
SBS 2008 Server Cannot ping Gateway Router

Posted on 2012-03-19
Last Modified: 2012-06-27
OK, I have a strange problem and it's driving me crazy.

I setup an SBS 2008 Server several months ago. Here are some details:

SBS 2008
Server is the DHCP Server
Have a Belkin router that is the gateway
One NIC being used on server (as suggested by the SBS 2008 install process)

Everything was working fine up until today.  Now  the server has no internet access.  
All of the client PCs do have internet access.

Here is the strange part.  I can ping every client computer from the server and each client computer can ping the server.

Every client computer can ping the router.  HOWEVER, I cannot ping the router from the server.

Any ideas on this would be helpful.

Thanks!
Question by:cbecker001
18 Comments
 
LVL 4

Expert Comment

by:ltsweb
ID: 37740565
1. Are you running Norton A/V?

2. Check the SBS firewall settings to make sure you have not blocked external DNS, port 80, or ping.

3. Run the SBS Internet wizard again, make sure you didn't block anything.

4.  Test DNS lookup by going to command prompt, type NSLookup, and then see if external websites resolve (ex. Google.com).

5.  Least favorite, try a winsock reset  [netsh winsock reset]  -- if this works, make sure you check for a server virus!

6.  Can you get to the Belkin router using http?  Or does this too fail?

Regards!
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 37740594
Do not do a winsock reset on an SBS server.. Microsoft highly recommends against it for reasons I haven't figured out, yet..

You may have routing and remote access enabled on the server without knowing it.. This means it will try to grab a second hardware nic or create a virtual adapter to accept incoming VPN traffic or route over the server..

A more likely scenario is you have a bad arp cache record for the default gateway.

check your arp entries by going to the command prompt and typing: arp -a

If they are all dynamic entries, (not static), then you can delete all entries and let them re-populate dynamically. The command for deleting the arp cache is: Arp -d *

Another possibility is your computer's nic and the switch are not talking on the same duplex settings. Some switches are having problems with 1000Mb / full duplex on the switches. If this is a cisco switch, do not proceed with this portion of the post.. Instead let us know this is a Cisco switch.

Make sure if your computer nic is set to Auto discover, that the server is as well. If the switch is configured to 100Mb / full duplex, your duplex settings on the computer need to be the same.

If ping is the ONLY Problem, then someone may have configured an ACL to block ICMP echo replies ON THE ROUTER. ACLs define access controls to the router. So, have your network team determine if this is the case. Maybe the network team blocked all ICMP echo for that IP on the router.
0
 
LVL 4

Expert Comment

by:ltsweb
ID: 37740607
Actually ChiefIT, you are most likely right about the Routing and Remote Access!  I totally forgot to mention to check that.  I've had that happen on regular boxes when setting up VPN!

Disable RRA and then see if it fixes the issue, then you can go back and troubleshoot.

Absolutely save the winsock reset as last resort as I hoped I mentioned.

ARP was not the issue in the last few servers I had this issue with - it had to do with Norton hijacking the network card and making itself as the default.

However, please post the final solution, that is the best part.
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37741541
Try the following steps:

1. Check the IP settings on your server with the "ipconfig /all" command. Check that the IP, Subnet Mask, Gateway and DNS address are correct. Release and renew the IP to check that it's working fine:
ipconfig /release
ipconfig /renew
2. Log in to your router and check the DHCP lease database. Do you see the server IP address and MAC address?
3. Clear the ARP cache on the server with the following:
arp -d
4. Can you ping the gateway now? If no, then go to step 5.
5. Check the router's firewall to see if your server IP is blocked there.
6. Check whether you can ping the server from inside your router (if there's any ping option available).
7. Check by disabling anti-virus on the server (temporarily).
8. How many switches and pieces of cable are you using between the server and the router? Check physical connectivity and be sure that there is no other DHCP server on the LAN distributing the same IP ranges.

NB: Also be sure that the server isn't assigning APIPA. If the server IP looks like 169.254.x.x, it means the server isn't receiving an IP from the DHCP server and this IP is automatically assigned.
0
 

Author Comment

by:cbecker001
ID: 37742815
Still not working.  What I've done so far

Cleared the ARP cache (had some strange static IPs), i.e., 239.254.2.2   255.255.255.255 (about 6 of them that I didn't recognize). Even after clearing, they returned.

Disabled Routing and Remote Access

I was using a trial version of AVG Server Edition, so I removed that completely.

I could not access the Belkin router from Http either.... from the clients I can, but not the server.

Last thing I tried was disabling the DHCP Server, but that caused an error, so I rebooted the server.  It has been applying computer settings for about 30 minutes now which is a lot longer than normal.

I enabled DHCP on the Belkin Router for now so the clients could have internet, so that could be causing the boot up issue I would imagine.

Sorry if I've missed something or gone out of order.

:(
0
 
LVL 4

Expert Comment

by:ltsweb
ID: 37742859
First, Try unplugging the network cable during the boot to see if that speeds it up.  If so, you can focus on the network card or driver.

Try these to see if you have any luck:

1) disable IP 6 and use only IP 4 (note, you will need to reinstall)
2)  try uninstalling and reinstalling the driver.
3)  Last time I had a problem like this it was because of the a/v:

a) I had to go into advanced settings and change the order so Norton was LAST
b) then I had to:

Windows Vista, Server 2008, and Windows 7: from the command line:
 netsh int tcp set global chimney=disabled
 
To verify the setting, from the command line:
 netsh int tcp show global

Windows Server 2003 and Windows XP x64: from the command line:
 netsh int ip set chimney disabled
 
To verify the setting, query the following registry value:
 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney

All versions: create/set the following registry value:
 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload=1 (DWORD)
 To ensure the new configuration is active, disable/enable the network connection or reboot.
 
NOTE: Some NIC drivers or management software may automatically re-enable these settings. In this case, disable any advanced NIC setting that mentions "Offload", then disable/enable connection or reboot. These settings may be found under the Advanced tab of the NIC Adapter Properties in the Device Manager
0
 

Author Comment

by:cbecker001
ID: 37742890
I'm going to list the arp entries because I don't know if they are related to the problem.

224.0.0.2          01-00-5e-00-00-02    static
224.0.0.252        01-00-5e-00-00-fc    static
239.255.255.250    01-00-5e-7f-ff-fa    static
239.255.255.253    01-00-5e-7f-ff-fd    static
255.255.255.255    ff-ff-ff-ff-ff-ff    static

All of the other IPs I recognize, but not these.
0
 
LVL 4

Expert Comment

by:ltsweb
ID: 37742914
You have two nics right?  Try configuring the other nic for a static ip inside your lan and making the gateway the belkin.  Disable your existing lan card and see whether you can ping.

Keep in mind, we will need to go back to original nic's ip to fix dns issues.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 37742985
applying network settings means it's discovering the network. It's not abnormal that this takes long on a server that just had its arp cache purged.

One thing we need to know about your methods to the madness is by what means are you pinging.

Are you pinging by IP address, hostname, or fully qualified domain name. Hostname and FQDN pings use Netbios and DNS resolution respectively. If you are bypassing netbios resolution and DNS resolution, you are immediately troubleshooting an OSI layer 1-3 problem. This means a physical problem, network switch problem/mac address, or routing /IP protocol problem.

If it's an L1 to L3 problem, then we need to look at the switch logs. That's the only means to an end. There can be MANY communications problems between a computer nic and the switch.

-One is MTU settings and maximum segment size exceeded. If this were your problem it would Network wide.

-One is mismatched duplex settings. This could affect ONE computer, but is more likely to affect newer nic computers that host 1000Mb/Full duplex with newer OS versions.

-One has to do with spanning tree enabled on these access ports. Spanning tree should be enabled on the switches and router connections. But the hold down times for spanning tree times out Operating systems that are Vista and newer.

With Routing and remote access, you either have a virtual adapter or a physical adapter that was adopted into the mix and you may not have realized it. Here's the problem. Multihoming a domain controller or any other computer creates two default gateways, two DNS registrations, two Netbios Name registrations, two ARP entries and severely screws up the routing table UNLESS it is configured to HOST two nics on the network AND the computer is configured to prevent the multiple entries. RRAS is most likely your problem!.

With RRAS enabled, YOU WILL have Windows Firewall enabled, (regardless if it's disabled under services). Windows firewall prevents ICMP echo requests to the server... Since it messes up the routing table, you will have problems pinging out to other systems because the main LAN nic is busy, so your ping request will go out the second nic. With RRAS disabled, you have to get control of Windows firewall again. Windows firewall is used as a host based firewall and you have to make a lot of exceptions for server and troubleshooting functions to work. This includes ICMP echo (Ping) as well as File and Print Sharing (SMB/CIFS/DFS shares, or whatever you want to call them)...

It's the firewall capabilities of RRAS that I believe is the culprit, JUST LIKE THIS THREAD:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24709087.html
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37743048
You have encountered a "Man In The Middle Attack". Check the following link:
http://www.windowsecurity.com/articles/understanding-man-in-the-middle-attacks-arp-part1.html

However, to prevent a Man in the Middle attack:
1. Disable your NIC and unplug. Then collect your NIC physical address.
2. In your DHCP server, make the server physical address static.

The following links will give you a better idea about the attack and prevention.
http://antivirus.about.com/od/whatisavirus/a/mitmattacks.htm

You can also use Microsoft Network Monitor to analyze traffic
http://www.microsoft.com/download/en/details.aspx?id=4865

Alternatively, you can use Wireshark to find out:
http://www.wireshark.org/download.html
0
 

Author Comment

by:cbecker001
ID: 37743074
OK, it finally came up after about an hour.

I disabled the original NIC.  I enabled NIC 2 and assigned it a static IP.

I can now ping the router.

However, I need the IP of the NIC to be 192.168.0.2.  If I change the IP of NIC2 to that I lost the ability to ping the router and lose internet access.

Also it appears that if I don't have 192.168.0.2 as my server IP I also lose my Exchange server.

I tried to enable the original NIC with that IP and then I lose everything again, even with NIC 2 Enabled.

Looks like I'm getting close though.

What does this say about my issue?
0
 
LVL 4

Accepted Solution

by:
ltsweb earned 250 total points
ID: 37743431
Ok Checker, we are getting somewhere!

For now to get your server back, change the Ip to 0.3 (or whatever) and then go into the DNS (Administrator Programs-> DNS),

Look for the old server IP address and make it the new server ip address.  This will fix the DNS issues and the Exchange Server issues.

Also, re-enable IP6, SBS requires that to start.

You will also need to change the firewall port redirection for 25/443/80/3389 etc to the new server address so you can receive email and remote access.

For now, you can abandon the 1st NIC and IP address and get the core functions back up.

You will need to scan for viruses - use malwarebytes or something that digs deep for viruses.  We have not ruled out that the trial version of a/v caused the problem.  

Did you uninstall the NICS and reinstall with fresh drivers?   That was something I suggested earlier.

One more short cut, you may be able to simply add the old ip address to the second NIC in addition to the new one.  That would save you the DNS trouble, but you will need to document b/c it could cause you troubleshooting issues later!  I recommend fixing your DNS entries to reflect the new IP address.

Keep us posted.
0
 

Author Comment

by:cbecker001
ID: 37744707
Yes, it looks like I definitely have the MITM attack.  I read the posts you listed and they tell me about them, but don't really tell me how to get rid of it.

I scanned with updated Malwarebytes and it didn't find anything.
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37745042
That it's from inside your network doesn't mean it's from your PC. You are just a victim of it.
For end users it's a bit difficult to understand all these things, but using network protocol analyzer software like Microsoft Network Monitor or Wireshark can show you network traffic. When you encounter the problem, install protocol analyzer software on the server and start monitoring network traffic. You can see incoming packets and outgoing packets. You need to filter by ARP packet to see all ARP requests.

And an Intrusion Detection System (IDS) like Snort can detect this and an Intrusion Prevention System (IPS) can prevent it. Nowadays, so many routers have an IPS feature.

But without IDS or IPS, if you want to resolve the problem the best could be:
Log into your router and make your server's physical address static or reserve the MAC against the IP. Also on your server PC add a static entry:
#arp -s "Gateway IP" "Gateway LAN Physical Address"
0
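
An added example (not part of the thread and not any poster's code): a Python check over Windows `arp -a` output that ties together the ARP listing posted earlier in the thread and the ARP-inspection advice above. It confirms that each static multicast row is the standard RFC 1112 IP-to-MAC mapping and flags any MAC address claimed by more than one unicast IP; the dynamic rows and their MAC addresses are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Windows `arp -a` layout. The static rows are the ones
# posted in the thread; the dynamic rows and their MACs are made up.
SAMPLE = """\
Interface: 192.168.0.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.23          00-11-22-33-44-55     dynamic
  192.168.0.31          00-aa-bb-cc-dd-01     dynamic
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  239.255.255.253       01-00-5e-7f-ff-fd     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def multicast_mac(ip):
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group IP."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def classify(text):
    """Return ({ip: label}, {mac: [unicast IPs]}) for MACs shared by >1 IP."""
    labels, by_mac = {}, defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if ipaddress.IPv4Address(ip).is_multicast:
            ok = mac == multicast_mac(ip)
            labels[ip] = "multicast-ok" if ok else "multicast-mismatch"
        elif mac == "ff-ff-ff-ff-ff-ff":
            labels[ip] = "broadcast"
        else:
            labels[ip] = "unicast"
            by_mac[mac].append(ip)
    # One MAC answering for several unicast IPs is worth investigating: it can
    # be a multihomed host or proxy ARP, or a poisoned gateway entry.
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return labels, shared

if __name__ == "__main__":
    labels, shared = classify(SAMPLE)
    for ip, label in labels.items():
        print(f"{ip:<18}{label}")
    for mac, ips in shared.items():
        print(f"REVIEW: {mac} is claimed by {', '.join(ips)}")
```

Comparing the gateway's MAC in this output against the address printed on the router or shown in its admin page is the quickest way to tell a stale or poisoned entry from a healthy one.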
 

Author Comment

by:cbecker001
ID: 37745887
I still don't know what caused the problem.  Finally, I don't think it was Mitm attack.

It took a long time because of rebooting... many, many times.

It seems I can not use 192.168.0.2 as my server IP anymore... anytime I try I get no internet.

I changed the server IP to .4 and it seems fine.  

ltsweb.... finally I uninstalled the nics and also removed the driver software and then reinstalled.  That helped along with the ip change.  Also I'm on the previously disabled NIC.  The NIC I was using initially is now disabled and all seems well....

Only problem is I have no RRAS.  I need to get my VPN reconfigured, but it was late and I didn't want to chance it tonight.  I opted for some sleep.

So far I think it's all come down to removing not only the adapter, but also the driver software and then reinstalling.  

I changed the DNS settings to reflect the new IP and Exchange Server is thankfully working again.
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37746070
If it's not a Man in the Middle Attack/ARP Spoofing, it's good for you. But remember, changing the NIC isn't the solution if it's an ARP attack, because later on you might encounter the same problem. And also plug that NIC into another PC. Does it work?
0
 
LVL 4

Expert Comment

by:ltsweb
ID: 37746977
What error are you getting when you recreate RRAS?
0
 

Author Comment

by:cbecker001
ID: 37747514
The last 2 times I tried to recreate the VPN with RRAS I lost internet connection.  I haven't tried recreating it since I removed the NICS and drivers.

FYI, The NICS are onboard so when I say removed them, I mean from the device manager.
0
