Or not...if it's a wipe and rebuild we will never know...

On Wed, Feb 1, 2012 at 4:01 PM, Kurt Buff <[email protected]> wrote:
> LOL.
>
> Patience, grasshopper...
>
> Kurt
>
> On Wed, Feb 1, 2012 at 12:49, Kim Longenbaugh <[email protected]> wrote:
> > The suspense is killing me... :)
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[email protected]]
> > Sent: Wednesday, February 01, 2012 2:08 PM
> > To: NT System Admin Issues
> > Subject: Re: Curious networking anomaly in Win7 Pro box
> >
> > I've just learned that he's on the road on an emergency service call.
> >
> > I may not hear from him for days...
> >
> > Kurt
> >
> > On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <[email protected]> wrote:
> >> The trace routes weren't informative?
> >>
> >> -----Original Message-----
> >> From: Kurt Buff [mailto:[email protected]]
> >> Sent: Tuesday, January 31, 2012 4:21 PM
> >> To: NT System Admin Issues
> >> Subject: Re: Curious networking anomaly in Win7 Pro box
> >>
> >> Not dropping in the sense you mean - I'd still see a traceroute or
> >> other ICMP packets in tcpdump, but they wouldn't go anywhere.
> >>
> >> More to the point, pings to multiple addresses on the same remote
> >> subnet are treated the same, and when he's doing the unsuccessful
> >> pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply
> >> not reaching the office's firewall at all.
> >>
> >> Also, no other machine is having this difficulty - if they can ping
> >> one address on the remote subnet, they can ping all.
> >>
> >> I even went so far as to have him specify the TTL in the pings at 254,
> >> with a timeout of 300ms (usual response time is ~200m, and I didn't
> >> want to wait the full 1000ms).
> >>
> >> As further background, the network firewalls I have are Sidewinders
> >> (now known as McAfee Enterprise Secure firewalls, since the
> >> acquisition) and are a hardened version of FreeBSD. I can ssh into the
> >> box, run tcpdump just like any other *nix and see what's coming across
> >> the wire.
> >>
> >> Kurt
> >>
> >> On Tue, Jan 31, 2012 at 13:01, Steve Kradel <[email protected]> wrote:
> >>> Doesn't this imply you are dropping at least some ICMP at the
> >>> firewall, then?
> >>>
> >>> On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff <[email protected]> wrote:
> >>>> No drops at the firewall.
> >>>>
> >>>> Forgot to have him do a traceroute - the firewall doesn't allow
> >>>> traceroutes to pass through it, so that doesn't usually occur to me,
> >>>> but in this case it would prove useful.
> >>>>
> >>>> I'll have him try that.
> >>>>
> >>>> Kurt
> >>>>
> >>>> On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh <[email protected]> wrote:
> >>>>> Compare trace routes from the anomalous machine to the devices you
> >>>>> can connect to with trace routes to the ones you can't.
> >>>>> Check firewall logs for drops.
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Kurt Buff [mailto:[email protected]]
> >>>>> Sent: Tuesday, January 31, 2012 12:56 PM
> >>>>> To: NT System Admin Issues
> >>>>> Subject: Curious networking anomaly in Win7 Pro box
> >>>>>
> >>>>> All,
> >>>>>
> >>>>> Just one machine in our UK office is affected, and I haven't been
> >>>>> able to figure it out. All other machines seem to be working fine.
> >>>>>
> >>>>> This one laptop cannot talk to a few addresses in our US server
> >>>>> subnet.
> >>>>>
> >>>>> For instance, this machine can ping the file server, and the Exchange
> >>>>> server, but not the DCs, nor a new terminal server, nor the address
> >>>>> of the router on that subnet. However, all of the machines he's
> >>>>> trying to ping by name resolve to correct IP addresses.
> >>>>>
> >>>>> We put Wireshark on this machine, and it thinks it's emitting the ICMP
> >>>>> packets, but when I fired up tcpdump on the internal interface of the
> >>>>> firewall for his office, I verified that it was not seeing packets
> >>>>> for those machines that he was trying to ping, and it was seeing
> >>>>> packets for the machines to which he was able to connect.
> >>>>>
> >>>>> I did a 'route print', to see if there were something odd there, but
> >>>>> saw nothing interesting.
> >>>>>
> >>>>> A malware scan came up clean - and it's a new install of Win7 Pro
> >>>>> over XP.
> >>>>>
> >>>>> I turned off any services that looked interesting, including the
> >>>>> Aventail connection service, the Windows firewall, and a couple of
> >>>>> others, with no change in result.
> >>>>>
> >>>>> Haven't had a chance to examine the event logs on the laptop. The
> >>>>> laptop is probably going to be wiped before I can work with him on it
> >>>>> again, but I'm still very curious. Has anyone seen anything like this
> >>>>> before?
> >>>>>
> >>>>> Kurt
> >>>
> >>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >>>
> >>> ---
> >>> To manage subscriptions click here:
> >>> http://lyris.sunbelt-software.com/read/my_forums/
> >>> or send an email to [email protected]
> >>> with the body: unsubscribe ntsysadmin
