Solved

IP address keeps bouncing

Posted on 2006-06-02
Last Modified: 2008-03-10
I’m hoping someone can point me in the right direction. The problem we are having is for some reason, the company’s IP is bouncing between our internal and external web addresses, and when that happens, the user at the workstation has to perform repair on the network connection to re-establish connectivity on the network.
For example, the internal address 10.6.2.9 to the webserver will shift to 67.X.X.X (which grants access into the company) at the workstation. After repair, it goes back to normal. This doesn’t happen to everyone at the same time, but will happen 5 or 6 times a day. On our internal network, you can’t come in from an external address, so the shift to 67 networks will stop Internet access.
A little background info: Outside world comes in via Cisco 3600 to PIX firewall; Windows 2003 server environment; three DNS servers; two WINS; seven sub-nets.
Extra info: recently moved FSMO roles Schema, Domain naming, PDC Emulator from one domain controller to another and ran DCPROMO to downgrade former boss server.
Question by:soothin
15 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16820177
sounds like you have multiple dhcp servers running on the same subnet...or a router using the dhcp helper command pointing to a dhcp server on another one of your subnets, or a managed switch not fully configured that has dhcp turned on.

NOTE: You could statically assign multiple subnets to a single nic on your webserver...so that it would serve requests to both subnets.

not really a best practices scenario though...lol


please be clear what you mean by ip addresses "shifting".

67.x.x.x............I think you mean 169.x.x.x   This means that a dhcp server could not be reached.  Check your dhcp server and see how many addresses are available.  You may need to adjust your lease times.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16820243
I'm thinking you have the same hostname resolving to the inside and the outside address on your DNS servers. where are your hosts supposed to get that 10.6.2.9 address? Is it possible that one DNS server has that one and another has the outside one?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16820260
But yes, please clarify- is the user's address changing, or is the web server's name resolving to a changing address?
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16820564
I agree with xuserx2000. It does seem like multiple DHCP servers.

Do one test. Pause your DHCP server for some time.

Then from one of the machines,


ipconfig /release
ipconfig /renew

See if it gets any IP address. If it does, then you have multiple DHCP servers running in your LAN.

And because of it, your client receives that IP address from it. Check your router or firewall, if they are running DHCP services.


0
 
LVL 3

Accepted Solution

by:
rickyclourenco earned 1200 total points
ID: 16820609
I agree with MikeBern, it sounds like a DNS resolution issue, and correct me if I'm wrong in understanding the situation

You are saying that, if I navigate to www.MYCOMPANY.com  it will point to 10.6.x.x, then for some reason it will eventually start navigating users to the 67.x.x.x address, which they cannot access, because it is the EXTERNAL address for the server, but when you repair their connection, it resolves to the INTERNAL address again 10.6.x.x.....let me know if this is correct

If the above is the case, you need to check ALL of your DNS servers, and make sure you have the proper HOST entries for 'www.MyCompany.com', in which case you will add a Host Entry for 'WWW' under Forward Lookup Zones -->  MyCompany.com --> add Host 'WWW' <---point that to the internal address...

Correct my understanding of the scenario if it is not correct...
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16820631
>On our internal network, you can’t come in from an external address

You know that you can fix that with source NATting, right?

Cheers,
-Jon

0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 800 total points
ID: 16822972
Also make sure your w2k3 nics are pointing to themselves as dns servers, and no other dns servers are entered. Your dhcp server should also only deliver the internal dns servers to its clients, and no external ones.
0
 
LVL 1

Author Comment

by:soothin
ID: 16844307
You guys are going to have to forgive me, I’m new to this company, and I’m still trying to understand the setup around here.

Both addresses are valid, the internal and external. Internally, users access the webserver via 10.6.2.9 (recorded in DNS as www and ftp).
The 67 network, external users access the website (not an entry in DNS)

You are saying that, if I navigate to www.MYCOMPANY.com  it will point to 10.6.x.x, then for some reason it will eventually start navigating users to the 67.x.x.x address, which they cannot access, because it is the EXTERNAL address for the server, but when you repair their connection, it resolves to the INTERNAL address again 10.6.x.x.....let me know if this is correct
----Yes this is absolutely correct and “www” under Forward Lookup Zones points 10.6.2.9

As rindi has described, after performing an ipconfig /all on my workstation, it looks as though a third dns server is pointing to an external address.
On the server itself, the DNS server has a third, but completely different external DNS server address bound. Also, the alternate DNS server has two completely different external IP addresses bound as DNS servers. Not sure why they’ve done this. Researching right now.
0
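The check soothin ran by hand with ipconfig /all can be scripted across workstations. The following is an added example, not code from any poster in this thread: it parses ipconfig /all output and reports every DNS server outside RFC 1918 space. The sample output, the 10.6.2.10/10.6.2.11 internal servers and the 203.0.113.53 external stand-in are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges; anything else handed to a client as a DNS server is suspect.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ipconfig /all` output (not from the thread). 203.0.113.53 is a
# documentation-range stand-in for the external resolver found on the clients.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mycompany.com
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.6.3.57
   Default Gateway . . . . . . . . . : 10.6.3.1
   DHCP Server . . . . . . . . . . . : 10.6.2.10
   DNS Servers . . . . . . . . . . . : 10.6.2.10
                                       10.6.2.11
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 10.6.2.12
"""

def dns_servers(ipconfig_text):
    """Return every address listed under 'DNS Servers', continuation lines included."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        key, sep, value = line.partition(" :")
        if sep:                        # a "Name . . . : value" line
            in_dns = key.strip(" .") == "DNS Servers"
            candidate = value.strip()
        else:                          # continuation, blank or adapter header
            candidate = line.strip()
        if in_dns and candidate:
            try:
                servers.append(ipaddress.ip_address(candidate))
            except ValueError:
                in_dns = False         # not an address: the list has ended
    return servers

def external_dns_servers(ipconfig_text):
    """DNS servers the client may query that are not on the internal network."""
    return [str(ip) for ip in dns_servers(ipconfig_text)
            if not any(ip in net for net in INTERNAL)]

if __name__ == "__main__":
    print(external_dns_servers(SAMPLE_IPCONFIG))
```
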
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16844409
You should setup DNS internally, do not use outside DNS servers anywhere.  Setup DNS on a MS Server (if not already done), then setup DNS forwarders, which forward any external requests to the External ISP DNS servers...this way you control all of the DNS, and then you will not have the issue of resolving to outside IP addresses etc......

http://www.petri.co.il/install_and_configure_w2k_dns_server.htm  <-- setup Windows DNS Server
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16846660
>which they cannot access, because it is the EXTERNAL address for the server

Once you turn on source NATting they can almost certainly access it - maybe you might want to do that so folks stop complaining, and *then* track down the actual source of the problem.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:soothin
ID: 16851656
Well, The--Captain, they have it set this way by design and they do not want to be able to come back in externally. Who am I to argue, I'm just a small HUB in a world of ROUTERS (just connecting a few gaps here).

12 hours ago, removed all external IP, and made sure the DNS servers pointed at themselves. So far, seems to be working perfectly. Just giving things time to settle down a bit before I shout JOY! JOY!
0
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16853078
Sounds good there Soothin, that should work.

BTW The-Captain...NAT'ing has NOTHING to do with this situation, and not being able to access the server via its EXTERNAL address....if you are internal to your firewall it will not let you navigate to its own outside address and then come back in....that's like saying you can VPN into your company from your desk at work....it just doesn't work, by design
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16855681
>it just doesn't work, by design

>NAT'ing has NOTHING to do with this situation

It may not be causing the problem, but it can certainly be used to work around it until the real problem can be addressed (although maybe it already has been)

ricky - just curious - do you know exactly why it doesn't work when you try to access an internal server from an internal client via a NATted external IP?

I do, and it makes you look very silly to say it just doesn't work by design.  

It doesn't work because the firewall translates the destination IP back to an internal IP, and then, when the server responds back (sourced from its internal IP), the initial client says "go to hell <internal IP>, I'm trying to talk to <external IP>".

The way to fix this is by turning on source NATting on the firewall (do you even know what source NATting is?)  Source NATting will re-write the *source* of the packets, so that when internal client tries to access internal server via its external IP, the firewall also translates the source of the packet to make it look like the firewall originated the packet - then the server tries to talk exclusively to what it thinks is the firewall, while the firewall merely reverses the translation again and sends the packets back to the client.

So, yes, it will work if you know how to configure your equipment properly - please stop asserting things are impossible just because you do not understand, or have only seen things done a certain way.

>that's like saying you can VPN into your company from your desk at work

I can.

Cheers,
-Jon

0
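The packet flow described in the post above, modelled as an added example that is not part of the original thread and is not firewall configuration. Only the 10.6.2.9 server address comes from the thread; the client address, firewall inside address and 203.0.113.80 external address are constructed, and the model assumes the server can route to the client without passing back through the firewall.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# 10.6.2.9 is the web server from the thread; the rest are constructed values.
CLIENT, SERVER = "10.6.3.57", "10.6.2.9"
FW_INSIDE, EXTERNAL = "10.6.2.1", "203.0.113.80"

def firewall_forward(pkt, source_nat):
    """Destination-NAT the external address; optionally rewrite the source too."""
    state = {"orig_src": pkt.src, "orig_dst": pkt.dst}
    src = FW_INSIDE if source_nat else pkt.src
    return Packet(src, SERVER), state

def server_reply(pkt):
    """The server answers the source address it saw, from its own internal IP."""
    return Packet(SERVER, pkt.src)

def firewall_return(state):
    """Reverse both translations for a reply that came back to the firewall."""
    return Packet(state["orig_dst"], state["orig_src"])

def client_accepts(request, reply):
    """The client only accepts a reply sourced from the address it contacted."""
    return reply.src == request.dst and reply.dst == request.src

def exchange(source_nat):
    """Internal client contacts the internal server via its external address."""
    request = Packet(CLIENT, EXTERNAL)
    at_server, state = firewall_forward(request, source_nat)
    reply = server_reply(at_server)
    if reply.dst == FW_INSIDE:         # only then does the reply cross the firewall
        reply = firewall_return(state)
    return reply, client_accepts(request, reply)

if __name__ == "__main__":
    for snat in (False, True):
        print("source NAT:", snat, exchange(snat))
```
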
 
LVL 3

Expert Comment

by:rickyclourenco
ID: 16858241
I didn't notice the SOURCE in front of NATING, that's the reason I responded to what you had said. I didn't want him to get thrown off of the true path of the solution by throwing NATING into the mix, it would just complicate the situation rather than just fixing DNS and DHCP, which was the most direct way to resolve the issue...

You are definitely a firewall expert compared to me, that's not my gig, so glad you knew all about source nating and VPN'ing from your desktop, if anyone needs to VPN from their desktop, into their own company...call The Captain ;-)

0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16859299
>if anyone needs to VPN from their desktop, into their own company...call The Captain ;-)

LOL!

Cheers,
-Jon
0
