Bert2005

Would a new switch or switch configuration solve my problem?

OK. I asked a similar problem before, but I have never really solved the problem. I want to go at it at a different angle. By the way, if you have time and want to read my previous question and all of its replies and you have time to read a question which makes "War and Peace" seem like a two-page essay, here is the link:

https://www.experts-exchange.com/questions/21635300/11-out-of-14-Internet-Connections.html

At that time, three of 14 computers would intermittently connect to the Internet, although they would always connect to the rest of the network. It is important to note that those three computers had one thing in common. They were used exclusively by my physician partner. Now it is spreading in that the computer in his office will only reach the Internet 20% of the time. Since he requires Internet access to help with decisions in his practice, he tends to go to the nearest computer where there is 100% Internet access. Well, you guessed it, that computer no longer works.

All of the other PCs connect to the Internet 100% of the time as well as the network. There are no problems with DNS. All of the PCs (all 14) have static IP addresses and are connected through a NetGear switch through a Cisco PIX firewall to our T1 via ChoiceOne.net. So far for troubleshooting I have:

1. Changed the network cards in all of the PCs in question
2. Run a brand new Cat5e cable from each PC directly to the switch, thereby bypassing the wall switch and cable running through the attic
3. I have switched the "bad" computer's port with a "good" computer's port. The bad computer remained bad, and the good computer remained good.
4. I have tried changing the duplex speed in the "bad" computers to every conceivable speed from Auto sense or negotiate to 10Mbs 1/2 duplex, full duplex and 100Mbs 1/2 duplex and full duplex. The only interesting thing is that on one of the "bad" computers, if you leave it on Auto sense, you may get to the Internet 20% of the time, if that, but if you change it to 100Mbs full duplex, you not only lose Internet access, you lose connectivity to the network.

I don't know much about switches and configuration of the speeds. I have read that each (the switch and the client) should be on the same speed and duplex in order for packets to run both ways. But, no matter what I set the good computers at, they run fine, and no matter what I set the bad computers at, they run terribly.

I have a question about switches. Since the 3Com Baseline 24 port switch I am looking at purchasing is supposed to auto configure the speeds, would you want your network adapters to be at a set position? I mean can they configure each other to the fastest speed if they are either auto sensing or auto configuring? Is the NetGear switch I am using (I apologize I don't have the model number -- I can get it), working just as the 3Com switch would? Does it matter how good the switch is? Would investing in top of the line network adapters make a difference?

No matter how much I troubleshoot, it seems to come down to the fact that the problem is with the computers themselves and not with the switch or router.

Of course, the fact that all five "bad" computers are used mainly by one person makes one wonder if he is the common denominator. We use a corporate NAV and there is no spyware on the PCs. Ironically, while I may download and install multiple software programs a week, I never have a problem and yet he NEVER downloads software or games. He doesn't know how to. The only thing he does consistently that is different than the rest of us is that he goes to Adelphia.net constantly to check his web mail, but that shouldn't matter. This is oh so perplexing.

This should be worth 5000 points, but I can only offer 500. Thanks.
SELSupport

A few questions:
This switch is a dumb switch? I take it it is 100Mbps?
Can you confirm that you are accessing the Internet via standard routing processing, as opposed to a proxy?

As a matter of interest all default configurations on managed switches have auto negotiation configured; all dumb switches have auto negotiation on no matter what. It has been said that auto negotiation sometimes has problems. I know of people who have had this happen, but never to myself. My own experience is it's reliable. In any case if auto negotiation was failing there would be no communication with the local network never mind the Internet if negotiation was your problem.

Have you checked that when this problem is occurring you can ping the router, then try pinging the IP address of an Internet host, such as an Internet DNS server, and then try pinging www.google.com (this is all assuming your corporate policy and PIX configuration allow for this)? I like pinging Google as they're one of the few people that don't block ICMP. See if you get an IP address returned when pinging. If you get an address, but no replies, that means that DNS is working but something is blocking your pings. When the Internet is working again test all these things again and watch for the differences.

If all else fails could you post your PIX config, the IP addresses of the machines you're having trouble with and any other relevant info?


ASKER

SEL, thanks for your suggestions:

Here are your answers, I hope:

It is a Netgear 10/100 Model# JFS524 Fast Ethernet Switch with auto sensing.

I do not believe we are using a proxy. I went to a "bad" machine when it was not accessing the Internet but was accessing the network (which is always the case) and it:

Could ping the router
Could not ping the DNS, but none of the PCs can
Could ping the server
Could ping remote host computers
Could not ping www.google.com but could access it via nslookup (none of my PCs could ping www.google.com)
Could not ping www.cnn.com but could do an nslookup (none of my PCs could ping www.cnn.com)

On Google on the bad machine, the error message was it could not find host. While on www.cnn.com it just showed Request Timed Out four times.

My PIX configuration is already posted on another question:

https://www.experts-exchange.com/questions/21509148/How-do-I-open-UDP-port-2023-on-PIX-501.html

The IP addresses of four out of five of the PCs (I am working on the other one at the moment) are

192.168.1.x
255.255.255.0 for the subnet
The Gateway address

DNS1
DNS2

where x = 24, 21, 14 and 57

I hope this helps.

By the way, the "bad" computer that was working is no longer working. They come on and off quite frequently.
OK,
I actually took a bit of time and scanned over your 'War and Peace' effort. I have to admit it got a bit boring near the end and I started scanning.
To answer one problem that came up in that post, I reckon the reason that the forwarders tab is greyed out is because you have a 'root' zone configured in DNS. If you go back into the DNS tool and expand 'Forward lookup zones', underneath this I reckon you have a zone called simply '.' as in "dot", as opposed to "yourdomain dot whatever". Delete this entry (it's OK, don't be afraid) and go back into where the forwarders tab is and it should no longer be greyed out. All this entry does is make this server the root DNS server, which means in English that as far as it's concerned it knows everything about the DNS namespace and the Internet namespace does not exist.

Another thing you could do for testing is set the DNS server for one of the machines that has trouble to an Internet DNS server and see how reliable it is. Be aware that if you do this you will not be able to talk to the domain, and will not be able to log in using a domain account (unless cached credentials are used). Only do this to see if it improves their reliability and try not to log off (if you do, your username and password should be cached locally and should still allow you to log on, but you must make sure you have a local administrative username and password if all else fails).

Let me know
SEL:

Thanks. Ironically, I did a search a couple of days ago on Enable Forwarding and found numerous articles, including on here, about deleting the '.' zone. I was a bit leery at first, but I did and was able to set forwarding which, of course, did nothing to solve the problem. I can't understand why all of the other PCs have no problems with DNS and these five do.

Anyway, I will try your suggestion. Please explain what I can use for an Internet DNS server.

Thanks.
When you do your ping request, does your command prompt at least display a number (i.e. Pinging google.com (64.231.255.22))?

I would check to make sure that there aren't any entries in the HOSTS file. Some spyware & spyware blockers will change that file.
Markie,

On the good machines, I get the following. On the "bad" machine WHEN it does access the Internet I get the following as well. On the "bad" machines that are not accessing the Internet, they do not get the 216.239.37.147. I will check the HOSTS file.

C:\Documents and Settings\Name>ping www.google.com

Pinging www.l.google.com [216.239.37.147] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.239.37.147:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

OK....where do I find the HOSTS file? Is it opened with notepad? Should there be no entries in it?

Bert
Look for the HOSTS file in  C:\WINDOWS\system32\drivers\etc

It has no extension and can be opened with Notepad.

The only entry there by default is

127.0.0.1       localhost


Cheers,

Gary
Thanks, I found the files. They all just have the 127.0.0.1. The only difference between the machines which cannot intermittently connect is they have a file called hosts.bak where the connecting machines do not.

I also tried repairing Winsock2, but I don't think it was corrupt anyway, because I used the Ms32... thing to check, and it all seemed cool.

I am beginning to wonder if the only way to fix it would be to reinstall Windows XP on those machines. Of course, that would be a lot of work if it didn't fix the problem.
Well, I am going to stop for the night. This just gets so frustrating. As I stated in the "War and Peace" TA before, I can't get past the coincidence that these five computers are used by one person. Everything I do seems to lead to the fact that it's due to something on those computers and not a more global issue like DNS servers not being forwarded on the server.

Also, could someone answer why the switch should be autonegotiation and the network cards are as well. Shouldn't at least one of them be fixed on 100 Full? Sorry, I know very little about networking, which is why I am here.

I will check back tomorrow. Thanks for all the suggestions.
Make sure there are no firewalls, such as Norton Internet Security on the systems.
Switches and cards should always be left to Auto negotiate.
As a last resort, before toasting the machines, you can try resetting the Winsock LSP catalog:
Assuming you have XP SP2, go to command prompt, and type "netsh winsock reset catalog"

That will set your TCP/IP settings back to Windows defaults. The only issue is that sometimes you will have to reinstall AV software, or software that uses the network.
Since you have a server and are running your own DNS, I would suggest that you set up DHCP on your local network. That way, the clients will query the DHCP server when they need an address, and the DHCP server will give an address and also point the clients at the DNS servers and gateways that it is supposed to use. I am a strong believer that static mapping is almost never a good idea. Networks, for the most part, are pretty much plug and play. If you have to statically map addresses or mess with negotiation settings on your NICs, something is seriously wrong.
Hi Bert,

One thing that might tell you what's happening on those machines is to do a packet trace on one of the offending PC's when it has this problem. That could tell you a lot about the DNS queries, TCP connections and retries, ARP's, broadcasts and so on.

There's a free program called Ethereal that you can pick up at http://www.ethereal.com that would do the trick. It's pretty easy to install and I could give you some pointers on how to do the capture and help you read the results.  A good practice is to get a trace when it fails and a working trace and compare the two.  We would also need a place where you could upload the files so I could download them.

Gary
Keith Alabaster
Rebuilding the machines is one option obviously and is sometimes the most expedient way to move forward.

Is there a reason why you use static addressing rather than DHCP?
Are all of your machines on the same subnet or are there internal routers/vlans involved at all?

www.yahoo.com is a remote site that will respond to pings.
Have you tried performing a tracert to a remote site? Compare a good machine to a bad machine. Where do the boxes that give you trouble stop? Again, perform this on a good machine and compare.

Is there any difference for these machines at different times of the day?  ie when the internal network is busy/not busy?

Concerns me a little that these machines have backup copies of the hosts file but this would not make the issue intermittent.
Do a 'route print' on a good machine and a bad machine. Apart from the local aspect, are the default gateways (the 0.0.0.0 first entry) the same?
A little thing about switches... and previous problems I had.

Duplex.

A few years ago I had problems with some computers in my network (6 Cisco Catalyst 40 ports) because of the duplex setting. It seems that while both the switch and NIC were configured 'auto sensing' the network connection became very unstable. Setting both the NIC and switch at full duplex solved the problem. Cisco will report switching errors, don't know about your switch though.

ARP tables.

Another thing is the ARP address allocation on switching ports. For a switch to be 'intelligent' it collects and remembers the media addresses connected to the ports (MAC) in what's called an ARP table. The problem I had was small office hubs connected to the ports. It seemed like the switch was unable to allocate that many addresses to one port and just started to broadcast over the whole net. Still convinced this could never happen, but the practice showed different.

Packet handling.

Some switches are able to do packet handling. Setting wrong priorities on important packets 'can' influence connection stability.

Broadcast / Unicast (1.1.1.1).

Make sure that your network connections are not flooded. If you are using Ghostcast (Norton Ghost) or other broadcast applications (like some process automation systems) make sure it is done in another network or that your switch is configured to tunnel the traffic (if no other means are possible).

My guess would still be option 1, for you said 'repairing' your configuration in Windows temporarily solves your problem, in which case you are doing an IP refresh (spoof). Another thing might be that for some reason the refresh which is triggered with the ending of the DHCP lease doesn't go well.

The best way to find out is to use Netmon or another traffic analyser to find out what happens. But please make the difference between the physical connection, or the fact that it runs an unconfigured connection.

If it is a physical problem (no connection at all), then concentrate on the settings switch -> NIC (speed and duplex).

Else analyse the network traffic to see what goes wrong.

GL

Greets, Chris Gralike
Hey everyone,

Thanks for all the posts. I just got to the office, so I will respond to each. A few are over my head, so bear with me. Plus, wouldn't you know it, the server monitor just bit the dust, and I had to go buy a new monitor. At least I bought an LCD 17 inch, pretty fancy for a server monitor.

I will post back in a few. Thanks.
Bert

PS I think we are working on another "War and Peace." This would probably be a whole lot easier with my IT guy here who put together the LAN. But, he's not so I am all there is for now.
Bert,
Your intermittent problem seems to be related to routing of some description. Have you tried this command:

netsh winsock reset

I would say 99.9% it is a routing subsystem fault, but what has caused it is another question. Issue this command from the command prompt (Start|Run|cmd<ok>)
Run this command and let me know if it helps any.
Forgot to say, restart your PC afterwards.
Also apologies for spelling in related!
There are no software firewalls except the Cisco PIX/Firewall. Somehow Windows firewall will activate itself after doing some configuration, but I generally shut it down. At the moment all cards are set to Autosense, although I should tell you that I DON'T KNOW WHAT THE PORTS ARE SET AT ON THE SWITCH or how to check them. I know, I hate all caps as well, but just wanted to make sure you knew.

I have reset the Winsock and LSP catalog with software and with the command prompts.

The server has DHCP enabled, but all of the computers are set to static IPs. I don't know why, this is just how it was configured by our IT people. All of the "good" computers have static IPs as well. Would that possibly still affect the bad computers? Since DHCP is enabled on the server, could I just change the computers to DHCP? And, would I have to change all the computers on the network to DHCP or just the computers that are intermittently connecting?

I will try a packet trace using the program you said. I do have the ability to upload the files to a website once I have done this.

When you say "rebuild" are you referring to reformatting all of them? This would be a last resort and only after my IT guy looked at the problem. I asked him once, and he kind of blew it off. I sent him the "War and Peace" TA and he said he would read it but didn't. To be fair, if I called him for the express purpose of fixing this, he would, and I would pay him.

All machines are on the same subnet as far as I can tell. They are all connected directly to the switch, and there are no hubs or anything. I will try a tracert as well. To answer your question about the time of day, it doesn't matter, and I do a lot of troubleshooting after hours, and it doesn't matter. Remember, these machines ALWAYS connect to the network and can communicate with each other and the server and run programs that require databases on the server with no problem.

The default gateways are all first and all connection settings are the same with the exception of the IP address having a different octet at the last position. All of the default gateways are the same as the router. Not sure how to do a 'route print.'

As for Duplex, I should be up front and tell everyone that I don't know what the switch is set at. It was pretty much "Plug and Play" from the beginning. I don't know how to check the switch which is a Netgear. We used to have a hub which was much slower, but we didn't have this problem. I wish I could say the problem started since we installed the switch (by the IT guy so it should be close to right), but it could have happened many weeks after. I don't know.

I know nothing about Arp tables. I don't know how to make sure that my network connections are not flooded. If they were, would I have problems on the LAN as well?

Bert,

Here's another tool that I ran across. It says:

# These tests will determine:
# The slowest link in the end-to-end path (Dial-up modem to 10 Gbps Ethernet/OC-192)
# The Ethernet duplex setting (full or half);
# If congestion is limiting end-to-end throughput.

# It can also identify 2 serious error conditions:
# Duplex Mismatch
# Excessive packet loss due to faulty cables.

It can be found at these 2 links.

http://netspeed.stanford.edu/
http://miranda.ctd.anl.gov:7123/

After you run the test, click on "more details" for additional info. Kinda hard to read though.

Gary
SEL,

No problem with the spelling; that is the least of my worries.

I have tried the netsh winsock reset as well as the similar command where you make a log file. It doesn't help.
This is going to sound like a real cop-out, but I tell you the truth. It could be the problem is with the switch. In the past I have had a few weird and wonderful problems with netgear dumb switches, while others work fine. If you could even borrow another switch from someone or temporarily reinstate the old one to rule it out. I have had similar problems before with netgears and another real cheapo make where very similar things happened; local comms were fine, while remote comms were up the left.
Does the switch have multiple VLANs configured? (i.e. are there different subnets connected to it or just one)

The ARP table (or MAC table) has a list, for each port, of the hardware address of the device(s) connected to it, and that's how it knows which port to forward the frames to. If it doesn't know which port the device is on, it floods the frame to all ports, and if it gets a reply, it will put that port/MAC into the table.

Remember, since this is a switch at layer 2, IP addresses aren't in this picture.

If you have DHCP running on the DNS server (and it has the correct values to dish out) you can turn it on any PC you want. They don't have to all be using it (and may not be able to depending on the size of the pool). It may not work if they have to match a MAC address in the dhcpd.conf file, which is sometimes done as an added security measure.

Gary
I would agree with SEL. If you could swap out the switch with another, it would help to rule it out. It still doesn't make sense that it only happens to PCs that the physician touches.

Gary
Well, this is ironic. I have been wondering about the switch the whole time. Maybe the ports that go to those computers are configured wrong, but that would be a weird coincidence.

Actually, since a good baseline 24-port 3com is only $130.00, may as well just buy it.

SEL, how long do I let Ethereal run or does it stop on its own?
Oh and, by the way, I tried two of the PCs on DHCP, and that didn't help them.
So far,

The good machine is 90% TCP, 8% UDP and 2% ARP while

The bad machine is 75% UDP and 23% ARP with 2% TCP.

Is that bad?
Actually, that was the title of my question -- i.e. the switch? But, I'm not going to run out and buy a new switch without the Experts opinion.
I wouldn't let Ethereal run for more than a few minutes in this scenario as you'll end up with too much info to wade thru. BTW, it wasn't me who suggested Ethereal; it was grsteed. Also, from the traffic distribution it looks like your computer is trying to get the physical addresses of Internet hosts, which means that you are seeing all traffic as local. I remember something about this ages ago; I will look into it and get back to you.
That was me that mentioned Ethereal.  ;-)

What you should do is since it was failing even basic ping test, you should start the capture, and then do the ping test until it fails, then stop the capture.  The idea is to get the failure in as few packets as possible so you don't have to wade through a bunch.  On a busy system, it can overwhelm you fast.

Gary

Look at the ARP queries in ethereal and see what they're looking for
Sorry about the miscommunication. There are a lot of messages to wade through.

I am not sure if I am doing the Ethereal program correctly as there doesn't seem to be much information to wade through at all. Good machine = almost all TCP, Bad machine = mostly UDP and some ARP with almost no TCP.

Which ping are you referring to?

Again, I appreciate all the help. I don't think there are any VLANS on the switch.
Thought of something else; go to Network connections, Right click the LAN connection, properties, select TCP/IP, properties, advanced, select the WINS tab and make sure the LMHOST check box is not checked.
"Bad machine = mostly UDP"

I would expect that if it were a DNS issue since it uses UDP.

As far as not much to wade through, that's pretty normal for an end user PC. Different story on a server.  ;-)

I will check that.

I uploaded the results of the Ethereal test. It was without the ping, which I will gladly do if I know how.

Go to:

http://www.ibackup.com

Username: experts
Password: switch1
LMHosts is checked on all machines. I unchecked it on the machine that didn't work, and it didn't make a difference. Do I need to reboot?

Also, if it is a DNS problem, it would pretty much have to be on the bad machines, correct? A problem with their doing names, correct? I always think the key is finding a problem that would make the machines not connect that would also be a problem that could be caused by one user. It's frustrating because this user doesn't download anything (doesn't know how), doesn't play games, etc. while I have five or six staff that download everything from Jewel Quest to cute screensavers and do Ebay on their lunchbreak (not that that would cause a problem), and their machines are fine.
Gary,

Thanks for the idea. This is an analysis from my computer which, of course, works. I think the problem would be that there is no way to run the test from the computers that don't connect, as one needs to connect to that website to run the test. It wouldn't be helpful to run it while it is working, would it? I'm just asking. Thanks.

TCP/Web100 Network Diagnostic Tool v5.3.4e
click START to begin
Checking for Middleboxes . . . . . . . . . . . . . . . . . .  Done
running 10s outbound test (client to server) . . . . . 687.02Kb/s
running 10s inbound test (server to client) . . . . . . 647.17kb/s
Your PC is connected to a Cable/DSL modem
Information: Other network traffic is congesting the link

click START to re-test
Bert,

I picked up the good/bad files. Can you tell me (so I don't have to read War and Peace) what the IPs are for the problem PC and DNS servers? I see a half a dozen addresses in the 192.168 range. Also, what's the router IP?

I'll look this over, but could you do one using ping. Go to start > run > cmd and enter   ping www.google.com
Also when you export the data to Plain Text, select All Packets under Packet Range and Packet Summary Line, Packet Details, and All Expanded under Packet Format.

The IP for the router is 192.168.1.1

PC 1 192.168.1.14
PC 2 (bad file) 192.168.1.24
PC 3 xxx.xxx.etc.42
PC 4 xxx...21
PC 5 xxx...57

DNS1 64.65.196.6
DNS2 64.65.208.6

And, I can't believe you don't like to read Leo Tolstoy

I will ping google.
And, should I export using captured or displayed?
Captured.

Don't mean to be a pain, but the bad capture has over 2800 packets!!
Can you tell me what computers are at 192.168.1.143, 192.168.1.14, 192.168.1.27? Are these bad computers or good ones?
What application is on this computer using port 8473? It is broadcasting to the network; also this computer seems to be not responding to ARP requests. You have ruled out the possibility of conflicting IP addresses, haven't you?
On this bad computer the only traffic that is working properly is this application running on 8473. You must find out what this is. Is it possibly the application you mentioned earlier that you said continued to work? Is this application only on the bad computers?
Also, any particular reason why you have IPX running? Do you have apps that only understand it, or are you running a Novell infrastructure as well as your Microsoft one?

PS, I'm going to bed now as it's almost 3AM here and I have to be up in 6 hours. Nite nite and I'll pick it up in the morning
PPS, scrub that statement about not responding to ARPs; it is... D'oh!
SEL,

First, I uploaded those with pings. I couldn't do Packet Range. These will have fewer packets as I only did about one minute instead of ten. Sorry, every analysis I have ever done finished on its own.

All of the IP addresses I gave are the bad PCs: 14, 24, 21, 42, and 57. Yes, I have ruled out IP addresses being the same. In fact, you can't make them the same or you get an error message.

You will have to tell me how to find out 8473. I have no idea how to do that. Again, I am a pseudo-networker, a little above Networking for Dummies, but not much.

SEL,

Again, I have no idea what IPX is and how to know if it is running. I feel bad because if my IT guy were here he would know all these terms. If you educate me on IPX and 8473, maybe I can answer. But, thanks, and do get some sleep.
Just an FYI, as far as I know there is no 143. I saw a lot of 192.168.1.43 which is my computer. Is this the one that could have the application on it? My computer, unlike the workstations in the exam rooms, is loaded with software. But, my computer ALWAYS accesses the Internet.

I don't remember a statement about an application working; I think I may have said that all of the computers always access the server and the LAN but not the Internet. Sorry, if I was confusing.
One more FYI:

I was trying to help by comparing my PC, 192.168.1.43 which I referred to as the Good PC with the Bad computer. That computer's IP address ends in 24 if that helps anyone.
Ok, just some initial observations on the last bad-ping trace.

The .24 PC sends out multiple DNS requests for www.google.com and gets no answer. That we kinda knew already. It also sends NetBIOS requests and gets no answers. That is to be expected.

The requests correctly go to the router 192.168.1.1 and the MAC for that matches good requests. It tries both DNS server addresses 64.65.196.6 and 64.65.208.6.

I don't see any problem with the request packets compared to a similar test on my PC.

So it looks like the problem is leaving here just fine. ;-)  

What we still don't know is whether the request is getting through the switch/router and out or if it's getting lost on the way back.

I'll keep sifting through it for a while.
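The traffic-mix comparison Bert posted (90% TCP on the good PC, mostly UDP and ARP on the bad one) and grsteed's trace reading above can be reproduced over a packet-summary export. This added example (not code from anyone in the thread) walks a list of packet rows, computes the protocol mix, pairs each DNS query with its response by transaction ID to list the queries that never got an answer, and flags ARP requests for addresses outside the local subnet, which is the "seeing all traffic as local" sign SEL described. The traces and the Packet record layout are constructed; the addresses are the ones given in the thread, except that one ARP request for a DNS server is added to the bad trace purely to exercise that check.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """One row of a packet-summary export (field layout chosen for this example)."""
    proto: str                  # "TCP", "UDP" or "ARP", as in Ethereal's protocol column
    src: str                    # source IP (for ARP: the sender's IP)
    dst: str                    # destination IP (for ARP requests: the IP being asked for)
    kind: str = "other"         # dns_query | dns_response | arp_request | arp_reply | other
    txid: Optional[int] = None  # DNS transaction ID, pairs a query with its response


def protocol_mix(packets: List[Packet]) -> dict:
    """Percentage of packets per protocol, the figures Bert quoted from Ethereal."""
    counts = Counter(p.proto for p in packets)
    return {proto: round(100 * n / len(packets)) for proto, n in counts.items()}


def unanswered_dns(packets: List[Packet], host: str) -> List[Tuple[int, str]]:
    """(txid, dns_server) for every DNS query sent by host with no response coming back."""
    answered = {p.txid for p in packets if p.kind == "dns_response" and p.dst == host}
    return [(p.txid, p.dst) for p in packets
            if p.kind == "dns_query" and p.src == host and p.txid not in answered]


def arp_for_nonlocal(packets: List[Packet], host: str, subnet: str) -> List[str]:
    """ARP requests from host for addresses outside its subnet: the host thinks a remote
    address is on the LAN, which points at a wrong subnet mask or missing default gateway."""
    net = ip_network(subnet)
    return sorted({p.dst for p in packets
                   if p.kind == "arp_request" and p.src == host
                   and ip_address(p.dst) not in net})


def diagnose(packets: List[Packet], host: str, subnet: str) -> List[str]:
    """Human-readable findings for one host's trace; an empty list means nothing stood out."""
    findings = []
    tcp_share = protocol_mix(packets).get("TCP", 0)
    if tcp_share < 10:
        findings.append(f"TCP is only {tcp_share}% of traffic: no connections are completing")
    lost = unanswered_dns(packets, host)
    if lost:
        servers = ", ".join(sorted({s for _, s in lost}))
        findings.append(f"{len(lost)} DNS queries unanswered (servers tried: {servers})")
    stray = arp_for_nonlocal(packets, host, subnet)
    if stray:
        findings.append(f"ARP requests for non-local addresses: {', '.join(stray)}")
    return findings


# Constructed trace for the good PC (.43): ARP to the router, one answered DNS query,
# then a TCP conversation with the resolved Google address from the ping output.
GOOD_PC, BAD_PC, ROUTER = "192.168.1.43", "192.168.1.24", "192.168.1.1"
DNS1, DNS2, GOOGLE = "64.65.196.6", "64.65.208.6", "216.239.37.147"
GOOD_TRACE = [
    Packet("ARP", GOOD_PC, ROUTER, "arp_request"),
    Packet("ARP", ROUTER, GOOD_PC, "arp_reply"),
    Packet("UDP", GOOD_PC, DNS1, "dns_query", 0x1A2B),
    Packet("UDP", DNS1, GOOD_PC, "dns_response", 0x1A2B),
] + [Packet("TCP", GOOD_PC, GOOGLE) for _ in range(4)] \
  + [Packet("TCP", GOOGLE, GOOD_PC) for _ in range(4)]

# Constructed trace for the bad PC (.24): router ARP works, DNS queries to both servers go
# unanswered, NetBIOS broadcasts go out, and one ARP asks for a DNS server as if it were local.
BAD_TRACE = [
    Packet("ARP", BAD_PC, ROUTER, "arp_request"),
    Packet("ARP", ROUTER, BAD_PC, "arp_reply"),
    Packet("UDP", BAD_PC, DNS1, "dns_query", 0x0101),
    Packet("UDP", BAD_PC, DNS2, "dns_query", 0x0102),
    Packet("UDP", BAD_PC, DNS1, "dns_query", 0x0103),
    Packet("UDP", BAD_PC, "192.168.1.255"),          # NetBIOS name query broadcast
    Packet("UDP", BAD_PC, "192.168.1.255"),
    Packet("UDP", BAD_PC, "192.168.1.255"),
    Packet("ARP", BAD_PC, DNS1, "arp_request"),      # constructed: ARP for a remote address
]

if __name__ == "__main__":
    for label, trace, host in (("good", GOOD_TRACE, GOOD_PC), ("bad", BAD_TRACE, BAD_PC)):
        print(f"{label} PC {host}: mix {protocol_mix(trace)}")
        for line in diagnose(trace, host, "192.168.1.0/24") or ["nothing stood out"]:
            print("  -", line)
```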

Grsteed,

I sincerely appreciate all of your efforts. I love Experts, I just wish I could offer 5,000 points rather than 500, but then I guess that would not work with comparing everyone or whatever.

I did do a netstat command, and both my PC and the .24 PC are using UDP 8473. Not sure what that means.

Two things:

One, awhile back when I was trying to get my computer online fax (RingCentral.com) to work (it ended up being their problem), I tried to tweak the firewall a bit. I am not sure if I screwed something up. In my 2nd post above (3rd post overall) are some before and after firewall settings. It would seem to me though that the firewall would either allow it or not -- not intermittently.

If this helps, it seems like the intermittent connectivity is becoming less intermittent and more not connecting. I only say that because in War and Peace someone said that a switch can start to go and get worse. It seems like you and SEL seem to be the most invested here so if both of you or one of you gives the word, I would purchase a 3Com or whatever switch you suggested. I imagine the 3Com is online. For your information, we have BestBuy, Circuit City, and Staples for retailers of this type of equipment. I guess I would want to make sure I would know how to configure the switch or at least look at the settings.

The thing that ALWAYS gets me is that if it were the switch or the ports of the switch, I would be much more likely to 'buy' it if it were a computer in Room 4 (my exam room), two of my partners, and maybe my computer. It just seems so strange that it is his five computers.

I am heading out of the office, but I will check from my home PC to see if you posted, then check back tomorrow. Not that you have nothing better to do than get my LAN to work, but I will be able to check posts all day tomorrow as I am in the office all day.

Thanks.

Sorry, one more thing if it helps.

We don't use email in the exam rooms, but when the computer on the nurses' station doesn't connect to the Internet, their email doesn't work either. I doubt that is strange as they both require connecting to the Internet, just thought I would mention it. And, another thing, while we are on email, they only thing that my physician partner does that no one else does, is to check his email constantly on Adelphia.net. But, I can't see how that would change anything.
Here's another thought.  Have you tried power cycling the switch/router to see if access is restored, at least temporarily? Also booting the PC into safemode w/networking?  I'm just wondering if the PC is doing something to "confuse" the switch or router.

Also, you would only need IPX protocol if you were using Novell networking. Not used much these days so you could probably turn it off in your Network Configuration.


Gary
I have tried rebooting (turning off the power if that is what you mean) to both the switch and router. That hasn't helped at least not before.

Are you saying to go into safemode with networking to see if it connects? Will a browser work in safemode? I can't find IPX protocol on my PC.

Just wondering? What would happen if I uninstalled and reinstalled TCP/IP in the connection settings?

btw - port 8473/tcp is used by/registered to Virtual Point to Point  whatever that is.

I don't think it's anything in your PIX config as that would affect ALL users.

I still don't have enough hard evidence that it's the switch.  It would be nice to replace it and see if you could borrow one or maybe get one with a return policy. As far as configuration, for an unmanaged switch it's pretty much plug-n-play.

Gary
Is IPX on the bad PC's?  SEL said he noticed something in the original capture. I didn't look at that one very closely.

You should be able to use the browser in safemode w/networking.

Re-installing TCP/IP wouldn't hurt.

Gary
Gary,

Yeah, I finally figured out 8473 as well. We do have a VPN to the hospital?

Again, I would gladly buy one, but I agree with you.

I have no idea where to find IPX.

Safemode allowed browser as you said, but it didn't work.

I will re-install TCP/IP after the next piece of info is dissected.

This may be helpful! I swear I have done this before with no results, but I must admit I only gave it about thirty seconds to reboot. I rebooted both the switch and router and left them off for about five minutes then turned them both back on (plugged them in).

Three of the bad PCs worked immediately. The other two didn't, but did after I rebooted them. Is this helpful?

Thanks.
That's interesting.  Do they continue to work if you do "normal" things like browsing the Internet?  I'm wondering if some application or program gets run that causes them to stop sending data.  If they stop working again, you might try going to Start > Run and enter MSCONFIG. Choose Selective Startup and uncheck Load Startup Items. Reboot everything again and see if it stops working again.

The thing about the Ethereal captures is that they are from the PC's perspective. What we really need to know is if that data is getting to the switch and on to the router. That's harder to confirm without an external Network Analyzer that you could put between the PC and switch or the switch and the router.

If IPX is configured, it will show up in the Network properties for your adapter in the same list as TCP/IP, Client for Microsoft Networks, and Print and File sharing.
OK, here is why it's frustrating. All five worked (two after reboot). I tried them now, and none work. That is without touching the PCs, just 15 minutes going by.

By the way, if you still want me to do the MSCONFIG thing, did you mean they should start working again or stop working again?

If I need to use a network analyzer, then I will need to have my network person come in. I am sure he has one. And, I am sure he has a spare switch lying around the shop somewhere.
Just a point of clarification. When they stop reaching the Internet,  can they still access servers on your network?  I think you said yes but want to make sure. That's the bizarre part because it means the network card is still passing data AND through the switch, just not to the outside world.

Here's something else to look at when it fails again on the PIX. Log in and go to enabled mode. Issue the command
clear arp

and then try to access the Internet again on the bad pc, then on the PIX

show ip arp | incl <bad-pc-ip>

If it shows up in the arp cache again (with the correct hardware address) then data is getting that far.

Gary
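The ARP check Gary describes above, worked through as an added example that is not code from this thread or from Cisco: a small Python parser that reads a captured ARP listing and reports whether the suspect PC's IP is present with the expected hardware address. It assumes the listing has been saved to text with one "<interface> <ip> <mac>" entry per line (the layout of a PIX `show arp`); the sample listing embedded below is constructed for illustration, and the IPs and MACs in it are made up.

```python
"""Check whether an inside host shows up in a firewall ARP listing with the
expected MAC.

Added example, not code from the original thread. Assumes ARP output has been
captured to text as "<interface> <ip> <mac>" per line; adapt ARP_LINE if your
platform prints something else. SAMPLE_ARP is constructed sample data.
"""
import re
from typing import Dict, Tuple

# One ARP entry per line: interface, dotted-quad IP, MAC in colon, dash or
# Cisco dotted-quad style (000c.29aa.bbcc). Anything else is skipped.
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:.-]?[0-9a-fA-F]{2}){5})\b"
)

# Constructed sample listing (hypothetical addresses).
SAMPLE_ARP = """\
        outside 203.0.113.1 0012.3456.789a
        inside 192.168.1.10 000c.29aa.bbcc
        inside 192.168.1.21 00:1a:4b:12:34:56
        inside 192.168.1.22 00:1a:4b:65:43:21
"""


def normalize_mac(mac: str) -> str:
    """Canonicalise any MAC spelling to lowercase hex with no separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map ip -> (interface, normalised mac) for every parseable line."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group("ip")] = (m.group("iface"), normalize_mac(m.group("mac")))
    return table


def check_host(text: str, ip: str, expected_mac: str) -> str:
    """Return 'ok' if ip is present with expected_mac, 'missing' if the
    firewall never learned the host, or 'mac-mismatch:<seen>' if another
    hardware address answered for that IP (duplicate IP or stale entry)."""
    table = parse_arp_table(text)
    if ip not in table:
        return "missing"
    seen = table[ip][1]
    if seen != normalize_mac(expected_mac):
        return f"mac-mismatch:{seen}"
    return "ok"


if __name__ == "__main__":
    # Hypothetical "bad PC" at .21 with the MAC printed on its NIC.
    print(check_host(SAMPLE_ARP, "192.168.1.21", "00-1A-4B-12-34-56"))
    print(check_host(SAMPLE_ARP, "192.168.1.99", "00-1A-4B-00-00-00"))
```

A "missing" result after the PC has just tried to reach the Internet means its frames are not reaching the firewall at all (so look at the cable, port or switch); a "mac-mismatch" points at a duplicate IP or a stale entry that `clear arp` would flush; "ok" means layer 2 is fine and the problem is further along the path.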

 
grsteed,

If I do borrow or buy a new switch, would I just be able to connect those five PCs and try it for a while? Or would I have to plug in all 14 PCs? I have already tried putting a bad PC cable into a good PC port, but they both stayed the same.

I checked the startup programs yesterday, and none of them looked particularly ominous. But, it wouldn't be very hard to start without them. Also, could there be a service turned off that shouldn't? I think I looked through them. That doesn't seem like it would cause an intermittent problem though.
With the MSCONFIG thing, since they stopped working, Uncheck the Load Startup Items, Apply and reboot (power cycle)
everything to get back to where it is working. Then see if it stops again.

Gary
Gary,

I will try the PIX thing. As you can see, I got into enabled mode quite a bit in the past. But, it has been awhile. I have to do it from command lines as for some reason I can't access from a browser. What are the commands to access the PIX?

Yes, the bad PCs can ALWAYS access the server. Trust me, I would have our network guy out here in a heartbeat if they couldn't since the Electronic Medical Record's database resides on the server.
If you had another switch you could just try the 5 bad ones. The problem is getting it connected to the router. Unless you could connect just the borrowed one to the router with the other one disconnected as a test.

To access the PIX you should be able to go to Start > cmd and enter telnet. It will ask you for the IP of the PIX.  Unless you have telnet denied.

Thanks. I tried the startup thing. It didn't work.

Yes, I could do the other switch after hours when it isn't necessary to have the entire LAN running. The worst thing that could happen is NAV couldn't do its thing from the server,  but that is no big deal.

I just can't come up with an idea.

1. Is it possible to connect just one bad PC directly into the router? If so, I could see if it worked and stayed on thereby making the switch the culprit.
2. If that is not possible, I have an el cheapo switch by Linksys with four ports that I could plug into the router with just one or two (it's a four port) and see what happens.
I will look for your answer from home. I've got to get going and buy some dinner. Hopefully, you will be around tomorrow.
Good idea!!!  

You can connect the PC directly to the router if you use an Ethernet Crossover cable. This link shows how to make one if you don't have one.

http://www.makeitsimple.com/how-to/dyi_crossover.htm

I'm gonna call it a night too.  My brain hurts!   ;-)

Gary
Gary,

I will connect directly to the router tomorrow. I think I will purchase an Ethernet Crossover cable rather than make one. Those instructions at that link look harder than anything I did at medical school : ). If that works, then I will connect a couple into my four port router. I would say if both of these plans work, then we would have to assume it's the switch or at least its configuration.

I just hope I am able to pick out an Ethernet Crossover cable from a Cat5e cable. I don't mean to sound judgemental, but I haven't always got the best advice from the sales people at Best Buy or Staples.

I'm not going to do any other troubleshooting until I try these two steps tomorrow evening.
Just a thought, and I haven't read the entire book, so I don't know if this has been mentioned, but have you tried resetting the Internet Explorer settings to defaults? Maybe the good doctor is a little more curious than you give him credit for, and has changed something.

Go to IE>Tools>Internet Options>Programs>Reset Web Settings, and then Advanced>Restore Defaults

Also I would try downloading Firefox (Might have to D/L on another PC, and transfer on a USB drive or CD) to rule out any problems with IE.
Another thing I notice that hasn't been mentioned that is still a possibility; have you tried running a spyware scanner on the computer? 2 free ones are available here:

http://www.safer-networking.org/en/download/index.html

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Worth a mention and could cause these problems if the malware in question has replaced core networking dlls.
SEL,

Yes, I ran a Spysweeper scan before. And, you won't believe this. These PCs have been in service for over two years. Two of his PCs had NO spyware (I haven't seen that on a two-year PC) and only two on his 3rd computer. I haven't done one on his personal PC.
Markie,

Thanks for the suggestion. I have already tried downloading Firefox. Actually, I can download things from the problematic PCs when they are intermittently working. Of course, Firefox worked for awhile, then it bit the dust as well. The more I think about it, the more I think it is a switch problem. What I will do is hook up two or three this evening to a cheap switch or with the other cable that Gary mentioned directly to the router. If those stay on, then I think we will have something.

I doubt he changed the settings. To give you an idea, he has been known to unplug the PC to turn it off. No, I don't think he has done that on these PCs.
We wait with bated breath
OK, guys here goes:
First of all, the irony:

I did my experiment with the Linksys router. Of course, that meant disconnecting the super Netgear switch. After the experiment, I came back to my office to post here and, guess what, it's disconnected, DUH. So, here I am on one of the BAD computers, typing away.

So, here is what happened. I painstakingly undid the cables from the switch which went to the computers in the rooms (3) plus the nursing station. Easier said than done, given that we have an octopus to the 3rd power under the receptionists' desk. I have tried to get my partner (owner) to spring for rerouting the router and switch to a closet and labeling and reconfiguring all the cables, but he won't. But, I digress.

So, I plugged in the four cables noted above and voila, for the first time, all four of those PCs fired right up. And, they have all worked for over an hour. Now, for the really good part. I then attached Leo's personal office computer into the 5th port of the switch (it is a 5-port switch, I just checked), and not only did his computer not have a connection, it stopped three of the other four from working and one worked intermittently. I must also say that his cable connects the weakest to the switch if that makes sense. Just for completeness, I used a brand new Cat5e cable and connected his PC directly to the switch, and it still wouldn't work. And, it still caused the others to stop working. Disconnecting that cable fixed all the other computers.

Could his cable be causing the switch to malfunction and, if so, why just those particular computers? Are five ports too much to use?
Is it really a 5 port switch or a four port switch with one WAN port, which would connect to the Cable/DSL modem.  That's the only thing I can think of that would cause that situation.
Try connecting his cable to another port and nothing on the port that breaks it.
Good point. I did look at the switch. It's a 10/100 5-port workgroup switch. I wish I could give you the model number, but it's in a 2 font, and it's under the desk.

I tried plugging my cable into it, and the same thing happened, so I am going to assume it is either a different type of port or it won't take that much traffic.

The more I mess with it, the more I cause trouble. I have had to reboot it every time I do anything to it. I just rebooted the router and the switch and now all four computers save the 5th are working.

My question is does this mean it's the switch or is there something weird about these five PCs on that switch? I guess the only way to find out is to purchase a different switch. I also want to make sure, if I buy a switch, that it is definitely going to plug and play to autonegotiate, and I make sure all of the cards are autonegotiate.

Another question is, when you set up a LAN with a few computers, does it make sense to have all the same network adapters or does it matter? It seems like no since when you purchase a computer, it comes with its own card although you can usually choose the card or switch it out.

I would love to get feedback from anyone and everyone as to whether or not this definitely names the switch as the problem.

Thanks.
What model is it?  (EZXS55W) How is it connected to the router and PC's.    ( I should really have put all this in one post ;-)

A cable could cause a malfunction if it was shorted internally.

Here's what I would try:  Connect one of the 5 switch ports to the router, and connect up 4 PC's and see if they work. If they do, then remove one PC and add his.

Gary
Gary,

Yes, it is the model number you gave. You lost at least 50 points for making me crawl all the way under the desk and try to read those numbers. : ) Why can't they make them a little bigger.

All I did was take the cable from the router that used to go to the uplink port on the switch and disconnect it from the switch and plug it into the Linksys 5-port? switch. Great idea about plugging the suspect cable into another port. I disconnected the nursing PC and put in his cable and his PC worked fine. It's amazing how easy it is for human error to enter into these things. Remember, I had tried a different cable before to see if it worked (it didn't because it was in the 5th port, so I disconnected it from the switch, but it was still plugged into his PC). So, when I tried his old cable running from the attic into the switch as the fourth cable, I was frustrated when it didn't work, but then I remembered the other end was connected to his PC. So, I connected it and, voila, he is up and running.

So, I think we can feel rather comfortable with the fact that by connecting four of the five bad computers to the 5-port switch, they work fine and it's not the PCs but something to do with how the Netgear 24-port switch works when ALL of the PCs are connected.

Bear with me, I don't have email right now to see when I get a message. I am checking every few minutes. Maybe I will configure it temporarily to a good computer now. Sorry for the long post. I think War and Peace would only be Gone With The Wind if I wasn't so long winded!
Gary,

I have never done this before, but is it possible to run a Cat5e cable from the Linksys switch to the Netgear switch with the other computers hooked into it? Is this what they call a subnet. That may temporarily solve the problem. Maybe I could connect Leo's PC directly into the Netgear switch without a problem.

If this is possible, what does it do to your speed?

Bert
Ok I think I know what's happening with the 5th port. According to the manual at this link

http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1115416836711&pagename=Linksys%2FCommon%2FVisitorWrapper

It says it has "Ports Five 10/100 RJ-45 Ports, One Shared RJ-45 Uplink Port"  That usually means that one port can be the uplink OR another PC port, BUT NOT BOTH.  So you could have 5 PC connected together, or 4 PC and an uplink.

That's probably why it took down all of them when you connected the 5th one.

Thanks for the link. I see that now. What do you think of my "subnet" idea? And, I have to admit I am perplexed as to why these four or five PCs can't simply be put into the other switch unless there is just something weird with the configuration and speed between the cards and the switch.
Yes you could connect the Linksys to the Netgear by doing the following.  

Connect the Linksys Uplink port to any port on the Netgear port.  Then connect the Netgear Uplink port to the Router.

Adding the Linksys isn't really a "subnet".  Subnets are defined by the network address/mask and can include multiple switches/hubs connected to a router port.  It is also known as a broadcast domain since routers don't (normally) forward broadcasts.  

With hubs it used to be considered an Ethernet Segment (aka Collision domain) but with switches, each port is its own segment, so the idea of collision domains has gone by the wayside especially with most everything  using  Full Duplex.

Gary
It is still a bit of a mystery.  What is it with those PCs that causes the switch to mess up?  I'll be curious to see if having the Linksys in there effectively isolates them from the NetGear and the problem goes away.

Gary,

Sorry, it took so long to get back. I was doing some troubleshooting and got carried away. I want to try one more thing before heading home.

It is quite the chore and quite a decent bit of money to redo the runs of cable. I'm not sure if they are all Cat5e anyway, although they are close.  This LAN has been here for ages. I have asked many times, and the quote isn't that bad to run all new cables and change the plates on the wall just to get that out of the equation. Put a decent switch on a wall somewhere with labelled cables. I find it ridiculous to unplug the cable from the computer, then crawl on my hands and knees to see which of 24 or so ports' light went out.

At least the cables are already there so the runs wouldn't be from scratch. With a tangled mess beneath the desk and all sorts of questionable cables and ends, you have to wonder if it's the switch or the cable or whatever.
Well, it sounds like a "non-standard" installation.  ;-)

If you can get them to spring for it,  I'd say go for it!!!


Gary
Thanks, I will. I just wrote a two page rant about that very thing. How many doctors stay from 5:00PM to 1:00AM three or four nights trying to troubleshoot a computer system. Obviously, once our network person reran all the cables and moved the switch (hopefully a new one just to be sure) to a wall somewhere, he wouldn't leave until all the PCs worked. And, my guess is with all new cables run to new wall jacks to a nicely installed switch, the problem would vanish.

I am going home. I will keep you posted. Thanks for all your help. And, don't worry, no matter how long it takes, I always finish my TAs.


Probably my only post of the night; have to get home to watch the Rose Bowl.

I bought a switch today, which should arrive tomorrow or the next depending on shipping.

OK, well, I can't stay too long; I have to go watch the Rose Bowl. I decided to purchase a switch. I can't find prices on 3Com's site, I just know it's more. The sales person at 3Com told me the one I was purchasing from Page was used. I don't think that is true. But, I think it was because the 3Com person thought I was referring to the PWR model and not the Plus model. Anyone think this is a good switch? Should it serve my purpose. At least it sounds rather easy to plug and play and configure through the browser as well as monitor packets and all. (If I read it correctly).

Directly from 3Com
3Com® Baseline Switch 2226 Plus
Product #: 3C16475BS

http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3C16490

From Page Computers3Com®
Baseline Switch 2226 Plus
Product #: 3C16475BS-US
Price: $210.70

http://newsite.pagecomputers.com/store/Product_Technical.asp?catalog%5Fname=Networking&category%5Fname=18g18c127s2323&product%5Fid=797195

Thanks again.
Looks like a good choice to me.  With Auto-everything and web management it should be a breeze to install.

Gary
Thanks Gary. I have to admit, though, watching that incredible Rose Bowl game was more fun than troubleshooting the network until 3:00AM. Well, maybe not.
I just received the FedEx tracking email, and it seems that I should receive the switch tomorrow at 4:30PM. So, tomorrow evening or Saturday will be the earliest I can install it. I will get back to everyone then. I am sure you can't wait. : )
By the way, just in case anyone was dying to know, Port 8473 is the UDP port our instant messenger which runs on the network only and not over the Internet. There is a UDP 8473 and a TCP 8474. On a more important note, I looked for an IM I could use over the LAN (as a physician's office with HIPAA and everything, we just couldn't use something like Yahoo or MSN) for weeks. PopMessenger is very inexpensive and very good if anyone's looking for themselves or the customers.
Hi Gary and SEL and everyone else who has been helping:

I just installed the 3Com switch. It may not be the total solution, but I am getting some information together that may be helpful to you network guys. Will anyone be around tonight?
I'll be around for a while if you're still there.

Gary
Hey Gary!

Well, the $200.00 experiment is working modestly at best. I knew I was in trouble when FedEx wouldn't leave it at my house twice.

I changed all the Cat5s over to the new switch. That only took about 10 minutes, but I finally spent a little over an hour labeling every cable so I know exactly which computer goes to what port. The other advantage of the 3com besides being a fairly killer switch is that it has a "Discovery Program" that allows you to configure the ports and analyze problems. The Netgear may have had the same thing, but I lost the documentation. Maybe I should have used the same IP address: 192.168.1.10.

So, of course, everything worked great at first. Then one by one the not so "fantastic five" would stop working. That was the point where the $200.00 seemed like a lot of money.

There are a few things you can do by looking at the browser. It shows just how many packets are being sent and received as well as which port is working and what speed its on. There is this thing called Port Mirroring which is supposed to provide some information, but I think 3Com doesn't want novices to know how to use things as the instructions are about one paragraph.

The only thing I have tried so far besides rebooting the router after and then rebooting the five PCs was to change each PC to different speeds and match them on the switch. Of course, that would work for a few minutes and then nothing. These Internet connections will go on and off in a matter of minutes. But, it's important to know that sometimes they will stay on for hours.

One other thing that I haven't mentioned that may be helpful is the Internet connection is NEVER lost while you are actively using the connection. I was on call today and one of our employees brought her kids over, and they played video games on the Internet for hours, and the PCs never disconnected.

I have been at the office since 8AM this morning, so I am heading home. I will be here all day tomorrow. Even though I won't be able to do any troubleshooting or analyzing tonight, please respond and let me know what you think. And, if you want a used (I should say refurbished) Netgear switch for very cheap, let me know : )
--Bert
Bert,

Sorry to hear you still have the same problem.  When you put in the Linksys, didn't the problem go away? I thought that was the result and that's why you went for the new switch.  Did you ever get a chance to put a PC directly to the router?

You mentioned that "the Internet connection is NEVER lost while you are actively using the connection".  That's interesting because it sounds like some sort of inactivity (idle) timeout is causing the disconnect.

I still find it interesting that you say when the disconnect happens, that you still have connectivity locally, which is still going through the switch. I'm trying to figure out what, if anything the PIX/router could be doing, but it's baffling that it's only affecting those 5 PC's.

Here's another test you could do.  Take a good and bad PC and swap the IP addresses on them.  I'd like to see if the problem stays with the PC or the IP. Although it seems possible that both end up with the problem, since the number of bad PC's has been increasing since the original post. Pick a good PC that isn't critical.

The PIX and router are the same box, right?  Could you post the configs again? I saw what you had in the "War and Peace" but there were changes going on, so I'd like to see what you have now. (minus sensitive info)

Also, issue the 'show tech-support' command on the router. It'll be a long listing so you may want to post it on the web site where you put the packet traces.

I feel bad that spending money on a new switch didn't solve your problem. Any chance you can return it? If not maybe you could sell the NetGear on ebay and recoup some of your money. At least with the 3Com, you have some management capabilities. btw - Port Mirroring allows you to monitor the traffic on another port (like the uplink or a suspect PC) with an external Network Analyzer (sniffer).

At least you've done a good job cleaning up the network.  ;-)

Gary
Gary,

First, I know I have said thanks after almost every post, but I really appreciate how much time you have put into this. I wonder if you experts do this because of the points, the fun of troubleshooting or that you just want to help out or all three. I suspect it's the latter. The thing I don't like about EE is I posted a question about a browser which took a two sentence answer and it was worth 500 points. So, this one should be worth ten times that. Of course, maybe what comes around, goes around and your next TA will be where is the start button. Don't laugh my partner has asked that question and on Vista, there won't be one : )

To answer your question about the Linksys port, when I took four of the five computers and connected to the Linksys 5 port switch, they all worked continuously. The Linksys switch was connected directly to the router which is the same box as the PIX. It is a Cisco PIX firewall router.

The idle possibility is fascinating. Again, strange that it's only the five computers. I should tell you that the problem is not increasing, I just forgot that it was happening on Leo's computer as well. I doubt the info on what PC connects to which port including the router, server and printer would be helpful, but I could upload it.

Yes, the local connectivity works. That is kind of strange. As I posted earlier, the computers that are not working on the Internet (the same ones we have been alluding all along) are mission critical on the network locally. We would have the entire Microsoft IT staff on the problem if that were the case, because we have to use several programs on the server daily.

I will change the IPs. That's a good idea, although my feeling is it won't work, but I will try it. It's simple enough.

I will post the configs again. I will let you know if I can't get into the router. I did it many times in the past, but I haven't in awhile. As far as the 'show tech-support' thanks for the heads up on the long listing. I was going to upload it anyway, because some times I don't know what things are sensitive. Last time I had to get support to delete some of the addresses. I was very nervous, because some of this stuff was related to our VPN into the hospital. I am sure they would have loved that.

I have to run to Home Depot (and actually do something physical and not virtual/electronic). I will be back shortly, and I am on call : ( so I will be here for the next six to eight hours.

Bert
By the way, this TA has now surpassed War and Peace. Ironically "Upgrading and Repairing PCs" by Scott Mueller is even longer so I guess we will have to use that as the comparison. Of course, it is these useless posts of mine that make the TA so long. But, it keeps it interesting at least.
OK, so I have posted the PIX config and the Show tech-support on ibackup.com

If you don't recall the username and password and for the benefit of others who may not want to scroll up, it is:

username: experts
password: switch1

I think I got most of the sensitive information out. If you see anything that shouldn't be posted on the Internet, either let me know or feel free to download the file, delete the information and upload the file again.

Thanks.
Gary and all,

OK, so it gets stranger, but at least we have more information I believe. Using the web interface, I disabled all of the good computers and the printer and SERVER. I still don't know much about DNS, but I would think that would take the DNS out of the picture. Obviously, I left the uplink from the router on, although I wouldn't have put that past me.

For the past hour I have clicked on URL after URL on all five of the bad PCs. Each has continued to display the new websites without a problem and with no glitches.

So, what does this mean? Is there one cable from a "good" machine that is causing those five to act up? Now, do I have to do like the Msconfig thing when you disable one startup program at a time to troubleshoot a Windows problem? (I am not suggesting doing that, just using it as an analogy) If it is one of the PCs, is it a combination of them or just one?
Well, I tried everything. I hooked up the good computers one by one and, finally, one stopped working. I disconnected the one I had connected, but it didn't work. I tried changing the duplex speeds of the ports so that they were the same at every speed, i.e. 10Base 1/2 Duplex, 10Base Full Duplex, etc. I put them all back to autonegotiation and tried changing the uplink. Nothing worked. I tried a few other things as well, but I can't even remember.

I must admit I am about to give up. It may be time to part with the $65.00 per hour and let the professional come in. If anyone has any other ideas, please let me know. I imagine everyone has grown tired of this dilemma.
As before, I tried putting all five onto a different switch (this time the Netgear) and then connected that to the 3com. Mixed results. Still problematic. My new question is -- is there a difference between simply running a cable between the port on the Netgear switch to the 3Com as opposed to running the switch from the router to the uplink port on the Netgear and then running a cable from the Netgear to the Uplink on the 3Com?
Bert,

This is truly perplexing. At this point I don't think it's a switch issue ( i.e. speed, duplex, etc.) The 3com should be auto-sensing to whatever the PC is set for. If they are set to Auto-Negotiate, then it should go to the maximum 100/Full Duplex or whatever the PC card is capable of.

When connecting the switches in cascade the following should work:

 3com uplink (Actually any port since it should auto-MDI/MDIX )> Any Netgear port,  Netgear uplink > Router
 Netgear uplink > Any 3com port,  3com uplink (Actually any port since it should auto-MDI/MDIX ) > Router

The fact that it works with the other "good" PC's disconnected, confirms that it's not a switch issue in my opinion. It sounds like the "bad" ones work with any switch, as long as the others aren't connected.

At this point I'm thinking it has something to do with NAT on the PIX, though I can't put my finger on what it is specifically looking at the PIX configs. (I'm no PIX expert btw, but have worked with them some)

Speaking of NAT, you have what looks like the default (nat (inside) 1 0.0.0.0 0.0.0.0 0 0) configured.
I think this setting would use PAT (Port Address Translation) by using the outside IP (public) with a different Source TCP port for each connection. In other words, everyone would end up (on the outside) using the same Public IP with the TCP port being used to differentiate them.

There are some timeouts associated with that as follows,

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

The definitions for those can be found here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1026093

The conn value is 1 hour after which an Idle connection will close. 5 minutes is another value that is used a lot. Do these times match what you are seeing?

How many IPs do you have from your ISP? The interface is using a mask of 255.255.255.0. Do you have all 255 addresses (a full class C)?

I'm still looking at the PIX configs. Any PIX Experts out there??


As far as DNS, the addresses that you are using (64.65.196.6, 64.65.208.6) are external, so removing all the other PCs/server wouldn't affect it.
Gary,

By the way, I read one article in Microsoft that said it could be due to TCP/IP needing to be rebuilt. So, I added TCP/IP protocols then used Have Disk and used C:\Windows\inf to install. Of course, it didn't work.

Three quick questions before I try some of your suggestions. By the way, I don't know PIX either which is why I bought Cisco PIX Firewalls by Richard Deal --> WAY over my head.

Questions:

1. What about trying a cheap router from Circuit City? How difficult would that be to configure for the IP address of my ISP? I mean would that implicate the Cisco router configuration if it worked?

2. Since I messed with the Cisco PIX router some a few months back (again it would have been helpful to know the exact dates this started), what would happen if I changed the router to default settings? How difficult would it be to change?

3. Based on your thoughts on the router, do you think my IT guy (who of course knows the LAN rather well) would be able to configure the PIX pretty quickly?

I was hoping when I gave him War and Peace he would read it, and if he read Upgrading and Repairing PCs (this TA), it just seems he would be able to weed through things and give some valuable tips based on his knowledge of our setup.

I look forward to your comments.



ASKER CERTIFIED SOLUTION
grsteed

Great ideas! I will try them after hours. Not on call, so plenty of time to play around with them. Just so you know, when I was talking about a different router, I wasn't talking about replacing the Cisco router which, of course, is a very good router plus we need it for our VPN.

I just thought a cheap router would give us some info. Should I call Cisco and see if we just have 10 licenses? If it were a license issue, would it cause the LAN connections to stop as well?
My understanding, based on the following from Cisco is that no more than 10 internal IP can traverse the PIX.

Software Licenses

10-User License
The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 32 DHCP leases. As your needs grow, both 50 user and unlimited user upgrade licenses are available, allowing you to extend your investment in Cisco PIX 501 equipment.

50-User License
The Cisco PIX 501 50-user license supports up to 50 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 128 DHCP leases. As your needs grow, a 50-to-unlimited user upgrade license is also available, allowing you to further extend your investment in Cisco PIX 501 equipment.

Unlimited User License
The PIX 501 unlimited user license supports an unlimited number of devices from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 256 DHCP leases.
Thanks, I will call. It looks like you are the only one hanging in there. I had a difficult time last time with Cisco, but maybe if it's for purchasing more licenses, they will be more eager to listen.
One quick FYI which may mean nothing. When I am configuring the switch and looking at the port settings, they all say Flow Control is enabled. But, when I look at the port configuration screen, eight of the sixteen connections say they are disabled including the uplink from the router.
Bert,

Flow Control is not used or enabled by default on some equipment (including Cisco). There are some differences of opinion among vendors on how it should be used. Not anything to worry about.

Here's a link that talks about it.

http://www.networkworld.com/netresources/0913flow.html

Gary
OK! This will be a long post (like most of mine aren't?) but a very good one. And, Gary, you're brilliant. I think you nailed it. When all of the computers are on, the five intermittently come on. When I turn off about six of them, they all work mostly. Let me quote a few paragraphs from Cisco Pix Firewalls (Unique name) by Richard A. Deal CCNA, CCNP, CCDA, CCDP. (I think that makes him qualified).

Connection Licenses

{Quote} The licensing scheme that Cisco uses for connections is different based on the model of PIX that you purchase. For example, the 501 PIX uses a model based on number of machines, whereas the other PIXs use a model based on number of connections.

PIX 501 Connection License: The PIX 501 uses a connection license based on the number of machines that you want to allow access through the PIX. There are two licenses:

-- 10-User
-- 50-User

In either situation, the PIX 501 keeps track of the machines that send traffic through the PIX based on their addressing information. Once the PIX reaches the license limit, it will not allow any more machines to send traffic through the PIX. One annoying problem with this function is that the process the 501 uses to keep track of machines is not dynamic. In other words, the PIX doesn't restrict connections based on the total of 10 or 50 machines, but an absolute restriction.

With absolute restriction, once the PIX has seen the first 10 or 50 machines, it will not let traffic travel through the PIX for any other machines, even if the first set of machines are not transmitting traffic. Therefore, if you have an office with 60 PCs and a 50-user license, only the first 50 PCs that send traffic through the PIX will be allowed--the last 10 PCs will have their traffic dropped by the PIX. You can get around this by rebooting the PIX, which will cause it to erase its table of learned addresses, but you are still stuck with the absolute limit.

Therefore, you need to carefully consider your licensing needs with the PIX 501. If you need more than 10 or 50 user connections, you are better off buying a 501-50 or a 506 or higher. As you will see in the next section, the other PIXs (including the 506) are more lenient in their licensing. {End Quote}

This seems to explain my situation, although there are some interesting questions that contradict it a little. I hope you can explain them:

It explains the five PCs, but according to Cisco and this book, once the first ten ports were established by IP address, the remaining five PCs should have been excluded permanently. But, they were intermittent. Also, I rebooted the Cisco PIX a number of times during the troubleshooting which should have reset the table and since I mostly tried to open up Internet connections on the five PCs, they should have then been allowed to travel through the PIX while five of the others should not have. Maybe the others would broadcast immediately with packets?

It was interesting, because as I freed up ports, the five would work a lot better, not perfectly though. When I turned on more ports, they would work far less. THE MOST INTERESTING THING was when I went to a GOOD machine and changed the IP address. It would then not let me access the Internet until I changed it back.

Maybe there is a combination of the absolute restrictions and a screwed up configuration of the router. Or, maybe its absolute restriction isn't so absolute.

This is our second PIX 501 (our first broke after two years). In my TA labeled "11 out of 14" ... one of the experts asked me why I didn't seem to like my IT guy. I actually do, but it is things like this where twice we have been sold these 10 license routers for a LAN with 16 connections. I am not sure if the uplink or printer counts?

I guess in the computer and network world, Cisco is just it. I, myself, do not like Cisco at all. I have never dealt with a company with worse support. I emailed licensing@cisco.com and was basically told I could not purchase another router because I did not have a support contract on this one. I was told they don't support "used" routers or one that wasn't bought from an "authorized dealer," which it was. When he said used, he meant that I purchased it used.

I found online a PIX 501-50 for about the same price as the 501-10 (around $500.00). I also saw an upgrade license for around $250.00, which Cisco told me they don't have.

It seems like the PIX 501-50 would solve the entire problem or the license upgrade, but I don't want to jump to conclusions and waste $250.00 to $500.00. I do think this is the fix, though. Can anyone out there tell me why a certified Information Technologist would set up our LAN with a ten license PIX?

By the way, I realized that the router doesn't control traffic on the network, just traffic going in and out to the Internet.

Thanks. Bert
Bert,

That's Great News!!!!    I was running out of ideas!!    ;-)

It does seem like it affects those 5 PCs more than the others. I would have thought that it would just allow the first 10 no matter which ones they were.

I don't know what to recommend for you at this point. It seems like the upgrade may be the way to go, but I'd get another opinion if I were you. Now that we know it's an issue with the PIX, it might get better visibility (and more experts) if it was posted in the Hardware > Routers forum. There's a guy there (lrmoore) that seems to know the PIX well, based on responses I've seen from him. Don't think he's looking here.

I agree with you about Cisco. They can be very unhelpful if you don't buy their TAC contract or don't have the newest gear. Luckily, there are lots of folks out there who know this stuff.

You asked a while back why I do this. The answer is All of the Above!!!  ;-)  

Glad I could help!

Gary
This one was worth way more than 500 points and should get a grade of A+++. Thanks Gary and I appreciate the help from SELSupport as well.

When I post in Hardware/Routers, do I reference this question or both questions? Do you think anyone will read all of them? Or should I just tell them to read near the bottom?

What do you do with the points? I have often wondered that?

A few comments:

While my partner uses the Internet in his rooms, he is far less likely to use it than I do in my rooms. The receptionists are on eBay quite a bit. But, then the server isn't active much. Would email count as far as sending packets through the router?
Bert,

Thanks for the extra points!! They're like brownie points, but help add to my credibility. ;-) Seriously, they do add up and can give you an Expert rating eventually. I still have a long way to go for that.

I would say to reference the bottom ones on this question, since we went through a lot of other stuff that's not really relevant.

Now that we know what's happening, I wonder if we could bypass the license issue by setting up a proxy server on your internal network. That way, web traffic would go to that machine, and that machine would access the Internet through the PIX. The PIX would only see that one machine for all web traffic. It would require a change to the IE Connection Setting to point to it.

The email is probably already doing that if you use Exchange on your server or some other local Mail server.

The 10 user license for the 501 PIX uses a "model based on number of machines" so it seems like a possibility.

Cheers,

Gary
Gary,

Last comment, I promise. When I post to the routers section, how do I get the attention of lrmoore? I saw his email address in his profile. I don't know much about the etiquette on here. Still learning. Is emailing him to tell him about a question considered inappropriate? It said EE business only. If it is inappropriate, when would it be appropriate? Or do you think he will just see it anyway? Plus, I am sure there are lots of other experts there, but he does have some good qualifications, which is an understatement.

By the way, I will pass the proxy server idea by my "associate" IT person.

Thanks.
Oh, and we don't have internal email. It all goes to our ISP. Actually, it's kind of bizarre. We have one ISP for our SMTP and one ISP for our POP3.
Bert,

I saw the "EE Business Only" thing too so I don't think it's appropriate to email directly. I think he will see it anyway and respond accordingly, or others will.

As far as the email thing, POP3 would indicate that each machine would access the POP3 server directly. The SMTP usually is for a local mail server that would receive/send mail to the Internet. Not sure why you have both. That may be another thing you could ask the "associate".

Gary
Thanks, I will just post it there. As to the POP3 and SMTP being different, I know why we have both, but it's much too long to post here and probably not appropriate either. It is rather interesting, though. Heading home. Take care. Bert
Gary,

I hope you are around. I posted the new question at the following address. It isn't getting much action. Should I have done it differently or had a better question name? Any suggestions? I like your idea about the proxy server,  but short of purchasing a new PIX, what about just purchasing more licenses at the URL below?

http://www.pcmall.com/pcmall/search/search~newsearch~true~Platform~Linux,Mac,Macintosh,PC,Universal,Unix,~IncImage~on~Manufacturer~cisco~calledfrom~3~CurDSN~Advance~Search~pix.asp

New question:

https://www.experts-exchange.com/questions/21690366/What-would-be-the-best-way-to-increase-the-licenses-for-the-Cisco-PIX-501.html

I tried finding the answer to the following question on Microsoft and on E-E as well as Google, but I couldn't find an easy answer.

Does a switch have one IP address? I am asking because if it did, could I connect the Netgear 24-port switch into the 3Com 24-port switch? Then I could connect enough PCs to the Netgear so that the 3Com would only "see" ten or less connections which the router would then see.

Bert
Bert,

I was watching the other question you posted and it's not getting as much action as I thought it would. Maybe a shorter name like "PIX 501 License Issue" or something similar might get their attention. I find that the longer names get cut off and you have to mouse over them to see the whole thing.

Upgrading the license would be cheaper than buying a new PIX as Harbor suggested. This link has some sources other than the PC Mall link you posted.

http://ostg.pricegrabber.com/search_getprod.php/masterid=2268042/fd=1

To answer your question, a switch usually only has one IP address so you can connect to it for management, but it is not needed for the switch to operate. Switches operate at level 2 (MAC addresses) and therefore do not do anything with the IP addresses of the PC but pass them on to the router. So regardless of how you set up the switches, the router still sees all of the addresses that need external access.

Setting up the Proxy Server may still help/alleviate this problem. There are many to choose from but here's a link that has a 5 user trial version free,

http://www.software602.com/

It's under their 602 Lan Suite.

If you decide to install it, put it on a machine that has a fast (100 Full Duplex) card and one that will be on all the time, or at least when others are there. It would be interesting to see what happens if you pointed the 5 bad ones to the proxy server.

You also have to set their browsers to use it after you set it up. For IE, go to Tools > Internet Options > Connections tab, then LAN settings. Check the Proxy Server box and put in the address of the PC that's running the proxy along with the port number that they tell you to use when you install it. You should also check the box to bypass local addresses. If you go to Advanced you can enter the prefix for your network (e.g. 192.168.1).

Hope this helps.

Gary
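Added illustration (not code from the thread or from Cisco): a small Python model of the licence behaviour quoted from the Deal book and the Cisco 501 licence text, and of why the proxy idea above consolidates the five PCs into one address as seen by the PIX. The inside addresses, the proxy address 192.168.1.5 and the browsing order are constructed; the model follows the documented "first N source IPs, kept until cleared" rule and does not reproduce the intermittent behaviour Bert actually observed.

```python
"""Model of the PIX 501 'absolute' per-host licence, as quoted in this thread.

Constructed example: the 501-10 admits the first 10 distinct inside source IP
addresses it sees and then drops traffic from any other inside host until the
table is cleared (reboot or 'clear local-host'). A web proxy on the inside
reaches the PIX with its own address as source, so all its clients share one
licence slot.
"""
from dataclasses import dataclass, field

# Constructed inside addresses for the 14 PCs (the thread mentions the
# 192.168.1 prefix; the host numbers here are made up).
PCS = [f"192.168.1.{n}" for n in range(11, 25)]
PROXY_IP = "192.168.1.5"   # assumed address of the machine running the proxy
LICENCE = 10               # PIX 501-10


@dataclass
class Pix501:
    """Licence table: source IPs in order of first sighting, never aged out."""
    licence: int = LICENCE
    learned: list = field(default_factory=list)

    def forward(self, src_ip: str) -> bool:
        """Pass or drop one outbound packet under the quoted 'absolute' rule."""
        if src_ip in self.learned:
            return True
        if len(self.learned) < self.licence:
            self.learned.append(src_ip)   # slot is kept even if the host goes idle
            return True
        return False                      # table full: traffic dropped

    def clear_local_host(self) -> None:
        """Documented effect of 'clear local-host' or a reboot."""
        self.learned.clear()


def browse(pix: Pix501, client_ip: str, proxied: frozenset) -> bool:
    """One web request. A client pointed at the proxy reaches the PIX with the
    proxy's address as source, so it never needs a slot of its own."""
    src = PROXY_IP if client_ip in proxied else client_ip
    return pix.forward(src)


def office_day(pix: Pix501, proxied: frozenset = frozenset(), rounds: int = 3):
    """Every PC browses `rounds` times, in turn.
    Returns (number of PCs that reach the Internet, number shut out)."""
    reached, blocked = set(), set()
    for _ in range(rounds):
        for pc in PCS:
            (reached if browse(pix, pc, proxied) else blocked).add(pc)
    return len(reached), len(blocked)


def direct_scenario():
    """All 14 PCs go straight through a 501-10: first 10 win, 4 are shut out."""
    return office_day(Pix501())


def proxy_scenario(n_proxied: int = 5):
    """Point the last n PCs at the proxy. With 5 proxied the PIX sees
    9 direct sources + 1 proxy = 10, so every PC gets out."""
    return office_day(Pix501(), proxied=frozenset(PCS[-n_proxied:]))


def readdress_blocked_host():
    """Giving a shut-out PC a fresh IP does not help while the table is full;
    it only gets a slot after the table is cleared. Returns (before, after)."""
    pix = Pix501()
    office_day(pix)                   # table fills with the first 10 PCs
    new_ip = "192.168.1.99"           # constructed replacement address
    before = pix.forward(new_ip)      # still dropped: no free slot
    pix.clear_local_host()            # reboot / clear local-host
    after = pix.forward(new_ip)       # now it takes one of the 10 slots
    return before, after


if __name__ == "__main__":
    print("direct    :", direct_scenario())          # (10, 4)
    print("with proxy:", proxy_scenario())           # (14, 0)
    print("readdress :", readdress_blocked_host())   # (False, True)
```

Note that in this model the proxy must also be among the first 10 sources seen after a clear; with only 4 PCs proxied there are 11 distinct sources and whoever speaks last loses.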
Gary,

Thanks for the help. For once, I was maybe one-half step ahead of you. I tried the switch thing again (figuring since it was 192.168.1.10 it would help with the problem). But, it didn't.

I then tried the proxy server. I was a bit nervous, because I had never done one. I went to www.youngzsoft.net and they have a pretty good one. I have a question about it. They kept saying pick a good machine preferably Win2K, but then they keep talking about the server. I think they referred to "server" because it would become the proxy server. But, I ended up downloading and installing the software to our actual server. Is that OK, because it works.

Here is some interesting news. As you suggested, I pointed all five of the "bad" PCs to the proxy server. And, guess what? They all work! At least for now. Now, the weird thing is -- there was one "bad" PC I wanted to keep pointed to the gateway mainly because it uses Outlook Express. All the others use Outlook. For some reason Outlook worked even on the proxy server,  but O.E. didn't, and the instructions they gave were a bit confusing. For now, I am allowing the two nurses to use web mail.

But, when I changed a "good" computer to the proxy server (it worked) so I could change the "bad" computer to the gateway so the email would work; it wouldn't connect to the Internet -- even after rebooting for like ten minutes. What this means is what the book said and what Cisco says about rebooting clearing the IP addresses isn't true here. Supposedly, the table would be refreshed, and the first ten again....

That worried me, because that would mean even if we did get more licenses, we may still have the same problem because the router seems to have blocked those five IP addresses and won't forget them. I wonder if the router just needs to be completely cleared?

One other question please. As I posted at the other TA or maybe here at some point, since we have a total of 16 connections to the switch: 14 PCs, one router and one printer, does that mean I need to free up six connections or just make sure that at least four of the PCs are pointed to the proxy server? I mean does the router count the printer? And, does it count its own uplink?

I wonder if we need a whole new router, which sounds crazy. And, I wonder about our IT guy not realizing this would be a problem. Also, what is the downside of just having the proxy server besides some problems with email?

Thanks.
Gary,

I think I may have answered my own question. Because if we purchased the 50-license pack, we could then probably change the IP address of the "bad" computers. Then, I would need to remember the bad IP addresses so I didn't assign them to any other PCs. This is why it would be nice if I could just talk with someone at Cisco. Not necessarily for free support but to be able to purchase licenses which must give them a profit and to make sure that the licenses will fix the problem.

I thought of one more troubleshooting scheme sort of along the lines of the above paragraph. I think we tried changing IP addresses on the bad PCs before, and it made no difference. But, they would have still been over the 10-user limit. So, I wonder what would happen if I put one or two more PCs on the proxy server, freeing up a couple of ports and then changed the IP address of one of the bad PCs. If it worked steadily, it would assure me that after purchasing more licenses, changing the IP address of all five PCs should work. There must be a way to clear the PIX.

That's a good idea about the shorter name for the question. At this point, it seems like it would be cumbersome to change the name and point it to the longer named question which points to two other questions. I also wonder if there is some interest until they see how long the two other TAs are. Is there a way to edit the name of the question? I am guessing no.

If I could give you more points, I would. I feel like you came up with the licensing idea AND the proxy server idea. Maybe I should have put it as a new question. Well, it's been a long day. Gotta head home. This thing has taken up tons of my time, but I think I/We are nearing the end. And, this is a lot of stuff after the question has been answered and ended, but I think it will give a lot of information to anyone else with this problem.

Bert
Bert,

I had a message typed up and lost it by closing the window. Doh!!!

Installing the proxy software on your main server may be OK, but I would watch the network performance. When using a proxy, the network traffic goes in and out of that system twice for each webpage that's requested (receives the original, sends it to the destination, destination responds to proxy, proxy sends it to client). You should monitor it.

The IPs of the router, printer and switch uplink shouldn't be in the table on the router since they aren't, or shouldn't be, sending traffic to the Internet. You can check with the "show xlate" and "show local-host" commands on the router. The corresponding clear commands ("clear xlate" and "clear local-host") should remove them.

Did you also get the CCMailserver software from that link? Is that what you used for the Outlook/OE clients? Unless you changed the Account Settings for them they would still be going through the router.

Upgrading the PIX to a 50 user license would be easier overall, since as you mention, you won't have to worry about good or bad addresses since they should all work. If money is not an object, that may be the way to go.

No worries about the points.

Gary
Gary,

I am not sure why the IP of the router wouldn't be sending things to the Internet. Could you explain that to me?

No, I did not get the CCMailserver software. For some reason, they didn't seem to address Outlook in the FAQs, just O.E., Eudora and others. And, for some crazy reason, Outlook still works on the machines pointing toward the proxy server even though they are configured for the router. I tried to change the account settings in O.E., but the directions, which included examples which were confusing didn't help. But, I changed that to web mail for now; and it's a good reason to make the leap to the other licenses.

And, could you comment on your last comment. I am still a bit worried about spending the $250.00 for the licenses (I sure wish I had the money back from the switch), because for some reason the PIX seems to "remember" the bad ones no matter how many times it is reset. Again, new licenses along with new IP addresses may work. How much does a support contract cost for Cisco and why don't they offer a one time charge -- or maybe they do. I would sure like to hear from a support engineer something like, "Yes, generally, rebooting will clear the table. In your case, what is happening is due to X and after you get the new licenses we are going to gladly sell you, you can make sure that will not be a problem by doing Y."

Bert
Of course, I could get away without any support from Cisco if I received the answer from Hardware/Routers. Maybe I should close that question and just ask if anyone has heard of a similar problem with the Cisco 501, and what I should do to correct it.
Bert,

The IP of the router doesn't originate traffic to the Internet, so it shouldn't be listed in the xlate or local-host table on the router. Per the license "The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501". Also it wouldn't make sense for the router to be using one of the 10 addresses, since that would really make it a 9 user license.

The switch IP shouldn't be listed since it doesn't originate traffic to the router. The Printer may if you have remote people sending to it, (From the VPN perhaps)

Regarding my last comment above, it seems to clearly be an issue with the 10 user license. If you had 50 available, I don't think you would have any bad IPs. That would be the question to ask. If you only have 10, why does it not just accept the first 10? Why do some IPs have problems even if they got there first? And why doesn't rebooting the router forget about the bad ones? Maybe you could close the other one since it's not getting much action.

For Cisco support, are you registered with a CCO account? If not you could do so by going to http://www.cisco.com/ and clicking on Register at the top. Fill in the form and submit. Then you can log in and submit a TAC call by going to Technical Support and Documentation, then clicking on Create a New TAC Request under Contact Cisco for Support. (I hope this works if you don't have a contract number)

Gary
"Maybe you could close the other one since it's not getting much action."

Could you elaborate on this? I didn't understand it. Thanks.

Bert
The other question that Harbor replied to.

Perhaps, opening a new question that asks specifically what is happening with the IP's on your PIX with a 10 user license and why.

Gary
Gary,

Good idea. At the risk of going on too long after the question, I do have another piece of interesting feedback. I really wanted to get the nurses' computer working, because their email is important. I pointed another computer to the proxy server to free up a license for the nurses' computer, but it didn't work. I rebooted the router, but it didn't let go of the IP. So, I changed the IP, and it didn't work. It was as if it were remembering the port the computer was on or the MAC address (doubtful). But, when I rebooted the router again, it seemed to forget the machine, if not the IP address which my guess is would be not useful forever. But, the nurses' computer worked great.

This may give more info to the whole troubleshooting process, but I think it also means that when I add the new licenses, I will need to change the IP addresses of the bad machines and reboot the router.

I will start a new question as you suggest. Could you give me one piece of advice as an expert? As you probably have seen, I tend to give a lot of information in each post. Is it more helpful for the experts if I ask a concise answer, then follow-up on their questions or just give a good description so they have a better idea of the problem?

Do only experts answer questions here or can members as well?

Bert
Bert,

I sure wish I knew what was happening with this. I don't understand how the router can 'remember' a machine after it's been rebooted. That should clear ALL tables and start fresh. I wonder if something's happening on the PC side that's cached like a webpage. Maybe instead of trying to get to a web page, you could try to ping (Start > Run > cmd, enter ping <ip-address>). And instead of using the name, which requires a DNS lookup, use one of these addresses, 64.233.179.9 or 64.233.161.9, which are 2 Google servers.

It doesn't seem like you should have any bad addresses if you have enough licenses, but we can't know for sure until we know why they are bad.

As far as posts, I think short concise questions get better response. With longer posts sometimes there may be multiple questions within the question and it makes it harder to respond to.  

Any member can comment.   Like me since I'm not an expert yet.    ;-)

Gary
Well you should be an expert!
Gary,

Look at this question! I guess I should have searched more but, then again, I didn't know it was the PIX then.

https://www.experts-exchange.com/questions/21433322/Pix-501-loss-of-connectivity-for-certain-client-machines.html?query=Cisco+Pix+absolute+licenses&clearTAFilter=true

Granted, they answer it quickly, and lrmoore gives some details but, even though the author states it is an intermittent problem, that part is not addressed. The quote from the book and your quotes from the Cisco website clearly state that the PIX 501, unlike other PIXs, has "absolute" licenses and not dynamic. Absolute meaning it accepts the first ten and keeps them and supposedly blocks any other machines (until reboot, or so it says).
I closed out the question and asked another one. I think it is much better. Tell me what you think.

https://www.experts-exchange.com/questions/21693486/PIX-501-licenses-work-intermittently-and-not-absolute-as-Cisco-claims.html

{I am not sure if I am supposed to put the URL of a new question in a closed question. I am always very nervous that I will do something inappropriate in here. There are a lot of rules I don't know about, but I am trying}

I knew I would forget to ask this. I promise no more questions -- I think.

Would our VPN connection count as a license?

Bert
I don't know if this matters or not, and I hope this applies to the above question. I also don't know how our computers got set up with fairly random static IP addresses.

Maybe it wouldn't add to the functionality, but would having a more sensible IP address system make things easier?

For instance, maybe making the server 192.168.1.1 and the next PC xxx.2, or even having room 1 be xxx.1 and room 2 be xxx.2 and so on.

Would the server or room 1 be able to be 192.168.1.1 if the default gateway is the same IP address?

But, overall, it would still be simpler to do xxx.1 through xxx.17