TCP/IP connections semi-broken - many symptoms - Possible damage by CISCO VPN Client

Once upon a time, before I installed the Cisco VPN Client on one of our LAN computers running Windows XP SP2, that computer could be used to: browse the internet with IE6 and Firefox, be accessed by RDP over the local LAN, and otherwise access network resources.  Then, for reasons we are not clear on, the CISCO VPN client ceased working, the internet sites could not be accessed by IE and Firefox, and other computers on the LAN could not connect to the computer.  In addition, it will not respond to Ping by IP address and it certainly will not respond to Ping by name - the name is not resolved and we see "unknown host".  We have uninstalled the Cisco VPN Client completely. This made no difference. We have used both DHCP and static IP addressing - no difference.  When we ping various websites, such as www.fool.com, we get the name resolved, but no replies (request timed out).
--- It looks to me like there is something blocking selected, and maybe arbitrary, network and internet  access which involves routing and blocks all avenues for external activity to access and control the computer.  
---
Other computers on LAN are not affected - problems are local to the one computer.
---
What do I need to do to recover network and internet accesses on this computer?
grant-ellsworth Asked:

Netman66 Commented:
Try this first (from a CMD prompt as Administrator):

netsh int ip reset c:\reset_ip.txt

Reboot the PC and see if it works.  If not, proceed with the next step:

Again, at the CMD prompt as Administrator:

netsh winsock reset

Reboot.

Let us know if everything is fine.
0
grant-ellsworth Author Commented:
Nice try, but no cigar. I ran "netsh int ip reset ...".  It made the situation even worse.  As follows:
Before I ran the utility, I could get to other machines on my LAN using the NETBIOS names and map drives, etc.; after the ip reset, I can't even do that.  I can ping to internet locations by fqdn and ip addresses, but the browser won't load the pages - browser is IE6 and Mozilla Firefox.  From the network, pinging the computer fails - both by ip and by netbios name.

Note: "netsh winsock reset" was not recognized as a command. Also, for reference, the "netsh int ip reset" changed static ip to dhcp - fortunately, we do have dhcp server.

Now, for the very interesting part:  I booted the machine into safe mode with networking.  Now, all those broken functions seem to work - that is, I can now map a network drive, ping the victim from the network by name and by number.

Any clues on what to look for or what to do now?

This looks like whatever the original ciscovpn client did to isolate and strangle communications on this machine got left behind when I uninstalled the ciscovpn client.
0
trinak96 Commented:
Try this from Cisco site, manual uninstall, including registry entries and services.
http://www.cisco.com/warp/public/471/vpn3K_uninstall.html#un
0
Netman66 Commented:
Yes, the "int ip reset" would put the stack back to defaults (DHCP).  This is easily changed and wasn't something worth mentioning.

The Winsock Reset should have worked - these are XP Sp2 machines, correct?

You can try: netsh winsock reset catalog

It shouldn't need the entire command, but let's see.

0
grant-ellsworth Author Commented:
Well, the DHCP setting was no big deal.  It's just that I wasn't expecting it.
I erred! The computer with the issue is WinXP SP1 - definitely - but with a lot of patch ups. The error message for the winsock reset was: command not found: winsock reset.
0
Netman66 Commented:
Yeah, for SP1 it's a manual thing.

Follow this:

http://support.microsoft.com/kb/811259

Use the section for XP without SP2.
0
grant-ellsworth Author Commented:
For trinak96: Manually uninstalling the cisco vpn client remnants did not help.  Also, not all of the pieces referred to were left lying around; but some were there and all remnants were deleted.
0
grant-ellsworth Author Commented:
For netman66: I followed the instructions you referred me to for re-installing tcp/ip on winxp sp1.  It didn't make any difference.  I also found that neither netdiag nor msinfo32 reported any problems with the winsock stack before I did the re-install.
------------------------------- Reviewing the situation --->
Currently we can do the following from the affected computer:
1.  ping various internet sites by name and get replies
2.  connect using netbios names to resources on the LAN
BUT
1.  We cannot bring up a website in a browser - it times out and we see "page cannot be displayed"
2.  Ping the affected computer from the network - it's always request timed out --- except for a few moments after reboot
3.  Establish a netbios connection to map drive or other resources on the affected computer

If I boot in Safe Mode, I have almost normal access to network and internet resources from the affected computer; and I can ping / get a reply from the affected computer
=============
I tried an experiment:  I disabled the RUN key and all the startup groups and rebooted --- it did not change the behavior.  So, I conclude that there is a driver which is not loaded in safe mode which is screwing things up in normal mode.  Any clues for this one? Or am I chasing a ghost?
0
Netman66 Commented:
In Device Manager, on the View menu select "show hidden devices"

See if there are any hold-overs from the Cisco VPN client in the Networking stack.

Other than MTU size, I can't see that this Cisco client caused all this problem.

0
grant-ellsworth Author Commented:
Maybe the vpn client is an unwitting participant ...

Device manager hidden devices showed nothing I could connect with the Cisco VPN Client - and I did recognize what most of the others were.

Maybe I'm barking up the wrong tree in this zone ... but ... some questions come to mind that may be germane to fixing this vexing headache:

1.  Does the VPN Client mess with the Security Policies - if so, which ones?
2.  Is there a Policy that would prevent the browser from retrieving web data - i.e. loading websites?
3.  Is there a Policy that would prevent the local computer's IP stack from responding to a Ping?
4.  Is there a policy that would prevent the local computer browser from resolving netbios names on the network?

What I see happening is this:  I cannot get the computer to ping another computer by its netbios name - i.e. ping server; however I can ping the ip of server - i.e. ping 192.168.0.2.

But, when I boot into Safe mode, I can ping the other network machines by name and use the browser to access the internet websites.

When I've booted this computer in safe mode, I can ping it from other machines and get a reply - by name and number.  When I've booted this computer in "Normal" mode, I can ping and get reply from it only very briefly after boot.

If this isn't the best zone to pursue this problem, can you suggest where I should file the question and, perhaps, how I should frame the question now?
0
Netman66 Commented:
The only other thing I can think of is IPSec policies.

You can check the NIC to see if Filtering is enabled.
Alternately, you can disable IPSec altogether to see if that works.
Stop and Disable the IPSec service in Services.

0
grant-ellsworth Author Commented:
I checked the NIC Security settings. There were none.  Then I tried enabling ipsec with no blocking specified.  That didn't help.  Then I stopped the IPSEC service and put it on manual status, rebooted the computer - that didn't help.

Seems like we're stumped.  Where do we go from here?
0
Netman66 Commented:
You could try running:

SFC /scannow

Have your CD ready.  This will do a system check and repair anything obvious.  The CD you use must be one at the current patch (SP1) level.

Other than that, I can't think of anything I've neglected.  If you have an XP Pro SP2 CD you could run an inplace upgrade (winnt32.exe) and see if this fixes things.

0
Netman66 Commented:
And a shot in the dark here, but change the patch cable and port that it's plugged into.

Do you have any VLANs configured and perhaps this is plugged into one that has no routing?
0
grant-ellsworth Author Commented:
Re: SFC  /scannow - I was sorely tempted to do this.  But I have enough patching on top of the sp1 baseline that I wonder what will be destroyed in the process.  I think I have an xp sp1 distribution CD which I could try if I can get past the angst of too much destruction.

I also am strongly tempted to apply the sp2 upgrade - I know I have that CD - my angst here is similar to the above - that is, will I be overlaying a problem with another making it even more difficult to fix without going for the ultimate ... FDISK
-----------------------------------------
The fact that this computer "works" when I boot into safe mode and responds to pings for a few moments when booting into normal mode (before the responder completely shuts up) tells me that there are some sets of params and items being loaded in normal mode that are not loaded in safe mode.  Now if we could only know which ones affect the functions that don't work when the computer is booted into normal mode ...
-------------------
I did the shot in the dark 2 days ago, and I don't have any VLANs.
-------------------
Let's take this one step at a time:

1.  How can I prevent the Winxp sp1 computer from replying to a ping when I don't have IP Sec filtering enabled and IPSEC service running?

2.  How can I prevent IE from browsing to and presenting web pages while not using the restricted sites?

3.  How can I prevent the computer from identifying Netbios resources for use  with network browsing?
(no use of ipfiltering)

All this on computer with no firewall.
0
Netman66 Commented:
Check the HOSTS file to ensure it's generic.

Ping the loopback (127.0.0.1) to ensure the IP stack is indeed working.

Recheck all  your network settings - no ISP DNS allowed!  Make sure GW and Subnet Mask are correct.

Run Proxycfg from a CMD prompt.  If it does not state direct access, then rerun proxycfg -d.

Let me know.
0
grant-ellsworth Author Commented:
Hosts file was very generic.
LMHOSTS had one entry - proved to be necessary to access our server from this computer.
Network settings are correct.  Worked in safe mode without issue.
Proxy_Type_Direct displayed.

Next?
0
Netman66 Commented:
Buy a MAC?? LOL....

Not sure.  Any way to remote this machine?

0
Netman66 Commented:
How about swapping out the NIC for a different one/brand?

0
grant-ellsworth Author Commented:
Alternate nic: I don't have any spare nics and this <expletive deleted> dell box is outa slots.

Yes - you can get to it via a remote tool if I can get it launched and started while the machine is in safe mode.  However, I think we've really filleted and flayed the donkey.

If I can find the drivers for the installed NIC, I could try remove/reinstall for the NIC; but I don't think that'll help since the symptoms clearly indicate that something is getting launched in normal mode which is goosing the several functions I described.  Because all these items have something to do with connectivity at the normal windows desktop and because the ciscovpn setup I had to use was intended to totally block all network and internet access to this computer and by this computer except thru the VPN, I suspect that there is either a renegade left over from the cisco vpn or a near clone of one.  It's the only thing that makes sense.

Unless you and some of our colleagues here have some additional insight and/or suggestions to offer, I'm about ready to force feed the dreaded winxp pro sp2 down this throat and see if this fixes the problem.  Or, I could break off part of the issue - like the bizarre IE behavior - and post it in the IE zone.

What's your take on this approach?
0
Netman66 Commented:
You could attempt a System Restore prior to the VPN client getting installed.

You could also use MSCONFIG to weed out what's running at startup that maybe looks promising.

If you can determine through that tool what's causing it, then tracking it down becomes easier.

0
grant-ellsworth Author Commented:
Sadly, I don't have backups of this machine to support a system restore.

MSConfig may help, but I eradicated the startup groups and the RUN key contents.

I'll give it another look-see and let you know the outcome.

Somewhere between CISCO and MS there's an answer - but both of those thievin' pirates charge too much for pro help with their fragile bugware.  The additional aggravation is figuring out what category and what language/terminology to ask the questions in.
0
Netman66 Commented:
Do you have a firewire adapter listed in Device Manager?

If so, disable it temporarily.
0
grant-ellsworth Author Commented:
The computer is relatively unadorned. There is no firewire adapter.

I had an idea - what do you think of giving this thing a bit of the hair of the dog that may have bit him?  What if we  re-installed the <expletive-deleted> ciscovpnclient and got it connected with a real vpn and then disconnected it properly.  It might reset the params to what they ought to be.  

What do you think?  

Cisco hasn't documented what it pees on to set up its <double-expletive deleted> virtual adapter and what other params it changes when it goes into service and isolates the local computer from the lan and the internet.  Is there a way to get CISCO to cough it up?
0
Netman66 Commented:
I was thinking about that.  You could install the client cleanly, then remove it properly from Add/Remove.

The only thing I recall this client doing is changing the MTU to 1300.  Other than that, it has all its own stack.

It's worth a shot.

0
grant-ellsworth Author Commented:
The voodoo report:  

1. I re-installed the vpn client and rebooted
2. I connected to the vpn for which I had to install it originally, then disconnected and exited the vpn client
3. I stopped the CISCO service and made it manual startup (it had mucked up something else when I let it run when I really didn't need it - but it was long enough ago that I've forgotten what it was).
4. Then, and only then was I able to get netbios connections to my lan computers, responses from pinging them by Netbios name, and connect to internet sites.
5.  Then and only then was I able to ping the computer from other machines on my lan - pinging by name and by ip; I was also able to connect to this computer from the lan - that is, I could access it by name and access its shares
6.  I rebooted
7. I was broked again - could not ping from network, could not connect to shares from network
8. Restarted the vpn service
9.  Could still connect from the computer to network and internet resources; but could not connect to the computer from the LAN (or any other avenue I tried)
10.  Started vpn client; connected to the <expletive deleted> vpn; disconnected; exited client; stopped the <expletive deleted> vpn service
11.  All was well - could now connect inbound and outbound
-----------------
Need to uninstall the vpn client and see if my connectivity will stick - but I shudder.  I need the connectivity on this machine for a day or so before I risk really screwing it up again.
-------------------------
Does the VPN client masquerade as any standard MS networking module - i.e. replace a MS standard module (dll or exe) with something of its own?

I think the vpn client has got a constraint or a bug - when it's installed and the vpn service is started, the machine can't be accessed by lan resources; if the service is stopped and on manual, a reboot leaves the ip stack set to block incoming requests to access and it can't be fixed until we connect to a valid vpn and disconnect, etc.

Comments?  Next step?  
0
Netman66 Commented:
No, I don't think the Cisco client has any Microsoft named files.

0
trinak96 Commented:
Shot in the dark but - list processes running when booted into safe mode and compare when booted normally.
Find which service(s) the "extra" processes belong to and start these individually (from safe mode) while test pinging the pc.
This may help to track down the errant service, may not - possibly worth a go.....
0
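The Safe Mode versus normal boot comparison suggested above, as an added example that is not part of the original thread. It assumes each capture was saved with `sc query type= all state= all`; the sample entries are constructed, `ExampleVpnFilter` is a hypothetical name, and `vsdatant` is borrowed from the registry key named later in the thread purely as sample data.

```python
import re

# Constructed captures, trimmed to the fields parsed below. Real input would
# come from `sc query type= all state= all > capture.txt`, run once in
# Safe Mode with Networking and once after a normal boot.
SAFE_CAPTURE = """\
SERVICE_NAME: Tcpip
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: vsdatant
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
SERVICE_NAME: Spooler
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
"""

NORMAL_CAPTURE = """\
SERVICE_NAME: Tcpip
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: vsdatant
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: ExampleVpnFilter
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: Spooler
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Matches "TYPE : 1  KERNEL_DRIVER" and "STATE : 4  RUNNING" lines.
FIELD = re.compile(r"(TYPE|STATE)\s*:\s*\w+\s+(\S+)")


def parse_sc_query(text):
    """Map each SERVICE_NAME to its TYPE and STATE keywords."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            services[current] = {"type": "", "state": ""}
            continue
        match = FIELD.match(line)
        if current and match:
            services[current][match.group(1).lower()] = match.group(2)
    return services


def only_in_normal(normal_text, safe_text):
    """Names running after a normal boot but not in Safe Mode, drivers first."""
    normal, safe = parse_sc_query(normal_text), parse_sc_query(safe_text)

    def running(table):
        # An entry missing from a capture counts as not running.
        return {n for n, info in table.items() if info["state"] == "RUNNING"}

    extra = running(normal) - running(safe)
    return sorted(extra, key=lambda n: ("DRIVER" not in normal[n]["type"], n.lower()))


if __name__ == "__main__":
    for name in only_in_normal(NORMAL_CAPTURE, SAFE_CAPTURE):
        print(name, parse_sc_query(NORMAL_CAPTURE)[name]["type"])
```

Kernel drivers sort to the top because a filter driver in the network stack is the kind of component that survives clearing the Run key and startup groups.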
grant-ellsworth Author Commented:
To trinak96 - I tried that and found that I couldn't start several of the services in SAFE mode.  The ones I could start did not affect the problem.

Does anybody here have a detailed knowledge of what pieces of the system the ciscovpn client screws around with?
0
trinak96 Commented:
Has the dell box got a wireless card installed/embedded? If so disable.
0
grant-ellsworth Author Commented:
NOPE - NO WIRELESS ANYTHING!
0
trinak96 Commented:
Is the vpn client configured to "enable start before logon" ?
0
grant-ellsworth Author Commented:
VPN Client is NOT configured to "enable to start before logon"
0
grant-ellsworth Author Commented:
To Trinak96 and Netman66 - I want to thank you both for the clues to this mess.  Unfortunately we don't have a real solution yet.  I'm going to frame the question a little bit different and post it as a cisco vpn client issue - which I am now thoroughly persuaded that it is.  The issue is simple - uninstalling the vpn client leaves the IP stack and related functions thoroughly hosed up.
0
grant-ellsworth Author Commented:
Update - I tried the following:

1.  Uninstall then eradicate all remnants of the CISCO VPN
2.  Run "Winsockfix"
3.  Reboot
4.  After login, I could ping anything anywhere by FQDN but could not ping local network names; I also could not reconnect network drives

The TCP/IP setup was using DHCP, and I confirmed that DHCP had provided valid IP and DNS addresses.

Then, after determining that I could not "see" or access things by name on the network, I went to the IP Config pages in the Setup for the NIC and on the WINS page. I selected the Use NetBios over TCP/IP option - the "Default - use DHCP, etc.." was the previous setting.

After selecting "Use Netbios over TCP/IP", I could connect with network resources.

Of course, this had no effect on the browser - I put something like 'www.microsoft.com' in the browser and it just hangs there.

What do we need to do to re-enable the  browser to work?  
0
grant-ellsworth Author Commented:
I erred in previous comment.  I was not complete.  After enabling "Use NetBios over TCP/IP", I still could not connect to network resources.  I had to add the resource name and IP address to our WINS LMHOSTS file before I could connect to network resources.
0
Endothermic Commented:
I had this exact problem, as many others, too.  Here is what worked for me, a simple, single registry change:

http://www.damnralph.com/CommentView,guid,4ab62f8b-c0bc-4b3e-a965-3033d0d5e018.aspx
0

grant-ellsworth Author Commented:
Bravo! Bravo!  Bravissimo!!!!  Been hunting this down for the past 3 months.  This is a first class stinker of a problem - and to have it perpetrated by CISCO and to have CISCO Techs require $$$$$ just to get this issue fixed (if they could do it at all) or provide support only to CISCO active customers is a CRIME!!!!!!
0
grant-ellsworth Author Commented:
To EndoThermic:  And I'll extend my gratitude to the author at damnralph.com!  This is such a stinker that we really ought to find a way to make it easier to find.  Any ideas?
0
Endothermic Commented:
I'm so glad to hear this worked for you!!  I wasted two days chasing my tail on this.  Here are some keywords that should help others find this solution:

Cannot browse with HTTP, can browse with HTTPS
Outbound port 80 is blocked
Uninstalled Cisco VPN Client
UninstallDNE, Error: Dneinst execution error while installing DNE, returncode -517799898
Deterministic Network Enhancer
After a few minutes (8 minutes, 10 minutes), I cannot browse
Can't browse the internet
Malware blocking outbound port 80?
VMWare VirtualCenter stops responding after a few minutes
Can ping internet servers
DNS name resolution works
Cannot telnet to a server on port 80, blocked
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsdatant
Windows XP
0
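The symptom set in the keyword list above (ping and DNS work, port 80 does not, HTTPS does) can be separated by testing name resolution and each TCP port independently. This is an added example, not code from the thread; the host name and address in the demo are constructed, and the `resolver` and `connector` parameters exist only so the logic can be exercised offline.

```python
import socket


def resolve(host, resolver=socket.gethostbyname):
    """Return the IPv4 address for host, or None if resolution fails."""
    try:
        return resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def tcp_open(ip, port, timeout=3.0, connector=socket.create_connection):
    """True if a TCP handshake to ip:port completes within timeout."""
    try:
        conn = connector((ip, port), timeout)
    except OSError:  # refused, unreachable or timed out
        return False
    conn.close()
    return True


def triage(host, ports=(80, 443), resolver=socket.gethostbyname,
           connector=socket.create_connection):
    """Probe DNS and then each port, and say which layer is failing."""
    report = {"host": host, "ip": resolve(host, resolver),
              "open": [], "blocked": []}
    if report["ip"] is None:
        report["verdict"] = "name resolution fails; fix DNS/WINS before testing ports"
        return report
    for port in ports:
        ok = tcp_open(report["ip"], port, connector=connector)
        report["open" if ok else "blocked"].append(port)
    if not report["blocked"]:
        verdict = "all tested ports connect; look above the transport layer"
    elif not report["open"]:
        verdict = "no tested port connects; check routing, gateway and stack"
    else:
        verdict = "selective block; suspect a local packet filter or filter driver"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    # Constructed stand-ins that reproduce the pattern offline:
    # the name resolves, port 443 connects, port 80 times out.
    class FakeConn:
        def close(self):
            pass

    def fake_connector(address, timeout):
        if address[1] == 80:
            raise OSError("timed out")
        return FakeConn()

    print(triage("www.example.test",
                 resolver=lambda name: "192.0.2.10",
                 connector=fake_connector))
```

A successful ping only proves ICMP and routing work, so a per-port result like this narrows the fault to something filtering TCP on the host itself.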
grant-ellsworth Author Commented:
The most aggravating symptom was that I could not ping my local network nor could I access the machine from my local network. To run my local apps from my server I had to add the servers (and other network machines) to the local LMHOSTS file ...  So, I described this problem as "NETbios/TCP-IP    - access by name is broken" - but I'm not sure this is the best way to write it up.
0