Solved

Intermittent Internet-Could it be the Router?

Posted on 2003-11-15
8
415 Views
Last Modified: 2008-03-03
I need some input!!

Problem :
Intermittent loss of internet access.

Observations :
With known ping-able sites, sometimes get the 4 replies, sometimes get destination host unknown, sometimes get 4 request timed out, sometimes get a couple replies followed by timeouts.  Same results, regardless if using names or ip addresses.

Traceroute reports the router x.x.x.10, then followed by all Request timed out.

After a 'rest', everything just comes back.

(sub-observation : makes it kinda tough to test when many locations are now rejecting pings and tracerts - is there a list of KNOWN good ping-able locations?)

Environment :
1 w2k server sp4, dns, active directory
~40 clients - mixed w2k prof., win 95/98/xp
HP procurve switches
Adtran TA850 router, pulling 4 channels for fractional T1 for internet access
Server IP x.x.x.1
Router IP x.x.x.10

Thought there was a dns issue, so reconfigured dns on server - actually a fresh install of w2k(also corrected some other issues)
Thought it might be the switch/hub, 'cause the fan was blown and it was running really hot - replaced.
Thought there might be problems with clients - reconfigured to make sure there weren't any conflicting settings.
Thought it might be cable from router to switch - replaced.
Thought it might be cable from server to switch - replaced.
Thought it might be my drinking problem - drank more.
Thought there might be a problem with the T1 providers circuit - requested a test, all tested ok.
I can ping to my public IP address from home (different provider) and never a problem with ping results (although, the tracert does time out, but I suspect that is because some router on the path is denying tracert requests ??????????????)
None of the above altered the situation for the better or worse - no change.

Tried to recall what could have possibly changed.  About a month ago, we took some kind of hit where we lost the T1 - voice and data, as well as the battery backup that the router, phone system, etc. is plugged into.  Router lost the configuration.  Provider reconfigured the router, and we had voice and data again.  I didn't notice the severity of the intermittent internet access - not really sure if it was an issue, or if it is indeed worse now.

All of the above things I tested/replaced/rebuilt, COULD have been the culprit, so I suppose the router COULD also be the culprit.  Does anyone feel, with any certainty, based on the above information, or am I just grasping at straws, thinking its the router - other than the fact it is the last, and as of yet only unreplaced, piece in the connectivity 'channel'?  Is it possible (again with any certainty) that the router could have sustained more damaged than was originally thought?  What about the firmware?

If not the router, what else could it possibly be?  I'm at my wits end - help.

Thanks
0
Comment
Question by:raprealm
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9756395
sounds like you have an infection of Welchia /MSblast on the inside network
Rebooting the router clears the cache and translations, until it gets overwhelmed again.

If you can, block outbound icmp and you will at least stabilize the network connections.

If the router is doing nat, look at the nat translations. If you see hundreds of entries from one host, you know that host is infected.
0
 

Author Comment

by:raprealm
ID: 9757479
further questions -

All clients are running norton av, are up to date and reporting clean.
With the clean install of w2k on the server, it doesn't seem likely that the server is infected does it?

I don't actually reboot the router - the internet connections (and the ability to ping successfully etc. just comes back on its own.

The router IS doing nat.

If I block outgoing icmp, I won't be able to ping - is that correct?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 9757493
Just being up to date on AV won't cut it. You need to check for MSBLAST
You won't be able to ping, but everything else will work. This is only temporary to see if this really is the issue. 1 or 2 infected systems send out thousands of icmp packets looking for more hosts to spread to. This overruns the router memory trying to create all those nat translations ...
If you have a hub, you can use a sniffer (http://www.ethereal.com) to see what is really going on in the network.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:raprealm
ID: 9757533
interesting ...........

Hasn't this virus been around awhile?  Doesn't NAV pick it up?
At night, most all (if not all) machines are shut off - still the same problem at the server, going out to the net.
I will check etherreal.com
If this ends up being a virus, I think I'll puke!
0
 
LVL 13

Assisted Solution

by:Gnart
Gnart earned 250 total points
ID: 9757573
I had a similar situation awhile back.  It drove me nut and I blamed it on the ISP's connection.  It turned out to be my router was failing (hardware problem - red face).
4/5 ping successful is somewhat a norm on a busy network.  Do you PING from inside the router to see if you have a problem with intermittent ping to a know site - if that occurs most likely the router need to be replaced or repair.  You should also check for virus by monitoring traffic on your router and also monitor packet drop and retransmitted for a trouble some router.

cheers
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9761398
Just a comment in terms of pinging things. I would suggest that when you are testing stuff, it you simply want to test your link, then ping the router at the other end of the link (assuming that it responds to ICMP echo requests). This avoids any potential for the packet loss to be anywhere else on the Internet in general.

If you must try pinging hosts on the Internet then try with a larger timeout (in windows, use the "-w" option) to make sure the pings are catually getting lost, not just taking longer than one second (the default timeout).
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now