I've just learned that he's on the road on an emergency service call. I may not hear from him for days...
Kurt

On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <[email protected]> wrote:
> The trace routes weren't informative?
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Tuesday, January 31, 2012 4:21 PM
> To: NT System Admin Issues
> Subject: Re: Curious networking anomaly in Win7 Pro box
>
> Not dropping in the sense you mean - I'd still see a traceroute or
> other ICMP packets in tcpdump, but they wouldn't go anywhere.
>
> More to the point, pings to multiple addresses on the same remote
> subnet are treated the same, and when he's doing the unsuccessful
> pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply
> not reaching the office's firewall at all.
>
> Also, no other machine is having this difficulty - if they can ping
> one address on the remote subnet, they can ping all.
>
> I even went so far as to have him specify the TTL in the pings at 254,
> with a timeout of 300ms (usual response time is ~200m, and I didn't
> want to wait the full 1000ms).
>
> As further background, the network firewalls I have are Sidewinders
> (now known as McAfee Enterprise Secure firewalls, since the
> acquisition) and are a hardened version of FreeBSD. I can ssh into the
> box, run tcpdump just like any other *nix and see what's coming across
> the wire.
>
> Kurt
>
> On Tue, Jan 31, 2012 at 13:01, Steve Kradel <[email protected]> wrote:
>> Doesn't this imply you are dropping at least some ICMP at the firewall, then?
>>
>> On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff <[email protected]> wrote:
>>> No drops at the firewall.
>>>
>>> Forgot to have him do a traceroute - the firewall doesn't allow
>>> traceroutes to pass through it, so that doesn't usually occur to me,
>>> but in this case it would prove useful.
>>>
>>> I'll have him try that.
>>>
>>> Kurt
>>>
>>> On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh <[email protected]>
>>> wrote:
>>>> Compare trace routes from the anomalous machine to the devices you can
>>>> connect to with trace routes to the ones you can't.
>>>> Check firewall logs for drops.
>>>>
>>>> -----Original Message-----
>>>> From: Kurt Buff [mailto:[email protected]]
>>>> Sent: Tuesday, January 31, 2012 12:56 PM
>>>> To: NT System Admin Issues
>>>> Subject: Curious networking anomaly in Win7 Pro box
>>>>
>>>> All,
>>>>
>>>> Just one machine in our UK office is affected, and I haven't been able
>>>> to figure it out. All other machines seem to be working fine.
>>>>
>>>> This one laptop cannot talk to a few addresses in our US server subnet.
>>>>
>>>> For instance, this machine can ping the file server, and the Exchange
>>>> server, but not the DCs, nor a new terminal server, nor the address of
>>>> the router on that subnet. However, all of the machines he's trying to
>>>> ping by name resolve to correct IP addresses.
>>>>
>>>> We put Wireshark on this machine, and it thinks it's emitting the ICMP
>>>> packets, but when I fired up tcpdump on the internal interface of the
>>>> firewall for his office, I verified that it was not seeing packets for
>>>> those machines that he was trying to ping, and it was seeing packets
>>>> for the machines to which he was able to connect.
>>>>
>>>> I did a 'route print', to see if there were something odd there, but
>>>> saw nothing interesting.
>>>>
>>>> A malware scan came up clean - and it's a new install of Win7 Pro over XP.
>>>>
>>>> I turned off any services that looked interesting, including the
>>>> Aventail connection service, the Windows firewall, and a couple of
>>>> others, with no change in result.
>>>>
>>>> Haven't had a chance to examine the event logs on the laptop. The
>>>> laptop is probably going to be wiped before I can work with him on it
>>>> again, but I'm still very curious. Has anyone seen anything like this
>>>> before?
>>>>
>>>> Kurt
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
