Hoping someone can help me with this urgent issue.
All of a sudden, our ecommerce site stopped making connections to PayPal.
I think the issue may be with CSF for some reason (happened overnight) but I cannot figure out how to troubleshoot it.
1. Port 443 is listed in the TCP_IN and TCP_OUT configuration.
2. The nslookup for paypal is fine:
nslookup paypal.com
Server: 10.0.80.11
Address: 10.0.80.11#53
Non-authoritative answer:
Name: paypal.com
Address: 151.101.3.1
Name: paypal.com
Address: 151.101.195.1
Name: paypal.com
Address: 162.159.141.96
3. For the heck of it, I whitelisted what I think are PayPal's IP addresses:
- 151.101.3.1
- 151.101.195.1
- 162.159.141.96
4. Telnet seems to be fine:
telnet paypal.com 443
Trying 162.159.141.96...
Connected to paypal.com.
Escape character is '^]'.
5. CURL works for other connections, but not for PayPal:
CURL Connection successful.
Connecting to PayPal IPN (port 443)...
Warning: fsockopen(): Unable to connect to www.paypal.com:443
WHEN I DISABLE CSF, THEN THE CURL CONNECTION TO PAYPAL WORKS FINE.
Any idea how to get around this issue which suddenly began happening last night?
Port 443 to PayPal blocked but not blocked?!
Re: Port 443 to PayPal blocked but not blocked?!
I think I see the issue.
Apparently, there is SOMETHING in the CC_DENY countries that is now preventing the connection to PayPal's REST server.
Here was our config:
CC_DENY = "CN,BG,BW,ET,GT,IN,IQ,IR,KZ,LT,MA,MY,PK,PL,RU,SG,TR,VN,ZM"
We added CC_DENY_ENABLED = "1" before that line.
We then removed all but the "CN" country to test, and this worked. Connection was made to PayPal REST server.
We are now going to add each country, line by line, to see which one is the culprit.
Are there any limitations to having long lists of countries like the one we had? Is there a better way to filter out these places (since most of them are where we see thwarted attacks against our server, either from connection attempts or SMTP Auth attempts)?
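Added example (not part of the original posts, and not CSF's own code): instead of re-adding countries one at a time, the addresses from the nslookup can be checked against each denied country's CIDR list to see which code covers them. The zone ranges below are constructed, "ZZ" is a placeholder country code, and the function names are hypothetical; in real use ZONES would be loaded from whatever per-country CIDR data the firewall is using.

```python
import ipaddress
import re

# CC_DENY line in the format shown in the post (country list shortened here).
CSF_CONF = 'CC_DENY_ENABLED = "1"\nCC_DENY = "CN,RU,ZZ"\n'

# Constructed per-country CIDR lists, NOT real GeoIP data. "ZZ" is a
# placeholder code; one range was chosen to cover an address from the post.
ZONES = {
    "CN": ["192.0.2.0/24"],
    "RU": ["198.51.100.0/24", "203.0.113.0/25"],
    "ZZ": ["162.159.128.0/17"],
}

# Addresses returned by the nslookup in the post.
RESOLVED = ["151.101.3.1", "151.101.195.1", "162.159.141.96"]


def parse_cc_deny(conf_text):
    """Return the country codes from the CC_DENY = "..." line, in order."""
    # "CC_DENY\s*=" does not match CC_DENY_ENABLED, so only the list is read.
    m = re.search(r'^\s*CC_DENY\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    if not m:
        return []
    return [c.strip().upper() for c in m.group(1).split(",") if c.strip()]


def find_blocking_codes(ips, codes, zones):
    """Map each IP to the (code, cidr) pairs in the deny list that cover it."""
    hits = {}
    for ip_text in ips:
        ip = ipaddress.ip_address(ip_text)
        matches = []
        for code in codes:
            for cidr in zones.get(code, []):
                net = ipaddress.ip_network(cidr, strict=False)
                # Skip IPv4/IPv6 mismatches rather than comparing across families.
                if ip.version == net.version and ip in net:
                    matches.append((code, cidr))
        hits[ip_text] = matches
    return hits


if __name__ == "__main__":
    result = find_blocking_codes(RESOLVED, parse_cc_deny(CSF_CONF), ZONES)
    for ip, matches in result.items():
        print(ip, "->", matches or "not covered by any denied country")
```

An address with an empty match list is not covered by any denied country in the data supplied, so a block on it has to come from another rule.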