• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 855
  • Last Modified:

SBS 2008 internet connection status Not Connected

Hey guys,

I'm stumped. I have here a DC SBS 2008 that has full Lan access, but no internet access.  I'm not able to Ping "google.com" but it resolves to the IP and get request timed out.  Anything internal works.  I tried a tracert to google and it only gets to the first hop.  This server has 2 Nics, but only 1 is enabled, Windows firewall is turned off.  the AV is Viper which has no firewall features and I can Ping the gateway.  I do have ASA firewall and am able to successfully run packet tracer from server IP to googles IP, however HTTP and HTTPS is opened for this server and I am able to RDP to the server from home via RWW..  All PCs and servers on the LAN have internet access.

any help would be great!
0
regmandy
Asked:
regmandy
  • 28
  • 20
  • 16
  • +1
3 Solutions
 
wrwiii12Commented:
What happens if you ping and tracert to 4.2.2.1?
0
 
WaynepreCommented:
Try restarting the DNS Server and DNS Client in services.

Go to Start - Administrative Tools - Services

Right Click on DNS Server - click restart
Righ click on DNS Client - click restart
0
 
regmandyAuthor Commented:
tracert to 4.2.2.1 gives me the same result as going to google.  1st hop goes to the gateway and times out after.

Restarted DNS server and client no change.
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
ReneGeCommented:
It indeed seems like you are not connected to the internet.
Try pinging your ISP default gateway.
0
 
wrwiii12Commented:
Is ping allowed through the ASA?  When you do it look at the real time logging using the ASDM and see if you are getting denies.

I guess I should ask if this connection has worked in the past in the current configuration (both hardware and software) and if so have any config changed been made to the ASA.
0
 
regmandyAuthor Commented:
ping is allowed out from inside.  I am unable to telnet to say google.com either where I can from other machines/servers inside the network.  The only thing is the ASA was recently reloaded to clear up some memory issues.  There was a backup run of the config, the reload was done then the config was reloaded and saved to mem.   I have to admit, ASA is not my strong point, however like I said I was able to do a packet trace on the ASA from the servers internal iP to google.coms IP.

the ISP gateway shouldnt be the issue as it's the same used for the rest of the network.  All other PCs and servers(with same gateway etc) have internet access.  

I'll run another test and check the realtime logs.  last time I checked I didn't see anything come from the source IP which in my mind should be the servers IP..
0
 
wrwiii12Commented:
Yeah thats what I would do just to see if the traffic is even making it to the firewall.

ASA ASDM GUI - Click monitoring on the top, click logging at the bottom, click view in the middle
0
 
regmandyAuthor Commented:
Looks like from the log that it's getting through, but the server it's showing timed out?.  

6      Dec 30 2012      13:07:41      302020      (Servername)      1      74.125.228.99      0      Built outbound ICMP connection for faddr 74.125.228.99/0 gaddr myispgateway/1 laddr CE-DC00/1

6      Dec 30 2012      13:07:41      302021      74.125.228.99      0      (Servername)      1      Teardown ICMP connection for faddr 74.125.228.99/0 gaddr myispgateway/1 laddr CE-DC00/1
0
 
wrwiii12Commented:
What if you do a telnet yahoo.com 80

What does the log show?
0
 
regmandyAuthor Commented:
telnet to yahoo.com 80

6      Dec 30 2012      14:07:33      302013      98.139.183.24      80      (Servername)3100      Built outbound TCP connection 1402777 for outside:98.139.183.24/80 (98.139.183.24/80) to inside:(Servername)/3100 (externalgatewayIP/3100)

6      Dec 30 2012      14:08:03      302014      98.139.183.24      80      (Servername)      3100      Teardown TCP connection 1402777 for outside:98.139.183.24/80 to inside:(Servername)/3100 duration 0:00:30 bytes 0 SYN Timeout

I did notice I have a different IP then when I ping from another machine.  get the same results telneting to the other iP on port 80
0
 
WaynepreCommented:
Maybe it's worth trying thre basics...
As it is SBS it always worth running Fix my Network
Have you tried this yet?
0
 
wrwiii12Commented:
You are getting this on the sbs server and other pc's right?  Or is it just the sbs.
0
 
regmandyAuthor Commented:
this is just the SBS server.. all other PCs and servers have internet access..

I've tried the fix my network to no avail..
0
 
WaynepreCommented:
Can you please check that your Network Adapter (LAN) TCP/IP IP address, Default gateway, Router and DNS are configured with the correct settings.
0
 
wrwiii12Commented:
Yes I agree with Waynepre.  Check that your gateway address on the server is the same as the working PCs.  If it is do a arp -a and ensure it sees it as the right MAC.
0
 
regmandyAuthor Commented:
yup, I've gone over them a few times thinking I'm missing something stupid.  

I've compared to another server I have and settings match other than the IP(of course).

IP 192.168.20.5
SubMask 255.255.255.0
GW 192.168.20.239
prim DNS 192.168.20.5
sec DNS 192.168.20.15
0
 
WaynepreCommented:
Can you please try removing the sec DNS and change the prim DNS to Google 8.8.8.8

and let us know if the internet works on the server then?
0
 
wrwiii12Commented:
what if you do the arp -a from the working server and from the non working server?  is the mac the same for both for the gateway IP?
0
 
regmandyAuthor Commented:
ok I'll check the arp

from the second DC
192.168.20.239        e0-5f-b9-e9-e9-f9     dynamic

from the primary thats having issues
192.168.20.239        e0-5f-b9-e9-e9-f9     dynamic
0
 
wrwiii12Commented:
I know this might be a little redundant but for comparison sake can you turn on the asa monitoring again.  Do a telnet yahoo.com 80 from the bad server and then from the good server and see if the traffic is the same?

You have some weird stuff going on.
0
 
regmandyAuthor Commented:
definitely got some weird stuff going on..

changed the DNS to 8.8.8.8 and still unable to get to the internet, Ping denied.
0
 
WaynepreCommented:
oooooook.... ummmm.....

I take it you are using the Exchange on the SBS server???

If so are you able to send an email and receive to / from externally?
0
 
regmandyAuthor Commented:
From the server having issues..
telnet yahoo.com 80

6      Dec 30 2012      16:29:11      302013      72.30.38.140      80      CE-DC00      40009      Built outbound TCP connection 1449336 for outside:72.30.38.140/80 (72.30.38.140/80) to inside:CE-DC00/40009 (142.166.210.193/40009)

6      Dec 30 2012      16:29:41      302014      72.30.38.140      80      CE-DC00      40009      Teardown TCP connection 1449336 for outside:72.30.38.140/80 to inside:CE-DC00/40009 duration 0:00:30 bytes 0 SYN Timeout

telnet yahoo.com 80 on server with internet access
6      Dec 30 2012      16:31:19      302013      98.139.183.24      80      192.168.20.15      53198      Built outbound TCP connection 1449978 for outside:98.139.183.24/80 (98.139.183.24/80) to inside:192.168.20.15/53198 (CE-ENTELIWEB_OUTSIDE/53198)

6      Dec 30 2012      16:33:20      302014      98.139.183.24      80      192.168.20.15      53198      Teardown TCP connection 1449978 for outside:98.139.183.24/80 to inside:192.168.20.15/53198 duration 0:02:00 bytes 0 TCP FINs

the difference also..  server A not working is sbs 2008..  server B with internet access is server 2K8 R2.
0
 
regmandyAuthor Commented:
yes SBS is exhange.  external email is what started this.  internal email works fine, external is not.  we are using SBS pop connector to connect to the ISPs server for external mail.  I am able to login a mailbox using webmail and see there are emails.. so the problem is this server not able to connect to internet for the pop connector to get what it needs.  I'm tying the internet and email issues together.
0
 
WaynepreCommented:
In the SBS Console can you please re run Connect to the Internet.
Are you able to RDC to the server from the server that does work?
0
 
regmandyAuthor Commented:
when I run connect to the internet, it finds the gateway and ip.  from what I understand I don't have to configure it since it's the gateway is a 2900 series cisco.  but I have to manually configure the ports to be open.  THis server is running exchange, DHCP and DNS but not sharepoint.  so those ports are open on the ASA 5510.

I am currently connected remotely from home using RWW.  and yes I am able to connect using RDC within the network.

and Thank you all so far for your advice.. this ones got me stumped good.
0
 
regmandyAuthor Commented:
I did notice when running telnet to yahoo from multiple different machines that the outside interface is different on the servers that have internet access compared to the one which does not.  the server with no access seems to be trying to use the external Gateway.  looking at the logs I've posted above.  I'm not sure if this would be a routing issue on the firwall or not?
0
 
WaynepreCommented:
The firewall was going to be my next suggestion, do you have a working backup of the config that you could restore to?
0
 
wrwiii12Commented:
Do you have a static or dynamic public IP?
0
 
regmandyAuthor Commented:
static public IP.  I have a backup of the firewall to put me back in the current state..
0
 
WaynepreCommented:
in the current state or a state of which you know works?
0
 
regmandyAuthor Commented:
no the current state which doesn't work.  I tried to restore the config to the most recent which is Feb.  and I have the same issue.  The server was working last week prior to the ASA reboot due to memory issues..  I just took over administering this building.
0
 
WaynepreCommented:
Between me, you and wrwiii12 we have been working on this for over 5 hours now and it seems we are not getting any closer to resolving your issue. I think it might be worth having a second pair of eyes going over the config of your server. Would you allow remote access?
0
 
regmandyAuthor Commented:
sure thing..  I agree on the second pair of eyes.  let me know which tools you prefer..
0
 
WaynepreCommented:
For security i think it might be best if you email me d(etails are on my profile). I will send you the details over email.. But we should always update this forum with our results.
0
 
wrwiii12Commented:
Yeah if you are getting 2 different IPs on public I think there is a config issue too.

Good luck and let me know if you need a 3rd set of eyes.
0
 
regmandyAuthor Commented:
well, it looks like it certainly is a firewall issue thats blocking the .5 internal IP.  I changed the IP on the server to .8 and internet was back up with all functionality..  I changed IP address in the network object of my ASA to the new IP and saved it to mem, hopeing that the .8 would be blocked and I could reconfigure to the .5 IP to keep all the services running with the original IP, but unfortunately that had no effect.

So do I need to open a new question for this or can I continue as this issue is not yet fully resolved.  

Thank you Waynepre to giving me someone to bounce ideas from.  you were certainly committed to this and I appreciate it..  Can I give points for that?  8o)
0
 
regmandyAuthor Commented:
So do we have anyone here who is good with ASA5510 that can help me by perhaps looking at my ACL?  see what I'm missing?
0
 
wrwiii12Commented:
I am here for you.  Do you want to do a remote session or post your sanitized config here?
0
 
regmandyAuthor Commented:
we can do a remote session if you rather.. for someone who knows ASA, this should be fairly simple.
0
 
wrwiii12Commented:
Ok we will update this ticket after the fact.  

Shoot me an email to the email on my profile please.
0
 
regmandyAuthor Commented:
I was going to but don't see one in your profile..  8o)
0
 
WaynepreCommented:
Good luck guys... Let me know how you get on and did it..

Email me with details on my profile....

Happy New Year to all..
0
 
regmandyAuthor Commented:
Will do Wayne..  thank again!
0
 
wrwiii12Commented:
Odd!!!

Skype - wrwii12
or
william at whitneysolutions dot com
0
 
regmandyAuthor Commented:
can't find that name in skype so sent you an email
0
 
WaynepreCommented:
Gents if you need me Skype me on waynepre might us be worth adding each other to help each other in future if you like..
0
 
wrwiii12Commented:
Sounds good to me.  My skype name is wrwiii12, i missed an i.

He will be able to give more info later on to confirm but it seems like it might have been a bad NIC issue.
0
 
WaynepreCommented:
Ah, NIC or firewall?? as the firewall isn't accepting 192.168.20.5?

at first we thought it could have been the router, but then digging deeper we thought it was the server so digged deeper into that. The server could do with being rebuilt at some point but that is gonna be a massive job.

I think once Reg has this little issue resolved he will be fine until he decides what he wants to do... I have spoken to my Cisco expert but he is drunk would you believe lol... So I will have a chat with him tomorrow if there still is an issue with the firewall.

Just had a thought, if it still is the firewall and not the NIC is it worth resetting the firewall back to factory settings upgrade the firmware and reconfigure..??

If its the NIC change to the second NIC that is currently disabled.
0
 
WaynepreCommented:
I should have said, when I left Reg it looked like a firewall issue after all.
0
 
wrwiii12Commented:
yeah he changed to a second NIC and it is working when I closed out with him.
0
 
WaynepreCommented:
With .5 or .8 do you know?
0
 
wrwiii12Commented:
It was working with both when he changed to the new NIC.
0
 
WaynepreCommented:
Ah I thought we tried that and .5 didn't work I must be wrong. Well I am glad we have gotten to the bottom of it... Right I'm off to bed its 02:14 here and I gotta be up early. Night to you both and Happy new year.
0
 
wrwiii12Commented:
Happy New Year to you too!
0
 
regmandyAuthor Commented:
Hey guys,
ok...  .5 wasn't working originally, and With Wayne I switched it to .8 to test and it was working..  so to test I switched it back to .5 and it still wasn't working so I was 99% sure it was firewall.  Happy new year Wayne.  80)..

So Will came on and we were going to look at the ASA.  well after a quick game plan, I went to the server room and switched the IP back to .5..  by this time the IP had been switched for  probably 30 mins to an hr.  low and behold.. the internet was working..  ping requests worked etc..  I blame it on William, I think the my internetz wuz sceered!..  so it started to work again..  right?  8o)

well I wasn't able to recreated it which leads me to beleive it might of been an ARP cache issue..  I will try again to replicate it tomorrow but count it resolved FINALLY..  

I'm going to have to split the points..  Will for scaring it straight.. 80) and Wayne for the dedication and time he offered in assistance..  Great to have guys like these around to help bounce some ideas or second pair of eyes when needed.

thanks again!
0
 
regmandyAuthor Commented:
Hey guys,

Ok this is is not closed.  the problem came back couple times since.  Originally I thought it was the ARP..  but the next time it happed I tried flushing ARP and nothing.  So I swapped to the second nic permanently and that did not fix it either.  It seems the problem flops between IP.

So basically the original IP is .5 and the second IP is .8.  
Internet access drops from .5 (note internal network still functions 100%).  Swap to .8 IP and internet is up.  After about 4 to 5 hrs running internet drops on .8.  change the IP back to .5 then the internet is up again.

Any thoughts?
0
 
wrwiii12Commented:
And this is only happing on this one box?
0
 
regmandyAuthor Commented:
yup, just on this 1 server.
0
 
wrwiii12Commented:
Want to do a remote session when the problem shows up again?
0
 
regmandyAuthor Commented:
thanks for the offer, but I think I have it licked this time.  I'm just waiting to see if I drops today..  I will update.
0
 
regmandyAuthor Commented:
it was tough as either really resolved the issue, however time and dedication and brainstorming were great and helped come to resolution so I had to split the points..   in the end, ARP cache was the issue I beleive.
0
 
regmandyAuthor Commented:
Confirmed ARP cache was the problem.  I had to clear the cache on my cisco router as well as on the server and let them rebuild themselves.  There was a duplicate mac entry in the ARP on the router for both the IPs used on the server.  once I cleared the ARP, it matched the Mac of the primary nic to the proper IP and everything has been stable since last week..
0
 
wrwiii12Commented:
Good to hear that you figured out the exact cause.
0
 
regmandyAuthor Commented:
thank you for your help!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 28
  • 20
  • 16
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now