SBS 2008 Server Cannot ping Gateway Router

OK, I have a strange problem and it's driving me crazy.

I set up an SBS 2008 Server several months ago. Here are some details:

SBS 2008
Server is the DHCP Server
Have a Belkin router that is the gateway
One NIC being used on server (as suggested by the SBS 2008 install process)

Everything was working fine up until today. Now the server has no internet access.
All of the client PCs do have internet access.

Here is the strange part.  I can ping every client computer from the server and each client computer can ping the server.

Every client computer can ping the router.  HOWEVER, I cannot ping the router from the server.

Any ideas on this would be helpful.

1. Are you running Norton A/V?

2. Check the SBS firewall settings to make sure you have not blocked external DNS, port 80, or ping.

3. Run the SBS Internet wizard again, make sure you didn't block anything.

4.  Test DNS lookup by going to command prompt, type NSLookup, and then see if external websites resolve (ex.

5.  Least favorite, try a winsock reset  [netsh winsock reset]  -- if this works, make sure you check for a server virus!

6.  Can you get to the Belkin router using http?  Or does this too fail?

Do not do a winsock reset on an SBS server.. Microsoft highly recommends against it for reasons I haven't figured out, yet..

You may have routing and remote access enabled on the server without knowing it.. This means it will try to grab a second hardware nic or create a virtual adapter to accept incoming VPN traffic or route over the server..

A more likely scenario is you have a bad arp cache record for the default gateway.

check your arp entries by going to the command prompt and typing: arp -a

If they are all dynamic entries, (not static), then you can delete all entries and let them re-populate dynamically. The command for deleting the arp cache is: Arp -d *

Another possibility is your computer's nic and the switch are not talking on the same duplex settings. Some switches are having problems with 1000Mb / full duplex on the switches. If this is a cisco switch, do not proceed with this portion of the post.. Instead let us know this is a Cisco switch.

Make sure if your computer nic is set to Auto discover, that the server is as well. If the switch is configured to 100Mb / full duplex, your duplex settings on the computer need to be the same.

If ping is the ONLY Problem, then someone may have configured an ACL to block ICMP echo replies ON THE ROUTER. ACLs define access controls to the router. So, have your network team determine if this is the case. Maybe the network team blocked all ICMP echo for that IP on the router.
Actually ChiefIT, you are most likely right about the Routing and Remote Access!  I totally forgot to mention to check that.  I've had that happen on regular boxes when setting up VPN!

Disable RRA and then see if it fixes the issue, then you can go back and troubleshoot.

Absolutely save the winsock reset as last resort as I hoped I mentioned.

ARP was not the issue in the last few servers I had this issue with - it had to do with Norton hijacking the network card and making itself as the default.

However, please post the final solution, that is the best part.

Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
Try the following steps:

1. Check the IP settings on your server with the "ipconfig /all" command. Check that the IP, subnet mask, gateway and DNS addresses are correct. Release and renew the IP to check that it's working fine:
ipconfig /release
ipconfig /renew
2. Log in to your router and check the DHCP lease database. Do you see the server IP address and MAC address?
3. Clear the ARP cache on the server with the following:
arp -d
4. Can you ping the gateway now? If not, go to step 5.
5. Check the router's firewall to see if your server IP is blocked there.
6. Check whether you can ping the server from your router (if there's a ping option available).
7. Check by disabling the anti-virus on the server (temporarily).
8. How many switches and pieces of cable are you using between the server and the router? Check physical connectivity and be sure that there is no other DHCP server on the LAN distributing the same IP ranges.

NB: Also be sure that the server isn't assigning APIPA. If the server IP looks like 169.254.x.x, it means the server isn't receiving an IP from the DHCP server and this IP is automatically assigned.
cbecker001Author Commented:
Still not working.  What I've done so far

cleared the ARP Cache (had some strange static IP's ) i.e., (about 6 of them that I didn't recognize)  Even after clearing they returned.

Disabled Routing and Remote Access

I was using a trial version of AVG Server Edition, so I removed that completely.

I could not access the Belkin router from Http either.... from the clients I can, but not the server.

Last thing I tried was disabling the DHCP Server, but that caused an error, so I rebooted the server.  It has been applying computer settings for about 30 minutes now which is a lot longer than normal.

I enabled DHCP on the Belkin Router for now so the clients could have internet, so that could be causing the boot up issue I would imagine.

Sorry if I've missed something or gone out of order.

First, Try unplugging the network cable during the boot to see if that speeds it up.  If so, you can focus on the network card or driver.

Try these to see if you have any luck:

1) disable IP 6 and use only IP 4 (note, you will need to reinstall)
2)  try uninstalling and reinstalling the driver.
3)  Last time I had a problem like this it was because of the a/v:

a) I had to go into advanced settings and change the order so Norton was LAST
b) then I had to:

Windows Vista, Server 2008, and Windows 7 From command line:
 netsh int tcp set global chimney=disabled
To verify setting, from command line:
 netsh int tcp show global

Windows Server 2003 and Windows XP x64 From command line:
 netsh int ip set chimney disabled
To verify setting, query the following registry value:
All Versions Create/set the following registry value:
 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload=1 (DWORD)
 To ensure the new configuration is active, disable/enabled the network connection or reboot.
NOTE: Some NIC drivers or management software may automatically re-enable these settings. In this case, disable any advanced NIC setting that mentions "Offload", then disable/enable connection or reboot. These settings may be found under the Advanced tab of the NIC Adapter Properties in the Device Manager
cbecker001Author Commented:
I'm going to list the arp entries because I don't know if they are related to the problem.

01-00-5e-00-00-02    static
01-00-5e-00-00-fc    static
01-00-5e-7f-ff-fa    static
01-00-5e-7f-ff-fd    static
ff-ff-ff-ff-ff-ff    static

all of the other ip's I recognize, but not these
You have two nics right?  Try configuring the other nic for a static ip inside your lan and making the gateway the belkin.  Disable your existing lan card and see whether you can ping.

Keep in mind, we will need to go back to original nic's ip to fix dns issues.
applying network settings means it's discovering the network. It's not abnormal that this takes long on a server that just had its arp cache purged.

One thing we need to know about your methods to the madness is by what means are you pinging.

Are you pinging by IP address, hostname, or fully qualified domain name? Hostname and FQDN pings use Netbios and DNS resolution respectively. If you are bypassing netbios resolution and DNS resolution, you are immediately troubleshooting an OSI layer 1-3 problem. This means a physical problem, network switch problem/mac address, or routing /IP protocol problem.

If it's an L1 to L3 problem, then we need to look at the switch logs. That's the only means to an end. There can be MANY communications problems between a computer nic and the switch.

-One is MTU settings and maximum segment size exceeded. If this were your problem it would be network wide.

-One is mismatched duplex settings. This could affect ONE computer, but is more likely to affect newer nic computers that host 1000Mb/Full duplex with newer OS versions.

-One has to do with spanning tree enabled on these access ports. Spanning tree should be enabled on the switches and router connections. But the hold down times for spanning tree times out Operating systems that are Vista and newer.

With Routing and remote access, you either have a virtual adapter or a physical adapter that was adopted into the mix and you may not have realized it. Here's the problem. Multihoming a domain controller or any other computer creates two default gateways, two DNS registrations, two Netbios Name registrations, two ARP entries and severely screws up the routing table UNLESS it is configured to HOST two nics on the network AND the computer is configured to prevent the multiple entries. RRAS is most likely your problem!

With RRAS enabled, YOU WILL have Windows Firewall enabled, (regardless if it's disabled under services). Windows firewall prevents ICMP echo requests to the server... Since it messes up the routing table, you will have problems pinging out to other systems because the main LAN nic is busy, so your ping request will go out the second nic. With RRAS disabled, you have to get control of Windows firewall again. Windows firewall is used as a host based firewall and you have to make a lot of exceptions for server and troubleshooting functions to work. This includes ICMP echo (Ping) as well as File and Print Sharing (SMB/CIFS/DFS shares, or whatever you want to call them)...

It's the firewall capabilities of RRAS that I believe is the culprit, JUST LIKE THIS THREAD:
Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
You have encountered "Man In The Middle Attack". Check the following link:

However, to prevent Man in the Middle attack:
1. Disable your NIC and unplug. Then collect your NIC physical address.
2. In your DHCP server, make the server physical address static.

The following links will give you better idea and about the attack and prevention.

You can also use Microsoft Network Monitor to analyze traffic

Alternatively, you can use Wireshark to find out:
cbecker001Author Commented:
OK, it finally came up after about an hour.

I disabled the original NIC.  I enabled NIC 2 and assigned it a static IP.

I can now ping the router.

However, I need the IP of the NIC to be  If I change the IP of NIC2 to that I lost the ability to ping the router and lose internet access.

Also it appears that if I don't have as my server IP I also lose my Exchange server.

I tried to enable the original NIC with that IP and then I lose everything again, even with NIC 2 Enabled.

Looks like I'm getting close though.

What does this say about my issue?
Ok Checker, we are getting somewhere!

For now to get your server back, change the Ip to 0.3 (or whatever) and then go into the DNS (Administrator Programs-> DNS),

Look for the old server IP address and make it the new server ip address.  This will fix the DNS issues and the Exchange Server issues.

Also, re-enable IP6, SBS requires that to start.

You will also need to change the firewall port redirection for 25/443/80/3389 etc to the new server address so you can receive email and remote access.

For now, you can abandon the 1st NIC and IP address and get the core functions back up.

You will need to scan for virus - use malwarebytes or something that digs deep for viruses.  We have not ruled out that the trial version of a/v caused the problem.

Did you uninstall the NICS and reinstall with fresh drivers?   That was something I suggested earlier.

One more short cut, you may be able to simply add the old ip address to the second NIC in addition to the new one.  That would save you the DNS trouble, but you will need to document b/c it could cause you troubleshooting issues later!  I recommend fixing your DNS entries to reflect the new IP address.

Keep us posted.

cbecker001Author Commented:
Yes, it looks like I definitely have the MITM attack.  I read the posts you listed and it tells me about them, but doesn't really tell me how to get rid of it.

I scanned with updated Malwarebytes and it didn't find anything.
Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
It's from inside your network; that doesn't mean from your PC. You are just a victim of it.
For end users it's a bit difficult to understand all these things, but using network protocol analyzer software like Microsoft Network Monitor or Wireshark can show you network traffic. When you encounter the problem, install protocol analyzer software on the server and start monitoring network traffic. You can see incoming packets and outgoing packets. You need to filter by ARP packets to see all ARP requests.

An Intrusion Detection System (IDS) like Snort can detect this, and an Intrusion Prevention System (IPS) can prevent it. Nowadays, many routers have an IPS feature.

But without an IDS or IPS, if you want to resolve the problem, the best could be:
Log into your router and make your server's physical address static or reserve the MAC against the IP. Also, on your server PC add a static entry:
#arp -s "Gateway IP" "Gateway LAN Physical Address"
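
An added example, not part of the thread or any poster's code: a small audit of `arp -a` output that sets aside the group-address entries listed earlier (01-00-5e-… is the IPv4 multicast MAC range, ff-ff-ff-ff-ff-ff is broadcast) and reports what an ARP check actually looks for, namely a gateway MAC that differs from the known one or one unicast MAC answering for several IPs. The sample table, all IP addresses and the unicast MACs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (addresses made up for this example).
SAMPLE = """\
Interface: 192.168.0.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.10          00-aa-bb-cc-dd-01     dynamic
  192.168.0.11          00-11-22-33-44-55     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  239.255.255.253       01-00-5e-7f-ff-fd     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return (ip, mac, type) tuples from `arp -a` text."""
    return [(m.group(1), m.group(2).lower(), m.group(3).lower())
            for m in map(ROW.match, text.splitlines()) if m]

def is_group_mac(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1

def audit(text, gateway_ip, expected_gateway_mac=None):
    """Split entries into benign group mappings and findings worth a look."""
    benign, findings, by_mac = [], [], defaultdict(list)
    for ip, mac, kind in parse_arp(text):
        if is_group_mac(mac):
            benign.append(ip)          # multicast/broadcast mapping, not a host
            continue
        by_mac[mac].append(ip)
        if ip == gateway_ip and expected_gateway_mac and mac != expected_gateway_mac.lower():
            findings.append(f"gateway {ip} resolves to {mac}, expected {expected_gateway_mac}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:               # one unicast MAC answering for several IPs
            findings.append(f"{mac} claims {', '.join(ips)}")
    return benign, findings

if __name__ == "__main__":
    benign, findings = audit(SAMPLE, "192.168.0.1", "00-11-22-33-44-55")
    print("benign group entries:", benign)
    print("findings:", findings)
```

A MAC that appears for several IPs is a lead, not proof: a host with multiple addresses or a router doing proxy ARP produces the same pattern, so confirm against the router's lease table or a packet capture.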
cbecker001Author Commented:
I still don't know what caused the problem.  Finally, I don't think it was Mitm attack.

It took a long time because of rebooting... many, many times.

It seems I can not use as my server IP anymore... anytime I try I get no internet.

I changed the server IP to .4 and it seems fine.  

ltsweb.... finally I uninstalled the nics and also removed the driver software and then reinstalled.  That helped along with the ip change.  Also I'm on the previously disabled NIC.  The NIC I was using initially is now disabled and all seems well....

Only problem is I have no RRAS.  I need to get my VPN reconfigured, but it was late and I didn't want to chance it tonight.  I opted for some sleep.

So far I think it's all come down to removing not only the adapter, but also the driver software and then reinstalling.  

I changed the DNS settings to reflect the new IP and Exchange Server is thankfully working again.
Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
If it's not a Man in the Middle Attack/ARP Spoofing, it's good for you. But remember, changing the NIC isn't the solution if it's an ARP attack, because later on you might encounter the same problem. Also, plug that NIC into another PC. Does it work?
What error are you getting when you recreate RRAS?
cbecker001Author Commented:
The last 2 times I tried to recreate the VPN with RRAS I lost internet connection.  I haven't tried recreating it since I removed the NICS and drivers.

FYI, The NICS are onboard so when I say removed them, I mean from the device manager.