Problems connecting to internal server

Mwvarner
I have what I believe is a DNS problem.  I have an internal web server that my users access on a regular basis. Lately some of them can't connect to the server.  They get "Page Cannot be displayed".  However, if I have them connect to the network via a VPN connection they can connect to the server fine.

I can also get it to connect sometimes by switching from a wired connection to our Wi-Fi or from Wi-Fi to a wired connection.

I'm fairly sure it has something to do with DNS but I'm not sure where to start to try to find the issue.
So it's completely random? What are they using for DNS? Do they work one day and not the next? Can you ping by name and IP?
Top Expert 2014

Commented:
How does the VPN server connect to your internal network?  Do you have a single subnet, or multiple subnets?  Do you have VLANs?

Unless you have a unique DNS server for the VPN connection and your internal server has a different IP address via VPN, I don't think this is a DNS issue.  Normally a server's IP address and host name are the same on a VPN connection as they would be on your internal network.

Now just to make sure, your users are on your internal network also, right?
Ian Arakel, Network Lead: Data and Security
Top Expert 2016

Commented:
Hi Mwvarner,

We believe the issue is as below:

i) Webserver hosted on the internal environment. Is it published on the internet?

ii) Users are unable to access the website externally. Kindly confirm if this externally means from a remote site location or the internet.

iii) Install the tcping.exe tool in your workstation's C drive in the Windows folder. Use the nslookup command to verify the DNS entry and tcping connectivity in the below cases:

a) When connected via VPN.
b) When connected minus VPN.
Author

Commented:
Ok, let's forget about the VPN for a minute.  Internally, in the same office as the server, some users can connect with no problem while others cannot.

Some of these users connect fine on our internal WiFi while others connect fine on a wired connection.  When one of them doesn't work I've disabled the connection temporarily and used the other and then I can connect.  Even after I re-enable the connection that didn't work I can continue to access the server for days or even weeks on that machine.

I also had a computer this afternoon that was connected via a wired connection.  I couldn't access the server or ping by name.  I pinged by IP address one time and then I could ping by name and connect to the server with no problem.  The name of the server is backoffice.esieci.com and the internal IP address is 10.1.30.8.  We are using a class B subnet internally if that matters.
Top Expert 2014

Commented:
Can you post the output of "ipconfig /all" from a machine that works and from one that is having the problem?

Author

Commented:
I'll do that when I'm back in the office on Monday

Author

Commented:
I tried connecting to the server today from my laptop.  I got an error that the page could not be displayed.

I ran Ipconfig /all and the output is below.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : VM-10-1
   Primary Dns Suffix  . . . . . . . : esieci.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : esieci.com

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-77-3D-A4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::496c:d02f:43ed:8da6%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.50.85(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, March 7, 2016 11:11:37 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 15, 2016 11:11:37 AM
   Default Gateway . . . . . . . . . : 192.168.168.20
                                       10.1.0.1
   DHCP Server . . . . . . . . . . . : 10.1.40.1
   DHCPv6 IAID . . . . . . . . . . . : 50334761
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-4B-2E-20-00-0C-29-77-3D-A4
   DNS Servers . . . . . . . . . . . : 10.1.40.1
                                       10.1.40.2
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.esieci.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


I could ping the server by IP address but not by name.

I disabled and reenabled the Ethernet adapter on my laptop and then I was able to ping by name and access the server.

I ran the Ipconfig /all again and the output is below but the before and after outputs are exactly the same.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : VM-10-1
   Primary Dns Suffix  . . . . . . . : esieci.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : esieci.com

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-77-3D-A4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::496c:d02f:43ed:8da6%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.50.85(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, March 7, 2016 11:26:23 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 15, 2016 11:26:23 AM
   Default Gateway . . . . . . . . . : 192.168.168.20
                                       10.1.0.1
   DHCP Server . . . . . . . . . . . : 10.1.40.1
   DHCPv6 IAID . . . . . . . . . . . : 50334761
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-4B-2E-20-00-0C-29-77-3D-A4
   DNS Servers . . . . . . . . . . . : 10.1.40.1
                                       10.1.40.2
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.esieci.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


I also connected from another PC in my office and it connected the first time.  The output from that Ipconfig /all is below.



Windows IP Configuration

   Host Name . . . . . . . . . . . . : ESG-IT-001
   Primary Dns Suffix  . . . . . . . : esieci.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : esieci.com

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : B6-AE-2B-C2-1E-8E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Surface Ethernet Adapter
   Physical Address. . . . . . . . . : 58-82-A8-8F-2F-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b942:e5e9:bf31:cbd7%23(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.50.95(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, March 7, 2016 8:46:34 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 15, 2016 8:46:33 AM
   Default Gateway . . . . . . . . . : 10.1.0.1
   DHCP Server . . . . . . . . . . . : 10.1.40.1
   DHCPv6 IAID . . . . . . . . . . . : 492339880
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-F3-74-A0-58-82-A8-8F-2F-C5
   DNS Servers . . . . . . . . . . . : 10.1.40.1
                                       10.1.40.2
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Marvell AVASTAR Wireless-AC Network Controller
   Physical Address. . . . . . . . . : B4-AE-2B-C2-1F-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : B4-AE-2B-C2-1F-90
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.esieci.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : esieci.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
I have noticed lately on some of my home computers that I use for testing that IPv6 was messing things up. Try unchecking it and see what happens. And get rid of the external DNS, 208.67.220.220.
Top Expert 2014
Commented:
Next time you have the problem issue the command:

     ipconfig /displaydns > dnscached.txt

Then:

    ipconfig /flushdns

Then look at the dnscached.txt file and see what IP address was returned.

Then definitely get rid of 208.67.220.220 from your DNS server list.

One of the FP's for Windows XP changed how MS did DNS lookups and every release of Windows since has done the same thing.

Before the fixpack was applied, if you had DNS servers defined like:

     10.1.40.1
     10.1.40.2
     208.67.220.220

Windows would send a lookup request to 10.1.40.1, wait 30 seconds for a reply.  If it received a reply, did not matter what the reply was, it would stop right there.  

If it did not receive a reply, it would then send a request to 10.1.40.2 and wait 30 seconds for a reply.  If it received a reply, did not matter what the reply was, it would stop right there.

If it did not receive a reply, it would then send a request to 208.67.220.220 and wait 30 seconds for a reply.  No matter what, it would stop right there.

The chances of you ever getting to 208.67.220.220 were slim, and if you did get there, typically you were having other issues because your internal DNS servers were having problems and you might not be able to find any host name within your Windows domain.

After the fix pack was installed:

Windows would send the lookup request 10.1.40.1, 10.1.40.2, and 208.67.220.220 in that order, but all within a ms of each other and wait 5 seconds for a response.  It would then accept the response from the 1st host that responded and then IN MEMORY, put that IP address first in the list.  So if by chance 208.67.220.220 responded first, the next lookup request would be sent to 208.67.220.220, 10.1.40.1, and 10.1.40.2, in that order, still all within a ms of each other.


Now typically you would expect internal hosts (10.1.40.1 or 10.1.40.2) to respond before an external host (208.67.220.220), but in some instances you might get the external host responding first.

Now what happens if the external DNS server does not have an entry for the host you are looking up, or better yet has a different IP address?  Well, remember I said that Windows accepts the 1st answer it gets back; if the 1st answer is NO SUCH HOST, then it assumes there is no such host.  If it gets back the address of hostA is x.x.x.x, it accepts that and will try to connect to that IP address.

Author

Commented:
The last comment seems to have worked for one of my branches today.  One person couldn't connect. I ran the command you suggested and there was no address for the server. I deleted the external DNS and restarted the computer and it connected fine.  I want to give it at least one more try before I call this done but it looks good so far.
Top Expert 2014

Commented:
You don't want to have any host use an external DNS server. They should all point to your internal DNS servers, and then they will forward requests for any unknown domains to external DNS servers.
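
An added example, not part of the original thread: a Python check that parses saved `ipconfig /all` output and reports any adapter whose DNS server list contains an address outside the internal ranges, the condition discussed above. The sample text is trimmed from the output posted earlier in the thread; the function names and the default RFC 1918 ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample: trimmed from the "ipconfig /all" output posted in the thread.
SAMPLE = """\
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : esieci.com
   IPv4 Address. . . . . . . . . . . : 10.1.50.85(Preferred)
   DHCP Server . . . . . . . . . . . : 10.1.40.1
   DNS Servers . . . . . . . . . . . : 10.1.40.1
                                       10.1.40.2
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.esieci.com:

   Media State . . . . . . . . . . . : Media disconnected
"""

# "   Field name . . . . : value" (the dot leader ends with " :")
FIELD = re.compile(r"^\s+(.+?)[ .]*\s:\s?(.*)$")

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server strings]} from ipconfig /all text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # new adapter section
            result[adapter] = []
            continue
        m = FIELD.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            value = m.group(2).strip()
        else:
            value = line.strip()  # continuation line of a multi-valued field
        if adapter and in_dns and value:
            result[adapter].append(value.split("%")[0])  # drop IPv6 zone id
    return result

def audit(text, internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return {adapter: [DNS servers outside the internal networks]}."""
    nets = [ipaddress.ip_network(n) for n in internal]
    findings = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        bad = [s for s in servers
               if not any(ipaddress.ip_address(s).version == n.version
                          and ipaddress.ip_address(s) in n for n in nets)]
        if bad:
            findings[adapter] = bad
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Pass the organisation's own ranges as `internal` to tighten the check, for example `("10.1.0.0/16",)` for the subnet shown in the thread.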
Ian Arakel, Network Lead: Data and Security
Top Expert 2016

Commented:
Hi Glitjr,

Thanks for the above comment.
Appreciate it.
@Mwvarner:  Refrain from using external DNS servers within a domain since they would not have visibility of the A record entries created within the organization.
Ian Arakel, Network Lead: Data and Security
Top Expert 2016

Commented:
Hi Mwvarner,

Just kind of inquisitive to know if you managed to capture the outputs of ipconfig /displaydns during and post the issue occurrence.
Kindly share the same if it is available with you.
