one.
Our DNS servers are correctly configured to serve the newer address range.
I think you will see the apparent availability to you of the forums improve when your ISP kick their DNS servers (or maybe the proxy servers).
The fact that you don't get the problem all the time suggests to us that there may be several Proxy or DNS servers, and only one of them has it's DNS "stuck" at some point in the past.
Robin
Author