  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409

Request Timed Out - ICMP Traffic blocked - No Firewall

Hi,

I have a Win XP Pro PC on our corporate network which does not respond to pings or any other traffic initiated from any other PC. (Request Timed Out.)
Any traffic initiated from the PC itself works perfectly fine. It can surf, ping and the whole works.
At first it seems like a simple matter... "Must be a firewall!!!"
Not so fast!  :D
The user can send Instant Messages with Windows Messenger and I receive them, but if I type something back, it is just rejected.
I cannot NetMeeting into the machine, so the user called me with NetMeeting, and then shared his desktop (once again proving one-way communication).
When I connected to the machine I checked the built-in Windows Firewall setting - which is disabled.
I also suspected a common desktop firewall package named BlackICE - which is also NOT installed on the machine.
I did not find any other suspicious software, but I continued to do the following:
I started a continuous ping from my machine to the user's machine - Request Timed Out constantly.
Then I started to, one by one, kill all tasks in Task Manager until I was left with only the basic core Windows XP tasks... still no reply from the PC.
I suggested to the user that we will have to re-image his PC, which he agreed to, but I do not believe that this can be the only solution. Before I do that I want to get to the root of this problem.


I rebooted his PC while leaving the ping running on my machine, and while it's rebooting I get a total of 6 replies on the ping, before it is blocked again.... (probably just after networking was initialised and just before the stupid piece of software started interfering)

Any Ideas??

Thanks!!
Jacques
0
jacauc
Asked:
jacauc
1 Solution
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator Commented:
Are you pinging by name or IP??  Check the DNS on the machine in question and make sure all the networking settings are correct on that box.  Are they Static or DHCP?  Does this problem present itself when pinging from any other machine or instant messaging??  You may have an old DHCP address "stuck" in your DNS.  You can try using ipconfig /flushdns on both machines and clean out the DNS Cache on the DNS Servers.  Make sure the IP is correct in the A record.

Steve
0
 
jacauc (Author) Commented:

I'm pinging by IP address.

I compared all the network settings again just now (with those on my machine), and they're all the same.
We are using DHCP, yes.

When I ping from the "problem" machine everything works.... same with IM.
From any other machine I cannot ping or IM to this user.

I did the ipconfig /flushdns just now, as well as a release and renew.

IP is correct in A record.

Thanks!

P.S. You're welcome to get more technical as I am a network specialist myself
-- never seen this one before though..

;)
0
 
jacauc (Author) Commented:
I found another piece of strange software on the PC called "Plaxo" and uninstalled it. (and rebooted)
Actually thought for a second that this MUST be the culprit.

No luck.... Same scenario still prevails...   :(
0

 
jacauc (Author) Commented:
hehe... sorry for all the unnecessary posts... :P

Just wanted to say too:
I did run an updated Adaware SE and cleaned everything I found,
and the PC runs Symantec Antivirus 9.0 which is updated and didn't find any virus.

The more info the better I guess...
Thanks again!!!!
0
 
rafael_acc Commented:
Have you tried to reset your TCP/IP stack? See these articles on how to do this:

· http://support.microsoft.com/default.aspx?scid=kb;en-us;299357&Product=winxp
· http://www.jsiinc.com/SUBJ/tip4700/rh4785.htm

You could also try:
1. Entering safe mode and seeing if the problem is the same (this would help in diagnosing the problem)
2. One more solution could be to repair the Windows installation using the OS CD.

Cheers.
0
 
jacauc (Author) Commented:
Thanks,

I will reset the IP stack to see what happens a bit later today.

On answering the 2 other suggestions:
1. I do not want to attempt to do safe mode as I cannot go to the PC itself very easily - it is on one of the oil rigs offshore and it's quite a process to book the helicopters to go there. (I also don't want to have the user do that over the phone.)
I might have a flight there sometime this week, and if so, I'll do the safe mode then.

2. I would not be able to repair the Windows installation with the CD, as we are supplied with customized (for the company's needs) Windows XP image CDs by MS that are used on all of the 77,000 PCs in the corporation. We do not have access to standard XP CDs and I doubt if it would work on our customized images anyway.


Quite a bit of a stitch, hey?
:D

Thanks!
0
 
jpierson_jerome Commented:
Are you absolutely sure that the Windows Firewall is not running?

0
 
jacauc (Author) Commented:
Yip :D
Ya, just double checked again.
0
 
jacauc (Author) Commented:
hehehe...
me again.
some more info:

-The PC is on XP SP1
-Still can't do the safe mode thing though   :(
 

-I did execute the IP Stack fix and here is the log for that:

reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{25115E84-9075-46FD-B920-87143931327B}\NetbiosOptions
added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{70EDEAC2-D171-4A57-AE00-37D012193ECE}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E72B531-C3EB-49F0-8EBA-88EFF4B215F9}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7F20C956-070E-4B25-B408-859F98ADABBD}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset   Linkage\UpperBind for PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&172A2BDD&0&40F0.  bad value was:
            REG_MULTI_SZ =
                DNE

reset   Linkage\UpperBind for PCI\VEN_10B7&DEV_5057&SUBSYS_5A5710B7&REV_00\4&8AA62D3&0&0021.  bad value was:
            REG_MULTI_SZ =
                DNE

reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                DNE

<completed>

0
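As an added example (not part of the original thread), a short Python parser for the reset-log format posted above that lists the entries touching TCP/IP filtering values or adapter bindings, together with their previous contents. The sample log is a constructed excerpt with a placeholder GUID, and the choice of which value names to review is an assumption.

```python
import re

# Constructed excerpt in the format of the reset log above (GUID is a placeholder).
SAMPLE_LOG = r"""
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                DNE

<completed>
"""

# Assumption: value names worth reviewing when inbound traffic is dropped
# (TCP/IP filtering settings and the adapter's upper-layer binding list).
REVIEW = ("EnableSecurityFilters", "TcpAllowedPorts", "UdpAllowedPorts",
          "RawIpAllowedProtocols", "UpperBind")

ENTRY = re.compile(r"^(reset|added|deleted)\s+(.+?)\s*$")

def parse_reset_log(text):
    """Return one dict per log entry: action, target, old (previous values)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            action, target = m.groups()
            # UpperBind entries carry a trailing ".  bad value was:" marker.
            target = re.sub(r"\.\s+bad value was:$", "", target)
            entries.append({"action": action, "target": target, "old": []})
        elif entries and line[:1].isspace() and line.strip():
            value = line.strip()
            if not value.endswith("="):  # skip the "REG_MULTI_SZ =" type line
                entries[-1]["old"].append(value)
    return entries

def review_items(text):
    """(action, value name, previous values) for entries that match REVIEW."""
    items = []
    for entry in parse_reset_log(text):
        hit = next((n for n in REVIEW if n in entry["target"]), None)
        if hit:
            items.append((entry["action"], hit, entry["old"]))
    return items

if __name__ == "__main__":
    for action, name, old in review_items(SAMPLE_LOG):
        print(f"{action:8} {name:24} previous={old}")
```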
 
rafael_acc Commented:
OK. And? Did you get any change? Is it working now? Any progress?
0
 
jacauc (Author) Commented:
Nothing.   :(
Same thing still happening.
0
 
jacauc (Author) Commented:
Increased the points for this question a little (now that I have some again)

;)
Cheers
J
0
 
rafael_acc Commented:
Just to say something ... not really related to the question itself.

Don't waste your points !!! You will not get a faster answer if you do it, anyway! Besides that, most of us are here to help and not really for the points !!!!

I feel better with myself when I do help someone ... Not when I get the points! Know what I mean ??

Now, about your question ... no answer yet!!! If I get any idea, I'll let you know.

Rafael.
0
 
rafael_acc Commented:
So ... Is there any router in your network? Are there more than 1 subnetworks?
0
 
rafael_acc Commented:
What message are you receiving when trying to ping?!
0
 
jacauc (Author) Commented:
Yes, there's LOTS of subnets, routers and switches and VLANs on our network (EVERYTHING Cisco), but the way I narrowed it down to being a PC issue is the fact that I do get replies while the PC is rebooting... if it was a telecomms issue, then I'm pretty sure this wouldn't have happened? (and I can ping the PC right next to it)

When I ping, I just receive the usual "Request timed out." message
- as the subject of this topic explains

Still getting the exact same problem!

PLEASE help someone!

Cheers!
...and THANK YOU for the comments so far!

J

0
 
rafael_acc Commented:
Suggestions:

1. Type "ping /?" to see the syntax for this very useful command :). Now, try pinging the machine using different packet sizes, use a large timeout, etc.
2. Try pinging using both IP address and DNS name.

Let us know.
0
 
jacauc (Author) Commented:
Yup... One of the first things I tried.
ping -l 2 ipaddress -w 32000    - where ipaddress is the IP of the host giving problems

Still...
Request timed out.

We have a VERY extensive DNS/WINS/DHCP implementation so in my experience here, we have NEVER had any problems with DNS. As a matter of fact - to boast a little ;)  - we are currently on 436 days without an unscheduled server outage (with a total of almost 50 servers on site here)

hehe....
but ya... anyways... I have been doing networking for years, and I am aware to use IP addresses in these kinds of troubleshooting, to make sure it's not a resolution issue.

Thanks for the input anyway.
J
0
 
rafael_acc Commented:
Hi again!! OK ... I'm running out of ideas :)

1. Have you tried the pathping and traceroute utilities!?
2. Have you tried switching NICs, cables as a desperate last resort?
3. Maybe this is just another Windows bug!!? :)

Anyway I have to agree with you that this is a very weird behavior ...
Cheers.
0
 
jacauc (Author) Commented:
Once again... the continued suggestions are appreciated.

:)
You learn something new every day... I have NEVER heard of/used the pathping utility before.. (hehehe... didn't even know it existed)
I tried 'pathping ipaddress' and I got the following results:

Tracing route to problempc [problempcipadress]
over a maximum of 30 hops:
  0  mypcname [myipadress]
  1  coreswitch [coreswitchipaddress]
  2     *        *        *
Computing statistics for 50 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           mypcname [mypcipadress]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  coreswitch [coreswitchipadress]
                              100/ 100 =100%   |
  2  ---     100/ 100 =100%     0/ 100 =  0%  mypcname [0.0.0.0]


Unfortunately I had to remove the actual PC names/IP addresses to maintain privacy.
All PCs on our network have public IP addresses and we have information protection policies that prevent us from disclosing information like this (...will get my ass fired)


Disappointingly, I cannot swap out the NIC, as all our PCs have onboard NICs.
Sorry for all the trouble so far... seems like this problem is a bit deeper than expected.

If by Friday I haven't been able to resolve the issue, I will have to go ahead and re-image the PC.

Strange Mysteries of Windows!!!

Cheers!
Thanks!
J
0
 
jacauc (Author) Commented:
I have decided to re-image this machine as I'm also running out of ideas.
It's working properly now.. so it was definitely a machine problem and not a switch/router issue.

Thanks for all the input/suggestions anyway!!

Gave the points to Rafael for his continuous effort to try and assist!

Thanks again!
Cheers
J
0
