Solved

Suddenly cannot RDP or ping to or from RDS server 2008 except from within one subnet

Posted on 2013-10-25
Last Modified: 2013-11-03
On a Windows 2008 R2 server running RDS, suddenly the server cannot be accessed via RDP except by a machine on the same subnet. It also cannot be pinged. Subnets cannot be accessed from that server at all (no pinging or mapping to anything in any other subnet). It cannot get to the Internet, though the Networking connection shows Internet as connected OK. I have checked the DHCP reservation, the DNS settings, flushed and registered, checked the adapter binding order, and I have rebooted. I suspect a change in the firewall; some changes were made. I am not managing the routing, but would like to know where to look on the SonicWall. Any suggestions would be appreciated.
Question by:quaybj
15 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39602732
Since it can be accessed by a machine on the same subnet, that tells me it's possibly a gateway setting that is wrong

Is the correct default gateway address setup on the server?
Can you from the server ping the default gateway?
If yes can you tracert to an external ip from it?

tracert 8.8.8.8 - run this from the server and see where it stops
 

Author Comment

by:quaybj
ID: 39604866
Hi smckeown777

Yes, the gateway address is correct,
I cannot ping the gateway
tracert 8.8.8.8 fails
 
LVL 24

Expert Comment

by:smckeown777
ID: 39604890
Ok, so next question is why can't you ping the gateway...

Have you a switch in the connection between server and gateway? I'd start by rebooting that
You mentioned changes in the firewall...since you can't even ping the gateway from the server that might be the case...can you login to the Sonicwall?

From it can you ping back to the server? Most Sonicwall devices have a ping utility to test this

As for what could have changed you'd need to look at the rules that are setup, usually there are rules based on interfaces...WAN-LAN, WAN-Subnet etc...your RDS is obviously on a specific subnet so I'd check for rules connected to that subnet

Which model Sonicwall?

Author Comment

by:quaybj
ID: 39604985
The servers are colocated, so I can't reboot the switch until about 9 am. The other servers in the same switch are pingable from another subnet, but not the one in question. Other servers in the same switch are working OK, maybe a bad port?? Seems strange...

I logged onto the sonic (NSA 2400) and I cannot ping that server from the firewall, but I can ping the others.

I see a couple of things in the firewall address objects that look incorrect, but I am not managing the firewall and am not an expert. The config is complicated by VPN rules, and I don't want to break it. I will get the person handling this to check my questions.
 

Author Comment

by:quaybj
ID: 39604993
I should add... the server can be accessed from my home by using the SonicWall VPN remote client. If I use the VPN client, I can remote to the server by its internal IP address.
 
LVL 24

Expert Comment

by:smckeown777
ID: 39604996
Ok, that also points to a rule breakdown...

Server is accessible from home over a VPN - so the rules between the local subnet the server is on and the VPN subnet are working...

So yes, this looks more and more like a rule that is mis-configured. Switch is probably not an issue, port is def not an issue if the server is accessible at all (which it is)
 

Author Comment

by:quaybj
ID: 39605005
Thanks I will get back to you in a few hours.
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39605711
Hi quaybj,

Ping is operational by default in the VPN tunnel and is not for other Zones, which would explain why ping is not working on the other Zones (not allowed via Access Rules).

Which Zone is the troubled server located in and which Zone are the others you mention in?

Can you provide a screen shot of your WAN > {whichever Zone your troubled server is in} within Firewall > Access Rules.

Thanks!
 

Author Comment

by:quaybj
ID: 39606241
diverseit (nice handle!)

The troubled server is in the LAN zone, so are the rest of the servers, 8 different subnets. The fact that the server cannot surf the net is also puzzling. One of the Access groups has an entry 'sonic for udp' pointing to 192.168.1.3, but there is no server at 192.168.1.3.

I also wonder if I have a Windows Firewall problem. I didn't change anything and it was working fine before. I will send a screen shot of the rules shortly.
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39606258
Sounds good!

Also disable the Windows Firewall via Services as through the GUI can lead to false/positives if there are OS corruptions.

So all the other servers are setup as sub-Interfaces within the LAN zone?

Diverse IT (Thanks!)
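A read-only check of the points raised in this thread (firewall service state, per-profile firewall state, and gateway versus same-subnet reachability), added here as an example and not posted by any participant. It assumes PowerShell 2.0 on Windows Server 2008 R2 and an elevated prompt; `$Neighbour` is a hypothetical control host with a constructed placeholder address.

```powershell
# Read-only triage for a server that answers only on its own subnet.
# Uses only cmdlets available in PowerShell 2.0 (Windows Server 2008 R2).
# Nothing here changes firewall, service or network configuration.

# Hypothetical same-subnet host used as a control; replace with a real one.
$Neighbour = '192.0.2.10'   # constructed placeholder address

# 1. Windows Firewall service (MpsSvc) and the Base Filtering Engine (BFE)
#    it depends on. StartMode shows whether a service was left Disabled.
$services = Get-WmiObject Win32_Service -Filter "Name='MpsSvc' OR Name='BFE'" |
    Select-Object Name, State, StartMode

# 2. Per-profile firewall state as reported by the OS, independent of the GUI.
$profileState = netsh advfirewall show allprofiles state

# 3. Default gateway(s) configured on the IP-enabled adapters.
$gateways = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DefaultIPGateway } |
    Where-Object { $_ }

# 4. Compare reachability of the same-subnet control host and each gateway.
$targets = @($Neighbour) + @($gateways) | Where-Object { $_ }
$reachability = foreach ($target in $targets) {
    New-Object PSObject -Property @{
        Target    = $target
        Reachable = (Test-Connection -ComputerName $target -Count 2 -Quiet)
    }
}

# Report. A gateway that fails while the control host answers, on a server
# whose neighbours reach the same gateway, points at this host rather than
# at the switch or the upstream rules.
'--- Firewall-related services ---'
$services | Format-Table -AutoSize | Out-String
'--- Firewall profile state ---'
$profileState
'--- Reachability ---'
$reachability | Select-Object Target, Reachable | Format-Table -AutoSize | Out-String
```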
 

Author Comment

by:quaybj
ID: 39606915
Sorry, that was not clear. I meant that the other servers are all in the same subnet as the troubled one, which can only be remoted to from within the subnet - I have to remote to the colocation site, then remote to the RDS server. It's as though it's in a cage: no pinging, no surfing, no remoting from it to anything else. Even the VPN scenario is basically the same thing: get to the subnet via the SonicWall, then one can use RDP.

The Windows Firewall is on on the whole domain via GP. I did try to disable it just on the RDP via services, I got kicked off, and now I cannot remote to the server at all. More later...
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39607512
OK. Thanks for the clarification. Let's just focus on the screenshot of the Access Rules and then go from there whenever you have a chance to get logged back in.

Talk to you soon.
 

Author Closing Comment

by:quaybj
ID: 39616356
After I disabled the firewall and got disconnected in the process, the engineers at the colo rebooted, saw that that service was disabled when it came back up and re-enabled the firewall. Everything went back to normal then. Why this server hiccuped is still not clear, but starting and stopping the firewall did the trick. I am awarding points here because I would not have gone to the services to disable the firewall right away; tweaking the group policy settings for that server did not make the problem go away. That tip saved me some work.
Thanks to Diverse IT!
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39620203
My pleasure. Glad I could help and thanks for the points!