CHI-LTD
how to prove issue with firewall, domain or DNS?
odd issue.
we use sophos on our clients, win7.
also use webfiltering software that uses a local proxy server at our main site and software locally on machines outside of HQ.
2x weeks in succession we have lost internet for about 1-2hrs same day of week.
I have disabled sophos, webfiltering and local proxy at both sites but I am still getting issues with the internet. Intermittent though, only some sites not showing content and some sites not displaying at all.
I think it's either firewall (managed by 3rd party) or DNS with our ISP.
last week the managed co said no changes were made to the firewall.
How can i prove this?
For DNS problems, you can analyse it yourself (use the nslookup command). For other problems, you need a clean laptop, outside this infrastructure (preferably directly connected to the modem). If the laptop also has this problem, you know it's out of your hands. If the laptop has no problems while the others do, it's either a network device or the software causing it.
ASKER
Yes, proved it was something to do with our environment by testing a machine on a different LAN/WAN.
The problem resolves itself at HQ site @ 12pm and the other site at 12:30. Happened last week also..
I use Netgong (formerly called IPmonitor). Netgong is basically a ping tool. You can have it schedule a ping as often as once per minute to numerous devices and it will log connectivity, record disconnects, and can be configured with alerts, all in a nice little graphical interface which can produce a simple html report. By pinging a local device, router, ISP's gateway, and an Internet IP you can determine between which devices the connection is lost. By using names instead of, or as well as, IP's you could also test DNS. Great little tool with 30 day free trial period.
http://netgong.tsarfin.com/
ASKER
Very odd. I have a similar problem again today. This time I have 2x machines on my LAN (not using local proxy server) that cannot get through to https://www.experts-exchange.com
I can ping it and tracert the site but it just won't load...
Ideas?
Using experts-exchange is not a good example, at least not for today (I was at 2 locations today, noticeable intermittent outage).
I had the same issue; internet fine but unable to load EE a few times earlier today. Suspect they may have had some minor issues.
ASKER
Hmm, very odd though, as my other user here (not via proxy) was getting issues with Sage.
but also had similar problems last week.
When it happens try a more robust site like Google.
Try http://www.google.com
If it fails try: http://184.150.183.212 (Google by IP)
If the latter works it is a DNS issue.
If having problems with Sage you may have DNS issues.
Do you have your own internal DNS server?
ASKER
I could access google fine at the time.
yes local DNS boxes...
With local DNS, clients and servers should point only to your internal DNS servers; do not add a router or ISP as secondary. Adding an ISP could result in local failures such as Sage.
I would also try changing your DNS forwarders as a test, perhaps Google's 8.8.8.8. You may have a slow or dormant DNS server in the forwarder list causing delays and timeouts.
ASKER
All clients are pointing to local DNS servers.
I tried 8.8.8.8 the other day and it worked. What can I test locally?
Do you mean 8.8.8.8 solved the problem? If so then the primary DNS forwarder is either off-line or having performance issues. ISP's sometimes update DNS servers without advising.
Locally make sure nslookup servername and nslookup internaldomain.local return the correct information.
ASKER
It did when I had this problem last week.
Ah, just remembered we have changed our DNS server settings to dynamically update...
and....... ??
ASKER
Wondered if dynamic DNS changes are causing the problem?
Could be.
If you set to 8.8.8.8 and it worked I would set statically. I suspect with dynamic it reverts back to your ISP.
ASKER
As an additional DNS server within DHCP servers?
It sounds like the change you made was on the PC itself? Fine as a test, but whether static or dynamic through your DHCP server, the PC, and the server as well, can ONLY have your internal DNS server/s listed.
I was referring to the forwarders in the DNS management console.
When you try to access any DNS name the server is used to resolve it. If it is a local name such as a PC it checks its own database. When it gets a name, such as www.google.com it either checks the Internet root servers or uses a DNS forwarder to 'ask it' to resolve the name. The forwarder is most often an ISP's DNS server but can be Google's, another ISP or service provider. The reason for using an ISP is it should be the fastest to respond, but often isn't, resulting in delays and even failures. Changing to 8.8.8.8 on the PC worked, so try it as the forwarder.
To do so, on the server, go to the DNS management console, click on the server name, in the right hand window double-click on Forwarders (not forward lookup zones), under the forwarders put 8.8.8.8 and using the arrows move it to the top.
Then on the server and connecting PC run ipconfig /flushdns
If interested you can test public DNS servers' performance.
https://www.grc.com/dns/benchmark.htm
ASKER
Okay, it's happening again, similar day and time of day. Odd...
A bit more background info:
The remote site has only Windows 7 PCs that point to DNS servers at 2x other main sites, so uses the permanent VPN for this, but the traffic is routing directly out from this site to the web, not tunnelling over the VPN, I think.
Changing the DNS server settings for one of the clients to the IP address of each of the DNS servers we have, I found only one of them worked. Using 8.8.8.8 also worked.
Trace routing when using 8.8.8.8 and 192.168.2.22 DNS worked, but with different routes.
Ideas?
ASKER
But I can ping and tracert to google.com fine using either of the local DNS servers.
So there are no private DNS servers on your site? That would have been good to know.
DNS to your remote site DNS servers can only be done using the VPNs; it cannot be routed via the Internet.
Chances are your VPN service is interrupted or 'sleeping' and DNS fails.
The best solution is to add a read only domain controller, with DNS, at the local site.
Though you do not have to have a DNS server locally and can support a site using remote DNS servers, the downside is any interruption in the VPN service and you lose the ability to resolve public FQDNs.
ASKER
We have 4x remote DNS servers. 2x at each site. I have narrowed this down to 3x of them not working, and only one of them is.
However, some minutes later the machines I hadn't played with in terms of setting different DNS IP addresses worked fine.
Usually with remote DNS servers the problem is a brief disconnect of the VPN or latency.
Are the PC's on the site with the DNS servers having any issues?
I always recommend if more than a couple of PC's at a site that they have a local DC. It can be a read only, or even an old server but it allows for faster name resolution and the ability to maintain internet access if the VPN is down.
ASKER
No, the machines are all standalone behind a layer 3 switch and Cisco firewall.
It's intermittent. If I nslookup or gpresult it shows the correct DC.
>>"No the machines are all standalone ..."
I was meaning at the other sites where there are DCs, do they have any issues with accessing web sites like the problematic site?
At least we can assume the original question is resolved; "how to prove issue with firewall, domain or DNS". It seems to be DNS. The next issue is why.
>>"trace routing when using 8.8.8.8 and 192.168.2.22 DNS worked but different routes"
Yes as 8.8.8.8 is an internet based DNS server, and the other is an internal accessed via the VPN. They would be totally different.
>>"Changing the DNS server settings for one of the clients to an ip address of each of the DNS servers we have i found only one of them worked"
It sounds like a misconfiguration issue or a latency problem.
Are there any errors in the Event logs of the DNS server under DNS (or in the DNS management console - same log)?
Why don't you set up DNS Benchmark, add all 4 of your internal servers, and run the test. See if there is any significant difference between the 4.
https://www.grc.com/dns/benchmark.htm
ASKER
I see. No this site works fine.
ASKER
Okay, so today I noticed I had the same problem on my PC, which hasn't any web filtering software enabled/running, so goes directly out to the internet through our L3 switch, firewall, router, ISP - and again noticed bbc.co.uk wasn't loading correctly.
So I ran the following:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>nslookup
Default Server: DC1.domain.local
Address: 172.19.10.17
> bbc.co.uk
Server: DC1.domain.local
Address: 172.19.10.17
*** DC1.domain.local can't find bbc.co.uk: Server failed
> www.bbc.co.uk
Server: DC1.domain.local
Address: 172.19.10.17
*** DC1.domain.local can't find www.bbc.co.uk: Server failed
>
C:\Users\user>ping www.bbc.o.uk
^C
C:\Users\user>ping www.bbc.co.uk
Pinging www.bbc.net.uk [212.58.246.92] with 32 bytes of data:
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Ping statistics for 212.58.246.92:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 7ms, Average = 7ms
C:\Users\user>nslookup
Default Server: DC1.domain.local
Address: 172.19.10.17
> bbc.com
Server: DC1.domain.local
Address: 172.19.10.17
Non-authoritative answer:
Name: bbc.com
Addresses: 212.58.246.103
212.58.244.18
212.58.244.20
212.58.246.104
> bbc.co.uk
Server: DC1.domain.local
Address: 172.19.10.17
Name: bbc.co.uk
Addresses: 212.58.244.20
212.58.246.104
212.58.244.18
212.58.246.103
>
which you can see failed to resolve the domain...
Why?
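The nslookup session above shows the key distinction the thread turns on: DC1 answered "Server failed" (DNS rcode SERVFAIL), which means the DC tried to resolve the name through its forwarder or the roots and got nothing back, rather than "Non-existent domain" (NXDOMAIN). The following is an added example, not code from the thread or from any poster. It is a stdlib-only Python prober that asks each DNS server directly, reports the raw rcode (or a timeout) per server, times the answer so candidate forwarders such as 8.8.8.8 can be compared as the earlier "slow or dormant forwarder" post suggests, and folds in the "known IP reachable without DNS" check from the Google-by-IP post. The server addresses, names and the 8.8.8.8:53 reachability target in the usage are assumptions; `make_response` builds constructed replies for offline testing, not captured traffic.

```python
"""Added example (not from the thread): per-server DNS rcode prober.
Tells SERVFAIL / NXDOMAIN / timeout apart for each server you name."""
import socket
import struct
import sys
import time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id so constructed replies can be matched


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=TXID):
    """Recursive A/IN query, the same request nslookup sends by default."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def make_response(name, rcode, ips=(), txid=TXID):
    """Constructed reply for offline tests (not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR,RD,RA
    msg = header + encode_name(name) + struct.pack(">HH", 1, 1)
    for ip in ips:  # answer owner name = pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, txid=TXID):
    """Return (rcode name, [A-record IPs]); reject replies with a foreign id."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0xF
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ips


def query(server, name, timeout=2.0):
    """Ask one server over UDP/53. Returns (status, ips, seconds taken)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", [], time.monotonic() - start
    status, ips = parse_response(data)
    return status, ips, time.monotonic() - start


def tcp_reachable(ip, port, timeout=2.0):
    """The 'Google by IP' test: reach an address without using DNS at all."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(internal, public, ip_ok):
    """internal/public: {server: status}. Map the pattern onto the suspects."""
    statuses = list(internal.values()) + list(public.values())
    if statuses and all(s == "NOERROR" for s in statuses):
        return "resolves everywhere: not DNS, look at firewall/proxy/site"
    if not ip_ok:
        return "known-good IP unreachable too: connectivity (firewall/ISP), not DNS"
    if public and all(s == "NOERROR" for s in public.values()):
        if "SERVFAIL" in internal.values():
            return "internal DNS SERVFAIL while public resolver answers: forwarder/upstream failing"
        if "TIMEOUT" in internal.values():
            return "internal DNS not answering: VPN or latency to the DNS server"
    if statuses and all(s == "NXDOMAIN" for s in statuses):
        return "NXDOMAIN everywhere: the name does not exist"
    return "mixed answers: compare the per-server results"


if __name__ == "__main__":
    # usage: python dnsprobe.py www.bbc.co.uk 172.19.10.17 <more internal servers>
    name = sys.argv[1] if len(sys.argv) > 1 else "www.bbc.co.uk"
    internal = {s: query(s, name) for s in sys.argv[2:]}
    public = {s: query(s, name) for s in ("8.8.8.8",)}  # assumed public resolver
    for server, (status, ips, secs) in {**internal, **public}.items():
        print("%-16s %-9s %5.0f ms %s" % (server, status, secs * 1000, ips))
    ip_ok = tcp_reachable("8.8.8.8", 53)  # assumed known-good IP, no DNS involved
    print(classify({s: r[0] for s, r in internal.items()},
                   {s: r[0] for s, r in public.items()}, ip_ok))
```

Run it during the outage window with every internal DNS server listed; a SERVFAIL from the DCs next to a NOERROR from the public resolver points at the forwarder chain, while timeouts from the servers reached over the VPN point at the tunnel, which is exactly the split the thread was trying to prove.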
ASKER CERTIFIED SOLUTION
ASKER
so would you use a forwarder then on all DC's?
ASKER
would you apply it to all DCs?
ASKER
Thing is, it's intermittent; I don't need to restart DNS or delete the cache...
Your link is the same issue; it needs to be applied on all internal DNS servers, which usually means DCs. The DNS service then needs to be restarted.
ASKER
thanks
ASKER
Seems to be the only resolution.
Call the ISP when the issue happens so they could validate and ensure there are issues with their infrastructure. During the outage, connect a PC to the Internet link by removing it from the firewall. If issue persists then it is ISP, if not then it is firewall related.