Member_2_6492660_1 asked:

Can't Ping Windows 2008 Server on new Subnet

Windows 2003 SP2 DC
Windows 7
Windows 8
Windows Vista
Windows 2008 R2 Servers
Cisco SG200 switch set up with two VLANs: vlan 1 and vlan 1018
Meraki MX60 Security Appliance  10.2.8.1  vlan 1 and 10.1.8.1 vlan 1018

Just added a new subnet to my network: 10.1.8.0/22, vlan 1018
My existing subnet is 10.2.8.0/22  vlan 1

I have several servers with dual nics and I need them to access the new subnet

Server A Windows 2003 DC 10.2.8.23 vlan 1
Server B Windows 2003 DC 10.2.8.30 vlan 1
Server C Windows 2003 Member Server 10.2.8.23 vlan 1 second nic 10.1.8.23 vlan 1018
Windows 7 10.2.8.99 vlan 1
Windows 8 10.2.8.98 vlan 1
Vista 10.2.8.97 vlan 1
Windows 2008 Member server 10.2.8.17 vlan 1 second nic 10.1.8.17 vlan 1018
Windows 2008 Member Server 10.2.8.36 vlan 1 second nic 10.1.8.36 vlan 1018

So that's the network layout

From any vlan 1 computer I can ping the MX60 10.1.8.1 address, no issue.
From any vlan 1 computer I can ping 10.1.8.23 on vlan 1018, which is the Windows 2003 member server.
From the MX60 I can ping any computer on vlan 1 and vlan 1018; all works so far.

When I try to ping from a vlan 1 computer like 10.2.8.99 (Windows 7), I cannot ping the Windows 2008 servers on vlan 1018 by IP address 10.1.8.17 or 10.1.8.36.

Both Windows 2008 servers on vlan 1018 have the problem.
The same two Windows 2008 servers work OK on vlan 1.
Both Windows 2008 servers are on both vlans.

What is stopping ping from working from vlan 1 to vlan 1018 on a windows 2008 server?
strivoli

Silly question... what happens if you stop W2008's Firewall?

ASKER

Firewall stopped, same problem.
Update: stopping the firewall killed all access to this server.

Also not a silly question

Thoughts?

Hi,

You are using a netmask of 255.255.252.0; is that the correct mask on all your items? Also, you have two VLANs using the same IP space.

You need to define the separation, which is what VLANs do, then configure the firewall on which the VLANs exist to allow the traffic you need to pass between them. Note: if you have a single DHCP server, you would need to set up multiple scopes on the DHCP server, while on the router/switch you set up a DHCP relay agent or IP helper that will deal with DHCP search requests on VLANs where there is no DHCP server connected.

Arnold

Only one DHCP server.

But all these devices on vlan 1018 have static IP addresses assigned; no DHCP is required.

How do I do that in the firewall? I have never set up vlans before on my network.

Do you have an example?

Thanks

A VLAN is a virtual separation akin to having two separate switches, with one set of computers connected to one switch and the other connected to another. Both switches are connected to a router.
Each VLAN has to have its own IPs.
Are you setting up VLANs to restrict/limit interaction between one set of computers and perhaps servers?

On the firewall where you define the VLAN, what IP are you using for the interface?

Broadcasts can not pass VLAN boundaries.

Try leaving your VLAN 1 using 10.1.8.1/24.
Your VLAN 1018 set up with 10.1.9.1/24; configure DHCP helper, DHCP relay agent, IP helper to forward requests to your DHCP server IP.
In the DHCP server, create a new scope for 10.1.9.0/24, 2-254.
Make sure in the scope options the router IP for this scope is set to use the 10.1.9.1 of the VLAN 1018 IP address.

See if a dynamic allocating IP host on vlan18, presumably you have a managed switch where you designate which port is on which VLAN.

Make sure a host connecting on VLAN 1018 can get an IP from the DHCP server.

On your
arnold

I can ping across vlans from windows 7 10.2.8.99 to windows 2003 on 10.1.8.23 no problem

It is only the Windows 2008 computers that have the problem.

Check the netmask on the workstation versus on the 2008, which is presumably static. Make sure if the netmask matche

is the router set.

arnold

Ipconfig all from workstation

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\trgrassijr55.OUR>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : tgkw002
   Primary Dns Suffix  . . . . . . . : our.network.tgcsnet.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : our.network.tgcsnet.com
                                       network.tgcsnet.com
                                       tgcsnet.com

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
   Physical Address. . . . . . . . . : 0C-60-76-0C-E8-93
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : our.network.tgcsnet.com
   Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet
 Controller
   Physical Address. . . . . . . . . : 00-25-64-60-50-83
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::dc96:aacc:2e25:5c90%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.2.8.70(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Friday, March 13, 2015 6:14:49 PM
   Lease Expires . . . . . . . . . . : Saturday, March 21, 2015 6:15:03 PM
   Default Gateway . . . . . . . . . : 10.2.8.1
   DHCP Server . . . . . . . . . . . : 10.2.8.30
   DHCPv6 IAID . . . . . . . . . . . : 218113380
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-E8-CC-27-00-25-64-60-50-83

   DNS Servers . . . . . . . . . . . : 10.2.8.24
                                       10.2.8.30
   Primary WINS Server . . . . . . . : 10.2.8.30
   Secondary WINS Server . . . . . . : 10.2.8.24
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : our.network.tgcsnet.com
   Description . . . . . . . . . . . : isatap.our.network.tgcsnet.com
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{09BFB1DD-1B40-4A25-94FE-6DD78403C
499}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Ping attempt from the above computer


C:\Users\trgrassijr55.OUR>ping 10.1.8.17

Pinging 10.1.8.17 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.8.17:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ping 10.2.8.17

Pinging 10.2.8.17 with 32 bytes of data:
Reply from 10.2.8.17: bytes=32 time=1ms TTL=128
Reply from 10.2.8.17: bytes=32 time<1ms TTL=128
Reply from 10.2.8.17: bytes=32 time<1ms TTL=128
Reply from 10.2.8.17: bytes=32 time<1ms TTL=128

Ping statistics for 10.2.8.17:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Ipconfig /all from windows 2008 server

ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TGCS010
   Primary Dns Suffix  . . . . . . . : our.network.tgcsnet.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : our.network.tgcsnet.com

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-26-B9-5C-AC-5C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.8.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.2.8.30
                                       10.2.8.24
   Primary WINS Server . . . . . . . : 10.2.8.30
   Secondary WINS Server . . . . . . : 10.2.8.24
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-26-B9-5C-AC-5B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.2.8.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.2.8.1
   DNS Servers . . . . . . . . . . . : 10.2.8.30
                                       10.2.8.24
   Primary WINS Server . . . . . . . : 10.2.8.24
   Secondary WINS Server . . . . . . : 10.2.8.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B5DBEC9A-2727-42CB-8595-01EA414E2DFB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{7A0063A1-9BFE-467B-AB12-FD1251F03636}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes



Arnold

Remember
This same computer can ping a Windows 2003 server with the same vlan as the Windows 2008 server.
Also, not all servers have 2 NICs with both vlans.
The Windows 2008 server is blocking ping on the second vlan.

Thoughts?

ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.

Arnold

Sorry for the late response on this my internet service went out late last night yuk.
On the phone for hours.

I added the gateway 10.1.8.1 to the NIC above, and yes, now I can ping.

I should have mentioned that I was not using a gateway on the second NIC; that was by my design.
When you add a second NIC with a gateway you get a warning message.
It does work.

I am wondering why this does not happen on a Windows 2003 Server: no gateway, and I can ping from any computer to its second vlan address.

My Windows 2003 Server:
   IPv4 Address. . . . . . . . . . . : 10.1.8.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . :

Any computer on vlan 1 (10.2.8.x/22) can ping 10.1.8.23

The only difference I can see is that my Windows 2003 server does not run Windows Firewall, whereas the Windows 2008 servers do.

Also, would it be better if I did a route add?

route add 10.1.8.0 mask 255.255.252.0 10.1.8.1 metric 2 -p
or
route add 10.1.8.17 mask 255.255.252.0 10.1.8.1 metric 2 -p

Thoughts?

Why do you have two segments on the servers? This bypasses your VLAN shielding.
A VLAN is to isolate/insulate. Connecting even a single system to both means this system is a vulnerability of the setup and could be made to function as the bridge.

What is the reason for your VLAN setup (other than to learn, defining what it is you expect from this)?
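
arnold's point above, that a server connected to both VLANs sits outside the VLAN separation, can be checked from `ipconfig /all` output. The following is an added example, not part of the original thread: it parses constructed sample text modelled on the dual-NIC Windows 2008 server and reports each subnet the host sits on, whether those subnets overlap, and which adapters have no default gateway. The function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: trimmed `ipconfig /all` text modelled on the dual-NIC
# Windows 2008 server in this thread (no gateway on the second NIC).
SAMPLE = """\
Ethernet adapter Local Area Connection 4:

   IPv4 Address. . . . . . . . . . . : 10.1.8.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:

   IPv4 Address. . . . . . . . . . . : 10.2.8.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.2.8.1
"""

FIELD = re.compile(r"^\s+(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]*)")

def parse_adapters(text):
    """Return one dict per adapter section that carries an IPv4 address."""
    adapters, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            cur = {"name": line.rstrip(": ")}   # unindented "...:" starts a section
            adapters.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)        # empty string when the field is blank
    return [a for a in adapters if a.get("IPv4 Address")]

def audit(text):
    """Summarise the subnets a host sits on (multi-homed = possible VLAN bridge)."""
    nics = parse_adapters(text)
    for a in nics:
        a["net"] = ipaddress.ip_interface(f"{a['IPv4 Address']}/{a['Subnet Mask']}").network
    nets = sorted({a["net"] for a in nics})
    return {
        "subnets": [str(n) for n in nets],
        "multi_homed": len(nets) > 1,
        "overlapping": any(x.overlaps(y) for i, x in enumerate(nets) for y in nets[i + 1:]),
        "no_gateway": [a["name"] for a in nics if not a.get("Default Gateway")],
        "gateways": [a["Default Gateway"] for a in nics if a.get("Default Gateway")],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over saved `ipconfig /all` output from each server, a `multi_homed` result of `True` marks the hosts that the inter-VLAN rules on the router cannot account for on their own.
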
Arnold,

This all started when I ran test-systemhealth on my Exchange 2010 server on a Windows 2008 server.
The report listed that I had two default gateways defined.

So to get around this I decided a vlan would be a good method.

Added plus: I learned about vlans.

So how should I proceed?

Why do you have a system with two separate networks? What is the purpose for that?

Without understanding what your setup is and what motivates it, a suggestion could significantly adversely impact your setup/environment.

Arnold,

Not sure where we are going here.

This all started back a few years ago, when ISPs started blocking port 25 for email. My Exchange server had only one NIC with port 25 open for email. Then after several issues of not receiving email I enabled the second NIC on the server and assigned port 1025 to that NIC. All works well; this was Exchange 2007.
Now Exchange 2010 is running, and with the same setup the test-systemhealth report complains about two gateways on the server. Spoke with Exchange experts; they suggested to fix that.

So this is my way of fixing that: creating a new network using a vlan on my one and only switch. This is a small network I run in my residence. So it keeps me busy.

Can you suggest a different method to accomplish this?

Thanks

I think this is where an issue starts and ends.
Your firewall can handle everything dealing with port forwarding from outside to inside.
The only time one uses two NICs on the server is when one is used for one type of access while the other is for something like a backup network or access to storage (SAN), i.e. to minimize the impact of one type of traffic on the other, or as a teaming connection (both NICs are bonded, and so on the switch), which deals with increasing the available bandwidth for both LAN and incoming traffic along with providing cable/network adapter failure.

You did not have to use two networks to have 25 and 1025 end on the same system.

A VLAN is also not needed for those changes.
A VLAN is suitable if you have LAN systems and you wish to limit the exposure of the servers to compromised workstations. With VLANs, all workstations are on one and the servers on the other. On the router you will have rules for what type of traffic from the workstations can pass to get to each server or all servers.

Arnold,

Thanks on this one.

Still trying to figure out the route add I need so I do not need the default gateway. I will open a new question later.