Solved

Weird IP Problem

Posted on 2002-05-29
13
288 Views
Last Modified: 2008-03-03
I am having a very strange problem.  I have a mail server with about 9 different email domains on it, each has its own IP address.  This server sits in the DMZ, with a PIX515 firewall in between it and our network.

On occasion, sometimes a couple of times a day, I lose connectivity to ONE particular ip address on the server from our network.  I can ping the ip address fine from the server itself, and I can ping any other bound ip on the server from my workstation, I just can't ping that ONE from my workstation (neither can any other pc on the network).  It is only one IP address, and a reboot fixes the problem.

This was happening on an NT 4.0 server, and since I wanted to upgrade it, I used this as an excuse to do that.  So, I put a clean install of Windows 2000 Server on it and rebuilt it.  Still does it.  I also tried binding that particular IP address to a different NIC; it didn't help.

Any ideas at all?
Question by:tduplantis
13 Comments
 
LVL 8

Expert Comment

by:scraig84
ID: 7041839
Is it one particular IP every time or is it random which IP on the server has the problem (but only one at a time)?  Is it possible there is a duplicate on the network somewhere or that this IP intersects with a DHCP scope?  Can you ping it from another machine inside the DMZ?
0
 
LVL 4

Author Comment

by:tduplantis
ID: 7041875
There are two servers on the DMZ. I checked the other one and there are no duplicate IPs on the DMZ.  But, the more I think about it, it sounds like that could be the problem; I just don't know where the other IP can be coming from.  Maybe the PIX, but there are no global address pools set up there.

I even tried moving the IP to a different NIC, so it's most definitely associated with ONLY that IP address.  I haven't tried to ping it from another server on the DMZ, but I have thought about it.  When it goes down, the whole building can't get or send mail, so I'm always too quick to reboot instead of trying that, heh.  I will next time though.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7041914
Yeah that would be good.  By pinging it with a local box we'll confirm that the problem is on the server (or local segment) rather than a firewall issue.

Are you seeing anything in the event logs?  You also may want to check the server's route table once the problem starts.  Also, after pinging from a different server, assuming it doesn't work, check that server's local arp cache (arp -a) to see if it at least is responding to arp requests or if the MAC is correct (if it's a duplicate, you'll often see the other device's MAC instead).

Another thing to check - is this a hub or switch on this segment?  If switch, is it manageable?  If so, it would be a good idea to look at the MAC/port table before and after the problem to see if that MAC is suddenly not in the table or on the wrong port.  I would actually check this BEFORE trying to ping it from anyplace.  On this note, I'm interested to see if a ping from another server works, if that possibly fixes the problem and the workstations will start to access it again.  Could be an ARP aging issue on the switch.
0
 
LVL 4

Author Comment

by:tduplantis
ID: 7042082
I will look into those things.  I have made a copy of the routing table and the ARP table on the server having problems.  I also made a record of the ARP table on the PIX.  I'm not so sure that if I can ping from the other server on the DMZ, that it rules out the firewall.  As a matter of fact, I'm thinking that I will be able to; it's stuff on the OTHER side of the PIX that can't ping this particular IP address when it starts to act up.

If the other server on the DMZ cannot ping it, that most definitely rules out the firewall.

Oh, these two servers are on an unmanaged 100MB hub too, so no luck there heh.
0
 
LVL 56

Expert Comment

by:andyalder
ID: 7043114
NT doesn't like that many IP addresses on a single box.  I thought the limit was 9, but yours is behaving as if 8 was the limit. Maybe the limitation is carried over to Win2k as well.

Why do you have a different IP address for each domain name on the SMTP server? It's a very strange thing to do.
0
 
LVL 4

Author Comment

by:tduplantis
ID: 7043131
Well, I could set up my mail server with one IP address and then use virtual domains.  Thing is, it was set up this way before I came on, and to change it now would mean everyone in the company would have to use a different username to log into their appropriate domain.  For example, my username is tduplantis; right now I can go to web mail (we use both web mail and POP3) and enter tduplantis, then my password.  If I changed it to use virtual domains, I would have to use tduplantis@rpc.net as my username.  The bosses don't want to do that for some reason.

I have another server with at least 18 IPs bound to it, and we are having no problems with it.  This is a Windows 2000 server also.
0
 
LVL 56

Expert Comment

by:andyalder
ID: 7043163
If it's outlook web access this might help, one IP address but multiple OWA sites using host headers so no need to change the usernames, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q261953
0
 
LVL 4

Author Comment

by:tduplantis
ID: 7043176
We are not using Outlook Web access.  The mail server we have is Imail 7.07.
0
 
LVL 56

Expert Comment

by:andyalder
ID: 7043223
Still applies: change each virtual site's properties from having a separate IP address to using host headers. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q149426 (ignoring that it's mainly about the GUI limit in NT 3.51) says it's a resource issue without saying what resource is imposing the limit. Might even be able to have more IP addresses if you use 1.1.1.1, 1.1.1.2 rather than 192.168.1.1, 192.168.1.2, etc.

http://www.ipswitch.com/support/IMail/guide/imailug7.1/Appendix%20C%20cmd_line3.html says just to say "-i VIRTUAL" instead of putting "-i <address>" in which suggests to me it sets it up using host headers for you.
0
 
LVL 4

Author Comment

by:tduplantis
ID: 7044815
Thanks Andy, I read the MS article; is that for NT 4.0 or Windows 2000 though?  I'm not sure Windows 2000 has the same resource limitation.  I don't believe this is a server issue.  I can ping the IP address fine from another server on the DMZ.  What I did notice is this.  The first paste is the ARP table from my PIX firewall when everything is fine....

inside 10.1.254.161 00e0.1e89.45d1
DMZ 192.168.1.64 0090.27ac.78aa
DMZ 192.168.1.142 0090.27ac.78aa
DMZ 192.168.1.133 0090.2798.9eb3
DMZ 192.168.1.143 0090.27ac.78aa
DMZ 192.168.1.73 0090.27ac.78aa
DMZ 192.168.1.128 0090.2798.9eb3
DMZ 192.168.1.130 0090.2799.8cd7
DMZ 192.168.1.131 0090.2799.8cd7
DMZ 192.168.1.132 0090.2799.8cd7
DMZ 192.168.1.129 0090.2799.8cd7
DMZ 192.168.1.134 0090.2798.9eb3
DMZ 192.168.1.135 0090.2798.9eb3
DMZ 192.168.1.136 0090.2798.9eb3
DMZ 192.168.1.137 0090.2798.9eb3
DMZ 192.168.1.67 0090.27ac.78aa
DMZ 192.168.1.72 0090.27ac.78aa
DMZ 192.168.1.75 0090.27ac.78aa
DMZ 192.168.1.74 0090.27ac.78aa
DMZ 192.168.1.66 0090.27ac.78aa
DMZ 192.168.1.69 0090.27ac.78aa
DMZ 192.168.1.70 0090.27ac.78aa
DMZ 192.168.1.146 0090.27ac.78aa
DMZ 192.168.1.141 0090.27ac.78aa
DMZ 192.168.1.145 0090.27ac.78aa
DMZ 192.168.1.140 0090.27ac.78aa
DMZ 192.168.1.139 0090.27ac.78aa
DMZ 192.168.1.68 0090.27ac.78aa

Here's what it looks like after it stopped working:

inside 10.1.254.161 00e0.1e89.45d1
DMZ 192.168.1.64 0090.27ac.78aa
DMZ 192.168.1.145 0090.27ac.78aa
DMZ 192.168.1.73 0090.27ac.78aa
DMZ 192.168.1.140 0090.27ac.78aa
DMZ 192.168.1.139 0090.27ac.78aa
DMZ 192.168.1.133 0090.2798.9eb3
DMZ 192.168.1.143 0090.27ac.78aa
DMZ 192.168.1.146 0090.27ac.78aa
DMZ 192.168.1.72 0090.27ac.78aa
DMZ 192.168.1.74 0090.27ac.78aa
DMZ 192.168.1.129 0090.2799.8cd7
DMZ 192.168.1.69 0090.27ac.78aa
DMZ 192.168.1.70 0090.27ac.78aa
DMZ 192.168.1.66 0090.27ac.78aa
DMZ 192.168.1.67 0090.27ac.78aa
DMZ 192.168.1.142 0090.27ac.78aa
DMZ 192.168.1.130 0090.2799.8cd7
DMZ 192.168.1.136 0090.2798.9eb3
DMZ 192.168.1.71 0090.27ac.78aa
DMZ 192.168.1.135 0090.2798.9eb3
DMZ 192.168.1.131 0090.2799.8cd7
DMZ 192.168.1.134 0090.2798.9eb3
DMZ 192.168.1.75 0090.27ac.78aa
DMZ 192.168.1.144 0090.27ac.78aa
DMZ 192.168.1.137 0090.2798.9eb3
DMZ 192.168.1.68 0090.27ac.78aa
DMZ 192.168.1.141 0090.27ac.78aa
DMZ 192.168.1.132 0090.2799.8cd7


Notice the 192.168.1.128 is missing?  Well, I manually added it and it worked.  Now I just need to figure out WHY this particular IP address is disappearing from my PIX's ARP table.
0
 
LVL 56

Accepted Solution

by:
andyalder earned 100 total points
ID: 7044968
It can still be the network card or its drivers that are at fault; remember NT/2k's default ARP cache time is 10 minutes, whereas the PIX has a 4 hour cache life. So if something went wrong with the server 20 minutes ago (let's assume it responded with a corrupt ARP reply), the PIX would still remember this but maybe not show it, but the other server would have cleared the corruption by now. You can write a little batch file to run on the other server that pings this address every few seconds to prove I'm wrong in thinking it's an intermittent server problem.

Interesting that it's the .128 address, which wouldn't be valid with a /25 subnet mask.

I guess you've tried the latest version of OS on the PIX, and presumably the label on the bottom shows "800-05622-02 A0" or greater. A different make of NIC in the server would be interesting as would reducing the PIX arp cache timeout.


Is it a pix on the outside of the DMZ as well or a single pix with 3 interfaces?
0
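To make the by-eye comparison of the two PIX ARP tables above repeatable, and to check andyalder's point about .128 being a subnet boundary under a /25 mask, here is an added Python example (not code from anyone in the thread) that diffs two PIX "show arp" snapshots and classifies an address against a prefix length. The sample snapshots are a trimmed subset of the tables tduplantis posted; a MAC change on an unchanged IP, the classic duplicate-address sign scraig84 describes, is reported as well.

```python
"""Compare two PIX 'show arp' snapshots: report IPs that vanished or appeared, and IPs
whose MAC changed. Also say whether an address is a subnet boundary for a prefix length."""
import re
from ipaddress import ip_address, ip_network

# PIX prints one entry per line: "<interface> <ip> <mac as xxxx.xxxx.xxxx>"
ARP_LINE = re.compile(r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
                      r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I)

def parse_arp(text):
    # {(interface, ip): mac}; anything that is not an ARP entry is skipped
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac = m.groups()
            table[(iface, ip)] = mac.lower()
    return table

def diff_arp(before_text, after_text):
    # Returns (missing, added, changed); changed entries are (iface, ip, old_mac, new_mac)
    before, after = parse_arp(before_text), parse_arp(after_text)
    missing = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = sorted(k + (before[k], after[k]) for k in before
                     if k in after and before[k] != after[k])
    return missing, added, changed

def boundary_role(ip, prefixlen):
    # 'network', 'broadcast', or None when ip is a usable host address under /prefixlen
    net = ip_network(f"{ip}/{prefixlen}", strict=False)
    addr = ip_address(ip)
    if addr == net.network_address:
        return "network"
    return "broadcast" if addr == net.broadcast_address else None

# Constructed sample: a trimmed subset of the two snapshots posted in the thread
BEFORE = """inside 10.1.254.161 00e0.1e89.45d1
DMZ 192.168.1.64 0090.27ac.78aa
DMZ 192.168.1.128 0090.2798.9eb3
DMZ 192.168.1.133 0090.2798.9eb3
DMZ 192.168.1.129 0090.2799.8cd7"""
AFTER = """inside 10.1.254.161 00e0.1e89.45d1
DMZ 192.168.1.64 0090.27ac.78aa
DMZ 192.168.1.133 0090.2798.9eb3
DMZ 192.168.1.71 0090.27ac.78aa
DMZ 192.168.1.129 0090.2799.8cd7"""

if __name__ == "__main__":
    print(diff_arp(BEFORE, AFTER))  # ([('DMZ', '192.168.1.128')], [('DMZ', '192.168.1.71')], [])
```

Feed it two full pastes of "show arp" taken before and after the outage; a non-empty "changed" list points at a duplicate IP on the segment, while a "missing" entry for a host that is still up points at the ARP cache or the NIC's replies.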
 
LVL 79

Expert Comment

by:lrmoore
ID: 7045424
Do you have an unrestricted license on your PIX?
What is the subnet mask you are using on the servers and on the PIX interface?
What kind of switch do you have between the servers and the PIX? Have you tried clearing the arp cache on that?
0
 
LVL 4

Author Comment

by:tduplantis
ID: 8543642
Sorry, I thought I accepted this long ago... I forgot what I did to fix it!!
0
