Re: Calling for help
- From: "John Bonin" <JohnBonin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Jul 2005 08:02:02 -0700
OK, so the network looks something like this: we have our Border Router (Cisco),
which plugs into an unmanaged Layer 2 switch. The Firewall (PIX) also plugs
into that switch, as do the unmanaged Layer 2 switches where all
workstations reside.
The problem started to occur when we implemented the new Cisco equipment.
This is a company we just acquired, so their network was set up before with a
Linux firewall using iptables, also allowing everything in and out.
After doing some monitoring on the PIX we noticed that there were a lot of
connections coming into and out of the PIX. Now, there are only 20 users at
this location, and we had 20,000 connections showing on the PIX.
After monitoring the connections we found a few machines that were infected
with viruses, worms, etc.
We have since then cleaned all machines and removed any machines that were
establishing the connections.
The problem seems to occur when everyone is on the network around the middle
of the day.
The problem is not active 7 x 24.
No pattern to what IP addresses lose ability. (These are the IPs that have
been experiencing the problem so far: 10.0.2.104 -201 -205 -217 -121 /24.)
If we put that IP on another machine, that machine shows the same signs.
After about 75 minutes the problem goes away for that IP.
"Chuck" wrote:
> On Fri, 29 Jul 2005 06:56:04 -0700, "John Bonin" <John
> Bonin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> >Problem:
> >
> >So what is happening is we have workstations that are using DHCP, and well, it
> >seems like after being connected for a while they will lose their connection:
> >they can't browse the internet, do any kind of external nslookup, or ping
> >any external IP address, but they can access any resource on the internal LAN.
> >
> >When an IP dies, any machine with that IP can ping 10.0.2.1 (gateway) or any
> >internal machine on the Internal and DMZ LAN just fine, but not
> >210.86.17.129 (Router Interface) or any pingable external IP.
> >
> >Adding external DNS servers to the list makes no difference.
> >
> >The IP that is 'dead' - you can set up another machine with that IP, and
> >then that machine won't have net access, but they can access (and of course
> >ping) everything on the internal network (including the internal interface of
> >any gateway).
> >
> >The most curious thing is that existing TCP connections continue to work.
> >However, new TCP connections are denied (time out).
> >
> >So if you have Outlook open, which has keepalive connections to our external
> >Exchange hosted by Mi8, that works just fine - but your browsing dies
> >(because those are all unique TCP connection requests).
> >
> >Also observed that a dead IP becomes live again after some time – approx 75
> >minutes.
> >
> >Doesn't sound anything whatsoever like a DNS issue to me - remember, we're
> >failing to ping the gateway's external IP address, not a DNS name.
> >
> >Any suggestions on where to go from here or where to look?
>
> John,
>
> How about some detail about your network. You mention both a gateway and a
> router. What is there between the gateway and router?
>
> How long has this problem been observed? How mature is your network? What
> changes have you made to your network, just before the problem was observed?
>
> Is the problem active 7 x 24? Any pattern to what IP addresses lose ability per
> your description?
>
> --
> Cheers,
> Chuck, MS-MVP [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.
>
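An added example, not part of this thread, of the per-host connection accounting John describes doing on the PIX: it parses a constructed listing in the style of a PIX "show conn" table (the line format and the meaning of the "U" flag are assumptions) and flags inside hosts whose connection or distinct-destination counts are far beyond what one user generates, which is how infected machines stand out when 20 users produce 20,000 connections.

```python
import re
from collections import defaultdict

# Line format modelled on a PIX "show conn" listing; the exact layout is an
# assumption for this example. All addresses and counts below are constructed.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+in\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+idle\s+\S+\s+Bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)")

def build_sample():
    """Constructed table: one normal host and one host behaving like a worm."""
    lines = []
    for i in range(5):  # 10.0.2.201: a handful of established web sessions
        lines.append(f"TCP out 198.51.100.{i+1}:80 in 10.0.2.201:{2000+i} "
                     f"idle 0:00:0{i} Bytes 4096 flags UIO")
    for i in range(300):  # 10.0.2.121: 300 unanswered SYNs to ~250 hosts
        lines.append(f"TCP out 203.0.113.{i % 250}:445 in 10.0.2.121:{1025+i} "
                     f"idle 0:00:30 Bytes 0 flags saA")
    return "\n".join(lines)

def parse_conns(text):
    """Return one dict per line that matches the assumed conn-table format."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns

def per_host_stats(conns):
    """Count connections, distinct destinations and not-yet-established
    entries per inside host (assumes 'U' in flags means established)."""
    stats = defaultdict(lambda: {"conns": 0, "dests": set(), "embryonic": 0})
    for c in conns:
        s = stats[c["src"]]
        s["conns"] += 1
        s["dests"].add(c["dst"])
        if "U" not in c["flags"]:
            s["embryonic"] += 1
    return {h: {"conns": v["conns"], "dests": len(v["dests"]),
                "embryonic": v["embryonic"]} for h, v in stats.items()}

def suspicious_hosts(stats, max_conns=200, max_dests=50):
    """Hosts with far more connections or destinations than one user makes."""
    return sorted(h for h, s in stats.items()
                  if s["conns"] > max_conns or s["dests"] > max_dests)

if __name__ == "__main__":
    st = per_host_stats(parse_conns(build_sample()))
    for host in suspicious_hosts(st):
        print(host, st[host])
```

The thresholds are starting points for a 20-user site; a host that also shows a high embryonic count is the first one to pull off the wire and scan.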