Solved

how to prove issue with firewall, domain or DNS?

Posted on 2014-04-24
36
477 Views
Last Modified: 2016-02-25
Odd issue.

We use Sophos on our clients, Win7.
Also use web filtering software that uses a local proxy server at our main site and software locally on machines outside of HQ.

2x weeks in succession we have lost internet for about 1-2hrs, same day of week.

I have disabled Sophos, web filtering and local proxy at both sites but I am still getting issues with the internet. Intermittent though, only some sites not showing content and some sites not displaying at all..
I think it's either firewall (managed by 3rd party) or DNS with our ISP.

Last week the managed co said no changes were made to the firewall.

How can I prove this?
0
Comment
Question by:CHI-LTD
36 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40019658
Have a machine configured to not use Sophos and use the firewall as the default gateway. If the issue happens with PCs using Sophos but not with the other machine then it is Sophos at fault.

Call the ISP when the issue happens so they could validate and ensure there are no issues with their infrastructure. During the outage, connect a PC to the Internet link by removing it from the firewall. If the issue persists then it is the ISP; if not, then it is firewall related.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40019909
For DNS problems, you can analyse it yourself (use the nslookup command). For other problems, you need a clean laptop, and outside this infrastructure (preferably directly connected to the modem). If the laptop also has this problem, you know it's out of your hand. If the laptop has no problems while the others do, it's either a network device, or the software causing it.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40019977
Yes, proved it was something to do with our environment by testing a machine on a different LAN/WAN.
The problem resolves itself at HQ site @ 12pm and the other site at 12:30. Happened last week also..
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40020708
I use Netgong (formerly called IPmonitor). Netgong is basically a ping tool. You can have it schedule a ping as often as once per minute to numerous devices and it will log connectivity, record disconnects, and can be configured with alerts, all in a nice little graphical interface which can produce a simple HTML report. By pinging a local device, router, ISP's gateway, and an Internet IP you can determine between which devices the connection is lost. By using names instead of, or as well as, IPs you could also test DNS. Great little tool with 30 day free trial period.
http://netgong.tsarfin.com/
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027267
Very odd. I have a similar problem again today. This time I have 2x machines on my LAN (not using local proxy server) that cannot get through to www.experts-exchange.com
I can ping it and tracert the site but it just won't load...

Ideas?
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40027355
Using experts-exchange is not a good example, at least not for today (I was on 2 locations today, noticeable intermittent outage).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027382
I had the same issue; internet fine but unable to load EE a few times earlier today.  Suspect they may have had some minor issues.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027385
Hmm, very odd though as my other user here not via proxy was getting issues to Sage.
But also had similar problems last week.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027419
When it happens try a more robust site like Google.
Try http://www.google.com
If it fails try: http://184.150.183.212 (Google by IP)
If the latter works it is a DNS issue.

If having problems with Sage you may have DNS issues.
Do you have your own internal DNS server?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027430
I could access Google fine at the time.
Yes, local DNS boxes...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027442
With local DNS, clients and server should point only to your internal DNS servers; do not add a router or ISP as secondary. Adding an ISP could result in local failures such as Sage.

I would also try changing your DNS forwarders as a test, perhaps Google's 8.8.8.8. You may have a slow or dormant DNS server in the forwarder causing delays and timeouts.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027475
All clients are pointing to local DNS servers.

I tried 8.8.8.8 the other day and it worked. What can I test locally?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40027600
Do you mean 8.8.8.8 solved the problem? If so then the primary DNS forwarder is either off-line or having performance issues. ISPs sometimes update DNS servers without advising.

Locally make sure nslookup servername and nslookup internaldomain.local return the correct information.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40028984
It did when I had this problem last week.

Ah, just remembered we have changed our DNS server settings to dynamically update...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40029454
and....... ??
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029514
Wondered if dynamic DNS changes are causing the problem?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40029524
Could be.
If you set to 8.8.8.8 and it worked I would set it statically. I suspect with dynamic it reverts back to your ISP.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029529
As an additional DNS server within DHCP servers?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40029576
It sounds like the change you made was on the PC itself? Fine as a test, but whether static or dynamic through your DHCP server, the PC, and the server as well, can ONLY have your internal DNS server/s listed.

I was referring to the forwarders in the DNS management console.
When you try to access any DNS name the server is used to resolve it. If it is a local name such as a PC it checks its own database. When it gets a name such as www.google.com it either checks the Internet root servers or uses a DNS forwarder to 'ask it' to resolve the name. The forwarder is most often an ISP's DNS server but can be Google's, another ISP or service provider. The reason for using an ISP is it should be the fastest to respond, but often isn't, resulting in delays and even failures. Changing to 8.8.8.8 on the PC worked, so try it as the forwarder.

To do so, on the server, go to the DNS management console, click on the server name, in the right hand window double-click on Forwarders (not forward lookup zones), under the forwarders put 8.8.8.8 and using the arrows move it to the top.
Then on the server and connecting PC run ipconfig /flushdns

If interested you can test public DNS servers' performance.
https://www.grc.com/dns/benchmark.htm
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40034127
Okay, it's happening again, similar day and time of day. Odd...

A bit more background info:

The remote site has only Windows 7 PCs that point to DNS servers at 2x other main sites, so uses the permanent VPN for this, but the traffic is routing directly out from this site to the web, not tunnelling out over the VPN, I think.

Changing the DNS server settings for one of the clients to an IP address of each of the DNS servers we have, I found only one of them worked. Using 8.8.8.8 also worked.

Trace routing when using 8.8.8.8 and 192.168.2.22 DNS worked but different routes.

Ideas?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40034129
But can ping and tracert to google.com fine using either of the local DNS servers.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40034252
So there are no private DNS servers on your site? That would have been good to know.
DNS to your remote site DNS servers can only be done using the VPNs; it cannot be routed via the Internet.
Chances are your VPN service is interrupted or 'sleeping' and DNS fails.
The best solution is to add a read only domain controller, with DNS, at the local site.
Though you do not have to have a DNS server locally and can support a site using remote DNS servers, the downside is any interruption in the VPN service and you lose the ability to resolve public FQDNs.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40034318
We have 4x remote DNS servers, 2x at each site. I have narrowed this down to 3x of them not working, and only one of them is.
However some minutes later the machines I hadn't played with in terms of setting different DNS IP addresses worked fine.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40034439
Usually with remote DNS servers the problem is a brief disconnect of the VPN or latency.
Are the PCs on the site with the DNS servers having any issues?
I always recommend if more than a couple of PCs at a site that they have a local DC. It can be a read only, or even an old server, but it allows for faster name resolution and the ability to maintain internet access if the VPN is down.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40034463
No, the machines are all standalone behind a layer 3 switch and Cisco firewall.
It's intermittent. If I nslookup or gpresult it shows the correct DC..
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40034592
>>"No the machines are all standalone ..."
I was meaning at the other sites where there are DCs, do they have any issues with accessing web sites like the problematic site?

At least we can assume the original question is resolved; "how to prove issue with firewall, domain or DNS". It seems to be DNS. The next issue is why.

>>"trace routing when using 8.8.8.8 and 192.168.2.22 DNS worked but different routes"
Yes, as 8.8.8.8 is an internet based DNS server, and the other is an internal one accessed via the VPN. They would be totally different.

>>"Changing the DNS server settings for one of the clients to an ip address of each of the DNS servers we have i found only one of them worked"
It sounds like a misconfiguration issue or a latency problem.
Are there any errors in the Event logs of the DNS server under DNS (or in the DNS management console - same log)?

Why don't you set up DNS Benchmark, add all 4 of your internal servers, and run the test. See if there is any significant difference between the 4.
https://www.grc.com/dns/benchmark.htm
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40034616
I see. No, this site works fine.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098072
Okay, so today I noticed I had the same problem on my PC which hasn't any web filtering software enabled/running, so goes directly out to the internet through our L3 switch, firewall, router, ISP - and again noticed bbc.co.uk wasn't loading correctly.
So ran the following:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\user>nslookup
Default Server:  DC1.domain.local
Address:  172.19.10.17

> bbc.co.uk
Server:  DC1.domain.local
Address:  172.19.10.17

*** DC1.domain.local can't find bbc.co.uk: Server failed
www.bbc.co.uk
Server:  DC1.domain.local
Address:  172.19.10.17

*** DC1.domain.local can't find www.bbc.co.uk: Server failed
>
C:\Users\user>ping www.bbc.o.uk
^C
C:\Users\user>ping www.bbc.co.uk

Pinging www.bbc.net.uk [212.58.246.92] with 32 bytes of data:
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58
Reply from 212.58.246.92: bytes=32 time=7ms TTL=58

Ping statistics for 212.58.246.92:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 7ms, Average = 7ms

C:\Users\user>nslookup
Default Server:  DC1.domain.local
Address:  172.19.10.17

> bbc.com
Server:  DC1.domain.local
Address:  172.19.10.17

Non-authoritative answer:
Name:    bbc.com
Addresses:  212.58.246.103
          212.58.244.18
          212.58.244.20
          212.58.246.104

> bbc.co.uk
Server:  DC1.domain.local
Address:  172.19.10.17

Name:    bbc.co.uk
Addresses:  212.58.244.20
          212.58.246.104
          212.58.244.18
          212.58.246.103

>

which you can see failed to resolve the domain...

Why?
0
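The session above is the evidence the thread was looking for: the same resolver (DC1) answers bbc.com and, a moment later, bbc.co.uk, but returns "Server failed" for bbc.co.uk in between. "Server failed" (SERVFAIL) means the resolver was reached and could not complete the lookup itself, which is different from "Non-existent domain" (NXDOMAIN) or no reply at all. The following script is an added example, not code from the thread: it parses an nslookup transcript of this shape (a constructed, abbreviated copy of the one above, with one extra made-up name) and applies the thread's reasoning to say whether to look at the path to the resolver or at the resolver's upstream (its forwarders).

```python
import re

# Constructed sample modelled on the thread's nslookup session (abbreviated); not the original.
SAMPLE_SESSION = """\
> bbc.co.uk
Server:  DC1.domain.local
*** DC1.domain.local can't find bbc.co.uk: Server failed
> bbc.com
Server:  DC1.domain.local
Name:    bbc.com
Addresses:  212.58.246.103
          212.58.244.18
> www.example.invalid
Server:  DC1.domain.local
*** DC1.domain.local can't find www.example.invalid: Non-existent domain
"""

def parse_nslookup(session):
    """One dict per query. SERVFAIL: the resolver could not complete the lookup;
    NXDOMAIN: the name really does not exist; TIMEOUT: the resolver never replied."""
    results = []
    for block in re.split(r"^> ", session, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        if not name:
            continue                       # bare trailing prompt
        server = re.search(r"^Server:\s+(\S+)", block, re.M)
        err = re.search(r"can't find \S+: (.+)$", block, re.M)
        addrs = []
        if err:
            status = {"Server failed": "SERVFAIL",
                      "Non-existent domain": "NXDOMAIN"}.get(err.group(1).strip(), "ERROR")
        elif "timed out" in block or "timed-out" in block:
            status = "TIMEOUT"
        else:
            status = "OK"
            # answer addresses follow "Name:"; the server's own Address: line precedes it
            addrs = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", block.partition("Name:")[2])
        results.append({"name": name, "server": server.group(1) if server else None,
                        "status": status, "addresses": addrs})
    return results

def diagnose(results):
    """Thread's reasoning: a resolver answering some names but failing others is
    reachable, so look upstream (forwarders); one that never replies points at the path (firewall/VPN)."""
    ok = [r["name"] for r in results if r["status"] == "OK"]
    failed = [r["name"] for r in results if r["status"] == "SERVFAIL"]
    timed = [r["name"] for r in results if r["status"] == "TIMEOUT"]
    if timed and not ok:
        return "unreachable", timed
    if failed:
        return ("upstream" if ok else "resolver"), failed
    return "healthy", []
```

Run it against a real transcript saved from nslookup on the affected PC, once per internal DNS server, to get the per-server comparison the thread asks for without changing any client settings.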
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 40098096
It could be related to this known issue:
http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
Article references SBS but applies to non-SBS versions too.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098105
So would you use a forwarder then on all DCs?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098193
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098194
Would you apply it to all DCs?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098200
Thing is, it's intermittent; I don't need to restart DNS or delete cache...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40098222
Your link is the same issue; it needs to be applied on all internal DNS servers, which usually means DCs. The DNS service then needs to be restarted.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40098271
Thanks
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40098303
Seems to be the only resolution..
0
