Solved

Request Timed Out - ICMP Traffic blocked - No Firewall

Posted on 2004-10-02
Last Modified: 2013-11-29
Hi,

I have a Win XP Pro PC on our corporate network which does not respond to pings or any other traffic initiated from any other PC. (Request Timed Out.)
Any traffic initiated from the PC itself works perfectly fine. It can surf, ping and the whole works.
At first it seems like a simple matter... "Must be a firewall!!! "
Not so fast!  :D
The user can send Instant Messages with Windows Messenger and I receive them, but if I type something back, it is just rejected.
I cannot NetMeeting into the machine, so the user called me with NetMeeting, and then shared his desktop (once again proving one-way communication).
When I connected to the machine I checked the built-in Windows Firewall setting - which is disabled.
I also suspected a common desktop firewall package named BlackICE - which is also NOT installed on the machine.
I did not find any other suspicious software, but I continued to do the following:
I started a continuous ping from my machine to the user's machine - Request Timed Out constantly.
Then I started to, one by one, kill all tasks in Task Manager until I was left with only the basic core Windows XP tasks... still no reply from the PC.
I suggested to the user that we will have to re-image his PC, which he agreed to, but I do not believe that this can be the only solution. Before I do that I want to get to the root of this problem.


I rebooted his PC while leaving the ping running on my machine, and while it's rebooting I get a total of 6 replies on the ping, before it is blocked again.... (probably just after networking was initialised and just before the stupid piece of software started interfering)

Any Ideas??

Thanks!!
Jacques
0
Comment
Question by:jacauc
21 Comments
 
LVL 16

Expert Comment

by:samccarthy
ID: 12207384
Are you pinging by name or IP??  Check the DNS on the machine in question and make sure all the networking settings are correct on that box.  Are they Static or DHCP?  Does this problem present itself when pinging from any other machine or instant messaging??  You may have an old DHCP address "stuck" in your DNS.  You can try using ipconfig /flushdns on both machines and clean out the DNS Cache on the DNS Servers.  Make sure the IP is correct in the A record.

Steve
0
 
LVL 3

Author Comment

by:jacauc
ID: 12207524

I'm pinging by IP address

I compared all the network settings again just now (with those on my machine), and they're all the same.
We are using DHCP yes.

When I ping from the "problem" machine everything works.... same with IM.
From any other machine I cannot ping or IM to this user.

I did the ipconfig /flushdns just now, as well as a release and renew.

IP is correct in A record.

Thanks!

P.S. You're welcome to get more technical as I am a network specialist myself
-- never seen this one before though..

;)
0
 
LVL 3

Author Comment

by:jacauc
ID: 12208035
I found another piece of strange software on the PC called "Plaxo" and uninstalled it. (and rebooted)
Actually thought for a second that this MUST be the culprit.

No luck.... Same scenario still prevails...   :(
0
 
LVL 3

Author Comment

by:jacauc
ID: 12208055
hehe... sorry for all the unnecessary posts... :P

Just wanted to say too:
I did run an updated Adaware SE and cleaned everything I found,
and the PC runs Symantec Antivirus 9.0 which is updated and didn't find any virus.

The more info the better I guess...
Thanks again!!!!
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12209324
Have you tried to reset your TCP/IP Stack? See these articles on how to do this:

· http://support.microsoft.com/default.aspx?scid=kb;en-us;299357&Product=winxp
· http://www.jsiinc.com/SUBJ/tip4700/rh4785.htm

You could also try:
1. Entering safe mode to see if the problem is the same (this would help in diagnosing the problem)
2. One more solution could be to repair the Windows installation using the OS CD.

Cheers.
0
 
LVL 3

Author Comment

by:jacauc
ID: 12210477
Thanks,

I will reset the IP stack to see what happens a bit later today.

On answering the 2 other suggestions:
1. I do not want to attempt to do safe mode as I cannot go to the PC itself very easily - it is on one of the oil rigs offshore and it's quite a process to book the helicopters to go there. (Also don't want to have the user do that over the phone.)
I might have a flight there sometime this week, and if so, I'll do the safe mode then.

2. I would not be able to repair the Windows installation with the CD, as we are supplied with customized (for the company's needs) Windows XP image CDs by MS that are used on all of the 77,000 PCs in the corporation. We do not have access to standard XP CDs and I doubt if it would work on our customized images anyway.


Quite a bit of a stitch hey?
:D

Thanks!
0
 
LVL 1

Expert Comment

by:jpierson_jerome
ID: 12210710
Are you absolutely sure that the Windows Firewall is not running?

0
 
LVL 3

Author Comment

by:jacauc
ID: 12210727
Yip :D
Ya, just double checked again.
0
 
LVL 3

Author Comment

by:jacauc
ID: 12210732
hehehe...
me again.
some more info:

-The PC is on XP SP1
-Still can't do the safe mode thing though   :(
 

-I did execute the IP Stack fix and here is the log for that:

reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{25115E84-9075-46FD-B920-87143931327B}\NetbiosOptions
added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{70EDEAC2-D171-4A57-AE00-37D012193ECE}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset   Linkage\UpperBind for PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&172A2BDD&0&40F0.  bad value was:
            REG_MULTI_SZ =
                DNE

reset   Linkage\UpperBind for PCI\VEN_10B7&DEV_5057&SUBSYS_5A5710B7&REV_00\4&8AA62D3&0&0021.  bad value was:
            REG_MULTI_SZ =
                DNE

reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                DNE

<completed>

0
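A way to triage a reset log like the one posted above for entries that touch inbound filtering or the adapter binding chain. This is an added example, not part of the original post; the sample log is a constructed excerpt in the same layout, the interface GUID is a placeholder, and the function names and finding labels are hypothetical.

```python
import re

# Constructed excerpt in the layout of the posted log; the GUID is a placeholder.
SAMPLE_LOG = r"""reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\UdpAllowedPorts
            old REG_MULTI_SZ =
                53
                123
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                DNE
<completed>
"""

# Values behind the XP-era "TCP/IP filtering" option; a list holding only "0" means permit all.
PORT_LISTS = {"TcpAllowedPorts", "UdpAllowedPorts", "RawIpAllowedProtocols"}
ENTRY = re.compile(r"^(reset|added|deleted)\s+(.+?)(?:\.?\s+bad value was:)?\s*$")

def parse_reset_log(text):
    """Return one dict per log entry: action, key, and any old values listed under it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"action": m.group(1), "key": m.group(2), "old": []})
        elif entries and line[:1].isspace() and "REG_MULTI_SZ" not in line and line.strip():
            entries[-1]["old"].append(line.strip())  # indented line = old value
    return entries

def triage(entries):
    """Pick out entries that touch inbound filtering or the adapter binding chain."""
    findings = []
    for e in entries:
        name = e["key"].rsplit("\\", 1)[-1]
        if name in PORT_LISTS and e["old"] != ["0"]:
            findings.append(("restrictive-port-list", name, e["old"]))
        elif name == "EnableSecurityFilters":  # old data is not logged for deletions
            findings.append(("filter-switch-present", name, e["old"]))
        elif e["key"].startswith("Linkage\\UpperBind"):
            findings.append(("binding-reset", e["key"], e["old"]))
    return findings

for kind, key, old in triage(parse_reset_log(SAMPLE_LOG)):
    print(f"{kind:22} {key}  old={old}")
```

A "binding-reset" finding means the log recorded a non-default upper binding on that adapter before the reset, which is worth identifying before concluding that nothing is filtering traffic on the host.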
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12211470
ok. and? did you get any change? Is it working now? any progress?
0
 
LVL 3

Author Comment

by:jacauc
ID: 12214705
Nothing.   :(
Same thing still happening.
0
 
LVL 3

Author Comment

by:jacauc
ID: 12217880
Increased the points for this question a little (now that I have some again)

;)
Cheers
J
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12220875
Just to say something ... not really related to the question itself.

Don't waste your points!!! You will not get a faster answer if you do it, anyway! Besides that, most of us are here to help and not really for the points!!!!

I feel better with myself when I do help someone ... Not when I get the points! Know what I mean??

Now, about your question ... no answer yet!!! If I get any idea, I'll let you know.

Rafael.
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12220939
So ... Is there any router in your network? Is there more than 1 subnetwork?
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12220942
What message are you receiving when trying to ping?!
0
 
LVL 3

Author Comment

by:jacauc
ID: 12224423
Yes, there's LOTS of subnets, routers and switches and VLANs on our network (EVERYTHING Cisco), but the way I narrowed it down to being a PC issue is the fact that I do get replies while the PC is rebooting... if it was a telecomms issue, then I'm pretty sure this wouldn't have happened? (and I can ping the PC right next to it)

When I ping: I just receive the usual "Request timed out." message
- As the subject of this topic explains

Still getting the exact same problem!

PLEASE help someone!

Cheers!
...and THANK YOU for the comments so far!

J

0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 12228256
Suggestions:

1. Type "ping /?" to see the syntax for this very useful command :). Now, try pinging the machine using different packet sizes, use a large timeout, etc.
2. Try pinging using both IP address and DNS name.

Let us know.
0
 
LVL 3

Author Comment

by:jacauc
ID: 12234453
Yup... One of the first things I tried.
ping -l 2 ipaddress -w 32000    - where ipaddress is the IP of the host giving problems

Still...
Request timed out.

We have a VERY extensive DNS/WINS/DHCP implementation so in my experience here, we have NEVER had any problems with DNS. As a matter of fact - to boast a little ;)  - we are currently on 436 days without an unscheduled server outage (with a total of almost 50 servers on site here)

hehe....
but ya... anyways... I have been doing networking for years, and I am aware to use IP addresses in these kinds of troubleshooting, to make sure it's not a resolution issue.

Thanks for the input anyway.
J
0
 
LVL 11

Accepted Solution

by:
rafael_acc earned 335 total points
ID: 12235791
Hi again!! OK ... I'm running out of ideas :)

1. Have you tried the pathping and traceroute utilities!?
2. Have you tried switching NICs, cables as a desperate last resort?
3. Maybe this is just another windows bug!!? :)

Anyway I have to agree with you that this is a very weird behavior ...
Cheers.
0
 
LVL 3

Author Comment

by:jacauc
ID: 12236722
Once again... the continued suggestions are appreciated.

:)
You learn something new every day... I have NEVER heard of/used the pathping utility before.. (hehehe... didn't even know it existed)
I tried 'pathping ipaddress' and I got the following results:

Tracing route to problempc [problempcipadress]
over a maximum of 30 hops:
  0  mypcname [myipadress]
  1  coreswitch [coreswitchipaddress]
  2     *        *        *
Computing statistics for 50 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           mypcname [mypcipadress]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  coreswitch [coreswitchipadress]
                              100/ 100 =100%   |
  2  ---     100/ 100 =100%     0/ 100 =  0%  mypcname [0.0.0.0]


Unfortunately I had to remove the actual PC names/IP addresses to maintain privacy.
All PCs on our network have public IP addresses and we have information protection policies that prevent us from disclosing information like this (...will get my ass fired)


Disappointingly, I cannot swap out the NIC, as all our PCs have onboard NICs.
Sorry for all the trouble so far... seems like this problem is a bit deeper than expected.

If by Friday I haven't been able to resolve the issue, I will have to go ahead and re-image the PC.

Strange Mysteries of Windows!!!

Cheers!
Thanks!
J
0
 
LVL 3

Author Comment

by:jacauc
ID: 12265407
I have decided to re-image this machine as I'm also running out of ideas.
It's working properly now.. so it was definitely a machine problem and not a switch/router issue.

Thanks for all the input/suggestions anyway!!

Gave the points to Rafael for his continuous effort to try and assist!

Thanks again!
Cheers
J
0
