
Solved

Random intermitent destination NET unreachable

Posted on 2010-01-04
Medium Priority
1,944 Views
Last Modified: 2013-11-16
Hey Everyone,

I'm having a VERY strange problem with the network here. The users here are having intermittent connectivity problems. At random, they can't get out to the internet. Everything internally works fine. DNS resolves just fine, but when they try to ping out, they get a "Destination NET unreachable" response. 5 minutes later, everything is back up and working just fine.

**This is random and doesn't affect ALL users at the same time. Most users are fine while some are having problems.**

**ALL INTERNAL TRAFFIC IS FLAWLESS**

Current network configuration:


                                      Users
                                          |
Users ----- Switch ------ Switch ------ Firebox X55e ----- Internet
                                          |
Users ----- Switch ------ Switch
                                          |
                                      Users

# of users: 30
Firewall: Watchguard Firebox X55e firmware 11.1
All switches are gigabit unmanaged

Ip subnet: 192.168.99.0/24
DG: 192.168.99.1

The firewall is currently configured with Wan Failover.

Things I have tried:

*Saved config of firewall and swapped it out with the same model (actually helped out a bit, but still having some issues)
*tried moving the firewall to a different switch
*Installed a hub between switch and firewall for packet capture (noticed that there is no traffic from the PC having problems when the problem is occurring even though they are trying to get on or pinging)
*monitored traffic through the firewall traffic monitor and noticed no packets coming in from pc with problems
*i've connected another switch to the network, connected the firebox to that, and connected specific users to it

I've tried to find a common denominator to try to solve the problem but haven't been able to pin point anything.

Any help is greatly appreciated.

Thanks in advance
0
Question by: every1isevil2
13 Comments

Expert Comment by giltjr (LVL 57), ID: 26176957
Next time it happens you may want to have them issue the commands:

  ipconfig /all
  netstat /rn

It sounds as if they have somehow lost their IP routing table.
0
 
Author Comment by every1isevil2 (LVL 4), ID: 26177089
Here is the output from a computer that was having the problems. Looks like I'm missing the info under "persistent routes".
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 97 c2 fb ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.99.1   192.168.99.67       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.99.0    255.255.255.0    192.168.99.67   192.168.99.67       10
    192.168.99.67  255.255.255.255        127.0.0.1       127.0.0.1       10
   192.168.99.255  255.255.255.255    192.168.99.67   192.168.99.67       10
        224.0.0.0        240.0.0.0    192.168.99.67   192.168.99.67       10
  255.255.255.255  255.255.255.255    192.168.99.67   192.168.99.67       1
Default Gateway:      192.168.99.1
===========================================================================
Persistent Routes:
  None

I:\>ping google.com

Pinging google.com [209.85.225.106] with 32 bytes of data:

Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.
Reply from 192.168.99.1: Destination net unreachable.

Ping statistics for 209.85.225.106:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

0
 
Author Comment by every1isevil2 (LVL 4), ID: 26177122
Shortly after.
Pinging google.com [209.85.225.99] with 32 bytes of data:

Reply from 192.168.99.1: Destination net unreachable.
Reply from 209.85.225.99: bytes=32 time=23ms TTL=50
Reply from 209.85.225.99: bytes=32 time=24ms TTL=50
Reply from 209.85.225.99: bytes=32 time=24ms TTL=50

Ping statistics for 209.85.225.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 24ms, Average = 17ms

I:\>netstat /rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 97 c2 fb ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.99.1   192.168.99.67       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.99.0    255.255.255.0    192.168.99.67   192.168.99.67       10
    192.168.99.67  255.255.255.255        127.0.0.1       127.0.0.1       10
   192.168.99.255  255.255.255.255    192.168.99.67   192.168.99.67       10
        224.0.0.0        240.0.0.0    192.168.99.67   192.168.99.67       10
  255.255.255.255  255.255.255.255    192.168.99.67   192.168.99.67       1
Default Gateway:      192.168.99.1
===========================================================================
Persistent Routes:
  None

0
 
Expert Comment by giltjr (LVL 57), ID: 26177150
Normally you should not have anything under persistent routes.  Persistent routes are routes that were manually added with the "route add -p" command and normally this is not needed.

The routing table on this computer is fine.  It's 192.168.99.1 that is having the routing problem:

     "Reply from 192.168.99.1: Destination net unreachable."

So you need to see what its problem is.  It may be having problems with its routing table.


However, it
0
 
Author Comment by every1isevil2 (LVL 4), ID: 26183947
**update**

Just found that a continuous ping keeps the connection from dropping. About 20 min after the pings stop... the connection stops dropping again.
0
 
Expert Comment by giltjr (LVL 57), ID: 26184000
If you are still getting the message:

  "Reply from 192.168.99.1: Destination net unreachable."

Then you still need to focus on whatever 192.168.99.1 is and find out why it is returning the message.  That message means that the device 192.168.99.1 does not have a route to get to the address you are attempting to ping.
0
 
Author Comment by every1isevil2 (LVL 4), ID: 26184023
We currently just have a continuous ping going on all the users that have problems as a big band-aid. I have been working with watchguard on the problem. I suspect it's something with the arp table dropping the users after a specific amount of inactivity. They can't figure it out either.
0
 
Expert Comment by giltjr (LVL 57), ID: 26184173
Couple of questions:

Is 192.168.99.1 the Watchguard?

Who is the "user?"  If the user is also on the 192.168.99.1 network, then dropping the user's IP address from the arp table would have nothing to do with it.  Take your ping from above, where 192.168.99.67 was pinging google.com.

The 192.168.99.1 and 192.168.99.67 are on the same IP subnet.  If 192.168.99.1 dropped the arp entry for 192.168.99.67, then it (192.168.99.1) would never have sent the message back that the destination net is unreachable.  You would have just got a timeout because 192.168.99.1 would not have known what MAC to send the response back to.

The message is saying that 192.168.99.1 did not have a route to 209.85.225.99.  Which would really indicate that 192.168.99.1 lost its default route somehow.
0
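The triage logic giltjr lays out in the two comments above (first check the host's own route table with netstat /rn; then look at who sends the ICMP error: a "Destination net unreachable" that comes back from 192.168.99.1 proves the host can still reach the gateway at layer 2 and that the gateway itself has no route, whereas a dropped ARP entry would show up as a timeout with no reply at all), written out as a small Python script. This is an added example and not code from the thread or from WatchGuard; the route table and ping output below are constructed samples modelled on the ones posted above, and the function and finding names (`triage`, `GW_NO_ROUTE`, and so on) are my own.

```python
import ipaddress
import re

# Constructed sample input, modelled on the Windows XP "netstat /rn" output posted in this thread.
ROUTE_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.99.1   192.168.99.67       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.99.0    255.255.255.0    192.168.99.67   192.168.99.67       10
    192.168.99.67  255.255.255.255        127.0.0.1       127.0.0.1       10
   192.168.99.255  255.255.255.255    192.168.99.67   192.168.99.67       10
        224.0.0.0        240.0.0.0    192.168.99.67   192.168.99.67       10
  255.255.255.255  255.255.255.255    192.168.99.67   192.168.99.67       1
Default Gateway:      192.168.99.1
"""

# Constructed sample ping output: one gateway "net unreachable", one real reply, one timeout.
PING_OUTPUT = """\
Pinging google.com [209.85.225.99] with 32 bytes of data:

Reply from 192.168.99.1: Destination net unreachable.
Reply from 209.85.225.99: bytes=32 time=23ms TTL=50
Request timed out.
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")
UNREACH_RE = re.compile(rf"Reply from {IPV4}: Destination (?:net|host) unreachable")
REPLY_RE = re.compile(rf"Reply from {IPV4}: bytes=\d+")


def parse_routes(text):
    """Parse the 'Active Routes' rows into dicts; header and 'Default Gateway:' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0.0.0.0 route, or None if the host has lost its default route."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r["gateway"]
    return None


def gateway_on_link(routes, gateway):
    """True if the gateway lies in a directly connected subnet (on XP, gateway == interface)."""
    gw = ipaddress.ip_address(gateway)
    for r in routes:
        if r["mask"] == "0.0.0.0" or r["gateway"] != r["interface"]:
            continue
        if gw in ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False):
            return True
    return False


def classify_ping_line(line):
    """Map one Windows ping output line to (kind, responder), or None for non-result lines."""
    m = UNREACH_RE.match(line)
    if m:
        return ("unreachable", m.group(1))
    m = REPLY_RE.match(line)
    if m:
        return ("reply", m.group(1))
    if line.strip() == "Request timed out.":
        return ("timeout", None)
    return None


def triage(route_text, ping_text):
    """Return (code, detail) findings, following the reasoning in the thread."""
    routes = parse_routes(route_text)
    gw = default_gateway(routes)
    findings = []
    if gw is None:
        findings.append(("HOST_NO_DEFAULT_ROUTE", "the host has no 0.0.0.0 route; fix the host first"))
        return findings
    if not gateway_on_link(routes, gw):
        findings.append(("GW_OFF_LINK", f"default gateway {gw} is not in any connected subnet"))
    for line in ping_text.splitlines():
        result = classify_ping_line(line)
        if result is None:
            continue
        kind, who = result
        if kind == "unreachable" and who == gw:
            # The gateway answered, so ARP and layer 2 between host and gateway work;
            # the gateway itself has no route to the destination (e.g. a lost WAN/default route).
            findings.append(("GW_NO_ROUTE", f"{gw} replied 'unreachable': the gateway has no route"))
        elif kind == "unreachable":
            findings.append(("UPSTREAM_NO_ROUTE", f"{who}, beyond the gateway, has no route"))
        elif kind == "timeout":
            # Nothing came back at all: ARP/layer-2 loss, a filter, or a dead far end.
            # This is what a dropped ARP entry would look like, not "net unreachable".
            findings.append(("NO_RESPONSE", "no ICMP reply; suspect layer 2/ARP or filtering"))
        else:
            findings.append(("OK", f"reply from {who}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(ROUTE_TABLE, PING_OUTPUT):
        print(f"{code:22} {detail}")
```

One caveat when reading the raw output rather than running something like this: Windows ping counts the gateway's "unreachable" replies as received packets, which is why the statistics posted above show "Received = 4, Lost = 0 (0% loss)" for a ping that never reached Google. Go by the responder address on each line, not by the loss figure.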
 
Author Comment by every1isevil2 (LVL 4), ID: 26184222
1: Yes. 192.168.99.1 is the watchguard

2: I'm referring "user" as a user workstation on the network.  

Comment on the last statement.

The problem is intermittent and not everyone has it at the same time. When one person can't get to yahoo.com... the person next to them can get to it just fine.
0
 
Expert Comment by giltjr (LVL 57), ID: 26184279
O.K., it will have nothing to do with dropping entries with the arp table otherwise you would never get the message back from the ping.

What it actually sounds more like is that the Watchguard may have a limitation on the number of concurrent translates it can have.

Is the number of translate entries fixed or configurable?
0
 
Author Comment by every1isevil2 (LVL 4), ID: 26184380
OOOoooOO... good question. going to look into that. Thanks!
0
 
Expert Comment by Mark Roberts (LVL 2), ID: 26285234
http://www.watchguard.com/products/edge-e/detailed-specs.asp lists the concurrent session limit on the x55e as 10,000.  
0
 
Accepted Solution by every1isevil2 (LVL 4), earned 0 total points, ID: 26318189
Thanks for the feedback but I found that this was related to a duplex mismatch.  After hard coding speed/duplex it worked.
0
