Solved: Internet Connectivity Issue

Posted on 2008-10-20. Last Modified: 2013-12-08
So I have this server connected to the LAN, every other computer on the LAN is fully functional. My LAN is running a domain. The DC is the DHCP and the DNS server. The DC forwards unknown or external DNS queries to the Gateway Server. The gateway server is a linux box (Untangle). It forwards all queries to the ISP DNS servers. Now on to the problem....

This server can access and be accessed by every computer on the network and even VPN clients.
This server cannot browse the internet.
This server cannot successfully ping any address outside the LAN (including the ISP gateway address).
This server can successfully perform an nslookup on any valid web address outside of the LAN.
This server is running VMware Server and all its virtual machines can browse the internet.

I have tried using a different NIC, I have tried turning off enhanced security in IE7, I have tried giving it a static IP, but nothing was different.
Question by: Matt Coughlin

24 Comments

Expert Comment by: SnailGT (LVL 5)
1. Does this server have 1 NIC or more? Does it have the correct default gateway?
2. How do you connect your VMs to the network? NAT or BRIDGE? If it is BRIDGE - is it the same GATEWAY you have on your server?

Expert Comment by: flyingsky (LVL 18)
If you don't have a hosts file or proxy setup, the problem could be pretty hard to find (it could also be one or some MS security updates).

Expert Comment by: tchamtieh (LVL 6)
Do you have a firewall running on your network that might be blocking that server from going out?

Expert Comment by: ChiefIT (LVL 38)
Sounds like the server has a firewall that is blocking port 53.

Expert Comment by: ChiefIT (LVL 38)
Oh, by the way, port 53 is DNS.

So, it also sounds like it is preventing ICMP traffic as well. (port 123 I believe).

Sounds like either ISA firewall or Windows firewall has got you by the pajamas.

Expert Comment by: ChiefIT (LVL 38)
tchamtieh, had firewall covered. If this is your fix, please credit him for it.

If you need additional information on how to prevent your firewall from blocking ICMP and DNS, please ask. But, provide the software firewall running on the server.

Author Comment by: Matt Coughlin (LVL 5)
1. Yes, the server has 2 NICs but they both have the same settings. Both have gateway set to my linux box.
2. Disabled everything in the linux box except NAT and DNS. Still no luck.
3. No software firewalls installed. Windows firewall is disabled.
4. Can visit intranet pages by using their hostnames
5. VMs are using bridged mode.... gateways are the same (linux box)
So I guess I am looking to find what tools and commands I could use to find out what the heck is going on. I thought it might just be IE, but my Symantec Corporate 10 couldn't even connect to its update site. Not good.

Expert Comment by: tchamtieh (LVL 6)
Try a trace to the internet and see where it's timing out, try "tracert 4.2.2.2" ... assuming your firewall is not blocking ICMP

Expert Comment by: ChiefIT (LVL 38)
SnailGT had multihomed DC covered:

There are problems with the binding of multiple NICs:

(((DHCP)))
DHCP will send out on either NIC. You may not see the error, but it will eventually appear to the server that a second DHCP server exists on the network. So, it will look like a rogue server to DHCP.

DHCP snap-in>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP.

(((DNS))) (Can cause intermittent communications or loss of contact with the server)
To prevent DNS from binding to the outside NIC or IP address, there are a couple of things you will need to do. One is you need to prevent it from registering the SRV records in DNS. The second is you need to clean out DNS of any SRV records to the outside NIC. The third is, you need that outside NIC to not register with DNS.

Step 1) To resolve these issues, follow this link: (NOTE: By default, 2003 server registers both NICs' SRV records in DNS)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>>TCP/IP properties>>Advanced button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records. To remove the DNS cache, go to the command prompt and type IPconfig /flushDNS. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

(((NETBIOS)))
(can cause missing computers in My Network Places, intermittent communications with mapped drives, the inability to use the browser and connect via computer name UNC paths)

For you, you may see something like (multiple computers with the same name or same IP exist on the network). You may also see 8032 and 8021 errors that say "your servername thinks it is the master browser, the browser service has been stopped and an election has been forced" and you might see your server disappear from My Network Places.

Preventing NetBIOS is a little more difficult to do on various types of multihomed domain controllers. Not always does a DC use WINS when dealing with NetBIOS. So, this is a bit more involved.

To prevent NetBIOS from binding to the outside binding or VPN connection binding, you must go to that binding and remove the ability of it to do "NetBIOS over TCP/IP" or "NetBIOS over DHCP".
For a VPN connection and dual NICs:
Right click "My Network Places">>select "Properties">>right click "VPN connection" or the second NIC>>Select "Properties">>Select "TCP/IP">>Go to Properties>>Go to the "WINS" tab>>and prevent it from providing "NetBIOS over TCP/IP" and also prevent it from performing "NetBIOS over DHCP"

Other things to look out for:
(((Default Gateway)))
(Can cause problems with communicating to outside world web sites)
You should have one single gateway for your multihomed NICs. If you are routing over your server, it should be the outside NIC that has a gateway configured. If you have the second NIC to communicate with a few nodes on the network, your domain-side NIC should have the gateway configured. So, this is domain specific.

You have two choices that could resolve this issue:
1) team the NICs
2) disable one NIC

Multihomed DCs are problematic at best, even if they are on the same IP settings as one another. It would be wise to rid yourself of one NIC. One NIC should support about 250 nodes on the network pretty well.

Author Comment by: Matt Coughlin (LVL 5)
Maybe you misunderstood, the server with 2 NICs is not my DC. But I did follow your advice and teamed them anyway.
Tracert (any IP outside of the LAN) fails with a message like "cannot connect to host therefore cannot trace route"
I don't see any software firewalls running on the machine. Is there a command or free tool that lets me see which ports are allowed to pass? (something to see if a firewall is running behind the scenes)

Expert Comment by: ChiefIT (LVL 38)
at the command prompt, type:

portqry -n xxx.xxx.xxx.xxx -o 53 -p both

where xxx.xxx.xxx.xxx is the IP of your DC
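Matt asked above for a free tool to see which ports pass. The script below is an added example, not from the thread and not Microsoft's portqry: it performs the two checks that `portqry -p both` does for these ports, a TCP connect attempt and, for port 53, a real UDP DNS query that waits for a reply. The host, ports, timeout and the query name (example.com is only a placeholder) are parameters you supply; a UDP port that gives no reply is reported as NOT LISTENING, which can equally mean a firewall dropped the packet.

```python
import socket
import struct


def check_tcp(host, port, timeout=2.0):
    """LISTENING if a TCP handshake completes, NOT LISTENING on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return "NOT LISTENING"


def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def check_udp_dns(host, port=53, name="example.com", timeout=2.0):
    """UDP has no handshake, so send a DNS query and see whether anything answers.
    A silent timeout is reported as NOT LISTENING although it may also be a
    firewall dropping the datagram; ICMP port-unreachable is an OSError on Windows."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:
            return "NOT LISTENING"
    # a genuine answer echoes our transaction id and has the QR (response) bit set
    if len(data) >= 4 and data[:2] == query[:2] and data[2] & 0x80:
        return "LISTENING"
    return "NOT LISTENING"


def portqry_like(host, ports=(53, 80)):
    """Check each port over TCP and port 53 over UDP, like `portqry -o 53,80 -p both`."""
    results = {}
    for p in ports:
        results["TCP %d" % p] = check_tcp(host, p)
        if p == 53:
            results["UDP %d" % p] = check_udp_dns(host, p)
    return results


if __name__ == "__main__":
    # hypothetical target: replace with the IP of the machine you are checking
    for port_name, state in portqry_like("127.0.0.1").items():
        print(port_name, state)
```

Run it from the DC against the server's address, as ChiefIT suggests, and then from the server against the DC; a port that is LISTENING from one side but not the other points at filtering on the path rather than at the service itself.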

Assisted Solution by: SnailGT (LVL 5, earned 100 total points)
You cannot have default gateway on both NICs
Only one has to have a gateway; the other(s) need to be empty.

Get one NIC (let's call it main) with default gateway and compare it field by field to one of your VMs NIC. Compare IPs, netmask, default GW, DNS.....


Author Comment by: Matt Coughlin (LVL 5)
ok, here it goes....
1. tried the command that Chief listed and it was not recognized, maybe I need a tool pack?
2. I matched my 1 NIC (all others are disabled now) to the settings on my VMs. (no settings had to be changed)
3. Cleared all settings on all adapters except the one I am using.
When I try to go to the Windows Update site it says connecting to (ip address) then fails.
All other systems on the LAN are browsing the internet fine. Cannot ping outside of the LAN with this system only (all other boxes can ping fine). When I try to ping an internet hostname it resolves correctly, then cannot ping the resolved IP. This server is not a domain controller.

Expert Comment by: SnailGT (LVL 5)
Please have a look here: http://www.securityfocus.com/infocus/1559

Do you have by any chance custom IPSec applied?

Accepted Solution by: ChiefIT (LVL 38, earned 400 total points)
Yah, IPsec could cause it:

What does the IPconfig /all say?
Also, remove all records except the loopback address from the hosts file and flush the DNS resolver cache on the VM machine:

So, a client (or in this case your VM machine) sends out a DNS query:
1) The first place a client looks is a cached entry. (To determine if this is the case, go to the command prompt of the client and type IPconfig /flushdns.)
2) Then if your client doesn't have the cached entry, it will look at the client's C:\Windows\system32\drivers\etc\hosts file for resolution. If the hosts file is configured, the client will assume it can/cannot provide its own DNS resolution. So, it will stop right there without going to the preferred DNS server for resolution. (You can look at and edit the hosts file with WordPad. Check and see that there are no entries, except the 127 loopback address, in the computer's hosts file. These files are used if you don't have a DNS server.)

After the client can't determine its own DNS query it will look at the preferred DNS server.
__________________________________________________________________________________
If the above doesn't work, check this troubleshooting out:

1) --Port blockage problem troubleshooting:
From your DC, go to the command prompt and type:
Portqry -n xxx.xxx.xxx.xxx -o 53,80 -p both
Where xxx.xxx.xxx.xxx is the IP of this VM machine. Let's see if it is listening on both the DNS resolution and HTTP ports when coming from the DC.

2) Wrong preferred DNS server:
Who is your preferred DNS server for this machine? It should be your Windows DNS server.
3) Wrong default gateway (shouldn't affect ping):
What is your default gateway? For one NIC it should be your default gateway.
4) NIC flooding:
What service pack are you on? If on SP1, download and install SP2.
5) Wrong subnet:
Check your subnet mask to see if it is the same as your subnet.
_________________________________________________________________________________
I think you have a problem with a configured hosts file on the VM machine.
(Attachment: DNS-query.gif)
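As an added illustration of the lookup order ChiefIT describes (this is example code, not part of the accepted solution), the Python below parses a constructed hosts file, lists every entry other than loopback (the check ChiefIT asks for), and resolves a name in the Windows order: resolver cache, then hosts file, then the preferred DNS server, which here is a caller-supplied callback. The file contents, names and addresses are made up; the point it shows is that a stale hosts entry shadows the DNS server for that one name only, so a single machine can resolve a site to the wrong address while every other machine on the LAN is fine.

```python
import ipaddress

# Constructed sample of C:\Windows\system32\drivers\etc\hosts with one stale
# entry besides loopback (names and addresses invented for the example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# leftover from a test lab (constructed)
10.0.0.5        update.example.test   updsrv
"""


def parse_hosts(text):
    """Return [(ip, [names...])] from hosts-file text; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        entries.append((str(ip), [n.lower() for n in parts[1:]]))
    return entries


def non_loopback_entries(text):
    """Entries a domain client's hosts file should not carry: anything that is not loopback."""
    return [(ip, names) for ip, names in parse_hosts(text)
            if not ipaddress.ip_address(ip).is_loopback]


def resolve(name, cache, hosts_text, dns_lookup):
    """Resolve `name` the way the Windows client does: cache first, then the hosts
    file, then the preferred DNS server (here the `dns_lookup` callback).
    Returns (address, source) so the caller can see which stage answered."""
    name = name.lower().rstrip(".")
    if name in cache:
        return cache[name], "cache"
    for ip, names in parse_hosts(hosts_text):
        if name in names:
            return ip, "hosts"  # hosts wins; the DNS server is never consulted
    return dns_lookup(name), "dns"


if __name__ == "__main__":
    # stand-in for the preferred DNS server; 203.0.113.0/24 is documentation space
    fake_dns = lambda n: "203.0.113.9"
    print("non-loopback hosts entries:", non_loopback_entries(SAMPLE_HOSTS))
    print(resolve("updsrv", {}, SAMPLE_HOSTS, fake_dns))
    print(resolve("www.example.test", {}, SAMPLE_HOSTS, fake_dns))
```

A hosts audit that prints nothing but loopback means the hosts stage is not the culprit, and the search moves on to the preferred DNS server and the gateway, which is what the rest of the thread does.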

Author Comment by: Matt Coughlin (LVL 5)

Thanks guys for the suggestions, here are the results of that.

To SnailGT:

I saw these filters when originally troubleshooting. What a great technology, but yes, all of them were disabled.

To ChiefIT:

IPconfig /all listed all the correct settings

ip address - > DHCP - > DC
subnet - > correct
gateway - > gateway
dns1 - > DC
dns2 - > gateway
WINS - > DC

I flushed DNS, ARP, and checked the hosts file. The hosts file and the lmhosts file both only had the 127 loopback in them.
here is what the portqry command gave me

---------------------------------------------
portqry -n (vm server ip) -o 53,80 -p both
Querying target system called:
192.168.0.121
Attempting to resolve IP address to a name...

IP address resolved to DB1

TCP port 53 (domain service): NOT LISTENING
UDP port 53 (domain service): NOT LISTENING
TCP port 80 (http service): LISTENING
UDP port 80 (unknown service): NOT LISTENING
---------------------------------------------

I also found out that when I try to remote desktop into this machine it can't connect. Yet this machine can see all other machines in the LAN and all clients can access this machine's file shares.

I am on Service Pack 2

Expert Comment by: ChiefIT (LVL 38)
1)
dns2 - > gateway

Let me tell you what defining the gateway as a preferred DNS server does. The gateway doesn't have the ability to save SRV records in DNS. So, your gateway cannot provide the DNS SeRVice records to active directory servers. Instead you will get an error that says something like "domain controller can't be found" or "Authentication server can't be found". The reason you get this is because you will go to the gateway, the gateway can't find the SRV records. So, it immediately goes to the outside world to look for your DCs.

2)
Your VM machine is not a DNS server? It is not listening on port 53 (the DNS port). Something is blocking it.
TCP port 53 (domain service): NOT LISTENING
UDP port 53 (domain service): NOT LISTENING
TCP port 80 (http service): LISTENING
UDP port 80 (unknown service): NOT LISTENING

So, there is more than one issue.


Author Comment by: Matt Coughlin (LVL 5)
No, my VM machine is not a DNS server. All this machine does is SQL Server 2005 and VMware Server free (for testing different environments).
I see what you mean by assigning the dns2 to the gateway. I have removed that from the DHCP.

Expert Comment by: ChiefIT (LVL 38)
Regardless of the VM machine not being a DNS server, I still think it may not get resolution from the real DNS server because it is not listening on those ports. So, the VM machine may not get DNS and you may have problems with DNS to that specific machine.

Expert Comment by: ChiefIT (LVL 38)
After removing the gateway from DHCP, you may have to do an IPconfig /release and IPconfig /renew to release the gateway passed down from the DHCP server. Or you can wait until the lease duration expires to get the change. Also, the DNS cache may hold the gateway as a DNS server. So, you may have to flush the cache.

IPconfig /release
IPconfig /renew
IPconfig /flushdns

Author Comment by: Matt Coughlin (LVL 5)
Wow, I just stumbled onto this....
I was looking at my ipconfig /all to see if settings had changed and I made the command window full screen. I just happened to look at one of my VMware virtual adapters and it had the same address as my gateway!
vmnet8 adapter had an address of 192.168.0.1
I changed it to an unused address and now I have the internet back!
Why would VMware statically assign this IP to this adapter and (most importantly) who should I credit for this solution?
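An added example, not from the thread, of catching this kind of collision without reading ipconfig output by eye: the script parses `ipconfig /all` text (a constructed sample in the Windows Server 2003 layout, reusing the 192.168.0.121 and 192.168.0.1 addresses from this thread; the DC address 192.168.0.10, the MACs and the adapter descriptions are invented) and reports any adapter whose address equals another adapter's default gateway, or two adapters sharing one address. Feed it the saved output of `ipconfig /all > ipconfig.txt` from the machine being examined.

```python
import re

# Constructed sample of `ipconfig /all` on a Windows Server 2003 host. The
# 192.168.0.121 and 192.168.0.1 addresses are the ones from the thread; the
# DHCP/DNS server address, MAC addresses and descriptions are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DB1
   Primary Dns Suffix  . . . . . . . : corp.example.test
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example.test
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.121
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.10
   DNS Servers . . . . . . . . . . . : 192.168.0.10

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   Physical Address. . . . . . . . . : 00-50-56-C0-00-08
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# "Ethernet adapter <name>:" / "PPP adapter <name>:" header lines start in column 0
ADAPTER_RE = re.compile(r"^\S.*? adapter (.+):\s*$")
# indented "Key . . . . : value" lines; the dotted leader is absorbed by [\s.]*
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[\s.]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Map adapter name -> {field: value}. Host-wide lines before the first
    adapter header are ignored, as are continuation lines without a colon."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2)
    return adapters


def find_address_conflicts(text):
    """Report adapters whose IP address is another adapter's default gateway, and
    pairs of adapters carrying the same IP address. When a local adapter owns the
    gateway's address, the stack treats the gateway as local and packets for it
    never reach the real gateway, which is the symptom described in the thread."""
    adapters = parse_ipconfig(text)
    findings = []
    for name, fields in adapters.items():
        ip = fields.get("IP Address", "")
        if not ip:
            continue
        for other, ofields in adapters.items():
            if other != name and ofields.get("Default Gateway") == ip:
                findings.append(("gateway-collision", name, ip, other))
        for other, ofields in adapters.items():
            if other > name and ofields.get("IP Address") == ip:
                findings.append(("duplicate-ip", name, other, ip))
    return findings


if __name__ == "__main__":
    for finding in find_address_conflicts(SAMPLE_IPCONFIG):
        print(finding)
```

The gateway-collision check is the one that would have flagged the VMnet8 adapter here; the duplicate-ip check catches the related case of two local adapters configured with one address.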

Expert Comment by: ChiefIT (LVL 38)
""Why would vmware statically assign this ip to this adapter ?""

A static assignment is done by human hands.

Dynamic assignments can be done by your DHCP server not having exceptions to that IP or a rogue DHCP server, like your gateway. When a DHCP lease is handed out, the server should tell the client to do an ARP ping and make sure the lease is not in use. So, if you have ICMP disabled, that IP may be taken up by a couple of nodes. A rogue DHCP server will not have the exceptions you wish for fixed IPs.

""and (most importantly) who should I credit for this solution?""
That's up to you. Personally, I like the answer to a question to be the correct answer. So, that would be your finding. If you feel that folks helped you out, then assists are nice and appropriate.

Author Closing Comment by: Matt Coughlin (LVL 5)
Thanks guys, although I found the answer, you guys boggled your brain with me. You were also able to provide insight on some things that I had not seen before. It will be that much easier next time to troubleshoot a dns or gateway issue.

Expert Comment by: SnailGT (LVL 5)
Good experience :) glad you got it resolved!
I had some "nasty" network tests with VM too.