The trace routes weren't informative?

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, January 31, 2012 4:21 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

Not dropping in the sense you mean - I'd still see a traceroute or
other ICMP packets in tcpdump, but they wouldn't go anywhere.

More to the point, pings to multiple addresses on the same remote
subnet are treated the same, and when he's doing the unsuccessful
pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply
not reaching the office's firewall at all.

Also, no other machine is having this difficulty - if they can ping
one address on the remote subnet, they can ping all.

I even went so far as to have him specify the TTL in the pings at 254,
with a timeout of 300ms (usual response time is ~200ms, and I didn't
want to wait the full 1000ms).

As further background, the network firewalls I have are Sidewinders
(now known as McAfee Enterprise Secure firewalls, since the
acquisition) and are a hardened version of FreeBSD. I can ssh into the
box, run tcpdump just like any other *nix and see what's coming across
the wire.

Kurt

On Tue, Jan 31, 2012 at 13:01, Steve Kradel <skra...@zetetic.net> wrote:
> Doesn't this imply you are dropping at least some ICMP at the firewall, then?
>
> On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> No drops at the firewall.
>>
>> Forgot to have him do a traceroute - the firewall doesn't allow
>> traceroutes to pass through it, so that doesn't usually occur to me,
>> but in this case it would prove useful.
>>
>> I'll have him try that.
>>
>> Kurt
>>
>> On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh <k...@colonialsavings.com> wrote:
>>> Compare trace routes from the anomalous machine to the devices you can 
>>> connect to with trace routes to the ones you can't.
>>> Check firewall logs for drops.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> Sent: Tuesday, January 31, 2012 12:56 PM
>>> To: NT System Admin Issues
>>> Subject: Curious networking anomaly in Win7 Pro box
>>>
>>> All,
>>>
>>> Just one machine in our UK office is affected, and I haven't been able
>>> to figure it out. All other machines seem to be working fine.
>>>
>>> This one laptop cannot talk to a few addresses in our US server subnet.
>>>
>>> For instance, this machine can ping the file server, and the Exchange
>>> server, but not the DCs, nor a new terminal server, nor the address of
>>> the router on that subnet. However, all of the machines he's trying to
>>> ping by name resolve to correct IP addresses.
>>>
>>> We put Wireshark on this machine, and it thinks it's emitting the ICMP
>>> packets, but when I fired up tcpdump on the internal interface of the
>>> firewall for his office, I verified that it was not seeing packets for
>>> those machines that he was trying to ping, and it was seeing packets
>>> for the machines to which he was able to connect.
>>>
>>> I did a 'route print', to see if there were something odd there, but
>>> saw nothing interesting.
>>>
>>> A malware scan came up clean - and it's a new install of Win7 Pro over XP.
>>>
>>> I turned off any services that looked interesting, including the
>>> Aventail connection service, the Windows firewall, and a couple of
>>> others, with no change in result.
>>>
>>> Haven't had a chance to examine the event logs on the laptop. The
>>> laptop is probably going to be wiped before I can work with him on it
>>> again, but I'm still very curious. Has anyone seen anything like this
>>> before?
>>>
>>> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
