Dual gateway routing problem (500 points)

Posted on 2006-03-25
Last Modified: 2010-03-19
Hi,

We have a leased line and want to move over to broadband.  At the moment the mail comes to the leased line ip address.  To test forwarding on the Adsl router, I pointed a domain to the adsl static ip with NAT to 192.168.10.201 and configured IIS on that server.

Leased Line
Cisco Router (5 static ip's with Subnet 248)
    |
Sonicwall Router with VPN and Firewall
192.168.10.3
    |
Intel 510 switch  ->  192.168.10.(20-30)
192.168.10.1
    |
ST Fiber Converter
    |
    |
ST Fiber Converter
    |
Intel 510 switch  ->  192.168.10.(40-50) + Servers 192.168.10.200 - 210
192.168.10.2
    |
Adsl Gateway Router (13 static ip's with Subnet 240)
192.168.10.203

Computers without NAT can change the gateway between Adsl and Sonicwall ok.

Since the gateway was changed on the server with NAT via the Adsl router, this server can no longer change its gateway back without preventing the entire network from reaching the 192.168.10.3 gateway.

I am not yet ready to move everything onto the Adsl network but want to be able to change between both for the short term at least.
I am thinking the different subnets may be part of the problem but the internal lan gateways are all default class c masks.

The only problem with leaving this server on the Adsl gateway is it prevents the Sonicwall VPN clients from reaching files on this server.  If I could solve this I wouldn't mind leaving the gateway on the Adsl.

Anyone any idea why I cannot change this gateway back?  I have left it for 20 minutes leaving the network down hoping something would update and start picking it up again, but leaving ping to the gateway 192.168.10.3 only ever gets an occasional reply and does not start routing properly again.

Any advice appreciated.

Jess
Question by:jessmca
 
LVL 8

Author Comment

by:jessmca
ID: 16288104
This is the minimum configuration, I am stuck with the fiber link between two buildings so between the two switches cannot easily change.

0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16288434
I'm not sure how much help I can be, but I think you can have multiple gateways enabled on a NIC in Win 2000, XP, 2003.  It's under advanced TCP/IP properties.
0
 
LVL 4

Expert Comment

by:chawcheskew
ID: 16312123
go to network settings, edit the properties of the network card, edit properties of tcp/ip, and go to advanced.  Add both 192.168.10.203 and 192.168.10.3 to the default gateway and you should see it start to work...  If that doesn't, post a comment back and I will try to talk you through setting up some routing.

0
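To make the "add both gateways" advice concrete, here is an added example (not code from the thread or from either poster) that models how a host with two default gateways actually chooses a route. Listing both 192.168.10.3 and 192.168.10.203 under Advanced TCP/IP settings does not make Windows use them side by side: a packet takes the most specific matching route, ties go to the lowest metric, and the second default gateway is only used once the first has been marked dead. The model also shows the one specific route that lets the server keep the ADSL box as its default while still answering Sonicwall VPN clients through the Sonicwall. The VPN client pool (192.168.20.0/24) and the public test address are assumptions for the example; the rest of the addresses are the thread's own.

```python
"""Model of default-gateway selection on a host with two gateways (added example).

Simplified model of the Windows selection order (longest prefix, then lowest
metric, then list order, with dead gateways skipped); it is not Windows code.
The VPN pool and the public address below are assumptions for the example.
"""
import ipaddress


class RouteTable:
    """Minimal host route table: longest prefix, then lowest metric, then list order."""

    def __init__(self):
        self._routes = []      # (network, gateway or None for on-link, metric)
        self._dead = set()     # gateways dead-gateway detection has given up on

    def add(self, network, gateway=None, metric=1):
        self._routes.append((ipaddress.ip_network(network), gateway, metric))

    def mark_dead(self, gateway):
        self._dead.add(gateway)

    def mark_alive(self, gateway):
        self._dead.discard(gateway)

    def lookup(self, dst):
        """Gateway the packet leaves through; None means deliver on-link."""
        dst = ipaddress.ip_address(dst)
        usable = [r for r in self._routes if dst in r[0] and r[1] not in self._dead]
        if not usable:
            raise LookupError(f"no usable route to {dst}")
        # min() keeps the first of equal candidates, so two equal-metric default
        # gateways resolve to whichever was listed first, as on Windows.
        _network, gateway, _metric = min(usable, key=lambda r: (-r[0].prefixlen, r[2]))
        return gateway


FIREWALL_GW = "192.168.10.3"     # Sonicwall: leased line and VPN terminator
ADSL_GW = "192.168.10.203"       # ADSL gateway in the new building
VPN_POOL = "192.168.20.0/24"     # assumed address pool handed to Sonicwall VPN clients


def server_with_both_gateways():
    """The server as the thread describes it: both default gateways, ADSL listed first."""
    t = RouteTable()
    t.add("192.168.10.0/24")                  # on-link LAN, no gateway
    t.add("0.0.0.0/0", ADSL_GW, metric=1)
    t.add("0.0.0.0/0", FIREWALL_GW, metric=1)
    return t


def server_with_vpn_route():
    """Same table plus one specific route so replies to VPN clients go back via the Sonicwall."""
    t = server_with_both_gateways()
    t.add(VPN_POOL, FIREWALL_GW, metric=1)
    return t


if __name__ == "__main__":
    plain, fixed = server_with_both_gateways(), server_with_vpn_route()
    print("LAN host                 ->", plain.lookup("192.168.10.50"))
    print("Internet                 ->", plain.lookup("198.51.100.10"))
    print("VPN client (no route)    ->", plain.lookup("192.168.20.7"))
    print("VPN client (with route)  ->", fixed.lookup("192.168.20.7"))
    plain.mark_dead(ADSL_GW)
    print("Internet, ADSL dead      ->", plain.lookup("198.51.100.10"))
```

The VPN case is the caveat worth taking from this: a VPN client arrives through the Sonicwall, but with the ADSL box as the server's only (or first) default gateway the reply leaves through the ADSL side, so the connection never completes. A specific route for the VPN client subnet via 192.168.10.3 fixes that without touching the default gateway, which is the situation the question describes.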
 
LVL 8

Author Comment

by:jessmca
ID: 16313027
Sorry for not posting sooner.

Rebooting the server sorted things again.  Any ideas how a Windows TCP problem could bring down the whole network?  It was as if it was drawing all traffic to itself, overriding the real gateways.?!?!?!

0
 
LVL 4

Expert Comment

by:chawcheskew
ID: 16314212
It would be helpful to be more specific about the problems you saw when you say "bring down the whole network"...  It likely is the DNS server for the network, and if systems could not communicate with it, and vice versa, it could have easily caused internet to no longer be accessible, and many network resources for reasons of location services (DNS) and authentication etc.
0
 
LVL 4

Expert Comment

by:chawcheskew
ID: 16314237
Once you have made changes, try pinging addresses on the local network, the firewall and the dsl box, and try pinging google.com.  See what the results are once having tried that.
0
 
LVL 8

Author Comment

by:jessmca
ID: 16324537
Hi chawcheskew,

When I said "bring down the whole network" I meant all ethernet traffic was unable to reach the internet.  Computers on the same switch could reach each other by pinging their IP address, but not see the IP address of any computer not directly connected to the same switch.  DNS obviously only worked on the machines that could communicate with the DNS server, and only for domains on the DNS server or in its cache.

Windows has screwed up :(
Imagine that :)

I just don't know what has caused it to, and may just hope that it doesn't happen again.

My advice: if something isn't working as it should and it doesn't make sense, reboot Windows.  Fixes so many problems.
0
 
LVL 8

Author Comment

by:jessmca
ID: 16324635
Even better, computers directly connected to the other switch which the gateway to the Internet was on could reach it ok when the switch with the dodgy Windows box on it was disconnected, but once linked again, it stopped computers from reaching the gateway.

So the windows box must have been reporting itself as the gateway for the whole network, possibly spamming the network with addresses from the full class c changing the switches arp tables and stopping things working.

If you can think of a better possible cause, you can have the points.  The problem was found pulling cables and testing pings to the gateway until I limited it to when one cable was plugged in again.  Restarting the windows box fixed the problem which has not returned thus far anyway.  Touch wood  :)
0
 
LVL 4

Expert Comment

by:chawcheskew
ID: 16325067
While it is supposed to be impossible, I have had one case where I had duplicate mac addresses, and that caused a similar situation, though, it sounds more like a layer 3 problem since the problem status changes as you change layer 3 configs.

What is the subnet mask used by the hosts on the two switches?  What about the DSL box, the Windows server, and the Firewall, what are their masks?

Can you check the windows server and see if it has any Routing enabled.  From what I see it doesn't seem that would be appropriate, but it is possible that routing could be enabled on the Windows box.

I'm still brainstorming and will get back to you.

p.s. excellent detail on the troubleshooting!  Thx!
0
 
LVL 8

Author Comment

by:jessmca
ID: 16325953
All masks are the same /24 on all devices.
No additional routing services on the windows box, it is used for file sharing and IIS is running for the website.

There is a cisco router connected directly to the other switch which is in a different building.  This is a leased line connection.
The switch with the servers is in the new building which has an Adsl modem / router connected via a Unix gateway / firewall box.

There is nat on the Unix box to the windows server that went wonky.  Since restarting, everything has worked ok so the problem could be recreated and will hopefully remain that way.  :)

As traffic in both buildings, which are connected via a fiber link between two Intel 510 switches, was affected immediately, I believe it was a layer 2 problem and duplicate MAC addresses would certainly fit with what happened.  How did this happen in your case?

If the windows server started reporting its ip address as the gateway, which was its old gateway as I had changed this to the Unix servers ip address.  If the switches ended up with both mac addresses to the same gateway ip?!?!?

It was the fiber link between the two switches going down that triggered this off.  I did try restarting the switch closest to the Windows server to no avail.

Would be interested in this duplicate mac address problem you experienced as this could be getting nearer to the answer. :)

Jess


0
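The two posts above both come down to one testable hypothesis: the gateway IP 192.168.10.3 was being answered by two different MAC addresses, one per switch. The added example below (mine, not code from the thread) is the check a practitioner would run when hosts on one switch can reach the gateway and hosts on the other cannot: collect `arp -a` from several machines and flag any IP that resolves to more than one MAC across the segment. One IP with two MACs is what a box wrongly answering ARP for the gateway, or a genuine duplicate MAC, looks like on the wire, and it is also the signature of deliberate ARP spoofing, so the same check belongs in any "gateway intermittently unreachable" investigation. The `arp -a` samples, host names and MAC addresses are constructed for illustration; the IP addresses are the thread's.

```python
"""Gateway ARP consistency check across hosts (added example, not from the thread).

Parses Windows `arp -a` output collected from several hosts and reports every
IP that maps to more than one MAC on the segment, plus which other IP each of
those MACs is legitimately known by (the likely identity of a rogue claimant).
The sample output, host names and MACs below are constructed.
"""
import re
from collections import defaultdict

# One Windows `arp -a` entry: "  192.168.10.3          00-02-b3-11-11-11     dynamic"
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\b",
    re.IGNORECASE,
)

# Constructed `arp -a` output, one sample per host. Building-1 hosts (behind the
# 192.168.10.1 switch) hold the firewall's MAC for 192.168.10.3; building-2 hosts
# (behind the 192.168.10.2 switch) hold the Windows server's MAC for it instead.
SAMPLE_ARP_OUTPUT = {
    "pc-bldg1-20": """
Interface: 192.168.10.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.3          00-02-b3-11-11-11     dynamic
  192.168.10.201        00-0e-0c-22-22-22     dynamic
  192.168.10.203        00-90-27-33-33-33     dynamic
""",
    "pc-bldg1-25": """
Interface: 192.168.10.25 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.3          00-02-b3-11-11-11     dynamic
  192.168.10.201        00-0e-0c-22-22-22     dynamic
""",
    "pc-bldg2-40": """
Interface: 192.168.10.40 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.3          00-0e-0c-22-22-22     dynamic
  192.168.10.201        00-0e-0c-22-22-22     dynamic
  192.168.10.203        00-90-27-33-33-33     dynamic
""",
    "pc-bldg2-45": """
Interface: 192.168.10.45 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.3          00-0e-0c-22-22-22     dynamic
  192.168.10.203        00-90-27-33-33-33     dynamic
""",
}


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def find_conflicts(tables):
    """tables: {host: {ip: mac}}. Return {ip: {mac: [hosts holding it]}} for every IP
    that is mapped to more than one MAC somewhere on the segment."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, table in tables.items():
        for ip, mac in table.items():
            seen[ip][mac].append(host)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def owners_of(mac, tables, exclude_ip):
    """Other IPs that any host maps to this MAC, i.e. who the MAC really belongs to."""
    return sorted({ip for table in tables.values() for ip, m in table.items()
                   if m == mac and ip != exclude_ip})


def analyse(samples):
    """Full report: {conflicting_ip: {mac: {"seen_by": [...], "also_used_by": [...]}}}."""
    tables = {host: parse_arp_table(text) for host, text in samples.items()}
    return {
        ip: {mac: {"seen_by": hosts, "also_used_by": owners_of(mac, tables, ip)}
             for mac, hosts in macs.items()}
        for ip, macs in find_conflicts(tables).items()
    }


if __name__ == "__main__":
    for ip, macs in analyse(SAMPLE_ARP_OUTPUT).items():
        print(f"{ip} resolves to {len(macs)} MACs:")
        for mac, info in macs.items():
            print(f"  {mac}  seen by {info['seen_by']}  also used by {info['also_used_by'] or '-'}")
```

On the constructed data the report singles out 192.168.10.3 and shows that the second MAC is the one every host already knows as 192.168.10.201, which is exactly the "old gateway address still linked to the server" scenario the thread is circling. A single `arp -a` on one host will not show this, because each host only holds one answer; the comparison across hosts on both switches is the point.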
 
LVL 8

Author Comment

by:jessmca
ID: 16325963
Could not be recreated I meant :)
0
 
LVL 4

Accepted Solution

by:
chawcheskew earned 2000 total points
ID: 16329097
When I did have the MAC issue it created intermittent problems, similar to what you had: pinging with multiple dropped packets etc.  I see why you suspect layer 2 problems, but I'm still drawn back to the layer 3 changes that triggered the issues.  You might check the switch logs for STP state changes.  We had some HP Procurve switches that caused weird issues with links and logical loops until LACP was turned off.  If you are not able to regenerate the same error, your OS may have made some odd error or something else.

Since layer 2 access is all that should be required to communicate across the fiber and to all machines in your network, I lean more towards a layer 2 issue now.  If that is the case, then a layer 3 change causing a problem like that would most likely be a fluke error.  Unless your switch logs turn up any information, I don't know what else to suggest.

regards,
0
 
LVL 8

Author Comment

by:jessmca
ID: 16330433
Hi chawcheskew,

I recall when changing network cards and allocating the same ip address, windows throws a warning that the ip address is linked to another card it has stored in registry somewhere.  While this card was not changed and never had the gateway ip address allocated to it, it used to be the gateway.

When the fibre link failed, it could no longer reach this ip address and perhaps in looking for somehow linked it to itself.  

Anyway, I think your last post is as close as we will likely get.

Thanks for your efforts, you deserve the points.

Jess
0
 
LVL 4

Expert Comment

by:chawcheskew
ID: 16332857
thanks for the points!
0
