Workgroup not accessible - fixed

[John Steele]

I have been getting the message "Workgroup not accessible. You may not have
permission to access..." intermittently on one of my computers name WK02.
The other two computer in the workgroup are fine, although they are unable
to see WK02 as members of the workgroup. They can still access shares and
printers on WK02 even though they cannot browse the computer. All Workgroup
computers are XP (2 running Pro, one running Home) with full updates.

I have fixed the problem and have generated this post in the hope it will
help someone else. It would also be interesting if any experts could give an
explanation as to what is actually going wrong.

I discovered that if one of the other two computers were switched on first
(i.e. they became the master browser) then WK02 was visible to them and WK02
could browse the workgroup correctly. If WK02 was switched on first (the
normal situation as it is a desktop, the other two are laptops) then the
workgroup browsing fails.

After eliminating all other factors, and some research with Ethereal, I
discovered that it was the Windows firewall that was blocking the UDP ports
137 and 138. The Advanced setting for file and printer sharing was Own
Network as one would expect. The firewall log showed these were being
blocked. See below for port 138:

2005-04-15 09:36:44 DROP UDP 192.168.x.101 192.168.x.255 138 138
211 - - - - - - - RECEIVE

This is a broadcast message being sent out to the subnet from 192.168.x.101
and the receiving of this message being blocked by the firewall.

I changed the setting to custom using the network setting of
192.168.x.0/255.255.255.0 (x is the local subnet number) for both these UDP
ports and SUCCESS. The computer now behaves as expected.

I did try changing my network to a static IP address.
I did try disabling my other firewall (Kerio 2.5.1) to eliminate that from
the equation - no different
I did try enabling and disabling the Windows firewall several times and
found the results consistent

My other two computers have alterative firewall products and these have
disabled the Windows firewall. Everything else works.

The question remains - why is putting a custom scope, set to my network
address/subnet mask, any different from the default? I notice that the log
shows a mask of 192.168.x.255 rather than the 255.255.255.0 that one would
normally expect.

John Steele

 

[Haggis]

I have been getting the message "Workgroup not accessible. You may not have
permission to access..." intermittently on one of my computers name WK02.
The other two computer in the workgroup are fine, although they are unable
to see WK02 as members of the workgroup. They can still access shares and
printers on WK02 even though they cannot browse the computer. All Workgroup
computers are XP (2 running Pro, one running Home) with full updates.

I have fixed the problem and have generated this post in the hope it will
help someone else. It would also be interesting if any experts could give
an explanation as to what is actually going wrong.

I discovered that if one of the other two computers were switched on first
(i.e. they became the master browser) then WK02 was visible to them and
WK02 could browse the workgroup correctly. If WK02 was switched on first
(the normal situation as it is a desktop, the other two are laptops) then
the workgroup browsing fails.

After eliminating all other factors, and some research with Ethereal, I
discovered that it was the Windows firewall that was blocking the UDP
ports 137 and 138. The Advanced setting for file and printer sharing was
Own Network as one would expect. The firewall log showed these were being
blocked. See below for port 138:

2005-04-15 09:36:44 DROP UDP 192.168.x.101 192.168.x.255 138 138
211 - - - - - - - RECEIVE

This is a broadcast message being sent out to the subnet from
192.168.x.101 and the receiving of this message being blocked by the
firewall.

I changed the setting to custom using the network setting of
192.168.x.0/255.255.255.0 (x is the local subnet number) for both these
UDP ports and SUCCESS. The computer now behaves as expected.

I did try changing my network to a static IP address.
I did try disabling my other firewall (Kerio 2.5.1) to eliminate that from
the equation - no different
I did try enabling and disabling the Windows firewall several times and
found the results consistent

My other two computers have alterative firewall products and these have
disabled the Windows firewall. Everything else works.

The question remains - why is putting a custom scope, set to my network
address/subnet mask, any different from the default? I notice that the log
shows a mask of 192.168.x.255 rather than the 255.255.255.0 that one would
normally expect.

John Steele

thanks for the post :>

when you turned WK02 on first , it became master browser ..and with those
ports blocked ..could not gather required information from the network

by changing the IP to a range that was not blocked...the master browser
functions are operating normally

192.168.x.101 to 255 blocked , so your change to 192.168.x.0 is not in that
range (subnet for all 192.168.x.0-255 should be 255.255.255.0)

 

[John Steele]

--snip


thanks for the post :>

when you turned WK02 on first , it became master browser ..and with those
ports blocked ..could not gather required information from the network

by changing the IP to a range that was not blocked...the master browser
functions are operating normally

192.168.x.101 to 255 blocked , so your change to 192.168.x.0 is not in
that range (subnet for all 192.168.x.0-255 should be 255.255.255.0)

I understand the point about WK02 becoming the master browser.

My point is that the firewall configuration should not have blocked these
ports. The source IP address in the message is within my local network, it
is the IP address of WK02 receiving the message which must by definition be
on my local network. The destination address is 192.168.x.255 which is the
broadcast address for the subnet. This must also be within the local
network. My local subnet is 192.168.x.0 with a subnet mask of 255.255.255.0.
This is what ipcofig reports.

I am an experienced network design engineer who has a thorough understanding
of IP networking. What I don't understand is why the Windows firewall is
behaving as it is. There should be no difference between "local network"
and the custom values I entered.

John Steele
www.soroban.co.uk