Can't Connect to Win2008 Server from 1 of several subnets

 
 
Scott Townsend
      10-09-2008, 06:28 PM
So I have three Server machines
10.1.0.10 Win2003 Server DC
10.1.0.17 Win2008 Server DC/File Server
10.1.0.19 Win2008 Server Hyper-V Server

Nothing fancy on the servers.


I can Ping all of them from the router's Ethernet Interface (on the
same Subnet).
If I ping using the Serial 0 as the source Address, I can only Ping
.10 and .19

Same if I go from the servers to 10.254.0.37, 10.1.0.17 cannot Ping.

10.1.0.17 can ping things in other Subnets, just not from Serial0 of
the 1 router ...


To Troubleshoot, I added an IP Address to 10.1.0.17: 10.1.0.16.
Did the Ping tests again. I could not Ping 10.1.0.16.

I Removed 10.1.0.16 from 10.1.0.17 and added it to 10.1.0.10

So now 10.1.0.10 and 10.1.0.16 are the same machine.
I can now Ping 10.1.0.16....

So it's the Server that is preventing it somehow...

Any Suggestions?


 
Phillip Windell
      10-09-2008, 06:51 PM
"Scott Townsend" wrote in message:
> So I have three Server machines
> 10.1.0.10 Win2003 Server DC
> 10.1.0.17 Win2008 Server DC/File Server
> 10.1.0.19 Win2008 Server Hyper-V Server


Possibles:

1. ACLs on the LAN router that you don't know are there

2. Improper TCP/IP Config on the Servers,...particularly in the area of the
Mask or DFG

3. Invalid or improper "static routes" on the servers that you don't know
are there

4. Flaw in the LAN's "routing scheme"

5. Host-Based "firewalls" on some, all, or any of the machines involved that
either aren't configured properly or just should not be there to begin with.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Scott Townsend
      10-09-2008, 07:47 PM
Thank you for your reply...

1) There are no ACLs on the router as this is just a Site to Site router
that we want all traffic to pass.

2) The Mask on the servers & Ethernet0 on the routers are all 255.255.0.0
The Mask on the Serial Port is 255.255.255.252,
DFG?

3) I've done a Route Print on the servers/routers and everything looks in
order.

4) Every other machine I've tried can reach the Router's Serial Port and
the far end devices on the other end of the remote router.

5) Firewall is off on the machine that does not work.


Since the machine that does not work is on the same Switch as the machine
next to it and it can talk to the router's serial port just fine, I would
think that the Router is set up to handle the traffic and pass the data.

If I took an IP on the machine that didn't work and moved that IP to a
machine that does work and now that IP address does work... It has to be
something on the machine...

Scott<-
Phillip Windell
      10-09-2008, 08:05 PM
"Scott Townsend" wrote in message:
> Thank you for your reply...
>
> 1) There are no ACLs on the router as this is just a Site to Site router
> that we want all traffic to pass.


Being a site-to-Site link greatly increases the chance of my fourth
suggestion:

4. Flaw in the LAN's "routing scheme"

> 2) The Mask on the servers & Ethernet0 on the routers are all 255.255.0.0
> The Mask on the Serial Port is 255.255.255.252,
> DFG?


Ethernet segments should not be allowed to grow above 250-300
Hosts,..therefore you should be using 255.255.255.0. The 255.255.0.0 would
be used in routing tables to supernet IP segments into a single route table
entry to make the route table more efficient if the network design dictated
that. It is doubtful that this is your problem,..but is something to
consider.

The "252" mask is normal for a WAN link,..no problem there.

> Since the machine that does not work is on the same Switch as the machine
> next to it and it can talk to the router's serial port just fine, I would
> think that the Router is set up to handle the traffic and pass the data.
>
> If I took an IP on the machine that didn't work and moved that IP to a
> machine that does work and now that IP address does work... It has to be
> something on the machine...


I agree, but at the moment there is nothing that jumps out at me. I don't
have any other suggestions right now.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Scott Townsend
      10-09-2008, 08:39 PM
We don't really have too many hosts in each of the Class B Subnets, but we
use parts of the Subnet for Different devices.

10.x.0.x servers
10.x.1.x Other IT Items, WiFi, Printers, etc
10.x.2.x Spare
10.x.3.x DHCP for Clients
10.x.4.x DHCP for Clients.
10.x.5.x Engineer's Testbed.
10.x.6.x Tech Support Testbed.
Etc....

Anyway... I found the issue... I had the Gateway Address set for the
Firewall and not the Router.

Which is interesting, As the firewall has a Static Route for the 10.254.0.36
Subnet that points to the default router that I changed the machine with the
issues to.

So Machine pointed -> Firewall
Firewall Pointed 10.254.0.36 to 10.1.0.1

When I pointed machine -> 10.1.0.1 as default Gateway All is well...

One of the reasons I like to have my Servers DHCP with Reservations...
Though since this was a DC, hard to do that... (-:

Thanks!
Phillip Windell
      10-10-2008, 02:16 PM
"Scott Townsend" wrote in message:

> 10.x.0.x servers
> 10.x.1.x Other IT Items, WiFi, Printers, etc
> 10.x.2.x Spare
> 10.x.3.x DHCP for Clients
> 10.x.4.x DHCP for Clients.
> 10.x.5.x Engineer's Testbed.
> 10.x.6.x Tech Support Testbed.
> Etc....


That's not good. It makes it very difficult to put it back the way it
should be because you have to re-address everything outside of the third
octet you choose the LAN to be. If everything was inside just one of
those, then you just change the Masks and it is fixed. That is really going
to come back and bite you some day. It also wastes a lot of addresses since
you can't use all of them because the subnet would be too big,..yet at the
same time you can't use them for anything else.

The first time you have to setup a Site-to-Site VPN or some kind of Private
Link with some other network,...and they happen to use, say, 10.x.4.x,..you
are going to be really screwed. The more addresses you eat up needlessly
the greater chance of a future address conflict in future projects.

> Anyway... I found the issue... I had the Gateway Address set for the
> Firewall and not the Router.
>
> Which is interesting, As the firewall has a Static Route for the
> 10.254.0.36 Subnet that points to the default router that I changed the
> machine with the issues to.
>
> So Machine pointed -> Firewall
> Firewall Pointed 10.254.0.36 to 10.1.0.1
>
> When I pointed machine -> 10.1.0.1 as default Gateway All is well...


Ah, yes,..this is the kind of thing I was suspecting.

Many more modern Firewalls do not "back route" like the old ones did. This
is a situation where there are multiple IP Segments behind a
Firewall,..while yet the Clients in the same segment as the Firewall use the
Firewall as the DFG *instead* of the LAN Router. This causes the Firewall to
have to loop the client "back" to the LAN Router to get to other
segments,..thereby causing the Firewall to act as a LAN Router.

For security reasons I am not sure I understand well enough to explain,
firewall manufacturers may not let their products do this. Microsoft stopped
allowing ISA Server to do that sometime after the release of ISA2004,..I
don't remember if it was "out of the box" or after a certain Service Pack
level.

So in summary,...the Firewall in a multi-segment LAN should *never* be the
Default Gateway of any Client. The Clients should always use one of the LAN
Routers as a DFG and then let the LAN's Routing Scheme amongst the LAN
Routers determine if something needs to go to the Firewall and then decide
how to get it to the Firewall. At least this is the case with NAT-Based
Firewalls. But with systems based on Winsock Proxying or on CERN Compliant
Web Proxying, they operate by completely different methods and DFGs do not
even play into those at all,..so the firewall never has to be in the default
routing path to begin with.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
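
The failure found and explained in the posts above, as an added example that is not part of the original thread: a small Python model of next-hop selection that flags hosts whose default gateway would have to route traffic back out its own LAN interface. The firewall address 10.1.0.254, its no-hairpin flag and the gateways of 10.1.0.10 and 10.1.0.19 are assumptions; the remaining addresses and masks are taken from the thread.

```python
import ipaddress

# Constructed model of the thread's LAN. Server addresses, the 255.255.0.0 mask,
# router 10.1.0.1 and the 10.254.0.36 serial subnet (mask .252) are from the
# thread; the firewall address and the gateways of .10 and .19 are assumptions.
ROUTER = ipaddress.ip_address("10.1.0.1")
FIREWALL = ipaddress.ip_address("10.1.0.254")  # hypothetical placeholder

# "hairpin": will the device forward a packet back out the interface it came in on?
GATEWAYS = {
    ROUTER: {"hairpin": True, "routes": {"10.254.0.36/30": "direct"}},
    FIREWALL: {"hairpin": False, "routes": {"10.254.0.36/30": str(ROUTER)}},
}

HOSTS = [
    {"ip": "10.1.0.10", "mask": "255.255.0.0", "gw": str(ROUTER)},
    {"ip": "10.1.0.17", "mask": "255.255.0.0", "gw": str(FIREWALL)},
    {"ip": "10.1.0.19", "mask": "255.255.0.0", "gw": str(ROUTER)},
]

def trace(host, dst, max_hops=4):
    """Follow a packet from host towards dst; return (delivered, path)."""
    lan = ipaddress.ip_interface(f"{host['ip']}/{host['mask']}").network
    dst = ipaddress.ip_address(dst)
    path = [host["ip"]]
    if dst in lan:  # on-link: no gateway involved
        return True, path + [str(dst)]
    hop = ipaddress.ip_address(host["gw"])
    for _ in range(max_hops):
        path.append(str(hop))
        dev = GATEWAYS.get(hop)
        if dev is None:
            return False, path + ["unknown gateway"]
        # Longest-prefix match over the device's static routes.
        hits = [n for n in map(ipaddress.ip_network, dev["routes"]) if dst in n]
        if not hits:
            return False, path + ["no route"]
        nxt = dev["routes"][str(max(hits, key=lambda n: n.prefixlen))]
        if nxt == "direct":
            return True, path + [str(dst)]
        nxt = ipaddress.ip_address(nxt)
        if nxt in lan and not dev["hairpin"]:
            return False, path + ["dropped: next hop is back on the LAN side"]
        hop = nxt
    return False, path + ["routing loop"]

def audit(hosts, dst):
    """Return {host_ip: failed_path} for hosts that cannot reach dst."""
    results = {h["ip"]: trace(h, dst) for h in hosts}
    return {ip: " -> ".join(p) for ip, (ok, p) in results.items() if not ok}

if __name__ == "__main__":
    print(audit(HOSTS, "10.254.0.37"))
```

Setting the firewall's `hairpin` flag to `True` in the model reproduces the older "back route" behaviour, where the same host reaches the serial subnet through the firewall and then the router.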


 
Morgan che
      11-04-2008, 02:30 AM
Hi,

I am writing to see if you have any update on this issue. If you need
further assistance, please feel free to post here.

Have a good day.
Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

