Here's a hard one...

I have a small networking environment. The architecture goes as follows: I have an SBS 2000 along with other shared computers behind NAT, a PIX firewall and an ADSL modem connecting to the Internet.
Here's the problem... From time to time the SBS Server is getting disconnected from the MODEM (i.e. Ping from the Server to the modem will not give me any replies, while from any other workstation to the modem and to the server and vice versa will reply very well). As well, any incoming mail will not arrive at the final destination, which is the server.
In a normal situation, I have good communications between all the devices in the network (i.e. server, workstations and the modem) and emails are getting to destined users.

I'll appreciate any help...

PennGwyn Commented:
What do the PIX logs show?


Just an idea...

What are your port speed settings on all your equipment?  Just wondering if it might help forcing all the NICs at 100 Mbps Full Duplex, for example (i.e. on the server and modem if possible).

It might be a port speed negotiation issue.....

Cyber-Dude (Author) Commented:
Thank you Stuart for your reply...

Well, the speed inside the LAN is, naturally, 100mbps for all devices. Modem speed is at 10mbps but it is connected directly to the PIX Firewall (at the WAN leg). I'm not sure whether this is the source of the problem; I can Ping from any other station to the server, as well as to the modem and vice versa...
Also, the LAN is connected through a Switching system, thus eliminating any physical issues.

But I'll look into it.

Joseph Nyaema, IT Consultant, Commented:
I think the SBS server is busy handling other traffic when you are trying to ping.
Traffic could also be from a worm like Slammer if you are running SQL-Server.
You can use the monitoring tools in ISA to find out what is happening to your traffic in terms of applications and users.
You can also use Performance Monitor to monitor the traffic.

Also have you installed all the latest patches for Win2K, ISA, and SQL?

EmpKent Commented:
Place a hub between your ISA and your PIX and subsequently your PIX and router and run a sniffer application such as Ethereal to determine where the ICMP path is being terminated.

E.g.: Does the request leave the ISA server? Does it get to the PIX? Does the PIX forward it? Etc.

Also, check the IDS settings and the logs of the PIX. Perhaps IDS is enabled on the inside interface and it thinks there is an attack occurring from the ISA server. Since this behaviour is intermittent, there must be something changing in the environment.

Cyber-Dude (Author) Commented:
Thank you both Nyaema and EmpKent...

Well, I ran some monitoring tools. The only thing that was significant is that the server ran into some broadcast traffic, which was something like 0.05% of all traffic. This problem is being dealt with as we speak. Also, the peak network traffic utilization reached something like 25% of total network backbone. Most of the time it was 5% or less. If it was a virus, I think utilization would reach much higher and more frequent peaks. Also, keep in mind that if the server was too busy replying to Pings I sent from the server to the modem, then I would not be able to reply to Pings I sent from other NICs in the network to the server.

We are not running an ISA Server (SBS Standard Edition) due to the known consequences and implications. Leaving the IDS issue out of the question.

Sorry, I misread, but it does not eliminate the IDS possibility.

Foremost would be to determine where the ICMP cycle gets disrupted. It will determine which box is the culprit and significantly reduce your hassles.

Network utilisation is a nonissue if the other devices on the network continue to function normally.

Joseph Nyaema, IT Consultant, Commented:
Is the pix firewall configured to redirect port 25 to your SBS?
I have heard some issues about PIX firewalls to do with publishing servers and multiple connects.

If the above applies to you, then maybe you should check for IOS upgrades or issues on the Cisco site.

It might be something worth checking.

What model of the PIX do you have?

Cyber-Dude (Author) Commented:

We checked for any IDS system installation and add on running on the PIX Firewall and all was disabled. ICMP traffic for the outbound is disabled and for the inbound things looked normal. Any other suggestions? Thank you.


The PIX Firewall is indeed configured to redirect port 25 traffic to the SBS; as well, it is configured to use the IP address pool we got from the ISP and publish ONE IP address referring to the mail server. We will check your point there and we will publish our findings soon. Thank you.

Thank you for your reply. I'll look into it (ref. publish the Cisco log file).

Cyber-Dude (Author) Commented:
Here's an evolvement...
Our ISP provides us with a TCP/IP address pool. As well, we found out that ECI modems are potentially problematic in that kind of architecture. We will assemble an Alcatel modem soon and I'll let you know how it went...

Cyber-Dude (Author) Commented:
Thank you all for trying... The problem lay in the modem itself. It is an ECI modem which was not capable of handling an IP address pool and thus filled its buffer sooner than expected. We replaced the modem with an Alcatel modem and all problems were solved.

Once again, thank you all for helping...
Question has a verified solution.
