Need help to track down web connection issue to our 2K3 server with one client/ISP/IP string?

Hi everyone,

We have been working on the situation below for about 4 days now and are at
a complete loss. I will try to sum this up as briefly as possible, with the
hope that someone might be able to offer us ideas on a resolution that we
have yet to discover.

First some general info:

Our test server runs SBS2K3 with NO ISA installed. It has one NIC, connects
to our cable ISP through a router. All incoming connections except VPN work
perfectly, and the VPN issue is due only to firmware issue in the router. 2
local clients are connected and part of our .local domain. Works perfectly.

RWW and Companyweb sites are correctly published and do not allow anonymous
access. Family members from home, work etc all can surf to our FQDN, and a
login box pops in order for them to sign in before the page loads. They can
also surf to our FQDN:444 and a box appears to have them log in to the
Sharepoint "Companyweb" site.

Just to be clear - everyone in the scenario above can surf to the FQDN and
connect to the server via RWW or the Sharepoint site after logging in
through the pop up box. There are no issues to report.


Now the problem:

We have one person in another location who just got DSL broadband. I built
him the computer in question about 1 week ago and it has XPSP1 and all
updates. This box was able to connect to the above sites when it was here
in our office and connected via our router and ISP.

When this person got connected via his DSL ISP, he tried to surf to our FQDN
and the connection times out - no login box appears. He tried our FQDN:444
and again, no login box appears. It does not get that far. This in and of
itself, is odd behaviour.

Please note: He can surf to any other website on the net. He can connect to
other secure sites, such as his bank. His email and all other connectivity
is perfect. We had him behind a router and then connected directly to his
DSL modem - no change.

He CAN Ping and Tracert to our server and he WAS prompted by our server to
install the security certificate on his first visit attempt. So there IS a
connection of some sort being made, but no login box ever appears and no
page ever loads.

We then briefly allowed anonymous access the our site and he still could not
get a page to display. We changed his browser security and cookie settings,
added us as a trusted site and still nothing. This was a useless step
however as the same box was able to connect through our ISP - AND - if he
connects to the internet using a dial-up modem (same ISP - same box) he CAN
connect. This rules out his box and browser. And, that is the strangest
part.


So therefore, we must have a connectivity issue between this person's
computer (and their DSL ISP) and our server connected to our cable broadband
ISP. Again, all others who have tried can connect without trouble.


Our other step was to query both ISP's, to see if there was an issue. Our
ISP assured us it was not them (especially since all others who have
attempted CAN connect). We contacted the DSL ISP of the person in question
and they were baffled as well. Here is what happened with them:

The tech support guy was able to connect from his terminal. No problem.
However, when he and an upper level tech tried to connect using a test PC
(connected via the same DSL modem as their customers) VOILA! He could not
connect anymore! They thought perhaps this was an issue of their IP string
being blocked by our "hosting company", since all of their DSL customers
begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
different IP's as do folks who use their dial-up service. Since I have no
"hosting company" I checked our server, IIS etc... and we are not blocking
any IP's that I can find anywhere.
They also wrongly suggested that since we have a dynamic (persistent) IP,
that maybe DynDNS was the problem. However, the site resolves when pinging
or running a tracert, so unless this ISP blocks connection to IP's that are
dynamic, this was a none started. And, they assures me that they didn't
block anyone - just a port or two for security - as most ISP's do.

So what can I do now? The client can ping/tracert/retrieve our certificate,
but cannot load our site. Connectivity to our site / server is perfect
otherwise. It now appears that this ISP (or their DSL IP's at least) cannot
get a connection to our server. My depth of knowledge of internet
connectivity protocols is limited, so I ask anyone to throw some ideas my
way so that I may solve this.

Please accept my thanks in advance,

JS

Hi,
Get a netmon capture from the SBS server and from the remote, failing,
client at the same time. Use Netcap on the XP client to get the capture.

This could be caused by a black hole router on the route from the failing
network to yours.
What is the MTU size on the DSL router on the failing side?

For more troubleshooting instructions:

314825 How to Troubleshoot Black Hole Router Issues
http://support.microsoft.com/?id=314825

159211 Diagnoses and Treatment of Black Hole Routers
http://support.microsoft.com/?id=159211

The netmon captures should show the packets leaving one end and never
reaching the other.

Regards,
Damian

--
Damian N. Leibaschoff, MS IST, MCSE
Microsoft Corporation

Get Secure! - www.microsoft.com/security

================================================== ===

When responding to posts, please "Reply to Group" via

your newsreader so that others may learn and benefit

from your issue.

================================================== ===

This posting is provided "AS IS" with no warranties, and confers no rights.
"Jimbo" <(E-Mail Removed)> wrote in message
news:u$(E-Mail Removed)...
> Hi everyone,
>
> We have been working on the situation below for about 4 days now and are
at
> a complete loss. I will try to sum this up as briefly as possible, with
the
> hope that someone might be able to offer us ideas on a resolution that we
> have yet to discover.
>
> First some general info:
>
> Our test server runs SBS2K3 with NO ISA installed. It has one NIC,
connects
> to our cable ISP through a router. All incoming connections except VPN
work
> perfectly, and the VPN issue is due only to firmware issue in the router.
2
> local clients are connected and part of our .local domain. Works
perfectly.
>
> RWW and Companyweb sites are correctly published and do not allow
anonymous
> access. Family members from home, work etc all can surf to our FQDN, and
a
> login box pops in order for them to sign in before the page loads. They
can
> also surf to our FQDN:444 and a box appears to have them log in to the
> Sharepoint "Companyweb" site.
>
> Just to be clear - everyone in the scenario above can surf to the FQDN and
> connect to the server via RWW or the Sharepoint site after logging in
> through the pop up box. There are no issues to report.
>
>
> Now the problem:
>
> We have one person in another location who just got DSL broadband. I built
> him the computer in question about 1 week ago and it has XPSP1 and all
> updates. This box was able to connect to the above sites when it was here
> in our office and connected via our router and ISP.
>
> When this person got connected via his DSL ISP, he tried to surf to our
FQDN
> and the connection times out - no login box appears. He tried our FQDN:444
> and again, no login box appears. It does not get that far. This in and of
> itself, is odd behaviour.
>
> Please note: He can surf to any other website on the net. He can connect
to
> other secure sites, such as his bank. His email and all other
connectivity
> is perfect. We had him behind a router and then connected directly to his
> DSL modem - no change.
>
> He CAN Ping and Tracert to our server and he WAS prompted by our server to
> install the security certificate on his first visit attempt. So there IS a
> connection of some sort being made, but no login box ever appears and no
> page ever loads.
>
> We then briefly allowed anonymous access the our site and he still could
not
> get a page to display. We changed his browser security and cookie
settings,
> added us as a trusted site and still nothing. This was a useless step
> however as the same box was able to connect through our ISP - AND - if he
> connects to the internet using a dial-up modem (same ISP - same box) he
CAN
> connect. This rules out his box and browser. And, that is the strangest
> part.
>
>
> So therefore, we must have a connectivity issue between this person's
> computer (and their DSL ISP) and our server connected to our cable
broadband
> ISP. Again, all others who have tried can connect without trouble.
>
>
> Our other step was to query both ISP's, to see if there was an issue. Our
> ISP assured us it was not them (especially since all others who have
> attempted CAN connect). We contacted the DSL ISP of the person in
question
> and they were baffled as well. Here is what happened with them:
>
> The tech support guy was able to connect from his terminal. No problem.
> However, when he and an upper level tech tried to connect using a test PC
> (connected via the same DSL modem as their customers) VOILA! He could not
> connect anymore! They thought perhaps this was an issue of their IP
string
> being blocked by our "hosting company", since all of their DSL customers
> begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
> different IP's as do folks who use their dial-up service. Since I have no
> "hosting company" I checked our server, IIS etc... and we are not blocking
> any IP's that I can find anywhere.
> They also wrongly suggested that since we have a dynamic (persistent) IP,
> that maybe DynDNS was the problem. However, the site resolves when
pinging
> or running a tracert, so unless this ISP blocks connection to IP's that
are
> dynamic, this was a none started. And, they assures me that they didn't
> block anyone - just a port or two for security - as most ISP's do.
>
> So what can I do now? The client can ping/tracert/retrieve our
certificate,
> but cannot load our site. Connectivity to our site / server is perfect
> otherwise. It now appears that this ISP (or their DSL IP's at least)
cannot
> get a connection to our server. My depth of knowledge of internet
> connectivity protocols is limited, so I ask anyone to throw some ideas my
> way so that I may solve this.
>
> Please accept my thanks in advance,
>
> JS
>
>

HI Damian,

We'll do the netcap this evening when I can get logged on the machine
remotely to set it up. I'll disconnect the remote session however and get
the user to do the actual running - no sense in complicating the data.

The MTU on the DSL is the typical 1492 I believe - cable showing 1500 on our
router. How could I verify these to be sure - by calling the DSL ISP?

Black hole router ... now that would be an issue huh?

JS


"Damian N Leibaschoff [MSFT]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Hi,
> Get a netmon capture from the SBS server and from the remote, failing,
> client at the same time. Use Netcap on the XP client to get the capture.
>
> This could be caused by a black hole router on the route from the failing
> network to yours.
> What is the MTU size on the DSL router on the failing side?
>
> For more troubleshooting instructions:
>
> 314825 How to Troubleshoot Black Hole Router Issues
> http://support.microsoft.com/?id=314825
>
> 159211 Diagnoses and Treatment of Black Hole Routers
> http://support.microsoft.com/?id=159211
>
> The netmon captures should show the packets leaving one end and never
> reaching the other.
>
> Regards,
> Damian
>
> --
> Damian N. Leibaschoff, MS IST, MCSE
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
> ================================================== ===
>
> When responding to posts, please "Reply to Group" via
>
> your newsreader so that others may learn and benefit
>
> from your issue.
>
> ================================================== ===
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> "Jimbo" <(E-Mail Removed)> wrote in message
> news:u$(E-Mail Removed)...
> > Hi everyone,
> >
> > We have been working on the situation below for about 4 days now and are
> at
> > a complete loss. I will try to sum this up as briefly as possible, with
> the
> > hope that someone might be able to offer us ideas on a resolution that
we
> > have yet to discover.
> >
> > First some general info:
> >
> > Our test server runs SBS2K3 with NO ISA installed. It has one NIC,
> connects
> > to our cable ISP through a router. All incoming connections except VPN
> work
> > perfectly, and the VPN issue is due only to firmware issue in the
router.
> 2
> > local clients are connected and part of our .local domain. Works
> perfectly.
> >
> > RWW and Companyweb sites are correctly published and do not allow
> anonymous
> > access. Family members from home, work etc all can surf to our FQDN,
and
> a
> > login box pops in order for them to sign in before the page loads. They
> can
> > also surf to our FQDN:444 and a box appears to have them log in to the
> > Sharepoint "Companyweb" site.
> >
> > Just to be clear - everyone in the scenario above can surf to the FQDN
and
> > connect to the server via RWW or the Sharepoint site after logging in
> > through the pop up box. There are no issues to report.
> >
> >
> > Now the problem:
> >
> > We have one person in another location who just got DSL broadband. I
built
> > him the computer in question about 1 week ago and it has XPSP1 and all
> > updates. This box was able to connect to the above sites when it was
here
> > in our office and connected via our router and ISP.
> >
> > When this person got connected via his DSL ISP, he tried to surf to our
> FQDN
> > and the connection times out - no login box appears. He tried our
FQDN:444
> > and again, no login box appears. It does not get that far. This in and
of
> > itself, is odd behaviour.
> >
> > Please note: He can surf to any other website on the net. He can
connect
> to
> > other secure sites, such as his bank. His email and all other
> connectivity
> > is perfect. We had him behind a router and then connected directly to
his
> > DSL modem - no change.
> >
> > He CAN Ping and Tracert to our server and he WAS prompted by our server
to
> > install the security certificate on his first visit attempt. So there IS
a
> > connection of some sort being made, but no login box ever appears and no
> > page ever loads.
> >
> > We then briefly allowed anonymous access the our site and he still could
> not
> > get a page to display. We changed his browser security and cookie
> settings,
> > added us as a trusted site and still nothing. This was a useless step
> > however as the same box was able to connect through our ISP - AND - if
he
> > connects to the internet using a dial-up modem (same ISP - same box) he
> CAN
> > connect. This rules out his box and browser. And, that is the strangest
> > part.
> >
> >
> > So therefore, we must have a connectivity issue between this person's
> > computer (and their DSL ISP) and our server connected to our cable
> broadband
> > ISP. Again, all others who have tried can connect without trouble.
> >
> >
> > Our other step was to query both ISP's, to see if there was an issue.
Our
> > ISP assured us it was not them (especially since all others who have
> > attempted CAN connect). We contacted the DSL ISP of the person in
> question
> > and they were baffled as well. Here is what happened with them:
> >
> > The tech support guy was able to connect from his terminal. No problem.
> > However, when he and an upper level tech tried to connect using a test
PC
> > (connected via the same DSL modem as their customers) VOILA! He could
not
> > connect anymore! They thought perhaps this was an issue of their IP
> string
> > being blocked by our "hosting company", since all of their DSL customers
> > begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
> > different IP's as do folks who use their dial-up service. Since I have
no
> > "hosting company" I checked our server, IIS etc... and we are not
blocking
> > any IP's that I can find anywhere.
> > They also wrongly suggested that since we have a dynamic (persistent)
IP,
> > that maybe DynDNS was the problem. However, the site resolves when
> pinging
> > or running a tracert, so unless this ISP blocks connection to IP's that
> are
> > dynamic, this was a none started. And, they assures me that they didn't
> > block anyone - just a port or two for security - as most ISP's do.
> >
> > So what can I do now? The client can ping/tracert/retrieve our
> certificate,
> > but cannot load our site. Connectivity to our site / server is perfect
> > otherwise. It now appears that this ISP (or their DSL IP's at least)
> cannot
> > get a connection to our server. My depth of knowledge of internet
> > connectivity protocols is limited, so I ask anyone to throw some ideas
my
> > way so that I may solve this.
> >
> > Please accept my thanks in advance,
> >
> > JS
> >
> >
>
>

PS:

We have the DSL modem direct to XP box now, so likely MTU is default XP
1480.

JS



"Damian N Leibaschoff [MSFT]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Hi,
> Get a netmon capture from the SBS server and from the remote, failing,
> client at the same time. Use Netcap on the XP client to get the capture.
>
> This could be caused by a black hole router on the route from the failing
> network to yours.
> What is the MTU size on the DSL router on the failing side?
>
> For more troubleshooting instructions:
>
> 314825 How to Troubleshoot Black Hole Router Issues
> http://support.microsoft.com/?id=314825
>
> 159211 Diagnoses and Treatment of Black Hole Routers
> http://support.microsoft.com/?id=159211
>
> The netmon captures should show the packets leaving one end and never
> reaching the other.
>
> Regards,
> Damian
>
> --
> Damian N. Leibaschoff, MS IST, MCSE
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
> ================================================== ===
>
> When responding to posts, please "Reply to Group" via
>
> your newsreader so that others may learn and benefit
>
> from your issue.
>
> ================================================== ===
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> "Jimbo" <(E-Mail Removed)> wrote in message
> news:u$(E-Mail Removed)...
> > Hi everyone,
> >
> > We have been working on the situation below for about 4 days now and are
> at
> > a complete loss. I will try to sum this up as briefly as possible, with
> the
> > hope that someone might be able to offer us ideas on a resolution that
we
> > have yet to discover.
> >
> > First some general info:
> >
> > Our test server runs SBS2K3 with NO ISA installed. It has one NIC,
> connects
> > to our cable ISP through a router. All incoming connections except VPN
> work
> > perfectly, and the VPN issue is due only to firmware issue in the
router.
> 2
> > local clients are connected and part of our .local domain. Works
> perfectly.
> >
> > RWW and Companyweb sites are correctly published and do not allow
> anonymous
> > access. Family members from home, work etc all can surf to our FQDN,
and
> a
> > login box pops in order for them to sign in before the page loads. They
> can
> > also surf to our FQDN:444 and a box appears to have them log in to the
> > Sharepoint "Companyweb" site.
> >
> > Just to be clear - everyone in the scenario above can surf to the FQDN
and
> > connect to the server via RWW or the Sharepoint site after logging in
> > through the pop up box. There are no issues to report.
> >
> >
> > Now the problem:
> >
> > We have one person in another location who just got DSL broadband. I
built
> > him the computer in question about 1 week ago and it has XPSP1 and all
> > updates. This box was able to connect to the above sites when it was
here
> > in our office and connected via our router and ISP.
> >
> > When this person got connected via his DSL ISP, he tried to surf to our
> FQDN
> > and the connection times out - no login box appears. He tried our
FQDN:444
> > and again, no login box appears. It does not get that far. This in and
of
> > itself, is odd behaviour.
> >
> > Please note: He can surf to any other website on the net. He can
connect
> to
> > other secure sites, such as his bank. His email and all other
> connectivity
> > is perfect. We had him behind a router and then connected directly to
his
> > DSL modem - no change.
> >
> > He CAN Ping and Tracert to our server and he WAS prompted by our server
to
> > install the security certificate on his first visit attempt. So there IS
a
> > connection of some sort being made, but no login box ever appears and no
> > page ever loads.
> >
> > We then briefly allowed anonymous access the our site and he still could
> not
> > get a page to display. We changed his browser security and cookie
> settings,
> > added us as a trusted site and still nothing. This was a useless step
> > however as the same box was able to connect through our ISP - AND - if
he
> > connects to the internet using a dial-up modem (same ISP - same box) he
> CAN
> > connect. This rules out his box and browser. And, that is the strangest
> > part.
> >
> >
> > So therefore, we must have a connectivity issue between this person's
> > computer (and their DSL ISP) and our server connected to our cable
> broadband
> > ISP. Again, all others who have tried can connect without trouble.
> >
> >
> > Our other step was to query both ISP's, to see if there was an issue.
Our
> > ISP assured us it was not them (especially since all others who have
> > attempted CAN connect). We contacted the DSL ISP of the person in
> question
> > and they were baffled as well. Here is what happened with them:
> >
> > The tech support guy was able to connect from his terminal. No problem.
> > However, when he and an upper level tech tried to connect using a test
PC
> > (connected via the same DSL modem as their customers) VOILA! He could
not
> > connect anymore! They thought perhaps this was an issue of their IP
> string
> > being blocked by our "hosting company", since all of their DSL customers
> > begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
> > different IP's as do folks who use their dial-up service. Since I have
no
> > "hosting company" I checked our server, IIS etc... and we are not
blocking
> > any IP's that I can find anywhere.
> > They also wrongly suggested that since we have a dynamic (persistent)
IP,
> > that maybe DynDNS was the problem. However, the site resolves when
> pinging
> > or running a tracert, so unless this ISP blocks connection to IP's that
> are
> > dynamic, this was a none started. And, they assures me that they didn't
> > block anyone - just a port or two for security - as most ISP's do.
> >
> > So what can I do now? The client can ping/tracert/retrieve our
> certificate,
> > but cannot load our site. Connectivity to our site / server is perfect
> > otherwise. It now appears that this ISP (or their DSL IP's at least)
> cannot
> > get a connection to our server. My depth of knowledge of internet
> > connectivity protocols is limited, so I ask anyone to throw some ideas
my
> > way so that I may solve this.
> >
> > Please accept my thanks in advance,
> >
> > JS
> >
> >
>
>

The most common problem is a router in the path that has a lower MTU and is
just dropping the packets without telling anyone.
The articles will describe steps to find out the maximum common MTU on the
route.

Regards,
Damian

--
Damian N. Leibaschoff, MS IST, MCSE
Microsoft Corporation

Get Secure! - www.microsoft.com/security

================================================== ===

When responding to posts, please "Reply to Group" via

your newsreader so that others may learn and benefit

from your issue.

================================================== ===

This posting is provided "AS IS" with no warranties, and confers no rights.
"Jimbo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> PS:
>
> We have the DSL modem direct to XP box now, so likely MTU is default XP
> 1480.
>
> JS
>
>
>
> "Damian N Leibaschoff [MSFT]" <(E-Mail Removed)> wrote in
> message news:(E-Mail Removed)...
> > Hi,
> > Get a netmon capture from the SBS server and from the remote, failing,
> > client at the same time. Use Netcap on the XP client to get the capture.
> >
> > This could be caused by a black hole router on the route from the
failing
> > network to yours.
> > What is the MTU size on the DSL router on the failing side?
> >
> > For more troubleshooting instructions:
> >
> > 314825 How to Troubleshoot Black Hole Router Issues
> > http://support.microsoft.com/?id=314825
> >
> > 159211 Diagnoses and Treatment of Black Hole Routers
> > http://support.microsoft.com/?id=159211
> >
> > The netmon captures should show the packets leaving one end and never
> > reaching the other.
> >
> > Regards,
> > Damian
> >
> > --
> > Damian N. Leibaschoff, MS IST, MCSE
> > Microsoft Corporation
> >
> > Get Secure! - www.microsoft.com/security
> >
> > ================================================== ===
> >
> > When responding to posts, please "Reply to Group" via
> >
> > your newsreader so that others may learn and benefit
> >
> > from your issue.
> >
> > ================================================== ===
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > "Jimbo" <(E-Mail Removed)> wrote in message
> > news:u$(E-Mail Removed)...
> > > Hi everyone,
> > >
> > > We have been working on the situation below for about 4 days now and
are
> > at
> > > a complete loss. I will try to sum this up as briefly as possible,
with
> > the
> > > hope that someone might be able to offer us ideas on a resolution that
> we
> > > have yet to discover.
> > >
> > > First some general info:
> > >
> > > Our test server runs SBS2K3 with NO ISA installed. It has one NIC,
> > connects
> > > to our cable ISP through a router. All incoming connections except
VPN
> > work
> > > perfectly, and the VPN issue is due only to firmware issue in the
> router.
> > 2
> > > local clients are connected and part of our .local domain. Works
> > perfectly.
> > >
> > > RWW and Companyweb sites are correctly published and do not allow
> > anonymous
> > > access. Family members from home, work etc all can surf to our FQDN,
> and
> > a
> > > login box pops in order for them to sign in before the page loads.
They
> > can
> > > also surf to our FQDN:444 and a box appears to have them log in to the
> > > Sharepoint "Companyweb" site.
> > >
> > > Just to be clear - everyone in the scenario above can surf to the FQDN
> and
> > > connect to the server via RWW or the Sharepoint site after logging in
> > > through the pop up box. There are no issues to report.
> > >
> > >
> > > Now the problem:
> > >
> > > We have one person in another location who just got DSL broadband. I
> built
> > > him the computer in question about 1 week ago and it has XPSP1 and all
> > > updates. This box was able to connect to the above sites when it was
> here
> > > in our office and connected via our router and ISP.
> > >
> > > When this person got connected via his DSL ISP, he tried to surf to
our
> > FQDN
> > > and the connection times out - no login box appears. He tried our
> FQDN:444
> > > and again, no login box appears. It does not get that far. This in
and
> of
> > > itself, is odd behaviour.
> > >
> > > Please note: He can surf to any other website on the net. He can
> connect
> > to
> > > other secure sites, such as his bank. His email and all other
> > connectivity
> > > is perfect. We had him behind a router and then connected directly to
> his
> > > DSL modem - no change.
> > >
> > > He CAN Ping and Tracert to our server and he WAS prompted by our
server
> to
> > > install the security certificate on his first visit attempt. So there
IS
> a
> > > connection of some sort being made, but no login box ever appears and
no
> > > page ever loads.
> > >
> > > We then briefly allowed anonymous access the our site and he still
could
> > not
> > > get a page to display. We changed his browser security and cookie
> > settings,
> > > added us as a trusted site and still nothing. This was a useless step
> > > however as the same box was able to connect through our ISP - AND -
if
> he
> > > connects to the internet using a dial-up modem (same ISP - same box)
he
> > CAN
> > > connect. This rules out his box and browser. And, that is the
strangest
> > > part.
> > >
> > >
> > > So therefore, we must have a connectivity issue between this person's
> > > computer (and their DSL ISP) and our server connected to our cable
> > broadband
> > > ISP. Again, all others who have tried can connect without trouble.
> > >
> > >
> > > Our other step was to query both ISP's, to see if there was an issue.
> Our
> > > ISP assured us it was not them (especially since all others who have
> > > attempted CAN connect). We contacted the DSL ISP of the person in
> > question
> > > and they were baffled as well. Here is what happened with them:
> > >
> > > The tech support guy was able to connect from his terminal. No
problem.
> > > However, when he and an upper level tech tried to connect using a test
> PC
> > > (connected via the same DSL modem as their customers) VOILA! He could
> not
> > > connect anymore! They thought perhaps this was an issue of their IP
> > string
> > > being blocked by our "hosting company", since all of their DSL
customers
> > > begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
> > > different IP's as do folks who use their dial-up service. Since I
have
> no
> > > "hosting company" I checked our server, IIS etc... and we are not
> blocking
> > > any IP's that I can find anywhere.
> > > They also wrongly suggested that since we have a dynamic (persistent)
> IP,
> > > that maybe DynDNS was the problem. However, the site resolves when
> > pinging
> > > or running a tracert, so unless this ISP blocks connection to IP's
that
> > are
> > > dynamic, this was a none started. And, they assures me that they
didn't
> > > block anyone - just a port or two for security - as most ISP's do.
> > >
> > > So what can I do now? The client can ping/tracert/retrieve our
> > certificate,
> > > but cannot load our site. Connectivity to our site / server is
perfect
> > > otherwise. It now appears that this ISP (or their DSL IP's at least)
> > cannot
> > > get a connection to our server. My depth of knowledge of internet
> > > connectivity protocols is limited, so I ask anyone to throw some ideas
> my
> > > way so that I may solve this.
> > >
> > > Please accept my thanks in advance,
> > >
> > > JS
> > >
> > >
> >
> >
>
>

Hi Damian,

FIXED.

MTU was the culprit and I have reported my findings to both ISP's, if they
care to look into it.

We adjusted the MTU on the remote computer and it is functioning perfectly.

Thanks to everyone for pointing me in the right direction. As always, this
is a wonderful group to turn to.

JS


Damian N Leibaschoff [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> The most common problem is a router in the path that has a lower MTU and
is
> just dropping the packets without telling anyone.
> The articles will describe steps to find out the maximum common MTU on the
> route.
>
> Regards,
> Damian
>
> --
> Damian N. Leibaschoff, MS IST, MCSE
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
> ================================================== ===
>
> When responding to posts, please "Reply to Group" via
>
> your newsreader so that others may learn and benefit
>
> from your issue.
>
> ================================================== ===
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> "Jimbo" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > PS:
> >
> > We have the DSL modem direct to XP box now, so likely MTU is default XP
> > 1480.
> >
> > JS
> >
> >
> >
> > "Damian N Leibaschoff [MSFT]" <(E-Mail Removed)> wrote in
> > message news:(E-Mail Removed)...
> > > Hi,
> > > Get a netmon capture from the SBS server and from the remote, failing,
> > > client at the same time. Use Netcap on the XP client to get the
capture.
> > >
> > > This could be caused by a black hole router on the route from the
> failing
> > > network to yours.
> > > What is the MTU size on the DSL router on the failing side?
> > >
> > > For more troubleshooting instructions:
> > >
> > > 314825 How to Troubleshoot Black Hole Router Issues
> > > http://support.microsoft.com/?id=314825
> > >
> > > 159211 Diagnoses and Treatment of Black Hole Routers
> > > http://support.microsoft.com/?id=159211
> > >
> > > The netmon captures should show the packets leaving one end and never
> > > reaching the other.
> > >
> > > Regards,
> > > Damian
> > >
> > > --
> > > Damian N. Leibaschoff, MS IST, MCSE
> > > Microsoft Corporation
> > >
> > > Get Secure! - www.microsoft.com/security
> > >
> > > ================================================== ===
> > >
> > > When responding to posts, please "Reply to Group" via
> > >
> > > your newsreader so that others may learn and benefit
> > >
> > > from your issue.
> > >
> > > ================================================== ===
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > "Jimbo" <(E-Mail Removed)> wrote in message
> > > news:u$(E-Mail Removed)...
> > > > Hi everyone,
> > > >
> > > > We have been working on the situation below for about 4 days now and
> are
> > > at
> > > > a complete loss. I will try to sum this up as briefly as possible,
> with
> > > the
> > > > hope that someone might be able to offer us ideas on a resolution
that
> > we
> > > > have yet to discover.
> > > >
> > > > First some general info:
> > > >
> > > > Our test server runs SBS2K3 with NO ISA installed. It has one NIC,
> > > connects
> > > > to our cable ISP through a router. All incoming connections except
> VPN
> > > work
> > > > perfectly, and the VPN issue is due only to firmware issue in the
> > router.
> > > 2
> > > > local clients are connected and part of our .local domain. Works
> > > perfectly.
> > > >
> > > > RWW and Companyweb sites are correctly published and do not allow
> > > anonymous
> > > > access. Family members from home, work etc all can surf to our
FQDN,
> > and
> > > a
> > > > login box pops in order for them to sign in before the page loads.
> They
> > > can
> > > > also surf to our FQDN:444 and a box appears to have them log in to
the
> > > > Sharepoint "Companyweb" site.
> > > >
> > > > Just to be clear - everyone in the scenario above can surf to the
FQDN
> > and
> > > > connect to the server via RWW or the Sharepoint site after logging
in
> > > > through the pop up box. There are no issues to report.
> > > >
> > > >
> > > > Now the problem:
> > > >
> > > > We have one person in another location who just got DSL broadband. I
> > built
> > > > him the computer in question about 1 week ago and it has XPSP1 and
all
> > > > updates. This box was able to connect to the above sites when it
was
> > here
> > > > in our office and connected via our router and ISP.
> > > >
> > > > When this person got connected via his DSL ISP, he tried to surf to
> our
> > > FQDN
> > > > and the connection times out - no login box appears. He tried our
> > FQDN:444
> > > > and again, no login box appears. It does not get that far. This in
> and
> > of
> > > > itself, is odd behaviour.
> > > >
> > > > Please note: He can surf to any other website on the net. He can
> > connect
> > > to
> > > > other secure sites, such as his bank. His email and all other
> > > connectivity
> > > > is perfect. We had him behind a router and then connected directly
to
> > his
> > > > DSL modem - no change.
> > > >
> > > > He CAN Ping and Tracert to our server and he WAS prompted by our
> server
> > to
> > > > install the security certificate on his first visit attempt. So
there
> IS
> > a
> > > > connection of some sort being made, but no login box ever appears
and
> no
> > > > page ever loads.
> > > >
> > > > We then briefly allowed anonymous access the our site and he still
> could
> > > not
> > > > get a page to display. We changed his browser security and cookie
> > > settings,
> > > > added us as a trusted site and still nothing. This was a useless
step
> > > > however as the same box was able to connect through our ISP - AND -
> if
> > he
> > > > connects to the internet using a dial-up modem (same ISP - same box)
> he
> > > CAN
> > > > connect. This rules out his box and browser. And, that is the
> strangest
> > > > part.
> > > >
> > > >
> > > > So therefore, we must have a connectivity issue between this
person's
> > > > computer (and their DSL ISP) and our server connected to our cable
> > > broadband
> > > > ISP. Again, all others who have tried can connect without trouble.
> > > >
> > > >
> > > > Our other step was to query both ISP's, to see if there was an
issue.
> > Our
> > > > ISP assured us it was not them (especially since all others who have
> > > > attempted CAN connect). We contacted the DSL ISP of the person in
> > > question
> > > > and they were baffled as well. Here is what happened with them:
> > > >
> > > > The tech support guy was able to connect from his terminal. No
> problem.
> > > > However, when he and an upper level tech tried to connect using a
test
> > PC
> > > > (connected via the same DSL modem as their customers) VOILA! He
could
> > not
> > > > connect anymore! They thought perhaps this was an issue of their IP
> > > string
> > > > being blocked by our "hosting company", since all of their DSL
> customers
> > > > begin with 156.34.xxx.xxx. Their tech support terminals use a T3
with
> > > > different IP's as do folks who use their dial-up service. Since I
> have
> > no
> > > > "hosting company" I checked our server, IIS etc... and we are not
> > blocking
> > > > any IP's that I can find anywhere.
> > > > They also wrongly suggested that since we have a dynamic
(persistent)
> > IP,
> > > > that maybe DynDNS was the problem. However, the site resolves when
> > > pinging
> > > > or running a tracert, so unless this ISP blocks connection to IP's
> that
> > > are
> > > > dynamic, this was a none started. And, they assures me that they
> didn't
> > > > block anyone - just a port or two for security - as most ISP's do.
> > > >
> > > > So what can I do now? The client can ping/tracert/retrieve our
> > > certificate,
> > > > but cannot load our site. Connectivity to our site / server is
> perfect
> > > > otherwise. It now appears that this ISP (or their DSL IP's at
least)
> > > cannot
> > > > get a connection to our server. My depth of knowledge of internet
> > > > connectivity protocols is limited, so I ask anyone to throw some
ideas
> > my
> > > > way so that I may solve this.
> > > >
> > > > Please accept my thanks in advance,
> > > >
> > > > JS
> > > >
> > > >
> > >
> > >
> >
> >
>
>