every1isevil2
Random intermitent destination NET unreachable
Hey Everyone,
I'm having a VERY strange problem with the network here. The users here are having intermittent connectivity problems. At random, they can't get out to the internet. Everything internally works fine. DNS resolves just fine, but when they try to ping out, they get a "Destination NET unreachable" response. 5 minutes later, everything is back up and working just fine.
**This is random and doesn't affect ALL users at the same time. Most users are fine while some are having problems.**
**ALL INTERNAL TRAFFIC IS FLAWLESS**
Current network configuration:
Users
|
Users ----- Switch ------ Switch ------ Firebox X55e ----- Internet
|
Users ----- Switch ------ Switch
|
Users
# of users: 30
Firewall: Watchguard Firebox X55e firmware 11.1
All switches are gigabit unmanaged
Ip subnet: 192.168.99.0/24
DG: 192.168.99.1
The firewall is currently configured with Wan Failover.
Things I have tried:
*Saved config of firewall and swapped it out with the same model (actually helped out a bit, but still having some issues)
*tried moving the firewall to a different switch
*Installed a hub between switch and firewall for packet capture (noticed that there is no traffic from the PC having problems while the problem is occurring, even though they are trying to get on or pinging)
*monitored traffic through the firewall traffic monitor and noticed no packets coming in from pc with problems
*i've connected another switch to the network, connected the firebox to that, and connected specific users to it
I've tried to find a common denominator to try to solve the problem but haven't been able to pin point anything.
Any help is greatly appreciated.
Thanks in advance
ASKER
Here is the output from a computer that was having the problems. Looks like I'm missing the info under "persistent routes".
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 97 c2 fb ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.99.1 192.168.99.67 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.99.0 255.255.255.0 192.168.99.67 192.168.99.67 10
192.168.99.67 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.99.255 255.255.255.255 192.168.99.67 192.168.99.67 10
224.0.0.0 240.0.0.0 192.168.99.67 192.168.99.67 10
255.255.255.255 255.255.255.255 192.168.99.67 192.168.99.67 1
Default Gateway: 192.168.99.1
===========================================================================
Persistent Routes:
None
I:\>ping google.com
Pinging google.com [209.85.225.106] with 32 bytes of data:
Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.
Ping statistics for 209.85.225.106:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
ASKER
Shortly after.
Pinging google.com [209.85.225.99] with 32 bytes of data:
Reply from 192.168.99.1: Destination net unreachable.
Reply from 209.85.225.99: bytes=32 time=23ms TTL=50
Reply from 209.85.225.99: bytes=32 time=24ms TTL=50
Reply from 209.85.225.99: bytes=32 time=24ms TTL=50
Ping statistics for 209.85.225.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 24ms, Average = 17ms
I:\>netstat /rn
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 97 c2 fb ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.99.1 192.168.99.67 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.99.0 255.255.255.0 192.168.99.67 192.168.99.67 10
192.168.99.67 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.99.255 255.255.255.255 192.168.99.67 192.168.99.67 10
224.0.0.0 240.0.0.0 192.168.99.67 192.168.99.67 10
255.255.255.255 255.255.255.255 192.168.99.67 192.168.99.67 1
Default Gateway: 192.168.99.1
===========================================================================
Persistent Routes:
None
Normally you should not have anything under persistent routes. Persistent routes are routes that were manually added with the "route add -p" command and normally this is not needed.
The routing table on this computer is fine. It's 192.168.99.1 that is having the routing problem:
"Reply from 192.168.99.1: Destination net unreachable."
So you need to see what its problem is. It may be having problems with its routing table.
However, it
ASKER
**update**
Just found that keeping a continuous ping going keeps the connection from dropping. About 20 min after the pings stop... the connection stops dropping again.
If you are still getting the message:
"Reply from 192.168.99.1: Destination net unreachable."
Then you still need to focus on whatever 192.168.99.1 is and find out why it is returning the message. That message means that the device 192.168.99.1 does not have a route to get to the address you are attempting to ping.
ASKER
We currently just have a continuous ping going on all the users that have problems as a big band-aid. I have been working with watchguard on the problem. I suspect it's something with the arp table dropping the users after a specific amount of inactivity. They can't figure it out either.
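To turn the "continuous ping keeps it alive, it drops again about 20 minutes after the pings stop" observation into evidence you can hand to the vendor, the following script correlates each workstation's outage with how long that host had been idle beforehand and how many hosts were down at once. This is an added example for this thread, not code from the original posts; the event log it parses is constructed by hand (the timestamps, hosts and events are invented to illustrate the analysis) and the "tx / unreach / ok" event vocabulary is an assumption about how you would record the hub capture and ping results.

```python
"""Correlate per-host outages with the idle time that preceded them.

Added example, not from the original thread.  SAMPLE_LOG is constructed by
hand: one line per event, "<date> <time> <host> <event>", where
  tx       the host was seen sending outbound traffic (hub capture)
  unreach  its ping got "Destination net unreachable" from the gateway
  ok       its ping got a normal reply again
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2010-01-12 09:00:00 192.168.99.67 tx
2010-01-12 09:00:30 192.168.99.68 tx
2010-01-12 09:20:05 192.168.99.67 unreach
2010-01-12 09:21:00 192.168.99.68 unreach
2010-01-12 09:25:10 192.168.99.67 ok
2010-01-12 09:26:00 192.168.99.68 ok
2010-01-12 09:46:00 192.168.99.67 unreach
2010-01-12 09:51:00 192.168.99.67 ok
2010-01-12 09:51:00 192.168.99.69 tx
"""


def parse_log(text: str) -> list:
    """Return (timestamp, host, event) tuples sorted by time (logs are often out of order)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, event = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), host, event))
    events.sort(key=lambda e: e[0])
    return events


def analyze(events: list) -> dict:
    """Map host -> list of outages {start, end, idle_before}; idle_before is seconds since
    the host's last successful transmission (tx or ok) before the outage began."""
    last_tx, open_outage, result = {}, {}, defaultdict(list)
    for ts, host, event in events:
        if event in ("tx", "ok"):
            last_tx[host] = ts
            if event == "ok" and host in open_outage:
                outage = open_outage.pop(host)
                outage["end"] = ts
                result[host].append(outage)
        elif event == "unreach" and host not in open_outage:
            idle = (ts - last_tx[host]).total_seconds() if host in last_tx else None
            open_outage[host] = {"start": ts, "end": None, "idle_before": idle}
    for host, outage in open_outage.items():      # still down when the log ends
        result[host].append(outage)
    return dict(result)


def estimate_idle_timeout(analysis: dict) -> float:
    """Smallest idle gap that still produced a drop: an upper bound on any idle timeout."""
    gaps = [o["idle_before"] for outages in analysis.values() for o in outages
            if o["idle_before"] is not None]
    return min(gaps) if gaps else None


def max_concurrent(analysis: dict) -> int:
    """Peak number of hosts down at the same moment (sweep over outage windows)."""
    edges = []
    for outages in analysis.values():
        for o in outages:
            edges.append((o["start"], 1))
            edges.append((o["end"] or datetime.max, -1))
    edges.sort()                                   # at equal times, -1 sorts before +1
    peak = current = 0
    for _, delta in edges:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for host, outages in report.items():
        for o in outages:
            print(f"{host} down {o['start']:%H:%M:%S} to {o['end']:%H:%M:%S}, idle {o['idle_before']:.0f}s before")
    print("idle timeout is at most", estimate_idle_timeout(report), "seconds")
    print("peak hosts down at once:", max_concurrent(report))
```

If every outage is preceded by roughly the same idle gap, that is the number to put in front of the vendor; if the gaps are all over the place, the idle-timeout theory is weakened and the concurrent-session angle raised later in the thread deserves a closer look.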
Couple of questions:
Is 192.168.99.1 the Watchguard?
Who is the "user?" If the user is also on the 192.168.99.1 network, then dropping the user's IP address from the arp table would have nothing to do with it. Take your ping from above, where 192.168.99.67 was pinging google.com.
The 192.168.99.1 and 192.168.99.67 are on the same IP subnet. If 192.168.99.1 dropped the ARP entry for 192.168.99.67, then it (192.168.99.1) would never have sent the message back that the destination net is unreachable. You would have just got a timeout, because 192.168.99.1 would not have known what MAC to send the response back to.
The message is saying that 192.168.99.1 did not have a route to 209.85.225.99, which would really indicate that 192.168.99.1 lost its default route somehow.
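The reasoning above (the gateway answered, so its layer-2 path back to the workstation is fine; a dropped ARP entry would show up as a timeout, and "Destination net unreachable" means the replying device has no route) is exactly what the ICMP message on the wire encodes. The script below builds and decodes such a message so you can see where each conclusion comes from. It is an added example for this thread, not code from the original posts or from WatchGuard: the packet bytes are constructed by hand to mirror the posted ping output (192.168.99.1 answering an echo request from 192.168.99.67 to 209.85.225.106), nothing was captured from the asker's network, and the local subnet 192.168.99.0/24 is taken from the asker's description.

```python
"""Decode an ICMP Destination Unreachable message and report which device sent
it and why.  Added example for the discussion above, not from the original
thread; all packet bytes here are constructed locally."""
import ipaddress
import struct

# ICMP type 3 codes (RFC 792 / RFC 1812) that matter for this kind of triage.
UNREACH_CODES = {
    0: "net unreachable: the sender has no route toward the destination network",
    1: "host unreachable: the sender has a route but could not deliver on the last hop (e.g. no ARP reply)",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "destination network administratively prohibited",
    10: "destination host administratively prohibited",
    13: "communication administratively filtered",
}
ICMP_PROTO = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_echo_request(ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request carrying the 32-byte payload Windows ping sends by default."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"abcdefghijklmnopqrstuvwabcdefghi"
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_unreachable(reporter: str, code: int, offending_packet: bytes) -> bytes:
    """ICMP type 3 from `reporter`, quoting the offending IP header plus 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + offending_packet[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    orig_src = str(ipaddress.IPv4Address(offending_packet[12:16]))
    return build_ipv4(reporter, orig_src, ICMP_PROTO, body)


def decode_unreachable(packet: bytes, local_net: str = "192.168.99.0/24") -> dict:
    """Parse IPv4+ICMP bytes; raise ValueError unless it is a well-formed type-3 message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        raise ValueError("not an ICMP packet")
    reporter = str(ipaddress.IPv4Address(packet[12:16]))   # the device that gave up on the packet
    icmp = packet[ihl:]
    if icmp[0] != 3:
        raise ValueError(f"ICMP type {icmp[0]}, not Destination Unreachable")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]
    quoted = icmp[8:]                                       # the packet the reporter could not forward
    orig_src = str(ipaddress.IPv4Address(quoted[12:16]))
    orig_dst = str(ipaddress.IPv4Address(quoted[16:20]))
    on_local_net = ipaddress.IPv4Address(reporter) in ipaddress.IPv4Network(local_net)
    meaning = UNREACH_CODES.get(code, f"code {code}")
    if code == 0:
        diagnosis = (f"{reporter} received the packet from {orig_src} (so its layer-2 path back to the "
                     f"host works) but has no route toward {orig_dst}; check {reporter}'s routing table")
    elif code == 1:
        diagnosis = (f"{reporter} has a route but could not hand the packet to the next hop toward "
                     f"{orig_dst}; look for an ARP failure on {reporter}'s outbound side")
    else:
        diagnosis = f"{reporter} refused or could not forward the packet: {meaning}"
    return {"reporter": reporter, "code": code, "meaning": meaning, "orig_src": orig_src,
            "orig_dst": orig_dst, "reporter_on_local_net": on_local_net, "diagnosis": diagnosis}


if __name__ == "__main__":
    echo = build_ipv4("192.168.99.67", "209.85.225.106", ICMP_PROTO, build_echo_request())
    for code in (0, 1):
        info = decode_unreachable(build_unreachable("192.168.99.1", code, echo))
        print(f"code {code}: {info['diagnosis']}")
```

The source address of the outer IP header is the device to investigate; that it answered at all rules out the gateway having lost the workstation's ARP entry. Code 0 from a device on the local subnet points at that gateway's own routing table (its default route, or with WAN failover the route toward whichever external interface is active), which is the direction the thread takes next.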
ASKER
1: Yes. 192.168.99.1 is the watchguard
2: I'm referring to "user" as a user workstation on the network.
Comment on the last statement.
The problem is intermittent and not everyone has it at the same time. When one person can't get to yahoo.com... the person next to them can get to it just fine.
O.K., it will have nothing to do with dropping entries from the ARP table; otherwise you would never get the message back from the ping.
What it actually sounds more like is that the Watchguard may have a limitation on the number of concurrent translates it can have.
Is the number of translate entries fixed or configurable?
ASKER
OOOoooOO... good question. going to look into that. Thanks!
http://www.watchguard.com/products/edge-e/detailed-specs.asp lists the concurrent session limit on the x55e as 10,000.
ASKER CERTIFIED SOLUTION
ipconfig /all
netstat /rn
It sounds as if they have somehow lost their IP routing table.