Solved

Routing Issue with a domain

Posted on 2009-05-15
508 Views
Last Modified: 2013-11-16
Hi,

I'm having a weird routing issue I can't quite figure out.

I'm trying to access a website (outside domain) from within our organization, but I can't seem to get to it from a majority of the computers here. I can access the domain from my domain controller (which hosts DNS, DHCP, WSUS, etc.), my main file server (no services other than printing and file serving), and my backup server (running Backup Exec 12.5).

None of these servers have direct NATs or access rules through my PIX firewall (which is also my gateway).

However, when I try to access the domain from other computers in the office, it never gets there. It times out.

I've compared the routing tables (in Windows) from a working server and a client that can't reach the destination domain, and they're exactly the same. All servers and workstations point to my main domain DNS server.

Running ping, nslookup, and tracert all resolve the domain to its correct IP address; it just never gets there.

Does anyone have any suggestions on how to begin troubleshooting such a weird, inconsistent issue?

Network Details: Class C 192.168.1.x network range
PIX/Gateway: 192.168.1.254
DNS: 192.168.1.17

All clients and servers point to 192.168.1.17 for DNS/DHCP
All clients and servers use 192.168.1.254 for gateway.

We have a mix of switches: some are Dell PowerConnects, some are 3Com, and some are Cisco Catalyst 2900 series.

The issue happens on Windows and Mac clients.

Thanks for your help!

Routing table from server that works:

C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 12 79 3a f2 7b ...... HP NC7761 Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.13     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.13     192.168.1.13     10
     192.168.1.13  255.255.255.255        127.0.0.1        127.0.0.1     10
     192.168.1.16  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255     192.168.1.13     192.168.1.13     10
        224.0.0.0        240.0.0.0     192.168.1.13     192.168.1.13     10
  255.255.255.255  255.255.255.255     192.168.1.13     192.168.1.13      1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  None

Routing table from client that does not work:

H:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b 29 96 8c ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.252       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.252   192.168.1.252       10
    192.168.1.252  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255    192.168.1.252   192.168.1.252       10
        224.0.0.0        240.0.0.0    192.168.1.252   192.168.1.252       10
  255.255.255.255  255.255.255.255    192.168.1.252   192.168.1.252       1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:

Question by:mattai
16 Comments

LVL 3
Expert Comment
by:simprix
Do you allow DNS queries from your internal subnet on your Windows machine?

Author Comment
by:mattai
simprix-- yes, we do.

LVL 1
Expert Comment
by:jaysonfranklin
Is there an outbound access-list on your PIX?
If no, then:
Do you have a zone for this external domain on your internal DNS server?
If no, then:
Are your forwarders set up correctly?
If yes, then:
What is the error you get while trying to visit the site? Is it a 404 page can't be found, or a 104 connection reset by peer? Etc... Also, are you using a proxy server?

A simple test to see if it is indeed a routing/connectivity issue is to telnet to the domain from one of your client machines. (You may have to turn telnet on from Add/Remove Programs, Add/Remove Windows Components.)

telnet domain.com 80

If you immediately get a black screen, the port opens and you do not have a routing problem.

If it says 'connecting....' and does not connect, then we can continue to troubleshoot the routing / connectivity issue.

Author Comment
by:mattai
Hi, thanks for your reply. Here are the answers to your questions in order:

Is there an outbound access-list on your PIX?

Yes: Source: any / Destination: any interface inside (outbound) service: ip

Do you have a zone for this external domain on your internal DNS server?

No.

Are your forwarders set up correctly?

Can you explain what you mean by "forwarders set up correctly"?

What is the error you get while trying to visit the site? Is it a 404 page can't be found? or 104 connection reset by peer? Etc... also, are you using a proxy server?

No proxy server. Firefox reports the connection times out. IE7 just says it cannot connect to the page. No specific error codes are displayed.

A simple test to see if it is indeed a routing/connectivity issue is to telnet to the domain from one of your client machines. (you may have to turn telnet on from add/remove programs, add/remove windows components) telnet domain.com 80 If you immediately get a black screen, the port opens and you do not have a routing problem. if it says 'connecting....' and does not connect, then we can continue to troubleshoot the routing / connectivity issue.

On one of the servers I said was working in my original post, it works. On a client, it does not; it stays at "connecting".

Thanks for your help!

-M

LVL 1
Expert Comment
by:jaysonfranklin
OK, so all other websites are working correctly, right?

What does nslookup say on your client machines?

C:\>nslookup
> domain.com

Does it display the correct IP address? If not, then you have a DNS issue. You may want to clear the cache on your DNS server and then do ipconfig /flushdns and ipconfig /registerdns on your DNS server and client machines.

Author Comment
by:mattai
Works on both a machine that can get to the server, and one that can't:

C:\Documents and Settings\Administrator>nslookup
Default Server:  wybe-dom1.wybe.local
Address:  192.168.1.17

> consciousarts.net
Server:  wybe-dom1.wybe.local
Address:  192.168.1.17

Non-authoritative answer:
Name:    consciousarts.net
Address:  69.73.158.97

LVL 1
Expert Comment
by:jaysonfranklin
Is this an intermittent issue or is it constant?

So, your DHCP gives out the 1.17 as the only DNS server?

The forwarders on the DNS server are the two DNS addresses provided by your ISP. Are these statically set on the servers?

Try setting the static DNS addresses provided by your ISP on a client machine.

Also, check your hosts file in C:\windows\system32\drivers\etc and make sure the consciousarts.net domain is not being pointed somewhere else.

Also, please post the traceroute from a client machine to the domain, as well as from a server. They *should* be the same.

Else, I would check the PIX to make sure it is not stripping HTTP headers, etc. You can post the outbound ACL for us to make sure.

Also, does this happen on hosts connected to all switches? Or can you isolate it to a 3Com, Dell, or Cisco switch?
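The checks jaysonfranklin lists above (hosts-file override, the nslookup resolution, and telnet to port 80) as one script, added here as an example that is not part of the original thread. It runs unchanged on the Windows and Mac clients the question mentions; the function names and the SAMPLE_HOSTS content are constructed for illustration, and a "timeout" verdict is the scripted equivalent of telnet sitting at "connecting".

```python
import socket
from typing import Optional

# Path quoted in the thread; SAMPLE_HOSTS is a constructed stand-in for testing.
WINDOWS_HOSTS = r"C:\windows\system32\drivers\etc\hosts"
SAMPLE_HOSTS = """# constructed sample: an override like this would shadow DNS
127.0.0.1       localhost
192.168.1.200   consciousarts.net
"""

def hosts_override(hosts_text: str, name: str) -> Optional[str]:
    """Return the address the hosts file maps `name` to, or None if absent.
    Comments are stripped; matching is case-insensitive, as on Windows."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

def resolve(name: str) -> Optional[str]:
    """Ask the system resolver (the server nslookup reports); None on failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def tcp_probe(addr: str, port: int = 80, timeout: float = 5.0) -> str:
    """Classify a TCP connect the way the telnet test does:
    'open'        SYN/ACK came back (telnet shows a blank screen)
    'refused'     RST came back: host reachable, port closed, not a routing problem
    'timeout'     SYN or SYN/ACK lost on the way: routing or filtering problem
    'unreachable' the local stack or a router reported no route"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"

def triage(name: str, hosts_text: str = "", port: int = 80,
           timeout: float = 5.0) -> dict:
    """Run the three checks in order and report where the path breaks."""
    override = hosts_override(hosts_text, name)
    addr = override or resolve(name)  # hosts file wins over DNS, as on a client
    return {
        "name": name,
        "hosts_override": override,
        "address": addr,
        "tcp": tcp_probe(addr, port, timeout) if addr else "dns_failed",
    }

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "consciousarts.net"
    try:
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            hosts = fh.read()
    except OSError:
        hosts = ""  # not on Windows or unreadable: skip the override check
    print(triage(target, hosts))
```

Run it on a working server and on a failing client and compare the `tcp` field: "open" on one and "timeout" on the other confirms the path problem sits beyond DNS.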

Author Comment
by:mattai
jaysonfranklin:

I'll type my answers below your questions:


Q. Is this an intermittent issue or is it constant?
A. Constant; no clients are routed to that domain.

Q. so, your dhcp gives out the 1.17 as the only dns server?
A. Yes.

Q. The forwarders on the DNS server are the two DNS addresses provided by your ISP. Are these statically set on the servers?
A. Yes, the addresses are listed in Forwarders in the AD DNS MMC.

Q. Try setting the static dns addresses provided by your ISP on a client machine.
A. Tried that, no change in behavior.

Q. Also, check your hosts file in C:\windows\system32\drivers\etc and make sure the consciousarts.net domain is not being pointed somewhere else.
A. Hosts just has loopback defined.

Q. Also, please post the traceroute from a client machine to the domain, as well as from a server. They *should* be the same.
A. My traceroutes fail, on both server and client.

Q. else, i would check the pix to make sure it is not stripping http headers, etc. you can post the outbound acl for us to make sure.
A. I'll follow-up with this...

Q. also, does this happen on hosts connected to all switches? or can you isolate it to a 3com, dell, cisco switch?
A. All switches.

LVL 1
Accepted Solution
by: jaysonfranklin earned 500 total points
Ok, so to recap, you can get to every website on the internet except for 'consciousarts.net'

When I go there, I get the following:

Index of /

blog/
cgi-bin/
Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at consciousarts.net Port 80

Is there an access list on the webserver that is denying your network?

Also, can you post the (scrubbed) config of the PIX so we can make sure it's not a firewall issue?

I think you asked this question in the wrong place; you should have at least added the PIX firewall group to it.

Author Comment
by:mattai
Thanks, Jayson.

I didn't initially submit it into the PIX area because I wasn't sure if it was a firewall issue. I've posted my PIX config below.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password y3rOvhl1PRwn6lan encrypted
passwd [password] encrypted
hostname [host]
domain-name [domain]
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 INT-UNIX
name 192.168.1.13 INT-EXCHANGE
name 66.153.112.132 EXT-HOST
name 192.168.1.12 INT-HOST
name 199.170.191.110 Protrack
name 192.168.1.189 B1000
name 128.118.46.3 PennStateTimeserver
name 74.9.103.36 EXT-UNIX
name 74.9.103.35 EXT-EXCHANGE
name 74.9.103.38 EXT-B1000
name 74.9.103.37 EXT-Host
name 128.118.25.3 PennStatetimeserver2
name 192.168.1.16 INT-EXCHANGE2
name 192.168.1.27 MindControl
name 192.168.1.60 WYBE_RCV-ACK
name 192.168.1.19 WYBE-TEST
name 192.168.1.35 WYBE-OD2
name 192.168.1.109 temp
name 192.168.1.122 WYBE-Playout
name 129.6.15.28 time-a.nist.gov
object-group service Timerserver udp
object-group service KVMAccess tcp-udp
  description Dell KVM Access Ports
  port-object eq 3211
  port-object eq 2068
  port-object eq 8192
object-group service Mail tcp-udp
  port-object eq 587
  port-object eq 25
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq smtp
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq imap4
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq https
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq www
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq 587
access-list outside_access_in permit tcp any host EXT-EXCHANGE eq 993
access-list outside_access_in permit tcp any host EXT-UNIX eq ssh
access-list outside_access_in permit tcp any host EXT-Host eq 4899
access-list outside_access_in permit tcp any host EXT-B1000 eq ssh
access-list outside_access_in remark Disabled 10-29-08 MLC
access-list outside_access_in deny tcp any host EXT-B1000 eq ftp
access-list outside_access_in remark Disabled 10-29-08 MLC
access-list outside_access_in deny tcp any host EXT-B1000 eq ftp-data
access-list outside_access_in permit tcp any host EXT-B1000 eq www
access-list outside_access_in permit tcp any host EXT-B1000 eq 3000 log
access-list outside_access_in permit udp any host EXT-B1000 eq ntp log
access-list outside_access_in permit tcp any host EXT-B1000 eq 123 log
access-list outside_access_in permit tcp any host 74.9.103.39 eq smtp
access-list outside_access_in permit tcp any host 74.9.103.40 eq ssh
access-list outside_access_in remark Disabled 10-29-08 MLC
access-list outside_access_in deny tcp any host 74.9.103.40 eq ftp
access-list outside_access_in remark Disabled 10-29-08 MLC
access-list outside_access_in deny tcp any host 74.9.103.40 eq ftp-data
access-list outside_access_in permit tcp any host 74.9.103.40 eq https
access-list outside_access_in permit tcp any host 74.9.103.45 eq ftp-data
access-list outside_access_in permit tcp any host 74.9.103.45 eq ftp
access-list outside_access_in permit tcp any host 74.9.103.46 eq 8200
access-list outside_access_in permit tcp any host 74.9.103.46 eq 5901
access-list outside_access_in permit tcp any host 74.9.103.46 eq 3306
access-list outside_access_in permit tcp any host 74.9.103.46 eq www
access-list outside_access_in permit tcp any host 74.9.103.46 eq ssh
access-list outside_access_in permit tcp any host 74.9.103.46 eq ftp
access-list outside_access_in permit tcp any host 74.9.103.46 eq ftp-data
access-list outside_access_in remark NTP for WYBE-DOM1
access-list outside_access_in permit udp host time-a.nist.gov eq ntp 74.9.103.0 255.255.255.0 eq ntp
access-list outside_access_in remark NTP for WYBE-DOM1 (TCP)
access-list outside_access_in permit tcp host time-a.nist.gov eq 123 74.9.103.0 255.255.255.0 eq 123
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list PA-VPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside 74.9.103.34 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool PA-POOL 192.168.3.1-192.168.3.128 mask 255.255.255.0
pdm location 209.92.144.210 255.255.255.255 outside
pdm location INT-UNIX 255.255.255.255 inside
pdm location 192.168.1.117 255.255.255.255 inside
pdm location 192.168.2.1 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location INT-EXCHANGE 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location INT-HOST 255.255.255.255 inside
pdm location Protrack 255.255.255.255 outside
pdm location 192.168.1.9 255.255.255.255 inside
pdm location B1000 255.255.255.255 inside
pdm location 67.110.30.214 255.255.255.255 outside
pdm location PennStateTimeserver 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location EXT-UNIX 255.255.255.255 outside
pdm location EXT-EXCHANGE 255.255.255.255 outside
pdm location EXT-B1000 255.255.255.255 outside
pdm location EXT-Host 255.255.255.255 outside
pdm location PennStatetimeserver2 255.255.255.255 outside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location INT-EXCHANGE2 255.255.255.255 inside
pdm location MindControl 255.255.255.255 inside
pdm location 74.9.103.41 255.255.255.255 inside
pdm location Dell-KVM 255.255.255.255 inside
pdm location 74.9.103.46 255.255.255.255 outside
pdm location WYBE_RCV-ACK 255.255.255.255 inside
pdm location 74.9.103.39 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 74.9.103.45 255.255.255.255 outside
pdm location 192.168.1.17 255.255.255.255 inside
pdm location WYBE-TEST 255.255.255.255 inside
pdm location WYBE-OD2 255.255.255.255 inside
pdm location 192.168.1.106 255.255.255.255 inside
pdm location 192.168.1.252 255.255.255.255 inside
pdm location temp 255.255.255.255 inside
pdm location WYBE-Playout 255.255.255.255 inside
pdm location ConsciousArts.net 255.255.255.255 outside
pdm location time-a.nist.gov 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 74.9.103.41-74.9.103.44
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 74.9.103.45 WYBE-OD2 netmask 255.255.255.255 0 0
static (inside,outside) EXT-EXCHANGE INT-EXCHANGE dns netmask 255.255.255.255 0 0
static (inside,outside) EXT-UNIX INT-UNIX netmask 255.255.255.255 0 0
static (inside,outside) EXT-Host INT-HOST netmask 255.255.255.255 0 0
static (inside,outside) EXT-B1000 B1000 netmask 255.255.255.255 0 0
static (inside,outside) 74.9.103.39 INT-EXCHANGE2 netmask 255.255.255.255 0 0
static (inside,outside) 74.9.103.40 MindControl netmask 255.255.255.255 0 0
static (inside,outside) 74.9.103.46 WYBE-Playout netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.9.103.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server VPN_RAD protocol radius
aaa-server VPN_RAD max-failed-attempts 3
aaa-server VPN_RAD deadtime 10
aaa-server VPN_RAD (inside) host 192.168.1.17 14u21me timeout 10
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.11 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.117 255.255.255.255 inside
http 192.168.2.1 255.255.255.255 inside
snmp-server host inside 192.168.1.252
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Please enter your network username in the format of [domain]\[username]
auth-prompt accept Welcome to the MiNDtv Network!
auth-prompt reject Access Denied.
crypto ipsec transform-set ESP-3des-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3des-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPN_RAD
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PA-VPN address-pool PA-POOL
vpngroup PA-VPN dns-server 192.168.1.17
vpngroup PA-VPN wins-server 192.168.1.17
vpngroup PA-VPN default-domain 192.168.1.17
vpngroup PA-VPN split-tunnel PA-VPN_splitTunnelAcl
vpngroup PA-VPN split-dns wybe.local
vpngroup PA-VPN idle-time 3600
vpngroup PA-VPN secure-unit-authentication
vpngroup PA-VPN authentication-server VPN_RAD
vpngroup PA-VPN user-authentication
vpngroup PA-VPN user-idle-timeout 10
vpngroup PA-VPN device-pass-through
vpngroup PA-VPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 209.92.144.210 255.255.255.255 outside
ssh timeout 15
management-access inside
console timeout 15
username [username] [password] encrypted privilege 15
username [username] [password] lOOWBtg.XRgYICHq encrypted privilege 15
terminal width 80
Cryptochecksum:26a33089bb29e55b5ad592bb2899da9e
: end
[OK]


LVL 57
Expert Comment
by:giltjr
If possible, can you set up a PC in front of your firewall and try accessing that site? That will show if you have a firewall issue or an issue where that site is blocking your IP address.

LVL 16
Expert Comment
by:The--Captain
Use tracetcp on windows, tcptraceroute on unix, and you will figure this out.

Cheers,
-Jon

Author Closing Comment
by:mattai
Never resolved the issue. Gave up. Will revisit later.