Solved

lose outside connections to server

Posted on 2007-11-14
Last Modified: 2010-04-21
This is a Windows Svr 2003 /sp2.  It has dual NICs on two different networks.  The server is running as an intranet file server and as an internet/intranet mail server.  Remote desktop is enabled.  The server is connected to the internet via NIC 1 to a switch with the local network users; this is connected to a router and a cable modem.  All of the appropriate ports are forwarded on the router to send and receive mail and forward Remote desktop to the server.
The second NIC is going to a DSL router, again with all the correct ports forwarded.

Symptom: everything works fine, then suddenly the server will not accept traffic on one of the NICs from the web.  Local users can still use the network.  But I can use remote desktop from within the network to the server but not from outside.  I log on to the server on the other NIC and disable then re-enable the NIC in question.  Everything works again.

Puzzling thing: it does this with both NICs.
0
Comment
Question by:Tip32a
25 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20286779
Do you have default gateways set on both NICs? Windows does not deal well with that. Only one NIC can have a default gateway. Additional routes may have to be added manually to achieve your goals if this is the case.
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20286874
Robwill has it. If you could post the output of
route print
at the command line we can verify
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20286884
robwill has it right, we have an exchange server sitting on 2 networks, the nic that is sitting on the internet should have the default gateway set and if you have multiple subnets on your local network then you will need to setup routes to each of those on the server.  to check out your routing table use either netstat -r or route print.  also, keep in mind that when you add routes on the server you will want to use the -p (sets the routes as persistent) switch so that the routes are not lost when you reboot the server.  the above example is assuming you want internet communication with the server to go through the outside nic.
0
 

Author Comment

by:Tip32a
ID: 20286894
NIC 1 is                                                    
IP  192.168.50.3
SN 255.255.255.0
GW 192.168.50.1

DNS1 68.9.16.30
DNS2 68.13.16.30

NIC 2
192.168.25.200
255.255.255.0
192.168.25.1

Currently DNS is 192.168.25.1

0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20286974
is this correct:
Nic 1 is connected to your users and local area network
Nic 2 is connected to your DSL router and to the internet.
how are people accessing the server from the internet? via ports in the firewall that nic 2 is connected to? i'd guess 192.168.25.1.  another question is the subnet 192.168.50.0/24 the only inside network that is accessing the server or are there others?  a "route print" might help figure out some of this.
If the above is correct and you have NO other inside networks at your location, then you should simply remove the Gateway from Nic 1. again, this is only if internet traffic is coming in over Nic 2.
0
 

Author Comment

by:Tip32a
ID: 20286980
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 30 48 30 xx yy...... Intel(R) PRO/1000 EB Network Connection w
 I/O Acceleration
0x40003 ...00 30 48 30 zz aa...... Intel(R) PRO/1000 EB Network Connection w
 I/O Acceleration #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.25.1   192.168.25.200     10
          0.0.0.0          0.0.0.0     192.168.50.1     192.168.50.3     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.25.0    255.255.255.0   192.168.25.200   192.168.25.200     10
   192.168.25.200  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.25.255  255.255.255.255   192.168.25.200   192.168.25.200     10
     192.168.50.0    255.255.255.0     192.168.50.3     192.168.50.3     10
     192.168.50.3  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.50.255  255.255.255.255     192.168.50.3     192.168.50.3     10
        224.0.0.0        240.0.0.0   192.168.25.200   192.168.25.200     10
        224.0.0.0        240.0.0.0     192.168.50.3     192.168.50.3     10
  255.255.255.255  255.255.255.255   192.168.25.200   192.168.25.200      1
  255.255.255.255  255.255.255.255     192.168.50.3     192.168.50.3      1
Default Gateway:      192.168.50.1
===========================================================================
Persistent Routes:
  None
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20287000
the idea behind the previous post is that what a gateway does is tell the server where it should go to get to networks it is not connected to.  if you have 2 different nic's then the server can get confused as to which nic it should send responses to requests out of.  think of it this way, someone on the internet sends a packet to your server and it gets it on Nic 1, it is confused and sends the response back out Nic 2, the pc of the person on the internet is now confused as it just received a packet from an unknown source and ignores it.  by getting rid of the gateway on Nic 2 you are telling the server that all traffic destined for anything its not directly connected to (i.e. 192.168.25.0/24 and 192.168.50.0/24) should be sent out Nic 1 to the router 192.168.50.1.
hope that makes sense,
Shane
0
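Added example (not part of any post in this thread): a Python sketch that parses Active Routes rows copied from the route print output above and flags default routes that tie on the lowest metric across two NICs, the condition the experts point to. The function names and the outside test address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Active Routes rows copied from the route print output posted in this thread.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0     192.168.25.1   192.168.25.200     10
          0.0.0.0          0.0.0.0     192.168.50.1     192.168.50.3     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.25.0    255.255.255.0   192.168.25.200   192.168.25.200     10
     192.168.50.0    255.255.255.0     192.168.50.3     192.168.50.3     10
"""

def parse_routes(text):
    """Parse route rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and wrapped interface names
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def ambiguous_defaults(routes):
    """Default routes that tie on the lowest metric across different NICs."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return []
    best = min(r[3] for r in defaults)
    tied = [r for r in defaults if r[3] == best]
    return tied if len({r[2] for r in tied}) > 1 else []

def candidates(routes, dest):
    """Longest-prefix match, then lowest metric. More than one result means
    the table does not pin traffic for dest to a single NIC."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return []
    longest = max(r[0].prefixlen for r in hits)
    hits = [r for r in hits if r[0].prefixlen == longest]
    best = min(r[3] for r in hits)
    return [(gw, iface) for _, gw, iface, m in hits if m == best]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("tied default routes:", ambiguous_defaults(table))
    print("paths to an outside host:", candidates(table, "203.0.113.10"))
```

Run against the table as posted, both gateways come back as equally good paths to an outside host, while hosts on 192.168.25.x and 192.168.50.x each resolve to a single directly connected NIC.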
 

Author Comment

by:Tip32a
ID: 20287011
Initially the way the server was meant to be configured is as follows.
NIC1 was meant to be enabled 24/7/365. It connects the server to the internet, the local staff to the server on the intranet, and has a commercial firewall router.

NIC2 was meant to temporarily connect a second network, the "student" network, so the teachers can do grading after hours.
Somehow the staff wanted the student network connected more often.

So with all else being equal I would like NIC1 to be the one left on and to connect to the web, pass mail traffic etc.  NIC 2 would be connected as needed to allow the second network to access the files on the server.

0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20287023
from your route print you only seem to have the 2 networks
nic 2: 192.168.25.0/24
and
Nic 1: 192.168.50.0/24
if internet traffic is coming in over the DSL Router on Nic 2, then simply remove the 192.168.50.1 and you should no longer see problems where users can't connect.
0
 

Author Comment

by:Tip32a
ID: 20287030
Shane,
I do understand.  I think!  So on the "other" NIC do I set the gateway to the gateway of the "primary internet" NIC or leave the gateway blank?

Tom
0
 

Author Comment

by:Tip32a
ID: 20287057
I removed the gateway 192.168.50.1 and will wait to see what happens.

It usually only takes a few hours before it dies.  Unfortunately!  If it does die now I have no way back in.
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20287058
on the network 2 Nic ( the one with temporary use) remove the default gateway then you can put in a route on the server to get to that network specifically out NIC2 and all other internet traffic flows out NIC 1

route add <remote IP address> mask 255.255.255.255 192.168.25.1 metric 1

and if it works the way you want make it persistent by putting a -p at the end.
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 20287075
Windows should have warned you about having multiple gateways, so I doubt that it is news.
So after removing the gateway address from NIC2 by deleting '192.168.25.1' the warnings will be your last.

But it doesn't discount incorrect drivers, poor network configuration or a 19" error (User error)

Students are not malicious are they?
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20287089
i missed your 2nd to last response before i posted... is the student network accessible from the internet?  i think i might have gotten confused as to which nic internet traffic is coming in from, as it can't come from both. yes, simply remove the Gateway address 192.168.25.1 from the "temporary" nic 2, leave it blank.  this will tell the server that any time it has to talk to users on the internet that it must go through 192.168.50.1 and if it needs to talk to someone on 192.169.50.0 just send it out the nic 1 and if it needs to talk to a pc on the 192.168.25.0 network to just send it out NIC 2 with no gateway.
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20287106
sorry wingatesl but your route add statement is a little off, just having an ip and a subnet on the interface will add an entry for that network into the routing table, and if he did enter what you had above, the subnet 255.255.255.255 would have told the server that in order to get to the ONE <remote ip address> to go to 192.168.25.1.  a mask of all 1's (255.255.255.255) tells the server you're talking about one host, not a network.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20287114
>>"NIC1 was meant to be enabled 24/7/365 it connects the server to the internet,  the local staff to the server on the intranet"
If this is the case you should leave NIC 1 as is.
The student/s or users connecting from NIC2 will be fine without any additional routes, assuming they are all on the same subnet as NIC 2 (192.168.25.x). No gateway should be added to this NIC.
The clients that are connecting to NIC 2, it sounds as if they have access to a different DSL connection. If so assign them that router's LAN IP as their default gateway, but do not assign it to the server's NIC.

One other point. Do you have any slow name resolution issues? The ISP's DNS as a rule, should not be listed in the NIC configuration, only your internal DNS servers IP's should be added. The ISP's DNS should be added to forwarders in the DNS management console only.
0
 
LVL 2

Accepted Solution

by:
cshanea0 earned 500 total points
ID: 20287125
hit submit before i meant to, Tom, you should not need a route add statement unless you have other inside networks off of the 192.168.25.0 that you will need access to and it doesn't sound like you do.  simply remove the one gateway address and leave it blank from the interface config. that should do what you need.

Shane
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20287134
@cshane : The route was correct for my intent. A single host on the other end of the 25.1 router. A VPN connection, etc. It was meant to be an example only. If the other network is directly connected to the NIC then no gateway or route is required. That was so he could use the Other connection for access to specific IP addresses.
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20287140
As an example

    ISP1------server------isp2------------(1.1.1.1 remote site requiring connectivity)
the route is correct
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20287163
ah, ok, i see where you were going, on my implementation we have 18 branch locations, each with their own subnet, so i have 18 routes added, one for each additional subnet on the inside of my network so i need full class c subnets on each route, not specific hosts.  sorry just looking at it from my own little world.   ;-)

Shane
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20287167
No dynamic routing? EIGRP, RIP?
0
 
LVL 2

Expert Comment

by:cshanea0
ID: 20289271
yes we're using eigrp but the server doesn't listen to the eigrp broadcasts.  so i had to setup static routes on the server. or was that question for tom?
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20289276
no it was for you
0
 

Author Closing Comment

by:Tip32a
ID: 31409281
Shane,  Thank you for the quick and accurate response.  The server has been up for longer now than it had been in some time.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20290682
RobWill: "default gateways set on both NIC's"
wingatesl: "Robwill has it"
cshanea0: "robwill has it right"
RobWill: "The student/s or users connecting from NIC2 will be fine without any additional routes"

Thank you Tip32a  :-(
--Rob
0
