Solved

Cannot login to NW5 after removing IPX

Posted on 2001-06-12
Last Modified: 2012-05-04
The only server in the tree is a NW5 with SP6a, Border Manager 3, SP3.

After removing the IPX binding on the internal LAN's NIC on the server, the clients can no longer log in to the tree. They are able to ping the server but the NW client (ver 3.3) cannot see the tree or server.

We've tried to add the server's name/IP to the nwhost file.
We've also tried to load slpda.nlm at the server and configure the Service Location tab at the clients.

Any ideas out there?
Question by:1610
10 Comments
 
LVL 6

Expert Comment

by:d50041
ID: 6182794
Did you check the protocol order on the clients?? Perhaps you need to have NWHOST listed first with IPX deleted as an available protocol.
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 6182813
Also - when installing the clients, you are prompted for the Protocol to use (either IPX or IP or both) - if you originally selected IPX without IP, then you will have to reinstall the client software and select IP.  Even if you have TCP/IP installed on the workstation, unless you told the NetWare Client to use IP, it won't be able to connect to a Pure IP environment.
0
 
LVL 1

Author Comment

by:1610
ID: 6184655
Thanks for your response!

The clients are installed with IP only.
I haven't checked the Name resolution order, but I think the client puts the nwhosts first as default, then it uses SLP...? (This problem occurs on a site far away, so I'm not able to check it.)

In both ways, shouldn't it work with the settings in nwhost or the settings in Service location?




0
 

Expert Comment

by:Jsrb01
ID: 6196350
Is your BM config allowing authentication of IP packets in? Unload IPFLT.NLM. Then try.
set tcp ip debug = 1 ... see what requests (if any) are getting to the private interface, and what it's doing with them.


0
 
LVL 1

Author Comment

by:1610
ID: 6209570
Jsrb01 - thank you for your response. I'm not any good on BorderManager or filtering of packets, but I will try what you suggest.

Is the filtering relevant, when I tell you that the server and the client are on the same LAN, in the same zone and no routers between them?

0
 

Expert Comment

by:Jsrb01
ID: 6219628
1610 - Yes, it could be relevant if you are authenticating via TCP/IP. BM (or NetWare for that matter) can be configured to filter ANY packets from anywhere, regardless of hops, etc. So if you sent an NCP login request to your private NIC, and filtering was enabled to prevent that, it would discard the packet, and the login request. It sounds like when you removed your private IPX interface binding, IPX was the only allowed protocol on your internal NIC/network.

You stated that your clients are all using IP only. And the problem occurred when you removed the IPX binding? Why were you running IPX?

Why are you running BM?







0
 
LVL 1

Author Comment

by:1610
ID: 6223453

This server is running strictly as a firewall / gateway in the network. The reason IPX was active was because of the ArcServe Manager. The earlier versions of ArcServe were operating on IPX, now it's able to use IP.

The users don't really have to log on to the server, only admin for administrative tasks.

I know the filters are set up to filter everything, with exceptions turned on. What packets do I need to allow?
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 6224693
Technically, ARCserve Manager (ARCserve 7 for NetWare) cannot use IP.  The reason I say this is because you can have a host entry in your nameserver for your ARCserve server and ARCserve Manager can't see it.  However, if you put the exact same entry into your HOSTS file on your local workstation THEN ARCserve Manager can see it.

Go figure.

0
 

Accepted Solution

by:
Jsrb01 earned 800 total points
ID: 6225877
The exceptions may already be there. First you need to confirm the problem is filtering. Have you unloaded IPFLT.NLM yet? If you do, and you are able to login, then filtering is most likely the problem.

If the below filters do not help, isolate the BM server on its own segment with one client. Then SET TCP IP DEBUG = 1 on the console, and try to login.

(This is what it looks like when I block my Soldier of Fortune server packets)
RECIEVE:pktid:17128 192.168.0.254->192.168.0.6 ttl:128 (UDP) UDP:Source Port:1038Destination Port:28910
(DISCARD)- Reason(Filtering)

You will need to add whatever it's filtering during your login to the exception list.

Personally, I would just add an exception that states - <ANY> traffic from your local (192.168.0.0-C) subnet is allowed to your private interface, and vice versa. Remember, the more filters you add, the more resources IPFLT will consume.

From TID: 10050135 (allowed packets nw5)
TCP 524 - NCP Requests - Source port will be a high port (1024-65535)
UDP 524 - NCP for time synchronization - Source port will be a high port
UDP 123 - NTP for time synchronization - Source port will be the same
UDP 427 - SLP Requests - Source port will be the same (427)
TCP 427 - SLP Requests - Source port will be the same (427)
TCP 2302 - CMD - Source port will be a high port
UDP 2645 - CMD - Source port will be the same (2645)




0
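An added example, not part of the thread or of any Novell tool: a short Python parser for SET TCP IP DEBUG = 1 console output in the shape shown in the accepted answer, reporting which filtered packets addressed to the server hit ports on the TID 10050135 list, so that exceptions can be added per port. The server address 192.168.0.6, the function names, the TCP line layout and all sample entries after the first are assumptions.

```python
import re

# Ports the answer quotes from TID 10050135 for NW5 over pure IP.
TID_PORTS = {
    ("TCP", 524): "NCP requests", ("UDP", 524): "NCP time sync",
    ("UDP", 123): "NTP time sync", ("UDP", 427): "SLP requests",
    ("TCP", 427): "SLP requests", ("TCP", 2302): "CMD", ("UDP", 2645): "CMD",
}

# Line shape copied from the post's sample (which spells it "RECIEVE").
PKT = re.compile(
    r"REC(?:IE|EI)VE:pktid:\d+\s+(\S+)->(\S+)\s+ttl:\d+\s+\((TCP|UDP)\)"
    r".*?Source Port:\s*(\d+)\s*Destination Port:\s*(\d+)"
)

def filtered_packets(log_text):
    """Yield (src, dst, proto, sport, dport) for packets discarded by filtering."""
    pending = None
    for line in log_text.splitlines():
        m = PKT.search(line)
        if m:
            pending = (m[1], m[2], m[3], int(m[4]), int(m[5]))
        elif pending and "(DISCARD)" in line and "Reason(Filtering)" in line:
            yield pending
            pending = None
        elif line.strip():
            pending = None  # any other verdict line: not a filtering discard

def needed_exceptions(log_text, server_ip):
    """Split filtered packets sent to server_ip into TID-listed and other ports."""
    login, other = {}, set()
    for _src, dst, proto, _sport, dport in filtered_packets(log_text):
        if dst == server_ip and (proto, dport) in TID_PORTS:
            login[(proto, dport)] = TID_PORTS[(proto, dport)]
        elif dst == server_ip:
            other.add((proto, dport))
    return login, sorted(other)

# Constructed sample; entry 1 is the post's, the TCP line layout is assumed.
SAMPLE = """\
RECIEVE:pktid:17128 192.168.0.254->192.168.0.6 ttl:128 (UDP) UDP:Source Port:1038Destination Port:28910
(DISCARD)- Reason(Filtering)
RECIEVE:pktid:17129 192.168.0.254->192.168.0.6 ttl:128 (TCP) TCP:Source Port:1040Destination Port:524
(DISCARD)- Reason(Filtering)
RECIEVE:pktid:17130 192.168.0.254->192.168.0.6 ttl:128 (UDP) UDP:Source Port:427Destination Port:427
(DISCARD)- Reason(Filtering)
"""
if __name__ == "__main__":
    print(needed_exceptions(SAMPLE, "192.168.0.6"))
```

Ports that come back in the first result are candidates for filter exceptions; anything in the second list was filtered but is not on the TID list and can be reviewed separately.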
 
LVL 1

Author Comment

by:1610
ID: 6226571

Jsrb01: Thanks, you cleared things up a great deal for me. I will try this, but I will not be able to for at least a week.

Then I will get back to you all.

Regards
Lene

0
