Matt Coughlin asked:

Internet Connectivity Issue

So I have this server connected to the LAN, every other computer on the LAN is fully functional. My LAN is running a domain. The DC is the DHCP and the DNS server. The DC forwards unknown or external DNS queries to the Gateway Server. The gateway server is a linux box (Untangle). It forwards all queries to the ISP DNS servers. Now on to the problem....

This server can access and be accessed by every computer on the network and even VPN clients.
This server cannot browse the internet.
This server cannot successfully ping any address outside the LAN (including the ISP Gateway address)
This server can successfully perform a nslookup on any valid web address outside of the LAN
This server is running VMWare server and all its Virtual Machines can browse the internet.

I have tried using a different NIC, I have tried turning off enhanced security in IE7, I have tried giving it a static ip, but nothing was different
SnailGT:

1. Does this server have 1 NIC or more? Does it have the correct default gateway?
2. How do you connect your VMs to the network? NAT or BRIDGE? If it is BRIDGE - is it the same GATEWAY you have on your server?
flyingsky:

If you don't have a hosts file or proxy setup, the problem could be pretty hard to find (could also be one or more MS security updates).
Do you have a firewall running on your network that might be blocking that server from going out?
Sounds like the server has a firewall that is blocking port 53.
Oh, by the way, port 53 is DNS.

So, it also sounds like it is preventing ICMP traffic as well. (port 123 I believe).

Sounds like either ISA firewall or Windows firewall has got you by the pajamas.
tchamtieh, had firewall covered. If this is your fix, please credit him for it.

If you need additional information on how to prevent your firewall from blocking ICMP and DNS, please ask. But, provide the software firewall running on the server.
Matt Coughlin (asker):

1. Yes, the server has 2 NICs but they both have the same settings. Both have gateway set to my linux box.
2. Disabled everything in the linux box except NAT and DNS. Still no luck.
3. No software firewalls installed. Windows firewall is disabled.
4. Can visit intranet pages by using their hostnames
5. VM's are using bridged mode.... gateways are the same (linux Box)
So I guess I am looking to find what tools, commands I could use to find out what the heck is going on. I thought it might just be IE, but my Symantec Corporate 10 couldn't even connect to it's update site. Not good.
Try a trace to the internet and see where it's timing out, try "tracert 4.2.2.2" ... assuming your firewall is not blocking ICMP
SnailGT had multihomed DC covered:

There are problems with the binding of multiple NICs:

(((DHCP)))
DHCP will send out on either NIC. You may not see the error, but it will eventually appear to the server that a second DHCP server exists on the network. So, it will look like a rogue server to DHCP.

DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP

(((DNS))) (Can cause intermittent communications or loss of contact with the server)
To prevent from DNS binding to the outside NIC or IP address, there are a couple things you will need to do. One is you need to prevent it from registering the SRV records in DNS. The second is you need to clean out DNS of any SRV records to the outside NIC. The third is, you need that outside NIC to not register with DNS.

Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records. To remove DNS cache, go to the command prompt and type IPconfig /flushDNS. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

(((NETBIOS)))
(can cause missing computers in My network places, intermittent communications with mapped drives, the inability to use the browser and connect via computer name UNC paths)

For you, you may see something like (multiple computers with the same Name or same IP exist on the network). You may also see 8032 and 8021 errors that say "your servername thinks it is the master browser, the browser service has been stopped and an election has been forced" and you might see your server disappear from My network places.

Preventing Netbios is a little more difficult to do on various types of Multihomed domain controllers. Not always does a DC use WINS when dealing with netbios. So, this is a bit more involved.

To prevent Netbios from binding to the outside binding or VPN connection binding, you must go to that binding and remove the ability of it to do "Netbios over TCP/IP" or "Netbios over DHCP".
For a VPN connection and Dual NICs:
Right click "My network Places">>select "properties">>right click "VPN connection" or the Second NIC>>Select "Properties" >>Select "TCP/IP">> Go to Properties>>Go to the "WINS" Tab>> and prevent it from providing "Netbios over TCP/IP" and also prevent it from performing "Netbios over DHCP"

Other things to look out for:
(((Default Gateway)))
(Can cause problems with communicating to the outside world web sites)
You should have one single gateway for your multihomed NICs. If you are routing over your server, it should be the outside NIC that has a gateway configured. If you have the second NIC to communicate with a few nodes on the network, your domain-side NIC should have the gateway configured. So, this is domain specific.

You have two choices that could resolve this issue:
1) team the NICs
2) disable one nic

Multihomed DCs are problematic at best, even if they are on the same IP settings as one another. It would be wise to rid yourself of one NIC. One NIC should support about 250 nodes on the network pretty well.

Maybe you misunderstood, the server with 2 NICs is not my DC. But I did follow your advice and teamed them anyway.
Tracert (any ip outside of the LAN) fails with a message like "cannot connect to host therefore cannot trace route"
I don't see any software firewalls running on the machine. Is there a command or free tool that lets me see which ports are allowed to pass? (something to see if a firewall is running behind the scenes)
at the command prompt, type:

portqry -n xxx.xxx.xxx.xxx -o 53 -p both

where xxx.xxx.xxx.xxx is the IP of your DC
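The port check described above, as an added example that is not part of the original thread: a small Python probe that classifies a TCP port as LISTENING, NOT LISTENING (the host answered with a reset, so the packet arrived, nothing is bound and no firewall intervened) or FILTERED (no answer at all, which is what a firewall silently dropping packets looks like, and the case the asker wanted to rule out). Like portqry, it sends a real DNS query over UDP rather than an empty datagram, because UDP has no handshake and only an ICMP port-unreachable proves "not listening". The localhost listener and the ephemeral ports are constructed for the demonstration; `report()` pointed at the DC's address with ports 53 and 80 reproduces the thread's `portqry -n <DC> -o 53,80 -p both`.

```python
import socket
import struct
import threading

LISTENING = "LISTENING"
NOT_LISTENING = "NOT LISTENING"   # RST / ICMP unreachable came back: host reachable, nothing bound
FILTERED = "FILTERED"             # nothing came back: a firewall (or dead route) is dropping the SYN
NO_RESPONSE = "NO RESPONSE"       # UDP silence is ambiguous: dropped, or the service ignored the probe


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port the way portqry reports it, with FILTERED added for the
    case the asker wanted to rule out: a firewall silently eating the packets."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return LISTENING
        except ConnectionRefusedError:
            return NOT_LISTENING
        except (socket.timeout, OSError):
            return FILTERED


def dns_query(name="example.com", txid=0x1234):
    """Minimal standard A query (RD set), so a real resolver will actually answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def probe_udp_dns(host, port=53, timeout=2.0):
    """On a connected UDP socket an ICMP port-unreachable surfaces as a ConnectionError
    on the next send/recv; that is the only positive proof of NOT LISTENING over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(dns_query())
            reply = s.recv(512)
        except ConnectionError:
            return NOT_LISTENING
        except (socket.timeout, OSError):
            return NO_RESPONSE
    return LISTENING if len(reply) >= 12 and reply[:2] == b"\x12\x34" else NO_RESPONSE


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a real service: accept-and-close on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(udp=False, host="127.0.0.1"):
    """Bind and release an ephemeral port so the demo has one that is (almost certainly) closed."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def report(host, tcp_ports, udp_dns_port=53):
    """Equivalent of `portqry -n host -o <ports> -p both`, returned as a dict and printed."""
    results = {("tcp", p): probe_tcp(host, p) for p in tcp_ports}
    results[("udp", udp_dns_port)] = probe_udp_dns(host, udp_dns_port)
    for (proto, p), state in results.items():
        print(f"{proto.upper()} port {p}: {state}")
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    report("127.0.0.1", [open_port, closed_port()], udp_dns_port=closed_port(udp=True))
    srv.close()
```

Read the three TCP states together: NOT LISTENING on a port the target is not supposed to serve (as with port 53 on a SQL box) is the healthy answer, while FILTERED on a port you know is open is the firewall signature the asker was looking for.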

SOLUTION by SnailGT
ok, here it goes....
1. tried the command that ChiefIT listed and it was not recognized, maybe I need a tool pack?
2. I matched my 1 NIC (all others are disabled now) to setting on my VM's. (no settings had to be changed)
3. Cleared all settings on all adapters except the one I am using.
When I try to go to the windows update site it says connecting to (ip address) then fails.
All other systems on the LAN are browsing the internet fine. Cannot ping outside of the LAN with this system only (all other boxes can ping fine). When I try to ping to an internet hostname it resolves correctly, then cannot ping resolved ip. This server is not a domain controller.
Please have a look here: http://www.securityfocus.com/infocus/1559

Do you have by any chance custom IPSec applied?
ASKER CERTIFIED SOLUTION


Thanks guys for the suggestions here are the results of that.

To SnailGT:

I saw these filters when originally troubleshooting. What a great technology, but yes all of them were disabled.

To ChiefIT:

IPconfig /all listed all the correct settings

ip address - >DHCP - > DC
subnet - > correct
gateway - >gateway
dns1 - > DC
dns2 - > gateway
WINS - > DC
 
I flushed DNS, ARP, and checked hosts file. The host file and the lmhost file both only had 127 loopback in it.
here is what the portqry command gave me

---------------------------------------------
portqry -n (vm server ip) -o 53,80 -p both
Querying target system called:
192.168.0.121
Attempting to resolve IP address to a name...

IP address resolved to DB1

TCP port 53 (domain service): NOT LISTENING
UDP port 53 (domain service): NOT LISTENING
TCP port 80 (http service): LISTENING
UDP port 80 (unknown service): NOT LISTENING
---------------------------------------------

I also found out that when I try to remote desktop into this machine it can't connect. Yet this machine can see all other machines in the LAN and all clients can access this machine's file shares.

I am on service Pack 2
1)
dns2 - > gateway

Let me tell you what defining the gateway as a preferred DNS server does. The gateway doesn't have the ability to save SRV records in DNS. So, your gateway can not provide the DNS SeRVice records to active directory servers. Instead you will get an error that says something like "domain controller can't be found" or "Authentication server can't be found". The reason you get this is because you will go to the gateway, the gateway can't find the SRV records. So, it immediately goes to the outside world to look for your DC's.

2)
Your VM machine is not a DNS server? It is not listening on port 53 (the DNS port). Something is blocking it.
TCP port 53 (domain service): NOT LISTENING
UDP port 53 (domain service): NOT LISTENING
TCP port 80 (http service): LISTENING
UDP port 80 (unknown service): NOT LISTENING

So, there is more than one issue.


No, my VM machine is not a DNS server. All this machine does is SQL Server 2005 and VMware Server free (for testing different environments).
I see what you mean by assigning the dns2 to the gateway. I have removed that from the dhcp.
Regardless of the VM machine not being a DNS server, I still think it may not get resolution from the real DNS server because it is not listening on those ports. So, the VM machine may not get DNS and you may have problems with DNS to that specific machine.
After removing the gateway from DHCP, you may have to do a IPconfig /release and IPconfig /renew to release the gateway passed down from the DHCP server. Or you can wait until the lease duration expires to get the change. Also, DNS cache may hold the gateway as a DNS server. So, you may have to flush the cache.

IPconfig /release
IPconfig /renew
IPconfig /flushdns
Wow, I just stumbled onto this....
I was looking at my ipconfig /all to see if settings had changed and I made the command window full screen. I just happened to look at one of my vmware virtual adapters and it had the same address as my gateway!
vmnet8 adapter had an address of 192.168.0.1
I changed it to an unused address and now I have the internet back!
Why would vmware statically assign this ip to this adapter and (most importantly) who should I credit for this solution?
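The root cause the asker found above (a VMware virtual adapter holding the gateway's address) can be caught from `ipconfig /all` output before anyone spots it by eye. The following Python script is an added example, not code from the thread: it parses a constructed `ipconfig /all` sample modelled on the settings the asker listed (hostname DB1, 192.168.0.121 and the 192.168.0.1 gateway come from the thread; the DC address 192.168.0.10, the adapter names and the MAC addresses are assumptions) and flags a local adapter that shadows the default gateway, duplicate addresses across local adapters, and a DNS server entry pointing at the gateway rather than the DC, which ChiefIT warned about earlier. Once a local interface owns the gateway's address the host treats that address as its own, so traffic for the internet never reaches the real gateway while LAN hosts and the DC's DNS still answer, which matches the symptom set in the thread. The parser handles the IPv4-only layout of that era; IPv6 addresses (which contain colons) would need a stricter key pattern.

```python
import re
from collections import defaultdict

# Constructed `ipconfig /all` sample (IPv4-only, Windows Server 2003 layout) modelled on
# the thread: DB1, 192.168.0.121 and the 192.168.0.1 gateway come from the posts; the DC
# at 192.168.0.10, the adapter names and the MAC addresses are assumptions.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DB1
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.121
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.10
   DNS Servers . . . . . . . . . . . : 192.168.0.10
                                       192.168.0.1
   Primary WINS Server . . . . . . . : 192.168.0.10

Ethernet adapter VMware Network Adapter VMnet8:

   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   Physical Address. . . . . . . . . : 00-50-56-C0-00-08
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# "Key . . . . : value"; the dots are padding, not part of the key.
_KV = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {key: [values]}}. Indented lines without a colon are
    continuation values (e.g. the second DNS server)."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():                      # section header
            current = line[:-1].strip() if line.endswith(":") else None
            if current is not None:
                adapters[current] = defaultdict(list)
            last_key = None
            continue
        if current is None:                            # global banner block, not an adapter
            continue
        m = _KV.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            if value:
                adapters[current][last_key].append(value)
        elif last_key:
            adapters[current][last_key].append(line.strip())
    return {name: dict(kv) for name, kv in adapters.items()}


def find_conflicts(adapters):
    """Flag the misconfigurations discussed in the thread as (kind, adapter, address)."""
    findings = []
    gateways = {gw for kv in adapters.values() for gw in kv.get("Default Gateway", [])}
    owners = defaultdict(list)
    for name, kv in adapters.items():
        for ip in kv.get("IP Address", []):
            owners[ip].append(name)
            if ip in gateways:
                # A local interface owns the gateway's address: the host answers for it
                # itself, so packets bound for the internet never reach the real router.
                findings.append(("GATEWAY_SHADOWED", name, ip))
        for dns in kv.get("DNS Servers", []):
            if dns in gateways:
                # Domain members should resolve only via the DC; a forwarding gateway
                # cannot answer the AD SRV lookups.
                findings.append(("DNS_IS_GATEWAY", name, dns))
    for ip, names in owners.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_LOCAL_IP", " | ".join(names), ip))
    return findings


if __name__ == "__main__":
    for kind, where, addr in find_conflicts(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{kind}: {addr} on {where}")
```

On a real box, feed it `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`; the same check also catches a second NIC that was given the DC's or gateway's address by hand, which is the duplicate-address case ChiefIT describes in the reply that follows.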
"Why would vmware statically assign this ip to this adapter ?"

A static assignment is done by human hands.

Dynamic assignments can be done by your DHCP server not having exceptions to that IP or a rogue DHCP server, like your gateway. When a DHCP lease is handed out, the server should tell the client to do an ARP ping and make sure the lease is not in use. So, if you have ICMP disabled, that IP may be taken up by a couple nodes. A rogue DHCP server will not have the exceptions you wish for fixed IPs.

"and (most importantly) who should I credit for this solution?"
That's up to you. Personally, I like the answer to a question to be the correct answer. So, that would be your finding. If you feel that folks helped you out, then assists are nice and appropriate.
Thanks guys, although I found the answer, you guys boggled your brain with me. You were also able to provide insight on some things that I had not seen before. It will be that much easier next time to troubleshoot a dns or gateway issue.
Good experience :) glad you got it resolved!
I had some "nasty" network tests with VM too.