Ping reply from different address

This one has me totally stumped.  I have a couple of machines which I've lost the ability to remote into with Real VNC.  I started looking for the reason and found that when I ping them I get replies from a different IP address.  It doesn't matter if I ping them using the machine name or the IP address I get a return from a different IP.

-------------------------------------------------------------------------------

C:\>ping board-dt

Pinging board-dt.TFI.intranet [172.16.11.104] with 32 by
Reply from 172.16.11.101: bytes=32 time=20ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255

Ping statistics for 172.16.11.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 20ms, Average = 14ms

C:\>ping 172.16.11.104

Pinging 172.16.11.104 with 32 bytes of data:
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255

Ping statistics for 172.16.11.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 13ms, Average = 13ms

------------------------------------------------------------------------------

Unsuccessful debugging steps:
I've tried issuing the pings using different machines with the same result.
There are no HOST entries on any of the machines I used to ping or the target.
I've cleared the DNS Forward Lookup entry for the target machine.
I've changed the NIC card in the target machine.
I've changed the name of the target machine.
I've hard-coded the IP address (a new previously unused address) to the target machine.
I've checked the DNS server to ensure Scavenging was set up.
... and I've performed hundreds of Internet searches, apparently with the wrong criteria, desperately looking for a fix
gspearmanAsked:

Timothy McCartneySYS ADMINISTR I INFRASCommented:
Is it also safe to assume you've pressed the 'scavenge now' button on the DNS server to initiate that service immediately?

How long (time frame) have you been getting this issue, and how long (since enabling/running scavenging) has it been?

DNS updates can take a fair amount of time
0
Timothy McCartneySYS ADMINISTR I INFRASCommented:
Here's a link with a very detailed explanation of scavenging (with some best practices at the end).
0
Timothy McCartneySYS ADMINISTR I INFRASCommented:
Also, is it possible the target machine is configured with multiple IP addresses?

Open properties of network adapter, view properties of IPv4, click advanced, and see if there is more than one IP address listed in the 'IP addresses' list.

If only one is displayed, does the target machine have multiple NIC cards?
0
gspearmanAuthor Commented:
I did execute Scavenge Now through both the GUI two days ago and the command-line yesterday.  Still the same behavior.
0
Timothy McCartneySYS ADMINISTR I INFRASCommented:
Just realized I forgot the link in one of my previous comments regarding scavenging:

https://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?Redirected=true
0
Thomas GrassiSystems AdministratorCommented:
What OS are the machines?

Have you tried ipconfig /flushdns?

Do an ipconfig /all on the machine. What does it show? Please post.

What type of server is this ? OS ?
0
gfbarronCommented:
Have you tried issuing the command ipconfig /all on the device you are trying to ping to determine if it has the IP that is responding?

Also check your ARP tables, to see if your MAC to IP bindings are correct when pinging the target machine.


G
0
gspearmanAuthor Commented:
Target machine had only one onboard NIC.  When I added the second NIC I disabled the 1st.  When the machine was only using a single IP.
0
Prostanc3Commented:
A couple of people have mentioned above but it really does sound like a DNS issue to me, and as such I would personally check to see if you have duplicate records for individual IP addresses listed in DNS before proceeding, I had a similar issue with a client and deleting the incorrect records seemed to resolve this.
0
gspearmanAuthor Commented:
Target machine OS: Windows 7 Pro 64-bit
Client machine OS: Windows 7 Pro 64-bit
DNS Server OS: Windows Server 2008 R2 64-bit

I have literally done dozens of ipconfig /flushdns and ipconfig /registerdns on both the target machines, the client machines, and the DNS server.  After every failed attempt I would flushdns to be sure then try again.

I've looked at the ARP table and the IP address I am trying to ping is mapped to the proper MAC address.
0
gspearmanAuthor Commented:
There are no duplicates in my Forward Lookup table.  I've seen that problem in the past and that was one of the first things I looked for.  That led me to check Scavenging which WAS turned off.  Turning it on has not corrected the problem.
0
Prostanc3Commented:
How about DNS dynamic updates? Is that configured properly?
0
Thomas GrassiSystems AdministratorCommented:
Are the computers registering into DNS? Or are you adding a host records?

Is this Windows 2008 server a DC or member server?

If DC,

let's run dcdiag to make sure DNS is working

dcdiag >dclogx.txt
dcdiag /test:registerindns /dnsdomain:FQDN HERE>>dclogx.txt
dcdiag /c /v >>dclogx.txt
dcdiag /test:dns >>dclogx.txt
0
gspearmanAuthor Commented:
As for the dcdiag tests, it passes all four.
0
gspearmanAuthor Commented:
Probably showing my ignorance but is it possible this could have something to do with a switch?  It strikes me as very odd that I get the same IP reply even after I changed target machines, target IP addresses, and target machine names.
0
Thomas GrassiSystems AdministratorCommented:
Glad to hear the dcdiags are good.

What type of switches do you have?

Maybe power cycle the switch.

Are the computers registering in DNS? Do you see them in there with the new or old IP address?
0
Craig BeckCommented:
Guys how can this be a DNS issue if the OP tried pinging by IP and the result was the same??

Can you show the ipconfig /all and tracert 172.16.11.104 command-line output?
0
gspearmanAuthor Commented:
Switches are HP 2810s.

All the DNS registrations seem to be doing fine.  The IPs are associated with the appropriate PCs.

Plan on power cycling the switches this weekend immediately after our weekend backups complete.
0
Thomas GrassiSystems AdministratorCommented:
Sounds like a plan keep us posted
0
Craig BeckCommented:
It sounds like a virtual IP to me.  The same behaviour is displayed when using HSRP on a Cisco switch (for example).  You ping the virtual address but the reply comes from the active router's IP (so you can tell which one responded).

If you use the arp -a command at the command-line what MAC addresses are displayed for the two IP addresses?
0
gspearmanAuthor Commented:
The MAC addresses in the ARP table exactly match what SHOULD be returned in the ping replies.
0
Craig BeckCommented:
So is the MAC different for 172.16.11.104 and 172.16.11.101?

If you're getting a response from a different machine then, what happens when you turn .101 off?
0
gspearmanAuthor Commented:
The MAC addresses are different for the two machines.  The 101 machine IS off during my testing.  In fact it's out of the country at the moment and I checked to make sure it is not connected through the VPN.
0
Thomas GrassiSystems AdministratorCommented:
We still would like to see an ipconfig /all and tracert.
0
Craig BeckCommented:
So the IP address you're pinging is through a router/firewall?
0
gspearmanAuthor Commented:
No.  Both machines are inside the same building in a Windows domain.
0
Craig BeckCommented:
Ok.  Can you provide the IPCONFIG and TRACERT as asked previously?
0
Thomas GrassiSystems AdministratorCommented:
OK, let's try a DHCP reservation.

Using the MAC address of the computer's NIC, go into your DHCP setup, set a DHCP reservation, and assign an IP address.
Do you know how to set up a DHCP reservation?

Then from the computer do ipconfig /release, wait a minute, then do ipconfig /renew.

After that do ipconfig /all and post the results.
0
gspearmanAuthor Commented:
ipconfig /all results


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Board-DT
   Primary Dns Suffix  . . . . . . . : TFI.intranet
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : TFI.intranet
                                       TFI

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : TFI
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : {Valid MAC Address}
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . :  
   IPv4 Address. . . . . . . . . . . : 172.16.11.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Thursday, September 12, 2013 4:57:43 PM
   Lease Expires . . . . . . . . . . : Friday, September 20, 2013 11:32:30 AM
   Default Gateway . . . . . . . . . : 172.16.8.1
   DHCP Server . . . . . . . . . . . : 172.16.8.22
   DHCPv6 IAID . . . . . . . . . . . : 246983791
   DHCPv6 Client DUID. . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.16.8.24
                                       172.16.8.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.TFI:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : TFI
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


tracert results

Tracing route to Board-DT.TFI.intranet [172.16.11.104]
over a maximum of 30 hops:

  1     6 ms     4 ms     4 ms  172.16.11.101

Trace complete.
0
Thomas GrassiSystems AdministratorCommented:
The ipconfig /all looks good

I see you have two DNS servers

Are they both working?  When you update one does the other see the updates?

run the dcdiag again on both servers and post the output
0
gspearmanAuthor Commented:
Yes, both are accepting data posted to the other.

dcdiag results:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = TFIFS2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\TFIFS2
      Starting test: Connectivity
         ......................... TFIFS2 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\TFIFS2
      Starting test: Advertising
         ......................... TFIFS2 passed test Advertising
      Starting test: FrsEvent
         ......................... TFIFS2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... TFIFS2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... TFIFS2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... TFIFS2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... TFIFS2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... TFIFS2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... TFIFS2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... TFIFS2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... TFIFS2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... TFIFS2 passed test Replications
      Starting test: RidManager
         ......................... TFIFS2 passed test RidManager
      Starting test: Services
         ......................... TFIFS2 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0003A9E
            Time Generated: 09/15/2013   17:01:28
            Event String:
            Owner of the log file or directory C:\inetpub\logs\LogFiles\W3SVC1\u_ex130915.log is invalid. This could be because another user has already created the log file or the directory.
         ......................... TFIFS2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... TFIFS2 passed test VerifyReferences
   
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : TFI
      Starting test: CheckSDRefDom
         ......................... TFI passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... TFI passed test CrossRefValidation
   
   Running enterprise tests on : TFI.intranet
      Starting test: LocatorCheck
         ......................... TFI.intranet passed test LocatorCheck
      Starting test: Intersite
         ......................... TFI.intranet passed test Intersite
0
Thomas GrassiSystems AdministratorCommented:
OK, now we know DNS is working

Have you power cycled the switches?

Something is still holding the old address

The machines are on the same lan as the servers and in the same building

Are these computers showing in DNS as a host records with correct address?
0
gspearmanAuthor Commented:
We cycled the switches today.  One kink is that one of the switches (not one that either of these machines are connected to) would not boot up.

The machines are on the same LAN and in the same building.

All the DNS entries look good.
0
Thomas GrassiSystems AdministratorCommented:
Wow must have been a bad switch

Can you ping from the workstations to the servers by FQDN

And then from the server to the workstations by FQDN

What are the results
0
Craig BeckCommented:
It's still NOT DNS if this happens when you ping using IP.

Can you post the IPCONFIG of the machine with .104?
0
gspearmanAuthor Commented:
I can ping TO the server from the affected machine with no problem.  The ping FROM any machine (including the server) gets the bad IP reply.
0
gspearmanAuthor Commented:
The ipconfig of the .104 machine is in one of the earlier posts.
0
Thomas GrassiSystems AdministratorCommented:
OK we need to clear the arp cache on the server and computer

http://www.tech-faq.com/clear-arp-cache.html

after that do the following

ipconfig /all
ping 172.16.8.104
arp -a
route print
Do you have a network diagram?

What type of device is 172.16.8.1 brand model?


Post results
0
gspearmanAuthor Commented:
Same behavior after clearing ARP table.

172.16.8.1 is a Sonicwall NSA 2400 firewall.

Do not have a network diagram.  The problem machine and the servers are connected to the same HP 2810-48G switch.

ipconfig result:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Board-DT
   Primary Dns Suffix  . . . . . . . : TFI.intranet
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : TFI.intranet
                                       TFI

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : TFI
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : {Valid MAC Address}
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . :  
   IPv4 Address. . . . . . . . . . . : 172.16.11.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Monday, September 16, 2013 7:14:51 AM
   Lease Expires . . . . . . . . . . : Monday, September 23, 2013 7:21:17 AM
   Default Gateway . . . . . . . . . : 172.16.8.1
   DHCP Server . . . . . . . . . . . : 172.16.8.22
   DHCPv6 IAID . . . . . . . . . . . : 246983791
   DHCPv6 Client DUID. . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.16.8.24
                                       172.16.8.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.TFI:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : TFI
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Route Print result:

===========================================================================
Interface List
 11...{Valid MAC Address} ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.8.1     172.16.11.64     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.8.0    255.255.252.0         On-link      172.16.11.64    266
     172.16.11.64  255.255.255.255         On-link      172.16.11.64    266
    172.16.11.255  255.255.255.255         On-link      172.16.11.64    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.16.11.64    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      172.16.11.64    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::4576:fcf9:9275:f3d5/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
0
Thomas GrassiSystems AdministratorCommented:
Why is the ip address 172.16.11.104 and your gateway is 172.16.8.1

You have different subnets here why?
0
gspearmanAuthor Commented:
Our subnet mask is 255.255.252.0 which allows us to span from 172.16.8.1 to 172.16.11.255
0
Thomas GrassiSystems AdministratorCommented:
OK, let's try pinging 172.16.11.104 from your router. What's the response?

Do you have access to the router to test?
0
gspearmanAuthor Commented:
The router belongs to our ISP and I do not have access to it.
0
Thomas GrassiSystems AdministratorCommented:
Would be nice to see if we can get a ping from the router to see what it thinks

Also the router may need to have its cache cleared.

Contact them and explain your issue.
0
gspearmanAuthor Commented:
We are switching ISPs in 1 week.  Not sure I would get a lot of cooperation.  Also, not sure what the inability to ping from our interface to the outside world would prove.  Neither DHCP nor DNS is handled by the gateway.
0
Thomas GrassiSystems AdministratorCommented:
The router can be causing this that's why we need to test from it.

Glad you're changing ISPs. If they don't help you I would get rid of them ASAP.
0
Craig BeckCommented:
The router would be replying from 172.16.11.104 ONLY if that IP address was on another subnet and the router was running Proxy-ARP.

This is NOT a DNS issue, and it's highly unlikely to be a router issue as all communication is on the same layer-2 segment.  This would only be a router issue if it is running HSRP.

If the correct machine is responding to the ping request it must have 2 NICs.
If a different machine is responding it must have the same IP as a different machine AS WELL as the IP it's responding with.

Why don't you disconnect the link to your router and see if this still happens?
0
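
The two checks argued over in this thread, as an added example that is not from any participant: it parses Windows ping output, separates echo replies from ICMP errors, flags echo replies whose source is not the pinged address, and tests whether the target is on-link under the 255.255.252.0 mask. The sample transcript, the client address 172.16.8.50 and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed transcript in the shape of the ping output posted in the question,
# plus one ICMP error line and one timeout to exercise the parser.
SAMPLE_PING = """\
Pinging board-dt.TFI.intranet [172.16.11.104] with 32 bytes of data:
Reply from 172.16.11.101: bytes=32 time=20ms TTL=255
Reply from 172.16.11.101: bytes=32 time=13ms TTL=255
Reply from 172.16.8.1: Destination host unreachable.
Request timed out.
"""

TARGET_RE = re.compile(
    r"^Pinging\s+(?:\S+\s+\[(?P<resolved>[\d.]+)\]|(?P<literal>[\d.]+))\s+with",
    re.MULTILINE,
)
REPLY_RE = re.compile(r"^Reply from (?P<src>[\d.]+):\s*(?P<rest>.*)$", re.MULTILINE)
TTL_RE = re.compile(r"TTL=(\d+)")


def parse_ping(text):
    """Return (target, replies); each reply is (source, is_echo_reply, ttl)."""
    header = TARGET_RE.search(text)
    if header is None:
        raise ValueError("no 'Pinging ...' header found")
    target = ipaddress.ip_address(header.group("resolved") or header.group("literal"))
    replies = []
    for match in REPLY_RE.finditer(text):
        ttl = TTL_RE.search(match.group("rest"))
        # Echo replies carry bytes=/time=/TTL=; an ICMP error relayed by a
        # router or the local stack carries a message instead, and its source
        # is expected to differ from the target.
        replies.append((ipaddress.ip_address(match.group("src")),
                        ttl is not None,
                        int(ttl.group(1)) if ttl else None))
    return target, replies


def same_segment(a, b, netmask):
    """True when addresses a and b fall in the same network under netmask."""
    net = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in net


def assess(text, local_ip, netmask):
    """Summarise who answered and whether the target is on the local segment."""
    target, replies = parse_ping(text)
    foreign = sorted({s for s, is_echo, _ in replies if is_echo and s != target})
    errors = sorted({s for s, is_echo, _ in replies if not is_echo})
    on_link = same_segment(local_ip, str(target), netmask)
    checks = []
    if foreign and on_link:
        # Follow-ups raised in the thread for an on-link target.
        checks = [
            "compare the ARP entry for the target with the MAC on its NIC",
            "look for extra IPv4 addresses or NICs on the target",
            "look for a virtual IP or proxy ARP on the segment",
        ]
    return {
        "target": str(target),
        "target_on_link": on_link,
        "foreign_echo_sources": [str(a) for a in foreign],
        "icmp_error_sources": [str(a) for a in errors],
        "echo_ttls": sorted({t for _, is_echo, t in replies if is_echo}),
        "next_checks": checks,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PING, "172.16.8.50", "255.255.252.0").items():
        print(f"{key}: {value}")
```

The header line already carries the resolved address, so a mismatch reported here is independent of how the name was resolved.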
gspearmanAuthor Commented:
In the end the problem turned out to be a driver incompatibility issue which only surfaced after a Microsoft update.  The machine we initially had problems with originally had a 32-bit OS which we upgraded to a 64-bit OS.  The drivers automatically updated and all was well until the MS update about 10 days ago.  Unfortunately, when I decided to give up on that machine and replace it with a spare we had I chose a machine of the same model so the problem replicated itself once we did the upgrade.  The solutions provided did not actually solve my problem but I really appreciate the guys hanging in there and TRYING to solve it.

Great effort guys.
0