Well said, Mr. Spock

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, February 01, 2012 3:57 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

True, but at this point it's beyond my control, so emotional
investment in the outcome is pointless..

On Wed, Feb 1, 2012 at 13:04, Jonathan Link <jonathan.l...@gmail.com> wrote:
> Or not...if it's a wipe and rebuild we will never know...
>
>
> On Wed, Feb 1, 2012 at 4:01 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> LOL.
>>
>> Patience, grasshopper...
>>
>> Kurt
>>
>> On Wed, Feb 1, 2012 at 12:49, Kim Longenbaugh <k...@colonialsavings.com>
>> wrote:
>> > The suspense is killing me...  :)
>> >
>> > -----Original Message-----
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Wednesday, February 01, 2012 2:08 PM
>> > To: NT System Admin Issues
>> > Subject: Re: Curious networking anomaly in Win7 Pro box
>> >
>> > I've just learned that he's on the road on an emergency service call.
>> >
>> > I may not hear from him for days...
>> >
>> > Kurt
>> >
>> > On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <k...@colonialsavings.com>
>> > wrote:
>> >> The trace routes weren't informative?
>> >>
>> >> -----Original Message-----
>> >> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> >> Sent: Tuesday, January 31, 2012 4:21 PM
>> >> To: NT System Admin Issues
>> >> Subject: Re: Curious networking anomaly in Win7 Pro box
>> >>
>> >> Not dropping in the sense you mean - I'd still see a traceroute or
>> >> other ICMP packets in tcpdump, but they wouldn't go anywhere.
>> >>
>> >> More to the point, pings to multiple addresses on the same remote
>> >> subnet are treated the same, and when he's doing the unsuccessful
>> >> pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply
>> >> not reaching the office's firewall at all.
>> >>
>> >> Also, no other machine is having this difficulty - if they can ping
>> >> one address on the remote subnet, they can ping all.
>> >>
>> >> I even went so far as to have him specify the TTL in the pings at 254,
>> >> with a timeout of 300ms (usual response time is ~200m, and I didn't
>> >> want to wait the full 1000ms).
>> >>
>> >> As further background, the network firewalls I have are Sidewinders
>> >> (now known as McAfee Enterprise Secure firewalls, since the
>> >> acquisition) and are a hardened version of FreeBSD. I can ssh into the
>> >> box, run tcpdump just like any other *nix and see what's coming across
>> >> the wire.
>> >>
>> >> Kurt
>> >>
>> >> On Tue, Jan 31, 2012 at 13:01, Steve Kradel <skra...@zetetic.net>
>> >> wrote:
>> >>> Doesn't this imply you are dropping at least some ICMP at the
>> >>> firewall, then?
>> >>>
>> >>> On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff <kurt.b...@gmail.com>
>> >>> wrote:
>> >>>> No drops at the firewall.
>> >>>>
>> >>>> Forgot to have him do a traceroute - the firewall doesn't allow
>> >>>> traceroutes to pass through it, so that doesn't usually occur to me,
>> >>>> but in this case it would prove useful.
>> >>>>
>> >>>> I'll have him try that.
>> >>>>
>> >>>> Kurt
>> >>>>
>> >>>> On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh
>> >>>> <k...@colonialsavings.com> wrote:
>> >>>>> Compare trace routes from the anomalous machine to the devices you
>> >>>>> can connect to with trace routes to the ones you can't.
>> >>>>> Check firewall logs for drops.
>> >>>>>
>> >>>>> -----Original Message-----
>> >>>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> >>>>> Sent: Tuesday, January 31, 2012 12:56 PM
>> >>>>> To: NT System Admin Issues
>> >>>>> Subject: Curious networking anomaly in Win7 Pro box
>> >>>>>
>> >>>>> All,
>> >>>>>
>> >>>>> Just one machine in our UK office is affected, and I haven't been
>> >>>>> able
>> >>>>> to figure it out. All other machines seem to be working fine.
>> >>>>>
>> >>>>> This one laptop cannot talk to a few addresses in our US server
>> >>>>> subnet.
>> >>>>>
>> >>>>> For instance, this machine can ping the file server, and the
>> >>>>> Exchange
>> >>>>> server, but not the DCs, nor a new terminal server, nor the address
>> >>>>> of
>> >>>>> the router on that subnet. However, all of the machines he's trying
>> >>>>> to
>> >>>>> ping by name resolve to correct IP addresses.
>> >>>>>
>> >>>>> We put Wireshark on this machine, and it thinks its emitting the
>> >>>>> ICMP
>> >>>>> packets, but when I fired up tcpdump on the internal interface of
>> >>>>> the
>> >>>>> firewall for his office, I verified that it was not seeing packets
>> >>>>> for
>> >>>>> those machines that he was trying to ping, and it was seeing packets
>> >>>>> for the machines to which he was able to connect.
>> >>>>>
>> >>>>> I did a 'route print', to see if there were something odd there, but
>> >>>>> saw nothing interesting.
>> >>>>>
>> >>>>> A malware scan came up clean - and it's a new install of Win7 Pro
>> >>>>> over XP.
>> >>>>>
>> >>>>> I turned off any services that looked interesting, including the
>> >>>>> Aventail connection service, the Windows firewall, and a couple of
>> >>>>> others, with no change in result.
>> >>>>>
>> >>>>> Haven't had a chance to examine the event logs on the laptop. The
>> >>>>> laptop is probably going to be wiped before I can work with him on
>> >>>>> it
>> >>>>> again, but I'm still very curious. Has anyone seen anything like
>> >>>>> this
>> >>>>> before?
>> >>>>>
>> >>>>> Kurt
>> >>>
>> >>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >>>
>> >>> ---
>> >>> To manage subscriptions click here:
>> >>> http://lyris.sunbelt-software.com/read/my_forums/
>> >>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> >>> with the body: unsubscribe ntsysadmin
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >>
>> >> ---
>> >> To manage subscriptions click here:
>> >> http://lyris.sunbelt-software.com/read/my_forums/
>> >> or send an email to listmana...@lyris.sunbeltsoftware.com
>> >> with the body: unsubscribe ntsysadmin
>> >>
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >>
>> >> ---
>> >> To manage subscriptions click here:
>> >> http://lyris.sunbelt-software.com/read/my_forums/
>> >> or send an email to listmana...@lyris.sunbeltsoftware.com
>> >> with the body: unsubscribe ntsysadmin
>> >
>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >
>> > ---
>> > To manage subscriptions click here:
>> > http://lyris.sunbelt-software.com/read/my_forums/
>> > or send an email to listmana...@lyris.sunbeltsoftware.com
>> > with the body: unsubscribe ntsysadmin
>> >
>> >
>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>> >
>> > ---
>> > To manage subscriptions click here:
>> > http://lyris.sunbelt-software.com/read/my_forums/
>> > or send an email to listmana...@lyris.sunbeltsoftware.com
>> > with the body: unsubscribe ntsysadmin
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Reply via email to