Calling for help


Guest

Problem:

So what is happening is we have workstations that are using DHCP, and it
seems like after being connected for a while they lose the ability to
browse the internet, do any kind of external nslookup, or ping any external
IP address, but they can access any resource on the internal LAN.

When an IP dies, any machine with that IP can ping 10.0.2.1 (gateway) or any
internal machine on the internal and DMZ LANs just fine, but not
210.86.17.129 (router interface) or any pingable external IP.

Adding external DNS servers to the list makes no difference.

The IP that is 'dead' - you can set up another machine with that IP, and
then that machine won't have net access, but they can access (and of course
ping) everything on the internal network (including the internal interface of
any gateway).

The most curious thing is that existing TCP connections continue to work.
However, new TCP connections are denied (time out).

So if you have Outlook open, which has keepalive connections to our external
Exchange hosted by Mi8, that works just fine - but your browsing dies
(because those are all unique TCP connection requests).

Also observed that a dead IP becomes live again after some time – approx 75
minutes.

Doesn't sound anything whatsoever like a DNS issue to me - remember, we're
failing to ping the gateway's external IP address, not a DNS name.

Any suggestions on where to go from here or where to look?
 

Chuck

On Fri, 29 Jul 2005 06:56:04 -0700, "John Bonin" <John

John,

How about some detail about your network. You mention both a gateway and a
router. What is there between the gateway and router?

How long has this problem been observed? How mature is your network? What
changes have you made to your network, just before the problem was observed?

Is the problem active 7 x 24? Any pattern to what IP addresses lose ability per
your description?
 

Guest

Ok, so the network looks something like this: we have our border router (Cisco),
which plugs into an unmanaged Layer 2 switch; the firewall (PIX) also plugs
into that switch, as do the unmanaged Layer 2 switches where all
workstations reside.

The problem started to occur when we implemented the new Cisco equipment.

This is a company we just acquired, so their network was set up before with a
Linux firewall using iptables, allowing everything in and out.

After doing some monitoring on the PIX we noticed that there were a lot of
connections coming into and out of the PIX. There are only 20 users at
this location, and we had 20,000 connections showing on the PIX.

After monitoring the connections we found a few machines that were infected
with viruses, worms, etc.

We have since then cleaned all machines and removed any machines that were
establishing the connections.

The problem seems to occur when everyone is on the network around the middle
of the day.

The problem is not active 7 x 24.

No pattern to what IP addresses lose ability. (These are the IPs that have
been experiencing the problem so far: 10.0.2.104 -201 -205 -217 -121 /24)

If we put that IP on another machine, that machine shows the same signs.

After about 75 minutes the problem goes away for that IP.
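The monitoring step described in this post (a 20-user LAN showing 20,000 firewall connections, traced to a few infected hosts) is the kind of check that is easy to script. The following is an added example, not code from the thread or from any Cisco tool: it takes a simplified connection table (the line format, sample data and thresholds are all constructed here, not real PIX `show conn` output) and flags internal hosts whose connection count or single-port fan-out looks worm-like.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0.2."   # the workstation LAN named in the thread
MAX_CONNS_PER_HOST = 100       # assumed ceiling for a normal workstation
MIN_FANOUT = 50                # assumed: this many distinct peers on one port = scanning

def build_sample_table():
    """Constructed connection table, one 'proto src:sport dst:dport' per line.
    Three normal hosts plus one host sweeping a /24 on a single port."""
    lines = []
    for host, port in (("104", 80), ("205", 443), ("217", 25)):
        for i in range(3):
            lines.append(f"tcp 10.0.2.{host}:{1030 + i} 198.51.100.{10 + i}:{port}")
    for i in range(1, 255):                      # worm-like sweep from .201
        lines.append(f"tcp 10.0.2.201:{2000 + i} 203.0.113.{i}:445")
    return "\n".join(lines)

def parse_connections(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src_ip = parts[1].rsplit(":", 1)[0]
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        yield src_ip, dst_ip, int(dst_port)

def find_noisy_hosts(text):
    """Return {src_ip: summary} for internal hosts exceeding either limit."""
    conns = defaultdict(int)
    peers = defaultdict(lambda: defaultdict(set))   # src -> dst_port -> {dst_ip}
    for src, dst, port in parse_connections(text):
        if not src.startswith(INTERNAL_PREFIX):
            continue
        conns[src] += 1
        peers[src][port].add(dst)
    flagged = {}
    for src, total in conns.items():
        # The port with the most distinct peers is the best scan indicator.
        port, dsts = max(peers[src].items(), key=lambda kv: len(kv[1]))
        if total > MAX_CONNS_PER_HOST or len(dsts) >= MIN_FANOUT:
            flagged[src] = {"connections": total, "top_port": port,
                            "distinct_peers_on_top_port": len(dsts)}
    return flagged

if __name__ == "__main__":
    for host, info in find_noisy_hosts(build_sample_table()).items():
        print(host, info)
```

Feed it a real connection export in the same three-column shape and the flagged hosts are the ones to pull off the wire and inspect.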
 

Chuck

John,

OK, this sounds like more than a simple problem with Windows XP. My guess is
that your firewall is being overloaded, maybe from network activity from one of
the other computers.

Is this symptom related to the previous problem - your malware infection? Is
the malware problem still with you? What diagnostics did you run, to ensure
that they're clean? What precautions did you install on the computers, having
cleaned them?

I suspect that you should be asking for help in comp.security.firewalls, or
maybe microsoft.public.security. If you want to try the former, you'll need a
Usenet reader, unless you want to go with Google; the latter is also available
in Google, in addition to the Microsoft CDO web interface.
<http://groups.google.com/group/comp.security.firewalls>
<http://groups.google.com/group/microsoft.public.security>
 

Guest

Thanks I will look into that

 