IE Routing Problem

DDJ

After booting their machines, users on our network can open Internet
Explorer and browse. After a few minutes of browsing, however, they get
the "Can't find page..." screen. When tested from each user's machine,
Pinging/Tracing works fine, whether going by IP address or domain name (for
that matter, Outlook Express, which is pointing to a public news server,
always works fine too). Our small network is a Win2000 Domain, with the
Domain Server also serving as the DNS Server for the local machines.

Can anybody give me some guidance in how to troubleshoot this issue? Since
packets seem to be getting routed properly (pinging/tracing works fine), I
am at a loss as to where to look for further info on this problem.

Thanks for any help!

Dan
 
Kevin D. Goodknecht Sr. [MVP]

DDJ said:
After booting their machines, users on our network can
open Internet Explorer and browse. After a few minutes
of browsing, however, they get the "Can't find page..."
screen. When tested from each user's machine,
Pinging/Tracing works fine, whether going by IP address
or domain name (for that matter, Outlook Express, which
is pointing to a public news server, always works fine
too). Our small network is a Win2000 Domain, with the
Domain Server also serving as the DNS Server for the
local machines.

Can anybody give me some guidance in how to troubleshoot
this issue? Since packets seem to be getting routed
properly (pinging/tracing works fine), I am at a loss as
to where to look for further info on this problem.

Are your clients using only the DC for DNS?

An ipconfig /all could be of help.
 
DDJ

Yes, they are using only the DC. I checked that...all values are correct
and consistent with the settings that have always been in place. That's why
I am thinking (along with the fact that all other routing using ping, etc
seems to be working) that this must have something to do with DNS settings
at the server level???
 
Kevin D. Goodknecht Sr. [MVP]

DDJ said:
Yes, they are using only the DC. I checked that...all
values are correct and consistent with the settings that
have always been in place. That's why I am thinking
(along with the fact that all other routing using ping,
etc seems to be working) that this must have something to
do with DNS settings at the server level???

I don't know; I cannot see how DNS is configured. You don't say if DNS
resolves with nslookup, dig or netdig.
You didn't say what it has configured as its forwarder, if any. Where is the
ipconfig /all I asked for?
I don't have a clue and you haven't given one, other than that it just quits
browsing. That can cover a lot of ground. I don't know if it is DNS or not; I
have not ruled it out yet. But from what I've gathered so far it is not DNS,
unless it is stuck in a forwarding loop. Does it forward to the router?
What does the router forward to?
 
DDJ

Let me try to answer your questions as follows:

No problem getting the IP address for various public domains using nslookup.
As mentioned previously, ping, traceit, etc. all seem to have no problems
from the affected machines...we just can't browse after a few minutes.

Don't know what dig or netdig is.

Here are the results from an ipconfig /all on one of the boxes that isn't
working:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : mybox
Primary DNS Suffix . . . . . . . : DDJ.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DDJ.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139(Ethernet Adapter)
Physical Address. . . . . . . . . : 00-E0-18-CE-AD-2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.168.186
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.168.1
DNS Servers . . . . . . . . . . . : 192.168.168.187

Basic configuration:

Each box is pointed to a firewall as the gateway (192.168.168.1) and to the
DC as the DNS Server (192.168.168.187). The DC points to the ISP-provided
two DNS servers. The common firewall gateway (192.168.168.1) forwards to
the router (192.168.168.2) which forwards to the ISP's router.

Please let me know if this isn't what you were looking for. Thanks for your
persistence!

Dan
 
Kevin D. Goodknecht Sr. [MVP]

DDJ said:
Let me try to answer your questions as follows:

No problem getting the IP address for various public
domains using nslookup. As mentioned previously, ping,
traceit, etc. all seem to have no problems from the
affected machines...we just can't browse after a few
minutes.

Don't know what dig or netdig is.

Here are the results from an ipconfig /all on one of the
boxes that isn't working:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : mybox
Primary DNS Suffix . . . . . . . : DDJ.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DDJ.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139(Ethernet Adapter)
Physical Address. . . . . . . . . : 00-E0-18-CE-AD-2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.168.186
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.168.1
DNS Servers . . . . . . . . . . . : 192.168.168.187

Basic configuration:

Each box is pointed to a firewall as the gateway
(192.168.168.1) and to the DC as the DNS Server
(192.168.168.187). The DC points to the ISP-provided two
DNS servers. The common firewall gateway (192.168.168.1)
forwards to the router (192.168.168.2) which forwards to
the ISP's router.

Let me get this straight, the DC is pointing to your ISP's DNS in its NIC?

Major problem, you cannot use any DNS other than the DNS server that has the
AD domain zone in any position on any domain member. The DC is a member,
too. Remove the ISP's DNS from the NIC and configure them only as
forwarders in the DNS service properties.
 
DDJ

OK. I removed the ISP's DNS from the NIC (and replaced with the IP of the
DC, which is the DNS Server for the domain). Also, I checked DNS service
properties and the ISP's DNS are listed there as forwarders (didn't need to
change).

However, this didn't solve the problem from the other boxes on the network.
Any other thoughts? Or do you need some other info?

Thanks!

Dan
 
Ace Fekay [MVP]

In Kevin D. Goodknecht Sr. [MVP] <[email protected]> asked for help and I
offered my suggestions below:
Let me get this straight, the DC is pointing to your ISP's DNS in its
NIC?

Major problem, you cannot use any DNS other than the DNS server that
has the AD domain zone in any position on any domain member. The DC
is a member, too. Remove the ISP's DNS from the NIC and configure
them only as forwarders in the DNS service properties.

Do you think he means "forwarded" to the ISP's DNS, and that the DCs are
actually only pointing to themselves for DNS (as required)?

If so, this might be an MTU issue or a firewall issue. Curious what rules
are in there? I'm not sure how the firewall which has a 192.168.168.1
address with the other NIC on the same segment, unless he's using OpenBSD
firewall in bridge mode where the packets are just arped across the
interfaces. I had that setup once before and works nicely, but never had any
issues with browser or name resolution. Maybe even it's just that UDP 53 is
blocked.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace Fekay [MVP]

DDJ said:
OK. I removed the ISP's DNS from the NIC (and replaced with the IP
of the DC, which is the DNS Server for the domain). Also, I checked
DNS service properties and the ISP's DNS are listed there as
forwarders (didn't need to change).

However, this didn't solve the problem from the other boxes on the
network. Any other thoughts? Or do you need some other info?

Thanks!

Dan

If I may jump in, after you removed the ISP's DNS, I assume that the client
machines do not have the ISP's DNS in there as well and they were removed?

After you changed that on the DC/DNS, restart the DNS service, then run a
netdiag /v /fix. Then go to one of the machines on your domain, provided that
the ISP's addresses have been removed, and clear the client side cache with
an:
ipconfig /flushdns

Then open a new browser and try it again.

Also, let us know if you can ping www.yahoo.com.
Also, run nslookup for us:

nslookup (hit enter)
(results show up here)

then try:
yahoo.com
(results show up here)



Then I would like you to try one more thing:

nslookup (hit enter)
set vc (hit enter)
aol.com (hit enter)
(results show up here)

then
yahoo.com (hit enter)
(results show up here)

Then paste the results for us please.

Thanks

--
Regards,
Ace

 
DDJ

The client machines did NOT have the ISP's DNS listed (they are all pointed
to the DC for DNS)

I restarted DNS on the DC, ran netdiag /v /fix, went to one of the machines
on the domain that wasn't working and ran ipconfig /flushdns. Opened a
browser, still didn't work.

See below for the info you requested...let me know if this isn't what you
wanted.

C:\>ping www.yahoo.com

Pinging www.yahoo.akadns.net [66.94.230.52] with 32 bytes of data:

Reply from 66.94.230.52: bytes=32 time=110ms TTL=51
Reply from 66.94.230.52: bytes=32 time=100ms TTL=51
Reply from 66.94.230.52: bytes=32 time=100ms TTL=51
Reply from 66.94.230.52: bytes=32 time=100ms TTL=51

Ping statistics for 66.94.230.52:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 100ms, Maximum = 110ms, Average = 102ms

C:\>nslookup
*** Can't find server name for address 192.168.168.187: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.168.187
Server: UnKnown
Address: 192.168.168.187

Non-authoritative answer:
Name: aol.com
Addresses: 149.174.130.216, 205.188.145.213, 64.12.187.24
yahoo.com
Server: UnKnown
Address: 192.168.168.187

Non-authoritative answer:
Name: yahoo.com
Addresses: 216.109.124.73, 66.94.234.13, 66.94.231.98, 66.94.231.99
216.109.124.72
Server: UnKnown
Address: 192.168.168.187

*** UnKnown can't find nslookup: Non-existent domain
set vc
aol.com
Server: UnKnown
Address: 192.168.168.187

Non-authoritative answer:
Name: aol.com
Addresses: 149.174.130.216, 205.188.145.213, 64.12.187.24
yahoo.com
Server: UnKnown
Address: 192.168.168.187

Non-authoritative answer:
Name: yahoo.com
Addresses: 216.109.124.73, 66.94.234.13, 66.94.231.98, 66.94.231.99
216.109.124.72
 
DDJ

Also, FYI...

I was wondering about the response after entering nslookup, then Enter, so I
rebooted the client box and ran the same command again and got the following
response:

C:\>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.168.187: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.168.187

Since 192.168.168.187 is the DC and DNS Server, I know this means something
is wrong, but not what is wrong. Does this help in your analysis?
(interestingly, when I opened the browser after writing the above, it worked
fine the 1st, 2nd and 3rd time I opened it, but then failed on the 4th try).

Thanks!

 
Ace Fekay [MVP]

DDJ said:
Also, FYI...

I was wondering about the response after entering nslookup, then Enter, so I
rebooted the client box and ran the same command again and got the following
response:

C:\>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.168.187: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.168.187

Since 192.168.168.187 is the DC and DNS Server, I know this means something
is wrong, but not what is wrong. Does this help in your analysis?
(interestingly, when I opened the browser after writing the above, it worked
fine the 1st, 2nd and 3rd time I opened it, but then failed on the 4th try).

Thanks!

Thanks for posting this information.

The time outs or domain not found message with nslookup is just saying you
either don't have a reverse zone created for 192.168.168.x or you do but
don't have a PTR entry for 192.168.168.187 (the DNS server itself). Just a
message.... not an error.

As for the nslookup results, resolution is working and seems you have UDP
and TCP 53 open and working on both! That was what the 'set vc' switch does,
it forces TCP since by default nslookup uses UDP.

So now I'm thinking it's an MTU issue. Do you have cable or ADSL?
Check this MTU test out please:

http://help.expedient.com/broadband/mtu_ping_test.shtml

Is there a proxy setting in the browser's options?

--
Regards,
Ace

 
DDJ

We have ADSL.

Ran the provided test. Although the Win2000 box I was using did not have an
MTU value in the registry, I added one. Per the MTU test, the optimal setting
would be 1404. NOTE: that this is the setting in our firewall as well (says
something about "fragment outbound packets larger than 1404")

The browser does not have any proxy settings in place.

Tested browser after adding MTU value...still doesn't work. The firewall
forwards packets to the router, do routers generally provide for an MTU
setting?

Thanks!
 
Ace Fekay [MVP]

DDJ said:
We have ADSL.

Ran the provided test. Although the Win2000 box I was using did not have an
MTU value in the registry, I added one. Per the MTU test, the optimal setting
would be 1404. NOTE: that this is the setting in our firewall as well (says
something about "fragment outbound packets larger than 1404")

The browser does not have any proxy settings in place.

Tested browser after adding MTU value...still doesn't work. The firewall
forwards packets to the router, do routers generally provide for an MTU
setting?

Thanks!

Actually 1404 is really awfully low. The definition of an MTU is the actual
TCP packet size. The largest possible TCP packet size is 1500 bytes. ADSL
using PPPoE lowers the MTU to 1492, using up 8 bytes for the PPPoE overhead.
So 1492 is the common one; I've seen it drop lower, depending on the ADSL
modem. The router will accommodate the modem. The lower it is, the more
difficulty there will be with IE and browsing.

What type of modem do you have?
What type of router do you have that is connected to the modem?

I was trying to re-read your previous response, but I apologize that I am
getting lost in your terminology. Here's what you previously posted:

======================
Each box is pointed to a firewall as the gateway
(192.168.168.1) and to the DC as the DNS Server
(192.168.168.187). The DC points to the ISP-provided two
DNS servers. The common firewall gateway (192.168.168.1)
forwards to the router (192.168.168.2) which forwards to
the ISP's router.
======================

Now this part (the paragraph below) is the part I really do not understand
because of the IP addresses that are mentioned, hence my previous thought
you were "arping" packets across an OpenBSD bridged firewall, which I know
not too many people use or know how to set up.
....
"The common firewall gateway (192.168.168.1)
forwards to the router (192.168.168.2) which forwards to
the ISP's router."
....

Now, let's break this down. Your 'firewall' is also your router? What brand
is it?
That "common firewall gateway" (192.168.168.1) you mention, is that the above
firewall/router? Or are you saying that the firewall gateway and the router
are two different things? Or is the router actually an ADSL modem?

From the way you described that, it seems like the 'common firewall
gateway' with an IP of 192.168.168.1, which is connected to your internal
subnet, which your internal subnet uses as a gateway, has its other
interface (which by definition of a 'router') configured with an IP on the
same subnet and is connected to your ISP's router with an IP on the same
subnet as the internal subnet, but should be a totally different subnet. So
based on the terminology used, I am completely lost on how this is
configured.

Can you break that down for me?
What name brand router?
What name brand firewall?
What name brand modem (if it is)?


--
Regards,
Ace

 
DDJ

To try and make this easier to read, I have added my responses below...

Ace Fekay said:
Actually 1404 is really awfully low. The definition of an MTU is the actual
TCP packet size. The largest possible TCP packet size is 1500 bytes. ADSL
using PPPoE lowers the MTU to 1492, using up 8 bytes for the PPPoE overhead.
So 1492 is the common one; I've seen it drop lower, depending on the ADSL
modem. The router will accommodate the modem. The lower it is, the more
difficulty there will be with IE and browsing.

I will change this after sending this message to see if it has any impact.
I remember that we originally changed it to accommodate a request from
SonicWall when setting up a VPN.

What type of modem do you have?
What type of router do you have that is connected to the modem?

We have a SonicWall SoHo 100 firewall (which is the IP = 192.168.168.1) and
an ActionTec DSL Modem/Router (LAN IP = 192.168.168.2, WAN IP should remain
private). All packets coming in through the ActionTec are routed to the
SonicWall. All client boxes point to the SonicWall as the Gateway and to
the DC (192.168.168.187) as the DNS. Should I not be posting all of this IP
info here for security reasons??? I have assumed that since they are
internal addresses, it doesn't matter, but let me know if you think
otherwise.

I was trying to re-read your previous response, but I apologize that I am
getting lost in your terminology. Here's what you previously posted:

======================
======================

Now this part (the paragraph below) is the part I really do not understand
because of the IP addresses that are mentioned, hence my previous thought
you were "arping" packets across an OpenBSD bridged firewall, which I know
not too many people use or know how to set up.
...
...

Now, let's break this down. Your 'firewall' is also your router? What brand
is it?
That "common firewall gateway" (192.168.168.1) you mention, is that the above
firewall/router? Or are you saying that the firewall gateway and the router
are two different things? Or is the router actually an ADSL modem?

If I understand how this works correctly, the SonicWall is the router,
although all the SonicWall does is pass outgoing packets to the ActionTec
(in addition obviously to handling incoming packets from the ActionTec).

From the way you described that, it seems like the 'common firewall
gateway' with an IP of 192.168.168.1, which is connected to your internal
subnet, which your internal subnet uses as a gateway, has its other
interface (which by definition of a 'router') configured with an IP on the
same subnet and is connected to your ISP's router with an IP on the same
subnet as the internal subnet, but should be a totally different subnet. So
based on the terminology used, I am completely lost on how this is
configured.

I remember when we first set this up last year, I had also thought that we
needed to set the LAN side IP of the ActionTec to a different subnet than
the WAN side IP of the SonicWall (hope I said that right!). It was either
Qwest or SonicWall, however, that said we needed to do it this way. It WAS
working for some time though, so I am curious why it has gone crazy now.

Hopefully the above helps you understand. Let me know if not, and thanks
for your patience!
 
Kevin D. Goodknecht Sr. [MVP]

DDJ said:
We have ADSL.

Ran the provided test. Although the Win2000 box I was
using did not have an MTU value in the registry, I added one.
Per the MTU test, the optimal setting would be 1404.
NOTE: that this is the setting in our firewall as well
(says something about "fragment outbound packets larger
than 1404")

The browser does not have any proxy settings in place.

Tested browser after adding MTU value...still doesn't
work. The firewall forwards packets to the router, do
routers generally provide for an MTU setting?

The way you should really test this is to ping the router's gateway to see
what MTU you can send to the gateway and use that setting on the NIC.
e.g. Pinging 65.65.91.214 with 1468 bytes of data:

Reply from 65.65.91.214: bytes=1468 time=151ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64

Ping statistics for 65.65.91.214:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 150ms, Maximum = 151ms, Average = 150ms

W:\>ping 65.65.91.214 -f -l 1469

Pinging 65.65.91.214 with 1469 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 65.65.91.214:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

W:\>ping 65.65.91.214 -f -l 1473

Pinging 65.65.91.214 with 1473 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 65.65.91.214:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

What this means is that somewhere between this machine which was 1500, and
my router's gateway the MTU is 1468 because 1469 times out and the NIC
fragments 1473. So I set this machine to 1468 + 28 bytes overhead = 1496.
If the router is set to 1404 + 28 = 1432 is the MTU your machine needs to be
to get past the router. You just set your machine to the highest number that
does not time out.

The way to figure your MTU is to start with a number, ping the router's
gateway until you find a packet size that does not time out, add 28 and set
your MTU to that number.
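
Added example, not part of the thread or of any poster's reply: the ping procedure described in the post above, automated as a binary search over payload sizes. `windows_probe` shells out to the Windows `ping -n/-f/-l` options; the function names and the simulated paths in the demo are constructed for illustration.

```python
import re
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def classify(ping_output):
    """Reduce Windows ping output to 'ok', 'df' or 'timeout'."""
    if "needs to be fragmented but DF set" in ping_output:
        return "df"       # an explicit "fragmentation needed" error was reported
    if re.search(r"Reply from \S+ bytes=\d+", ping_output):
        return "ok"       # echo reply received with DF set
    return "timeout"      # nothing came back, not even an ICMP error


def windows_probe(host, count=2):
    """Return a probe(size) that runs ping with the Don't Fragment flag set."""
    def probe(size):
        done = subprocess.run(
            ["ping", "-n", str(count), "-f", "-l", str(size), host],
            capture_output=True, text=True)
        return classify(done.stdout)
    return probe


def simulated_path(max_payload, silent):
    """Constructed stand-in for a real link so the example runs offline."""
    def probe(size):
        if size <= max_payload:
            return "ok"
        return "timeout" if silent else "df"
    return probe


def find_path_mtu(probe, lo=548, hi=1472):
    """Binary-search the largest ICMP payload that is answered with DF set.

    lo=548 corresponds to a 576-byte datagram, hi=1472 to a 1500-byte
    Ethernet MTU. Returns None if even the smallest probe goes unanswered.
    """
    if probe(lo) != "ok":
        return None
    top = hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid) == "ok":
            lo = mid
        else:
            hi = mid - 1
    # What happens one byte over the limit matters for diagnosis: 'df' means
    # the sender is told to shrink its packets, 'timeout' means oversize
    # packets disappear silently.
    over = probe(lo + 1) if lo < top else None
    return {"payload": lo, "mtu": lo + ICMP_OVERHEAD, "one_byte_over": over}


if __name__ == "__main__":
    # Constructed paths modelled on the two ping transcripts in this thread.
    print(find_path_mtu(simulated_path(1468, silent=True)))
    print(find_path_mtu(simulated_path(1464, silent=False)))
    # Against a real host on Windows (address is whatever gateway you test):
    # print(find_path_mtu(windows_probe("192.168.168.1")))
```
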
 
DDJ

FYI, I changed the MTU to 1492 on both the firewall and the client box...no
change, browser still fails after a few minutes.

Dan
 
Kevin D. Goodknecht Sr. [MVP]

Kevin D. Goodknecht Sr. said:
The way to figure your MTU is to start with a number, ping
the router's gateway until you find a packet size that
does not time out, add 28 and set your MTU to that number.

In addition the new MTU setting requires a reboot, after which I got this:
W:\>ping 65.65.91.214 -f -l 1468

Pinging 65.65.91.214 with 1468 bytes of data:

Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=150ms TTL=64
Reply from 65.65.91.214: bytes=1468 time=151ms TTL=64

Ping statistics for 65.65.91.214:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 150ms, Maximum = 151ms, Average = 150ms

W:\>ping 65.65.91.214 -f -l 1469

Pinging 65.65.91.214 with 1469 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 65.65.91.214:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
DDJ

Set the client box MTU to 1492 and the firewall's MTU to 1492.

Here's what I get when I run the ping you describe:

C:\>ping 63.228.79.254 -f -l 1464

Pinging 63.228.79.254 with 1464 bytes of data:

Reply from 63.228.79.254: bytes=1464 time=141ms TTL=2
Reply from 63.228.79.254: bytes=1464 time=130ms TTL=2
Reply from 63.228.79.254: bytes=1464 time=131ms TTL=2
Reply from 63.228.79.254: bytes=1464 time=130ms TTL=2

Ping statistics for 63.228.79.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% los
Approximate round trip times in milli-seconds:
Minimum = 130ms, Maximum = 141ms, Average = 133

C:\>ping 63.228.79.254 -f -l 1465

Pinging 63.228.79.254 with 1465 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 63.228.79.254:
Packets: Sent = 4, Received = 0, Lost = 4 (100% l
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


I selected the 63.228.79.254 address to use because it was the second IP
listed when doing a traceroute for www.yahoo.com. The first address listed
is our ActionTec modem (192.168.168.2), but I figured that was not the IP
you wanted me to use, correct? I assume the 63.228.79.254 address is the
address set to receive all packets coming from our network. The results are
the same if I use the 192.168.168.2 address. (Browser still fails).
 
Kevin D. Goodknecht Sr. [MVP]

DDJ said:
I selected the 63.228.79.254 address to use because it
was the second IP listed when doing a traceroute for
www.yahoo.com. The first address listed is our ActionTec
modem (192.168.168.2), but I figured that was not the IP
you wanted me to use, correct? I assume the
63.228.79.254 address is the address set to receive all
packets coming from our network. The results are the
same if I use the 192.168.168.2 address. (Browser still
fails).

Browser fails, OK, so let's go from there, does nslookup resolve the website
to an IP address?
 
