Solved

Slow Network

Posted on 2016-09-19
Last Modified: 2016-09-21
This one has been a killer. About 3 weeks ago Comcast replaced their router which caused me to resubnet this network. I didn't think it would be hard. One server, twenty workstations (DHCP) and three static IP printers.

Something still isn't right. At 6pm something happens that causes a network disconnect on a couple of different workstations. Something similar to pulling the network cable. Apps are hung and nothing responds. It started out being an IPV6 issue when Comcast left their IPV6 DHCP running and that wreaked havoc. Finally got it shut off but still have weird things happening.

I have a little workstation inventory program that times out trying to connect to the workstations. So... I tried a tracert to the workstations and it times out! No matter what workstation I try a tracert to, it goes through 30 steps and times out. dcdiag says everything is fine but it isn't. Anyone have any ideas?

Is it safe to un-install and re-install the DNS role from the server?
Question by:LockDown32
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805359
I would try a packet sniffer and since you are advising clients, I recommend you get Comm View (Tamosoft), set it up and trace packets from the Comcast modem to the server or a workstation.

Where is DHCP? Comcast or the Server?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 41805365
Please provide us with one of your client workstation ipconfig /all (from command prompt) before and after network failure occurs. Also post your trace route results..

What I'm thinking is something is wrong with your dhcp lease, especially if it happens every day at the same time..

DirkMare
0
 
LVL 6

Accepted Solution

by:
mickfinley earned 250 total points
ID: 41805383
I disable IPv6 on our PCs because I've caught them flooding the network with router advertisements (or Router Solicitation, can't remember exact); it acted very much like a network loop. A packet sniffer such as Wireshark can see these packets and may point you in the right direction.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41805388
No matter what workstation I try a tracert to, it goes through 30 steps and times out.
30 steps????
30 steps are default maximum.
So, that sounds like routing loop (check your routes).
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805465
Attached is the ipconfig /all. I even went as far as turning off the Windows Firewall on the server and workstations and can still not ping or tracert from the server to any workstations.

When I re-subnetted obviously I reworked the DHCP Server but maybe I didn't do it properly? Is there a way to completely delete the DHCP servers? I tried deleting it and when I re-added it the first thing it did was show me two previous DHCP servers at the old 192.168.0.0 subnet. Then when I selected "This Server" all it did was bring back the existing server.....
Capture.PNG
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805487
Still playing. I tried a gpupdate on one workstation. Came back with the error "user policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller."
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805527
I am not sure how to fix DHCP after re-working it. Here is a guide for configuring DHCP

https://technet.microsoft.com/en-us/library/hh831538(v=ws.11).aspx
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805531
In playing further.... when I un-check IPV6 gpupdate works flawlessly. When I check it I get the error about not finding the DC. I can check and un-check a million times and it will follow that pattern.

This was the same problem when Comcast initially left their IPV6 server running. The IPV6 was incorrect but since it took priority over IPV4 nothing was able to communicate with the DC. I just assumed that the lease on the IPV6 would expire thus removing it from the workstations. Didn't happen.

I found an article on how to disable IPV6 via GPO but it doesn't seem to work. Can you disable IPV6 via GPO?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805534
IPv6 is normally bland and trouble-free. I do not know a way to disable by GPO but someone might. Something else continues to be wrong somewhere if removing IPv6 fixes things.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805549
My guess, after playing a little further, is that even though I thought I shut off the Comcast IPV6 Server I didn't. Either that or there is yet another IPV6 server somewhere. I know how to trace back an IPV4 address but haven't played a lot with IPV6. Has anyone looked at the ipconfig /all I posted? Can you tell if something is passing out IPV6 addresses and if so, what?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805562
I do not see (in your ipconfig output) any other DHCP server, so it is hard to say where it might come from.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805572
It did have an IPV6 address. That is what seems to be messing it up. Where did it get that IPV6 address?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805578
Yes, I can see it has one, but there is no evidence of where it came from. I see such IPv6 addresses here on my own system. But there is no IPv6 server I know of. That is what I cannot know or figure out here.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41805596
Yes. This just keeps getting weirder.  I just now noticed that some of the network connections were described as "Work" even though these workstations are part of a domain. As soon as I un-check IPV6 on the adapter and reboot they revert to "Domain Network". So at this point it is painfully obvious that something is still passing out IPV6 addresses and it is wreaking havoc with the workstations. I am running W10 here and my workstations have those same IPV6 entries in the ipconfig /all but like you I am not running IPV6 anywhere on the network.

So the million dollar question..... how can you tell (via ipconfig or any other method) if you are getting an IPV6 address from somewhere and how can you determine from where?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805621
Go here:   http://www.pcauthority.com.au/News/303978,see-if-you-have-an-ipv4-or-ipv6-connection.aspx

I switched to my HUAWEI card to see if any differences and it says I am on IPv4 only.

IPCONFIG shows both. I am still working on this.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805641
Here is a really neat local way to conclusively see how you are connected

NIC-Status
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41805673
A couple of things here:

1. Using Comm View, and a Wi-Fi connection here at my cottage this week, I see several IPv6 addresses on this network, but mostly IPv4. NIC Status says IPv4 ONLY. This is not a big enough place for IPv6 in general. I am thinking the IPv6 packets are from the resort router but I have no access to that.

2. On any IPCONFIG, I see local IPv6 addresses, but I am not using IPv6 as shown in NIC status.

3. I would be VERY surprised if you are using IPv6 in your network here. You describe as smaller rather than larger.

4. Run tracert -4 (and your other commands) to force tracert to use only IPv4. Are you still getting 30 hops?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 41805956
Clients will assign themselves an IPv6 address and it is not necessarily linked to DHCP. Think of it as APIPA for IPv6..

the FE80 "link local address" confirms this.

https://4sysops.com/archives/ipv6-tutorial-part-6-site-local-addresses-and-link-local-addresses/
and
https://www.techopedia.com/definition/12720/automatic-private-ip-addressing-apipa

Seeing that you already disabled the IPv6 protocol on your client and the issue was resolved. On your server please confirm the following.

Go to network adapters connections
press alt
click on advanced
and then advanced settings
in connections make sure Ethernet is selected and make sure the bindings orders are correct.
seeing that you are using ipv4 it should be listed first.
Bindings
I am not 100% sure if the server would require a reboot but I would recommend it for the clients..
If this doesn't resolve the issue we would need to disable IPv6 from DNS Manager to ensure your DNS Server doesn't respond to requests over IPv6.

DirkMare
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41806374
The binding order is correct on the server with the exception that IPV6 is not bound. I disabled it on the server.

Are you saying that this binding order takes precedence over the statement "Windows will act on IPV6 first"?

Right now DNS Manager is only listening in the IPV4 because IPV6 is disabled. But it was like this yesterday when I started the ping, tracert and gpupdate from the workstations. With IPV6 enabled the workstations wouldn't ping, tracert or gpupdate. With IPV6 disabled it would.

So.... why would accidentally leaving an IPV6 DHCP running create such havoc? Right now about all I can do to resolve the issue is go back through all twenty workstations and disable IPV6. Awful big mess for something as simple as resubnetting.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41806386
why would accidentally leaving an IPV6 DHCP running create such havoc?

It should not and never has on any of my machines. Never.

Did you look at NIC Status?  What did it say (for any machine) about IPv6?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 41806403
on your server if ipv6 is listed first it will respond with ipv6 the same can be said about ipv4..

What I don't understand is..
At 6pm something happens that causes a network disconnect on a couple of different workstations

I am not sure that IPv6 would cause this..

As per my first comment please post trace route and ipconfig before and at time of failure.. Could it be that the DHCP on your router is not disabled completely?

DirkMare
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41806454
Yes this one is a killer. This morning I can put IPV6 on a workstation and Tracert, Ping and Gpupdate work. The same workstation that it didn't work on all yesterday afternoon. I don't understand this 6pm thing either other than I have seen it and it is just like pulling the network cable out of the computer while all the applications are running. Programs aren't responding, you can't easily kill them and you really have no choice but to turn the power off.

The real oddity is that it only seems to happen if their main program is up and running at 6. According to their support workstations don't do anything on a schedule. Don't know what it is or what's causing it but it is right at 6 with this certain program open. I wouldn't think IPV6 would all of a sudden freak out but that is where it started. By the Comcast router passing out IPV6. From what I can tell it is off but back to the question above... how can you tell if there is an IPV6 DHCP server on the line?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 41806483
From your ipconfig I see you have temporary IPv6 address assigned to your client network adapter..
Have you released and renewed the client network adapter?
Also this ipv6 address does it belong to one of your servers..
2001:558:feed::1
2001:558:feed::2

run ipconfig /all on your server and it should list the ipv6 address if it is not your server I would suggest contacting your ISP and ask them to confirm that DHCP for ipv4 and 6 is disabled..

DirkMare
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41806527
Also, please respond to "Check the NIC Status" and let us know if IPv6 is even active on workstations.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41806594
ipconfig /all on the server (just one 2012 Server) does not reference any IPV6 data. I unchecked IPV6 on the server NIC long ago when this whole mess started.

Here is the only thing consistent: I went around to all 20 workstations this morning. Any workstation that had IPV6 enabled showed up as either a Work network or a Public network. As soon as I un-checked IPV6 it reverted to a domain network. Everything seems to be working now. Very, very strange. It appears the IPV6 is the problem but they really aren't using IPV6. So how can you tell if there is an IPV6 DHCP Server somewhere?

At this point IPV6 is un-checked on all the workstations. The "Work" or "Public" network when IPV6 is enabled would point to them using IPV6 and incorrectly so wouldn't it?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41806604
So how can you tell if there is an IPV6 DHCP Server somewhere?

So far as I know, the same way as IPv4:  IPCONFIG /ALL will show the IPv6 DHCP server IP address.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41806611
Well... I guess we are back to the million dollar question. If what you say is correct then there is no IPV6 DHCP Server. So why, all of a sudden, is everything using IPV6?
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41806615
try unchecking IPV4 and you will notice that the pc will self assign a 169.x.x.x address, same is happening with IPv6, there is no server doing it, it's Windows on the local box doing it
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 125 total points
ID: 41806621
As per my previous comment..
https://www.experts-exchange.com/questions/28970863/Slow-Network.html?anchor=a41806594#a41805956

Clients will assign themselves an IPv6 address and it is not necessarily linked to DHCP. Think of it as APIPA for IPv6..

the FE80 "link local address" confirms this.

https://4sysops.com/archives/ipv6-tutorial-part-6-site-local-addresses-and-link-local-addresses/
and
https://www.techopedia.com/definition/12720/automatic-private-ip-addressing-apipa

Seeing that you already disabled the IPv6 protocol on your client and the issue was resolved. On your server please confirm the following.

DirkMare
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41806628
You need to use a packet sniffer as I suggested earlier to see if IPv6 packets are flowing.

Just because IPCONFIG says there is an IPv6 local address does not mean it is using IPv6.
0
 
LVL 6

Assisted Solution

by:mickfinley
mickfinley earned 250 total points
ID: 41806637
using wireshark, i bet you see a horde of ipv6 packets coming from one workstation, turn that workstation ipv6 off and everything else will work. This sounds like it's a loop which ipv6 gets into over router solicitations, i've seen it a few times,  we have over 2000 workstations in my network, so you get to see lots of weirdness like this
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41806651
I turned on Comm View last night here and saw only one single machine running IPv6 - it really is uncommon (where I am and at this point in time).
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807238
I kind of agree. This one computer that started the 6pm disconnect ... the internet would not work unless IPV8 was enabled. It is a suspect. So now that IPV6 is disabled on both the server and all workstations what do I want to enable on what and where should I run what packet capture utility?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807249
You can install a packet capture program on a good working computer assuming everything is on one subnet.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807277
Stupid question but if I install it on a workstation the only packets I will see are ones coming in to and going out of that workstation no? So if it isn't the problem workstation it won't help will it?

Don't people usually do port mirroring on the switch and use the server?
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41807280
I'm thinking the IPv6 packets in this case will be broadcasts, in which case Wireshark might be able to be run anywhere on the network. If they are not broadcast, you'll need either a mirror port on your switch or a hub in line with the uplink port of the switch
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807284
I see stuff from all workstations here using Comm View.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807331
At this point, you have put so much into this, that it strikes me as indeed very reasonable to suggest you back up the Server, format it and reinstall Server 2012 R2. By all means engage a consultant to do this if this is not your native skill set.

Reset the Comcast modem, set up the server, make sure DHCP is properly set up only using the Server, then set up just one workstation and test before going too far.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807348
That is not an option. It was a clean migration not more than three months ago. If disabling IPV6 on the server and workstations does the trick then so be it. It would, however, be nice to find out what, if anything, is spewing IPV6.

So... how about a quick lesson in Wireshark. I found out how to filter for IPV6 only but can't figure out what I am missing to start the capture....
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807354
I use Comm View, not Wireshark so I cannot give you lessons in Wireshark. However it should show you (just like Comm View) packets and where they are from and where they are going to.

Quote from Wireshark: "The following methods can be used to start capturing packets with Wireshark:
1. You can double-click on an interface in the main window.
2. You can get an overview of the available interfaces using the “Capture Interfaces” dialog box (Capture → Options…)."
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41807364
In the wireshark application, click <Capture>, select <interfaces>, Select the interface you want to use to capture, then click <Start>
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807374
Well..... this could be a learning curve in and of itself. There are IPV6 packets flowing. The source and destination seem relatively constant. Since all workstations and server have IPV6 disabled where could these packets be originating from? The Comcast Router? Attached is some data.....
Capture.PNG
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41807382
Under the "Info" column:   Router Advertisement from xx:xx:xx:xx:xx(mac-address), find this mac-address in either the dhcp table or from arp on the switch
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41807387
the mac-address will point you to the ip address, which will point to the pc in question...looking at that output, I'm betting it's one of your servers.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807391
I agree - the MAC address is there and the MAC address lines are all the same MAC. Look at your router.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807425
The MAC address is that of the Comcast router. So it is broadcasting? I attached two screenshots. The first is the summary. It lists a DHCPV6 lease time but nowhere does it say if the DHCPV6 is enabled or disabled. At least with V4 it plainly states disabled.

The second screenshot is where I thought I disabled IPV6. What did I miss?
Capture.PNG
Capture1.PNG
0
 
LVL 6

Expert Comment

by:mickfinley
ID: 41807434
uncheck Stateless(Auto-Config)
0
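Added example, not part of the thread: the check discussed above (which device is sending Router Advertisements, and what they tell hosts to do) done programmatically on a captured Ethernet frame. It reads the source MAC, the M/O flags that point hosts at DHCPv6, the prefix option's autonomous (A) flag that drives stateless autoconfiguration, and any DNS servers carried in the RA. The function names are hypothetical and the sample frame, its MAC and its 2001:db8 addresses are constructed.

```python
import ipaddress
import struct

def parse_router_advertisement(frame):
    """Describe the ICMPv6 Router Advertisement in an Ethernet frame, else None."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd":    # too short / not IPv6
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != 58:    # 58 = ICMPv6; extension headers not walked
        return None
    icmp = frame[54:54 + struct.unpack("!H", ip6[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != 134:    # 134 = Router Advertisement
        return None
    ra = {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": str(ipaddress.IPv6Address(ip6[8:24])),
        "managed": bool(icmp[5] & 0x80),    # M flag: get addresses from DHCPv6
        "other": bool(icmp[5] & 0x40),      # O flag: get DNS etc. from DHCPv6
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
        "slaac_prefixes": [],               # prefixes hosts self-configure from
        "rdnss": [],                        # DNS servers carried in the RA itself
    }
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break                           # malformed option, stop walking
        body = icmp[pos + 2:pos + opt_len]
        if opt_type == 3 and opt_len == 32 and body[1] & 0x40:   # Prefix Info, A flag
            ra["slaac_prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == 25 and opt_len >= 24:                   # RDNSS
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return ra

def unexpected_ras(frames, allowed_macs=frozenset()):
    """Return parsed RAs whose source MAC is not an approved IPv6 router."""
    found = []
    for frame in frames:
        ra = parse_router_advertisement(frame)
        if ra and ra["src_mac"] not in allowed_macs:
            found.append(ra)
    return found

def build_sample_ra():
    """Constructed frame: made-up router MAC, 2001:db8::/32 documentation addresses."""
    addr = lambda s: ipaddress.IPv6Address(s).packed
    mac = bytes.fromhex("02005e100001")
    opts = struct.pack("!BB", 1, 1) + mac                          # source link-layer
    opts += struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0) + addr("2001:db8:1::")
    opts += struct.pack("!BBHI", 25, 3, 0, 600) + addr("2001:db8::53")
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0) + opts  # checksum unset
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + addr("fe80::1") + addr("ff02::1")
    return bytes.fromhex("333300000001") + mac + b"\x86\xdd" + ip6 + icmp

if __name__ == "__main__":
    for ra in unexpected_ras([build_sample_ra()]):
        print(ra)
```

On a network that is meant to be IPv4-only the allow-list stays empty, so any result names a device to track down by its MAC.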
 
LVL 90

Expert Comment

by:John Hurst
ID: 41807437
The MAC address confirms what I thought from the packet capture.

I would go back to Comcast (it is their modem - right?) and get them to disable IPv6 again. It does not look like you disabled it but there is no setting shown.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41807452
I can't say enough bad about Comcast. The whole thing started because they couldn't set the LAN IP of their router to 192.168.0.2. It was fixed at 10.1.10.1. That caused me to re-subnet around 10.1.10.1

Can't uncheck Stateless(Autoconfig). Not an option.....
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 125 total points
ID: 41807790
I have been watching Comm View for a couple of hours now in a location (my cottage) with about 20 buildings and numerous other connections.

One user is using IPv6 and they come and go. It is not (likely) any router here.

The whole thing started because they couldn't set the LAN IP of their router to 192.168.0.2  <-- Ask Comcast to put the router in Bridged mode, supply a commercial router of your choice and set it how you wish.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41808741
Another tool I have (and I should have mentioned this) is Advanced IP Scanner. You can get this free from Famatech.

Download it, install it, and run it. Scan your local network and see what devices come up.
0
