WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!
Can't access outside websites sometimes
Hello experts,
I have an issue with outside webpages not coming up (google, yahoo, Microsoft…etc.)
Last two weeks we have been having a random hand full of users that fire up there computers in the morning and all is good, then later in the morning or midafternoon they can’t access any outside webpages. Can access inside (internally hosted websites) webpages. And not always the same users.
We have two internal DNS servers (2008 R2) that have been running smooth for a couple years now with no major updates or configurations. The only DNS logs on server show is an invalid domain name packet that is reject every now and then. I have restarted DNS services on server, Restarted DNS servers.
When this happens to the users, I can still ping the outside world from client (google, Microsoft …etc.), even get an nslookup. But no outside webpages come up. (just blank white page saying “Can’t find webpage”)
At first I thought this was related to Internet Explorer 11, but couple days later users with 9, and 10 started having the same issue. (all users are windows 7 boxes)
Ipconfig all looks good on clients (show right gateways and DNS servers, and good DHCP IP addy).
On the client I have tried just about everything I can think of, including:
Flushing cache
Cleaning out temp files (%temp%)
Scan clients for viruses\malware (Antivirus\malwarebytes) "negative"
Nslookup (good)
Flushing client DNS
Registering client DNS (ipconfig /registerdns)
Disable/enable network adapter
Updating network adapter driver
Installing a second network adapter card
Shutting down computer (hard shutdown), restarting
Checking system files (System File Checker – sfc /scannow)
We are using Internet Explorer ( I know, there is better, faster – It is what the our vendors support)
Not wanting to make this a “chrome, firefox” shootout….feels more like a DNS issue somehow, but can’t figure it out.
Everything works fine for everyone else, just these random few, and always different users.
We are not running a firewall inside and client firewalls are turn off. We have a Cisco firewall coming into domain (nothing change here – even restarted router and switches).
Bottom line, everything works good except for 1-2 hours in the day, some in the morning and some in the afternoon. And always just a few users.
Looking for any help……Let me know if you need any more info.
Any Ideas?
Thanks in advance.
Fubr
I have an issue with outside webpages not coming up (google, yahoo, Microsoft…etc.)
Last two weeks we have been having a random hand full of users that fire up there computers in the morning and all is good, then later in the morning or midafternoon they can’t access any outside webpages. Can access inside (internally hosted websites) webpages. And not always the same users.
We have two internal DNS servers (2008 R2) that have been running smooth for a couple years now with no major updates or configurations. The only DNS logs on server show is an invalid domain name packet that is reject every now and then. I have restarted DNS services on server, Restarted DNS servers.
When this happens to the users, I can still ping the outside world from client (google, Microsoft …etc.), even get an nslookup. But no outside webpages come up. (just blank white page saying “Can’t find webpage”)
At first I thought this was related to Internet Explorer 11, but couple days later users with 9, and 10 started having the same issue. (all users are windows 7 boxes)
Ipconfig all looks good on clients (show right gateways and DNS servers, and good DHCP IP addy).
On the client I have tried just about everything I can think of, including:
Flushing cache
Cleaning out temp files (%temp%)
Scan clients for viruses\malware (Antivirus\malwarebytes) "negative"
Nslookup (good)
Flushing client DNS
Registering client DNS (ipconfig /registerdns)
Disable/enable network adapter
Updating network adapter driver
Installing a second network adapter card
Shutting down computer (hard shutdown), restarting
Checking system files (System File Checker – sfc /scannow)
We are using Internet Explorer ( I know, there is better, faster – It is what the our vendors support)
Not wanting to make this a “chrome, firefox” shootout….feels more like a DNS issue somehow, but can’t figure it out.
Everything works fine for everyone else, just these random few, and always different users.
We are not running a firewall inside and client firewalls are turn off. We have a Cisco firewall coming into domain (nothing change here – even restarted router and switches).
Bottom line, everything works good except for 1-2 hours in the day, some in the morning and some in the afternoon. And always just a few users.
Looking for any help……Let me know if you need any more info.
Any Ideas?
Thanks in advance.
Fubr
Who is Participating?
If you can ping yahoo.com from a command prompt on the PC, that means you can resolve the name, so it does not sound like a DNS issue.
My recommendation is the next time this issue comes up, first test more than one pc to make sure this is not a local PC issue. Assuming it is all PC's, then go to one of the PC's and first ping yahoo.com and see if it resolves the name to an IP and responds, assuming it does then try to telnet to port 80 in yahoo.com e.g. telnet yahoo.com 80 and see if it connects. If it connects the issue is browser specific, but if it does not, then something is blocking access to your ports when the issues arise. It could be you firewall, router, a proxy or it could be the local Windows firewall or antivirus causing the issues. I would start with the local PC and work you way forward. Turn those services off an retest.
My recommendation is the next time this issue comes up, first test more than one pc to make sure this is not a local PC issue. Assuming it is all PC's, then go to one of the PC's and first ping yahoo.com and see if it resolves the name to an IP and responds, assuming it does then try to telnet to port 80 in yahoo.com e.g. telnet yahoo.com 80 and see if it connects. If it connects the issue is browser specific, but if it does not, then something is blocking access to your ports when the issues arise. It could be you firewall, router, a proxy or it could be the local Windows firewall or antivirus causing the issues. I would start with the local PC and work you way forward. Turn those services off an retest.
Just to clarify, when you say you can "ping the outside world" do you mean ping by domain name or ping by IP address? If the former, it is not a DNS issue as terces says. I had assumed you had meant the latter.
Have you tried a tracert?
Have you tried a tracert?
How you get internet on client computers ?
Through internal DNS servers and if they are forwarding queries to public DNS servers (ISP) ?
Please check with ISP about problem as I don't think there is any issue with your end
Some times DNS name resolution works perfectly but link may get chocked and become very slow so that you will face slow intrent connectiivty intermittently on random no of clients
Also check if anybody in office is using link heavily for some downloads etc
Mahesh
Through internal DNS servers and if they are forwarding queries to public DNS servers (ISP) ?
Please check with ISP about problem as I don't think there is any issue with your end
Some times DNS name resolution works perfectly but link may get chocked and become very slow so that you will face slow intrent connectiivty intermittently on random no of clients
Also check if anybody in office is using link heavily for some downloads etc
Mahesh
Thanks for the replies.
I don't think limit issue, as we have had a bigger user base in the past (double), but I will check DHCP pool in case pool is filled up. (shouldn't be issue with router)
when I say ping the outside world, I am pinging "cox.net", "google.com" all getting replies and IP address.
clients all us DHCP, which we then have 2 internal DNS servers which forward out to COX DNS servers.
I will check with ISP.
Now I did do a trace file (wireshark), but I'm to noobie with it to say "ahh that's the problem", but by the color code, I think there was some bad IP packets on one of the users that was having the issue. 1.92 is the user having the issues and 74.125.255.243 is Google the user in trying to access with browser. (example enclose).
I will do some more testing to see if I can find out any thing more.
I did rotate the order of forwarding DNS servers, maybe help going to different server first.
Thanks, I will let you know of any updates.
Fubr
WiresharkCap.png
I don't think limit issue, as we have had a bigger user base in the past (double), but I will check DHCP pool in case pool is filled up. (shouldn't be issue with router)
when I say ping the outside world, I am pinging "cox.net", "google.com" all getting replies and IP address.
clients all us DHCP, which we then have 2 internal DNS servers which forward out to COX DNS servers.
I will check with ISP.
Now I did do a trace file (wireshark), but I'm to noobie with it to say "ahh that's the problem", but by the color code, I think there was some bad IP packets on one of the users that was having the issue. 1.92 is the user having the issues and 74.125.255.243 is Google the user in trying to access with browser. (example enclose).
I will do some more testing to see if I can find out any thing more.
I did rotate the order of forwarding DNS servers, maybe help going to different server first.
Thanks, I will let you know of any updates.
Fubr
WiresharkCap.png
Sorry for the delay….was on vacation for holidays.
Got back Monday the 6th, and still having issues.
Did check with ISP before I left on vacation and they did have different DNS servers that I didn’t have.
Look like this might fix the issue before I left.
Did single out one users and ping yahoo.com.
It resolves just fine, good ping times and resolved name to IP. Next I telnet to yahoo.com, port 80 and it connected.
Reminder, all other users are fine, and the affected users are not the same every day.
Only difference I have notice in the last 4 days is I have been able to shut down user computer, wait 10-20 seconds, start back up and they work fine. Wasn’t able to do this before, and would last 30 minutes to an hour (no matter what I did), then be fine again.
With this user, it happen at noon. Most of our internet enabled staff leaves for lunch at this time, so I would think usage would be down (bandwidth wise).
Still scratching my head
Fubr
Got back Monday the 6th, and still having issues.
Did check with ISP before I left on vacation and they did have different DNS servers that I didn’t have.
Look like this might fix the issue before I left.
Did single out one users and ping yahoo.com.
It resolves just fine, good ping times and resolved name to IP. Next I telnet to yahoo.com, port 80 and it connected.
Reminder, all other users are fine, and the affected users are not the same every day.
Only difference I have notice in the last 4 days is I have been able to shut down user computer, wait 10-20 seconds, start back up and they work fine. Wasn’t able to do this before, and would last 30 minutes to an hour (no matter what I did), then be fine again.
With this user, it happen at noon. Most of our internet enabled staff leaves for lunch at this time, so I would think usage would be down (bandwidth wise).
Still scratching my head
Fubr
Seems to be getting worst.
Went from 1-2 people every other day to last 3 days 3-4 users per day.
Mostly different users, but last three days couple same users each day.
Can still ping outside websites by name, can trace route and get replies when this happens.
Can do the telnet (telnet yahoo.com 80) and connect.
What blows my mind is everyone else is fine, and these users are fine up till this point.
I have cisco technician coming out tomorrow to check routers and switches.
Servers show no logs to indicate anything..........
I did find logs on one user PC during this, source GroupPolicy, event ID 1055
Windows could not resolve the computer name.
And...
source NETLOGON, event ID 5719
Computer wasn't able to set up a secure session with a domain controller.
was still able to ping domain controller by name and get reply.....???
Personal I'm still thinking some kind of DNS/replication. reading the logs above, makes me think that all of a sudden this PC can't talk to DC and DC doesn't know this PC!!
But everyone else is fine and no error logs to guide me on server.
I will follow up after cisco technician comes tomorrow.
Fubr
Went from 1-2 people every other day to last 3 days 3-4 users per day.
Mostly different users, but last three days couple same users each day.
Can still ping outside websites by name, can trace route and get replies when this happens.
Can do the telnet (telnet yahoo.com 80) and connect.
What blows my mind is everyone else is fine, and these users are fine up till this point.
I have cisco technician coming out tomorrow to check routers and switches.
Servers show no logs to indicate anything..........
I did find logs on one user PC during this, source GroupPolicy, event ID 1055
Windows could not resolve the computer name.
And...
source NETLOGON, event ID 5719
Computer wasn't able to set up a secure session with a domain controller.
was still able to ping domain controller by name and get reply.....???
Personal I'm still thinking some kind of DNS/replication. reading the logs above, makes me think that all of a sudden this PC can't talk to DC and DC doesn't know this PC!!
But everyone else is fine and no error logs to guide me on server.
I will follow up after cisco technician comes tomorrow.
Fubr
Ok.....had the cisco tech go through router today (501 PIX), and turns out it "is" a license issue
(exceeding licenses)
strung hit it on the head....I would have argue this, but technician clear it up for me
We have a 50 user license, and that does not mean 50 users.
It means 50 devices!!
So every network printer, computer, server, smartphone, wireless device that has an IP or gateway configured, is talking to the router and it is logging this as a license.
Sad thing is Cisco End-of-Life these routers couple years back, so probably won't be able to upgrade the license on it. (maybe find an unlimited one on ebay)
My question now, for a work around (until I can get a new ASA) can I do a "clear local-host all" on the router?
Clearing out all local users, I would not have to restart router and break the VPN Connections (we have two sister sites connecting to our router by VPN connection)
Makes me wonder why it does not release these licenses when they are idle?
I notice when I do a "show local-host", I get a lot of computers that haven't been on the network in the last couple of months, not to mention computers that have been lock out from internet access. I'm hoping the "clear local-host all" will be a work around. If I do a "clear local-host ip-address" of some of these client devices, it frees up licensing.
Fubr
(exceeding licenses)
strung hit it on the head....I would have argue this, but technician clear it up for me
We have a 50 user license, and that does not mean 50 users.
It means 50 devices!!
So every network printer, computer, server, smartphone, wireless device that has an IP or gateway configured, is talking to the router and it is logging this as a license.
Sad thing is Cisco End-of-Life these routers couple years back, so probably won't be able to upgrade the license on it. (maybe find an unlimited one on ebay)
My question now, for a work around (until I can get a new ASA) can I do a "clear local-host all" on the router?
Clearing out all local users, I would not have to restart router and break the VPN Connections (we have two sister sites connecting to our router by VPN connection)
Makes me wonder why it does not release these licenses when they are idle?
I notice when I do a "show local-host", I get a lot of computers that haven't been on the network in the last couple of months, not to mention computers that have been lock out from internet access. I'm hoping the "clear local-host all" will be a work around. If I do a "clear local-host ip-address" of some of these client devices, it frees up licensing.
Fubr
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month4 days, 5 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Maybe a router problem? Can't handle that many users?