Are you getting 403's when downloading? Please read here first

Hi, same issue here. But which IP block is on the sanctions list in this ASN? From your link to the ASN Details, there doesn't seem to be any "strange" country. Would be helpful to know which block or get more info from you so I can reach out to the provider.

Welcome @Pieter_Verschuur!

I don't quite follow. Are you saying your IP belongs to the same ASN as @HaaseIT?

If you expand the IP ranges on that page you will see an IP range belonging to a sanctioned country. I'm happy for you to follow up with your provider in that case.

If it's a different ASN please share your IP information on the thread and I can check.

Hope that helps!

Hi Carly, it is the same: ASN 28753. I don't see any sanctioned country in that list to be honest. Is there a list of countries that you block?

When looking up that ASN I see at least one IP range (185.17.120.0/22) linked to Russia, which I suspect is on the sanctions list. As I do not work for Elastic and do not work with the sanctions implementation there may naturally be more sanctioned connections on the list.

Are we talking about the EU or US sanctions list? As in the EU (as Elastic is a Dutch entity), as far as I know, services can be delivered to Russian entities, unless they are connected to the Russian Federation. An IP range is not (really) connected to a country.
Anyways, even if it is, to me it seems that your blocklist is too strict (eg: blocking whole providers instead of just the IP range itself), causing problems for others.

Thanks for your feedback @Pieter_Verschuur. I appreciate you taking time to give feedback. I can't really opine on which sanctions list this refers to or the legislation in jurisdictions. I'm not a legal contact. I know the basic list of countries and raise requests with the internal team for review and action if it passes their checks. I'm far from an expert here!

In the past I have discussed unblocking of individual IPs not covered by our CDN compared to the current procedure of by ASN with the team responsible and it's not a viable option sadly. Generally I would recommend contacting your ASN on this one.

If there are particular concerns I'm happy to raise a request for the team to discuss further. Let me know if this would help, and if so which IP specifically you are having issues with.

Hope that helps!

So can I assume that you block Russia? (is there a complete list somewhere)

Would be good to raise this with your team again as blocking whole ASNs is really weird. F.e. RIPE (who is in control of all those IP ranges) is not blocking those ranges, so why would any other company be more strict than the authority on the IP ranges and ASNs, which also need to comply with the same rules.

I talked to my provider; they said that the RIPE data is outdated and they will have it updated shortly. I will post here again once the data has been updated.

Thanks so much for following up @HaaseIT! I appreciate the update. Let me know when it's updated. I'll draft the request to send when you confirm.

If yourself and @Pieter_Verschuur could also let me know which assets you are receiving the error for that would also be helpful.

Please recheck our provider's ASN, it should be fine now.

Thanks for the update @HaaseIT. I did check earlier today and have submitted a request to the team. It can take some time to action but I'll revert back when I have an update.

Hello,

We have an issue with a server under HCloud, 5ish days ago we could download the elastic key, and now we seem to be blocked again, resulting in delaying our work.
The server's IP Address is 157.180.27.247. Please whitelist it in order for us to continue working on the server. Thank you!
Best regards,
Metodi Sokolov

Hi @msokolov,

Welcome back! This looks to be an IP related to AS24940 which we don't have blocked. Can you check and confirm you're not using IPv6? That is a common issue that we see on this thread that could be causing the block.

Let us know!

Hello,

I believe it is not due to the IPv6. At least seeing this output tells me that the IPv4 is failing with forbidden:

IPv6:
$ curl -6 https://artifacts.elastic.co
curl: (7) Couldn't connect to server

IPv4:

$ curl -4 https://artifacts.elastic.co

403 Forbidden

Error: Forbidden

Your client does not have permission to get URL / from this server.

We experience the same issue with ipv6 disabled.

I did test with other web pages, and they seem to be working okay, one of which was the discuss.elastic.co and it seems to be fine.

Would appreciate your advice on this.
Best regards

@msokolov this ASN is explicitly allowed on our side, and I've received confirmation from the team on this when others have raised similar issues.

Others who have experienced this issue on Hetzner have found it's down to IPv6 being enabled on the host. I would check the setting and confirm. Otherwise I would recommend following up with the ISP and also sending us a trace as per this post.

Hope that helps!

Hello, I'm getting 403 while trying to install filebeat from official repository. The URL is https://artifacts.elastic.co/packages/8.x/apt/dists/stable/InRelease which resolves to 2600:1901:0:1d7::.

Is it possible to allow connections from 2a01:7e0::/32 please?

Many thanks

UPD: I see that IPv6 is not possible to fix for some reason, is that true? I'm experiencing the HTTP 403 error only on one machine across my fleet, specifically in AS44066. Other machines in 2a02:c206::/32 (AS51167) are good.

Hi @constructed,

We don't support IPv6 sadly. It is something I've discussed with the team before.

I would recommend trying another host in this case.

Hope that helps!

Thanks for the reply, that's what I've figured out while reading this forum. Is there any underlying reason for this or is it Google internal decisions?

In the meanwhile I've figured out the workaround for apt:

# cat /etc/apt/apt.conf.d/83force-ipv4 
Acquire::ForceIPv4 "true";

^ this may be useful for someone
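
The per-address-family check discussed in this thread (`curl -4` versus `curl -6`, and the apt `ForceIPv4` workaround), as an added example that is not part of any poster's message. The function names `probe`, `diagnose` and `main` and the script name in the comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: per-address-family HTTP status check.

# probe FAMILY URL: print the HTTP status seen over IPv4 ("4") or IPv6 ("6").
# curl's %{http_code} is 000 when no HTTP response was received at all.
probe() {
    curl "-$1" -s -o /dev/null --max-time 10 -w '%{http_code}' "$2" 2>/dev/null || true
}

# diagnose V4_STATUS V6_STATUS: classify the pair of status codes.
diagnose() {
    v4=${1:-000}
    v6=${2:-000}
    case "$v4/$v6" in
        403/403) echo "blocked-both" ;;
        403/*)   echo "blocked-ipv4" ;;
        */403)   echo "blocked-ipv6" ;;
        000/000) echo "no-connectivity" ;;
        *)       echo "ok" ;;
    esac
}

main() {
    url=$1
    v4=$(probe 4 "$url")
    v6=$(probe 6 "$url")
    result=$(diagnose "$v4" "$v6")
    echo "IPv4 status: ${v4:-000}  IPv6 status: ${v6:-000}  result: $result"
    case "$result" in
        blocked-ipv6) echo "Only IPv6 gets 403: forcing IPv4 (e.g. Acquire::ForceIPv4 for apt) avoids it." ;;
        blocked-ipv4|blocked-both) echo "IPv4 gets 403: report the IPv4 address and its ASN on the thread." ;;
        no-connectivity) echo "No HTTP response on either family: check DNS and routing first." ;;
    esac
}

# Run only when a URL is given, e.g.:
#   sh check-403.sh https://artifacts.elastic.co/packages/8.x/apt/dists/stable/InRelease
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

A `blocked-ipv4` result with IPv6 at 000 matches the `curl -4` / `curl -6` output posted earlier in the thread; `blocked-ipv6` is the case the `ForceIPv4` setting works around.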

Thanks for sharing your fix @constructed. I'm not quite sure the reason why. But generally we have found disabling IPv6 as you've outlined is a workaround.

Hope that helps!

Hi @HaaseIT, @dios-gg, @pszi, @SpunkyIceke, @Damien_Gustave and @jconnary,

I hope you're all well. I've received word that the ASNs that your IP belongs to have been explicitly allowed. It may take some time to propagate.

If you are still having issues please ensure you have IPv6 disabled, and share the tracing information.

Hope that helps!