Solved

Network problem fixed but not sure why

Posted on 2009-05-13
Last Modified: 2012-05-06
I recently installed a Sonicwall TZ 210.  My network consists of cable modem --> TZ 210 --> Dell Powerconnect 2748 managed switch --> everything else.

I have 2 servers running, (1 is SBS2003 which is the dc, dns server, print server, and does exchange and another windows 2003 server which just does sql.)  I have 2 networked printers and approx. 25 workstations running XP pro.
All these exist on a single domain with class c private ip address on a /24 subnet.  The servers and the printers have static ip.  

The problem I was experiencing was that the workstations that ran applications which utilized the sql server were throwing errors pertaining to a brief loss of connectivity.  I did some packet sniffing on wireshark using port mirroring on my switch and didn't see anything really unusual.  I started doing ping -t to the TZ 210, my switch, both servers, my printers, and several random workstations and constantly monitoring that to find that intermittently the ping to everything would time out once or twice then normal traffic would resume except for a printer which would continue to timeout for 30 sec to a min usually. It was not one specific printer, both did it at different times.  

The Dell switch is less than two months old so I began to suspect a jabbering nic or a bad cable.  Systematically,  I disconnected everything attached to my switch one thing at a time and continued to watch those ping -t's from multiple locations to isolate the cause.  Considering this dropping of network packets was only happening once every 2-3 hours this was a VERY time consuming and frustrating task.  I checked the data rate on the nics, etc and all configurations and found nothing.  

To make a long story short, none of this fixed the problem.  I then took the sql server and moved it from my switch to one of the extra ethernet ports on the TZ 210 and I noticed that the workstations running the applications using sql were no longer throwing those errors.  I continued to monitor the pings as I described above and nothing had changed and I was still getting the packets dropped periodically.  I then took the SBS2003 and moved it from the switch to its own ethernet port on the TZ 210 and my network problems disappeared.

I'm totally confused here.  While I'm grateful the problem is fixed I want to know why.  The ethernet ports the 2 servers are on and the LAN port on the TZ 210 are still the same subnet, etc and would still be the same broadcast domain right?  I'm not sure what moving it to its own physical port but keeping it in the same LAN fixed.  

On a side note I checked every port on the switch and had 0 collisions, 0 jabbers, 0 CRC or Align errors, etc.  

Any insight into this would be appreciated.
Question by:FASP
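
The ping watch described in the question, as an added example that is not part of the original post: it groups logged timeouts into loss events and separates drops that hit every target at once from drops confined to one host. The log format, target names and 5-second probe interval are assumptions, and the sample log is constructed.

```python
from datetime import datetime

# Constructed sample: one line per probe round, "time target=result ...".
SAMPLE_LOG = """\
10:00:00 firewall=ok sql=ok sbs=ok printer1=ok
10:00:10 firewall=timeout sql=timeout sbs=timeout printer1=timeout
10:00:15 firewall=timeout sql=ok sbs=timeout printer1=timeout
10:00:20 firewall=ok sql=ok sbs=ok printer1=timeout
10:00:25 firewall=ok sql=ok sbs=ok printer1=timeout
10:00:30 firewall=ok sql=ok sbs=ok printer1=timeout
10:00:35 firewall=ok sql=ok sbs=ok printer1=ok
10:05:00 firewall=ok sql=timeout sbs=ok printer1=ok
10:05:05 firewall=ok sql=ok sbs=ok printer1=ok
"""

def parse_rounds(log):
    """Return [(time, {target: replied})], one entry per probe round."""
    rounds = []
    for line in log.strip().splitlines():
        stamp, *fields = line.split()
        results = {n: s == "ok" for n, s in (f.split("=") for f in fields)}
        rounds.append((datetime.strptime(stamp, "%H:%M:%S"), results))
    return rounds

def loss_runs(rounds):
    """Return (target, first_loss, last_loss, missed) per run of timeouts."""
    runs, open_runs = [], {}
    for when, results in rounds:
        for target, replied in results.items():
            if not replied:
                start, _, missed = open_runs.get(target, (when, when, 0))
                open_runs[target] = (start, when, missed + 1)
            elif target in open_runs:
                runs.append((target, *open_runs.pop(target)))
    runs.extend((t, *r) for t, r in open_runs.items())  # still down at end of log
    return sorted(runs, key=lambda r: (r[1], r[0]))

def classify(rounds):
    """Group runs by start time; 'shared' means every target dropped together."""
    targets = set(rounds[0][1])
    events = {}
    for target, start, _end, missed in loss_runs(rounds):
        events.setdefault(start, []).append((target, missed))
    return [{"start": s.strftime("%H:%M:%S"),
             "scope": "shared" if {t for t, _ in hit} == targets else "isolated",
             "slowest": max(hit, key=lambda h: h[1]),
             "targets": sorted(t for t, _ in hit)}
            for s, hit in sorted(events.items())]
```

A "shared" event points at something common to all paths from the monitoring host (the switch, the uplink, or the firewall's LAN side), while "slowest" shows which target took longest to return, as the printers did here.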

Accepted Solution

by:
harbor235 earned 400 total points
ID: 24386009


It's very hard to know for sure since the information you provided is non-specific; it could have been several things.

When you say "throwing errors pertaining to a brief loss of connectivity" do you mean you lost link?
Or do you mean it was unresponsive? Could have been the server was overutilized? Could be the connection table was filled up, or it could be that something/someone was DOS'ng your box from the outside? What kind of errors were you seeing?

Check the switch ports, do you mean CRC/FCS errors, input/output errors on the switch or servers?
Is there anything in the logs? Do you have a firewall or IDS/IDP?

Like I said it could be a ton of things, seeing traffic captures during normal operations and during problem times would be essential.

harbor235 ;}

Author Comment

by:FASP
ID: 24386571
I'll narrow the scope of the question down a little.  It would help me to understand what exactly would change in my network when I took the server off the switch, (which connects to the Sonicwall UTM device via the LAN ethernet connection,) and put it on its own ethernet connection off the Sonicwall UTM while still residing on the same LAN.  

I had already posted here numerous times about this problem with captures, etc, etc ad nauseum.  It would  help me tremendously now to just know what something simple like that would change. Even assuming a network that was working right.

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 100 total points
ID: 24388056
All sorts of things. Duplicate IP Addresses, incorrect network configurations/bindings, port speeds - the list is endless.

Assisted Solution

by:harbor235
harbor235 earned 400 total points
ID: 24388153


Also, could have been just dumb luck, perhaps if something was going on it stopped at that moment.
If you put it back does it re-appear?

As Keith stated, it could be a misconfiguration on the switch.

harbor235 ;}

Author Comment

by:FASP
ID: 24388533
A little more info: single domain, 192.168.1.xxx ip scope with /24 subnet so very basic.  SBS does dhcp and the printers are outside the range of the assigned scope.  Anything else with a static ip has that address reserved.  I didn't find any duplicate ip address.  I'm not sure what network configuration could be incorrect.  Everything has the sonicwall TZ 210's static ip as its gateway, the sbs as dns, subnets all correct, etc.  Very simple and easy and never found anything there.  All the nics are set to auto detect, flow control is off.  I'm not using anything fancy on the managed switch like storm control, etc.  I'm just not seeing anything obvious, my network is probably very simple compared to what some of you work with.  If it was a jabbering nic or a bad cable on the server(s) I would think just moving physical ports but having it in the same lan wouldn't fix it.

If I move the server from the sonicwall's extra ethernet port and plug it back in my dell switch the problem resumes.

Assisted Solution

by:harbor235
harbor235 earned 400 total points
ID: 24388698


How many switches? Could be a spanning tree problem? How are the switch and the SonicWall connected? Could be a spanning tree problem between the switch and the layer 2 functions of the SW.

harbor235 ;}

Author Comment

by:FASP
ID: 24388819
It's just one switch, a Dell Powerconnect 2748, connected to the Sonicwall by cat5.

Assisted Solution

by:harbor235
harbor235 earned 400 total points
ID: 24391445


But the firewall acts like a switch as well for the internal LAN ports, so you really have two. Can you post your switch config?


harbor235 ;}

Author Comment

by:FASP
ID: 24396378
Here are some screenshots from the Dell powerconnect switch of what I thought you would be interested in seeing.  Some additional info not shown:  jumbo frames are disabled.  Every port is by default on vlan1 on the switch.  There is currently no port mirroring or storm protection enabled on it.
ipaddressing.jpg

Author Comment

by:FASP
ID: 24396401
This is the switch address table.  The TTL is set to 600 (which is 10 min. I think.)
addresstable.jpg

Author Comment

by:FASP
ID: 24396412
This is the switch interface configuration.
interfaceconfig.jpg

Author Comment

by:FASP
ID: 24396425
If you are interested, this is a screenshot of the Sonicwall interface screen
SWinterfaces.jpg

Author Comment

by:FASP
ID: 24396442
A screenshot of the Sonicwall's portshield interface screen.
SWportshieldgroups.jpg

Author Comment

by:FASP
ID: 24396456
The Sonicwall's network zones
SWzones.jpg

Author Comment

by:FASP
ID: 24396471
I really appreciate your help.  I'm glad my problem is fixed but it really bothers me that I can not figure out why.  I can provide you with screenshots of any information you require.

Author Closing Comment

by:FASP
ID: 31581214
Not really a specific solution offered but awarded points for your effort.

Expert Comment

by:barrymwohl
ID: 26454397
I have a similar problem.  I just replaced a Netgear FVS318 with a Sonicwall TZ210 as an "upgrade" in being able to manage threats on my Network.   The Internet Modem connects to the TZ210 on firewall X1 and then the firewall connects through its X0 Lan Port to a Dell Powerconnect 5424 which is connected to a Dell 5212.  My network runs mostly connect to the Powerconnect 5424.  My domain controller runs Windows 2000 Server SP4 and is my file server and print server.  My application server runs Windows 2000 Server SP4 terminal services.  I have about 25 other clients running Windows 2000 professional or Windows XP Professional.

Using the TZ210, I cannot get Backup Exec 12.5 remote agents to install or to complete backups.  My "interface server" running Windows XP Pro loses connectivity and shuts off interface services, and a separate "drug and drug-drug interaction" dataserver (Windows 2000 Pro) gets very slow.

Taking the TZ210 out and replacing it with the Netgear FVS318, all these problems go away.

I am new here, so I'm sorry if it is bad etiquette to post to a closed thread.