Unable to access restricted websites - possible firewall issue?

Hi,

I've got a puzzling problem that I hope someone can help with.

My organisation's Internet access is provided through our connection to the Irish Government Network (IGN).

Two websites that we need to access are restricted to those within the IGN. We were previously able to access these sites (and should still be able to do so) but for the past few months have been unable to do so. I have been liaising with IGN tech support but they say that, as nothing has changed at their end, it must be a local issue. Nothing (that I am aware of) has changed at this end either. However, I just discovered an exception to the rule - I am able to access the restricted websites on one of our client PCs. Having examined all the network settings I can't see anything different except:

- The primary DNS is different - actually incorrect. It is 192.169.10.11 instead of 192.168.10.11. For some reason this seems to work. The alternate DNS server is the same as other clients (this points to the IGN). However, if I change the primary DNS back to 192.168.10.11 then I can no longer access the restricted websites. If I change the primary DNS on other clients to 192.169.10.11 I can't access any websites.

Things I've tried:

- Using a different network card with standard default settings

- Turning Windows firewall on/off (normally on for all clients). Makes no difference either way.

- Telnetting to the sites. For one I get blank black screen (indicating a connection) and the other I get "Could not open connection 0: Connect failed"

- A tracert indicates that the trace for one of these sites is not even getting to our router. It seems like our firewall may be blocking it but I cannot locate anything in the firewall logs relating to the IP addresses of these websites and, as one client PC CAN access these websites, I don't think it's a firewall issue (I am the only one with access to the firewall and I didn't set/change any rules relating to these sites or the one client that can access the sites)

- Changing the IP address on the working client. The IP address (even though dynamic) is not reserved for this PC and even after releasing/ renewing the address it still works on that one PC.

- All clients are DHCP. No static IP addresses. NAT addressing. We don't use a proxy server.
sdowerAsked:
 
sdowerAuthor Commented:
Hi,

I'm closing this question as I've been unable to find a resolution to this issue. Thanks for all your help.
0
 
troelandCommented:
Try doing an NSLOOKUP from the command prompt of the machine that works and then from one that doesn't.  It kind of looks like you have a DNS issue.


TJR
0
 
sdowerAuthor Commented:
Hi,
Results of nslookup:

On machine that works:
For the primary DNS, 192.169.10.11 (which should be incorrect) I get the message "*** Can't find server name for address 192.169.10.11: Timed out"
For the secondary DNS (on the IGN) it finds and displays the server name and address
For the IP address of both affected websites it displays the server name and address

On other clients:

For the primary DNS, 192.168.10.11 (the correct address for our DNS server) I get "** Can't find server name for address 192.168.10.11: Non-existent domain"
For the secondary DNS (on the IGN), I get "*** Can't find server name for address xx: Timed out"
For both of the affected websites, I get:

Server (name): Unknown

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Both machines are on the same network.
0
 
troelandCommented:
There is something acting up between your DNS and theirs.  The simplest fix might be to just create a hosts file on each of your workstations referencing the IP to name.

You can find this file at C:\Windows\system32\drivers\etc\

It has examples for proper configurations.


TJR
0
 
sdowerAuthor Commented:
Thanks. I've tried this but unfortunately it makes no difference.
0
 
troelandCommented:
Try an LMHosts file and import it?

TJR
0
 
sdowerAuthor Commented:
Hi,

Have tried an LMHosts file but this made no difference.
0
 
Steve BinkCommented:
If the only difference was in the DNS server, then it is obviously a DNS problem.

192.168.0.0/16 is an internal network, which means that DNS server is somewhere within your organization.  192.169.0.0/16, however, will be out on the internet.  That looks like a typo that just happened to point to a computer able to do DNS recursive calls.

Go to the machine that is working, and attempt an nslookup for www.domain_U_want_to_reach.com.  If you get back a response, you'll see the IP as w.x.y.z.  Take that information to a machine that doesn't work, and edit %SYSTEMROOT%\system32\drivers\etc\hosts.  Put in the domain and IP, save the file, then open a command line prompt and run 'ipconfig /flushdns'.  Now that machine should be able to ping/nslookup the domain.
0
 
sdowerAuthor Commented:
Hi routinet,

Have tried this on several PC's but no luck I'm afraid.
0
 
Steve BinkCommented:
What process did you follow (step-by-step, please), and what were the results?
0
 
sdowerAuthor Commented:
I set-up the LMHosts file as per the instructions in the test file. I added the entries from the HOSTS file. Imported the LMHOSTS file via IP settings.

On the machine that is working, I did an NSLOOKUP for the sites I want to access, got the IP addresses, put that information into the HOSTS file on a machine that doesn't work.

Results = no change. I still cannot access those sites on any other machine.
0
 
Steve BinkCommented:
On the machine that doesn't work, what happens when you ping the IP?  What happens when you ping the name after making your adjustments to the HOSTS file?
0
 
sdowerAuthor Commented:
Hi, I get "Request Timed Out" for both sites (IP address and name) on all machines that don't work (including the one with the LMHOSTS file set-up). This seems to be the case for most/ all other addresses/names even though I can access the websites.

However, on the machine that works I get a reply for one of the sites for both IP address and name. The other site is just an IP address and I get "Request Timed Out". There is nothing in the HOSTS file or LMHOSTS file on this machine.
0
 
Steve BinkCommented:
What is the default gateway on these machines, and what happens when you try to ping it?

Explain a little bit about your physical layer configuration.  At what point do these machines directly connect to the network?  How many devices are in between them and the default gateway?  Are there any intranet routers involved?  Where does your default gateway lead?
0
 
sdowerAuthor Commented:
The default gateway is the same for all clients, including the one that works - this is our firewall (an internal IP address) which then points to our router (managed by the Government Network).

When I ping the gateway I get a reply on all clients.

All machines connect via switches to the firewall. There are no intranet routers.
0
 
Steve BinkCommented:
Please post the tracert results from a system that works and a system that doesn't work.  Include as much unedited information as you can without violating your security/privacy policies.

Have you ever used Wireshark?  If you can, try a capture from each system for both ping and a simple HTTP request.  

This is very much sounding like IGN cut you off, and your attempts to resolve with them were handled by a low-level tech who wanted you off the phone.  :)  The real oddity is why ONE system would work, and not the rest.  If the problem exists in your network, it will very likely be in the firewall, or in DHCP configuration.  That reminds me...please include as much information about your DHCP server as possible.  At a minimum, I would like to know the range of the active scopes, subnet masks, default gateway settings, and nameserver settings.
0
 
sdowerAuthor Commented:
> This is very much sounding like IGN cut you off, and your attempts to resolve with them were handled by a low-level tech who wanted you off the phone.  :)
This is very much my thinking too!!

Here are the results of the tracert for both sites:
On sample PC that DOESN'T work:

C:>tracert 169.254.255.194

Tracing route to netwatch.vpn [169.254.255.194]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:>tracert 169.254.222.35

Tracing route to pcframework.gov.ie [169.254.222.35]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.


On PC that DOES work:

C:>tracert 169.254.255.194

Tracing route to netwatch.vpn [169.254.255.194]
over a maximum of 30 hops:

  1     7 ms     1 ms     1 ms  169.254.216.129
  2   156 ms   162 ms   144 ms  159.134.141.213
  3    35 ms    65 ms    63 ms  83.71.50.129
  4   114 ms   106 ms   119 ms  83.71.50.130
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:>tracert 169.254.222.35

Tracing route to monoframework.gov.ie [169.254.222.35]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  169.254.216.129
  2    42 ms    68 ms    88 ms  159.134.133.13
  3   155 ms    91 ms    40 ms  83.71.90.205
  4    43 ms    44 ms    38 ms  83.71.90.206
  5    45 ms    47 ms    53 ms  169.254.254.199
  6   137 ms   137 ms   134 ms  monoframework.gov.ie [169.254.222.35]

Trace complete.
   

I've never used Wireshark. I'm not an expert on DHCP so I hope this is the correct information:
Scope: 192.168.10.100 - 192.168.10.253
Subnet mask: 255.255.255.0
Lease duration: 8 hours
address pool: 192.168.10.100 - 192.168.10.129
Default gateway: 192.168.10.6 (this is our firewall)
DNS domain name: ncte.ie    
0
 
Steve BinkCommented:
Curious...your DHCP server hands out 192.168.* addresses.  What are the ipconfig returns on those systems?  The 169.254.* addresses are APIPA addresses.  Are you sure those are correct?

Run 'ipconfig /all' once on each system (working and not-working), and post those results here.
0
 
sdowerAuthor Commented:
Hi,

Apologies for the delay in posting this information. Had other issues to deal with. Here are the results of the ipconfig /all:

ON PC that works:

C:>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : AnnePhelan
        Primary Dns Suffix  . . . . . . . : ncte.ie
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ncte.ie
                                            ncte.ie

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ncte.ie
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AD-F3-8A
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.6
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 192.169.10.11
                                            169.254.254.203
        Primary WINS Server . . . . . . . : 192.168.10.11
        Lease Obtained. . . . . . . . . . : 23 March 2009 11:43:54
        Lease Expires . . . . . . . . . . : 31 March 2009 11:43:54



On Sample PC that doesn't work :

C:>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NCTETEST1
        Primary Dns Suffix  . . . . . . . : ncte.ie
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ncte.ie
                                            ncte.ie

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ncte.ie
        Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-1E-8C-90-81-D9
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.137
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.6
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 169.254.254.203
                                            192.168.10.11
        Primary WINS Server . . . . . . . : 192.168.10.11
        Lease Obtained. . . . . . . . . . : 23 March 2009 11:43:20
        Lease Expires . . . . . . . . . . : 31 March 2009 11:43:20
0
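Added example, not part of the thread: a Python script that pulls the DNS server list out of `ipconfig /all` text and classifies each resolver as RFC 1918, link-local (169.254.0.0/16) or public, flagging a public resolver that is one octet away from the intended one, as 192.169.10.11 is here. The sample text is constructed from the two listings above; `INTENDED` and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed input: the DNS lines of the two `ipconfig /all` listings above.
WORKING = """\
        DNS Servers . . . . . . . . . . . : 192.169.10.11
                                            169.254.254.203
        Primary WINS Server . . . . . . . : 192.168.10.11
"""
FAILING = """\
        DNS Servers . . . . . . . . . . . : 169.254.254.203
                                            192.168.10.11
        Primary WINS Server . . . . . . . : 192.168.10.11
"""
# Assumption: the resolver clients are meant to use, as stated in the thread.
INTENDED = [ipaddress.ip_address("192.168.10.11")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
FIELD = re.compile(r"^\s*([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")


def dns_servers(ipconfig_text):
    """Return the DNS servers, in configured order, from `ipconfig /all` text."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = FIELD.match(line)
        if m:                       # "Label . . . : value" starts a new field
            in_dns = m.group(1) == "DNS Servers"
            value = m.group(2).strip()
        else:                       # indented continuation of the previous field
            value = line.strip()
        if in_dns and value:
            servers.append(ipaddress.ip_address(value))
    return servers


def classify(addr):
    """Place an address in the ranges the thread discusses."""
    if addr in APIPA:
        return "link-local"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public" if addr.is_global else "special"


def audit(ipconfig_text, intended=INTENDED):
    """Return (server, class, note) for every configured DNS server."""
    findings = []
    for srv in dns_servers(ipconfig_text):
        kind, note = classify(srv), ""
        if kind == "public":
            # One differing octet from an intended resolver suggests a typo.
            near = [i for i in intended
                    if sum(a != b for a, b in zip(srv.packed, i.packed)) == 1]
            note = f"one octet off {near[0]}" if near else "outside the LAN"
        findings.append((str(srv), kind, note))
    return findings


if __name__ == "__main__":
    for host, text in (("AnnePhelan", WORKING), ("NCTETEST1", FAILING)):
        print(host, audit(text))
```

A "public" finding means that client sends its name lookups, internal names included, to an address outside the organisation's network.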
 
Steve BinkCommented:
The only difference I see is the order of the DNS servers, and I'm not sure that makes a difference.  When you run nslookup on each box, what comes up as the default DNS server?  Do you see any difference in connectivity if you force NCTETEST1 to use only 192.168.10.11 for DNS?  Is 169.254.254.203 a real system?  On your network or elsewhere?  Can both systems find (ping) the default gateway?
0
 
sdowerAuthor Commented:
NSlookup:

On AnnePhelan I get:

DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.169.10.11: Timed out
Default Server:  cwint.gn.gov.ie
Address:  169.254.254.203

Note that 192.169.10.11 is actually an incorrect address (probably a typo when setting up) - this should be 192.168.10.11.


on NCTETEST1 I get:

*** Can't find server name for address 192.168.10.11: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.254.203: Timed out
*** Can't find server name for address 192.168.10.11: Non-existent domain
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.253.203: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.11


If I change the order of DNS servers it makes no difference on either PC. If I force NCTETEST1 to use 169.254.253.203 (which AnnePhelan must be using as 192.169.10.11 is invalid) then I can get one of the Government websites (but now the secure part) but cannot access any other website.

169.254.254.203 is a Gov DNS server outside our network. As the default gateway is a local address within our network then this server would not be able to find it. 192.168.10.11 can find the gateway. The gateway is our firewall which is connected to the Gov Network managed router.
0
 
Steve BinkCommented:
On NCTETEST1, do you have any other problems with connectivity?

I can only think of a couple possible problems at this point:

1) the network card on NCTETEST1 is dying.  If this is the case, you should see connection issues everywhere you go, not just on intranet or parallel networks.  I'm not inclined to believe this since DHCP is apparently working just fine.

2) That system is being filtered somewhere in the network layer, probably by a router or firewall, or possibly misconfiguration...I'm a little curious about the 169.254.254.203 vs 169.254.253.203.  For that matter, I'm a little curious as to why your DNS server is on an APIPA to begin with...

3) Possibly an infection of some sort?  A packet capture would tell you if the requests are malformed or something similar.

I recommend doing a packet capture just to see what is actually going out on the wire, and to see if any responses are coming back at all.  Another oddity is your previous tracert results.  The first hop should always be to your default gateway.  Not only is your first hop going somewhere else, it's going somewhere else on an entirely different network.
0
 
sdowerAuthor Commented:
Hi,

1) NCTETEST1 is representative of all clients on our network except AnnePhelan which is the exception, so I think it's unlikely that all other network cards are faulty. In any case I have previously tried using another network card on NCTETEST1 but this makes no difference.

2) I thought this might be the case, but as I'm the only one who should have access to our firewall I can't see how. There is only our firewall between this (and all clients) and the router (which is managed by the Gov Network meaning I have no access) and I couldn't find anything in the firewall logs indicating this. I don't know where 169.254.253.203 comes from. When I did a subsequent nslookup today this didn't show up:

DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 169.254.254.203: Timed out
*** Can't find server name for address 192.168.10.11: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  169.254.254.203

I don't know why the DNS server is on APIPA - I'm guessing this was set up by default, but what difference does this make? As far as I can see all addresses are being allocated by the DNS server.

3) Again, it's unlikely that all but 1 client would be infected. In any case I have thoroughly scanned NCTETEST1 and cannot find any infections. What do you recommend I use for packet capture?
0
Question has a verified solution.
