Partial Internet Access?

About 36 hours ago, our network started experiencing sporadic internet
access problems. Several workstations can't access certain sites, like
weather.com, msn.com, and a few others. Most of these workstations are
DHCP clients, but even changing them to a static address doesn't
change anything. Moreso, our Intranet server with a static IP cannot
access these sites. My workstation, with static IP has no problem with
any of these sites. Same with my laptop which is DHCP.

We have a cable modem connected to a Win2003 server performing RRAS.
Additionally, we have an internal DNS server which is also our
Exchange server. We've had no problems with mail delivery. On the RRAS
server, I ran Wireshark (Ethereal) just looking at the packets between
our Intranet Server and browsing to weather.com. Below are the packets
captured:

No. Time Source Destination Protocol Info
1 0 10.1.1.2 63.111.69.12 TCP 1464 > http [SYN] Seq=0 Len=0 MSS=1460
2 0.021966 63.111.69.12 10.1.1.2 TCP http > 1464 [SYN, ACK] Seq=0
Ack=1 Win=8190 Len=0 MSS=1460
3 0.022138 10.1.1.2 63.111.69.12 TCP 1464 > http [ACK] Seq=1 Ack=1
Win=17520 Len=0
4 0.022663 10.1.1.2 63.111.69.12 HTTP GET / HTTP/1.1
5 0.062575 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
6 0.062991 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
7 0.063234 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
8 0.063373 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#1] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
9 0.06346 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#2] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
10 0.064484 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#3] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
11 0.093364 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
12 0.094781 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#4] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
13 0.119296 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
14 0.119645 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#5] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
15 0.142619 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
16 0.142999 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#6] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
17 0.171006 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
18 0.172441 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#7] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
19 0.198084 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
20 0.198463 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#8] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
21 0.222154 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
22 0.223583 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#9] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
23 0.246201 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
24 0.246589 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#10] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0
25 0.275507 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
0x06, off=1280)
26 0.276952 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#11] 1464 > http
[ACK] Seq=341 Ack=1 Win=17520 Len=0


This sequence happens for any of the sites that the server can't
connect to. I can't explain why this server and some of the
workstations are having this sudden problem. Any suggestions?

Thanks,

Ron

Could be a DNS problem. Are they all set up for the same dns servers?

"Ron" wrote:

> About 36 hours ago, our network started experiencing sporadic internet
> access problems. Several workstations can't access certain sites, like
> weather.com, msn.com, and a few others. Most of these workstations are
> DHCP clients, but even changing them to a static address doesn't
> change anything. Moreso, our Intranet server with a static IP cannot
> access these sites. My workstation, with static IP has no problem with
> any of these sites. Same with my laptop which is DHCP.
>
> We have a cable modem connected to a Win2003 server performing RRAS.
> Additionally, we have an internal DNS server which is also our
> Exchange server. We've had no problems with mail delivery. On the RRAS
> server, I ran Wireshark (Ethereal) just looking at the packets between
> our Intranet Server and browsing to weather.com. Below are the packets
> captured:
>
> No. Time Source Destination Protocol Info
> 1 0 10.1.1.2 63.111.69.12 TCP 1464 > http [SYN] Seq=0 Len=0 MSS=1460
> 2 0.021966 63.111.69.12 10.1.1.2 TCP http > 1464 [SYN, ACK] Seq=0
> Ack=1 Win=8190 Len=0 MSS=1460
> 3 0.022138 10.1.1.2 63.111.69.12 TCP 1464 > http [ACK] Seq=1 Ack=1
> Win=17520 Len=0
> 4 0.022663 10.1.1.2 63.111.69.12 HTTP GET / HTTP/1.1
> 5 0.062575 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 6 0.062991 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 7 0.063234 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 8 0.063373 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#1] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 9 0.06346 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#2] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 10 0.064484 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#3] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 11 0.093364 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 12 0.094781 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#4] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 13 0.119296 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 14 0.119645 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#5] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 15 0.142619 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 16 0.142999 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#6] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 17 0.171006 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 18 0.172441 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#7] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 19 0.198084 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 20 0.198463 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#8] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 21 0.222154 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 22 0.223583 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#9] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 23 0.246201 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 24 0.246589 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#10] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
> 25 0.275507 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> 0x06, off=1280)
> 26 0.276952 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#11] 1464 > http
> [ACK] Seq=341 Ack=1 Win=17520 Len=0
>
>
> This sequence happens for any of the sites that the server can't
> connect to. I can't explain why this server and some of the
> workstations are having this sudden problem. Any suggestions?
>
> Thanks,
>
> Ron
>
>

On Jun 14, 2:41 pm, Doug P <D...@discussions.microsoft.com> wrote:
> Could be a DNS problem. Are they all set up for the same dns servers?
>
>
>
> "Ron" wrote:
> > About 36 hours ago, our network started experiencing sporadic internet
> > access problems. Several workstations can't access certain sites, like
> > weather.com, msn.com, and a few others. Most of these workstations are
> > DHCP clients, but even changing them to a static address doesn't
> > change anything. Moreso, our Intranet server with a static IP cannot
> > access these sites. My workstation, with static IP has no problem with
> > any of these sites. Same with my laptop which is DHCP.
>
> > We have a cable modem connected to a Win2003 server performing RRAS.
> > Additionally, we have an internal DNS server which is also our
> > Exchange server. We've had no problems with mail delivery. On the RRAS
> > server, I ran Wireshark (Ethereal) just looking at the packets between
> > our Intranet Server and browsing to weather.com. Below are the packets
> > captured:
>
> > No. Time Source Destination Protocol Info
> > 1 0 10.1.1.2 63.111.69.12 TCP 1464 > http [SYN] Seq=0 Len=0 MSS=1460
> > 2 0.021966 63.111.69.12 10.1.1.2 TCP http > 1464 [SYN, ACK] Seq=0
> > Ack=1 Win=8190 Len=0 MSS=1460
> > 3 0.022138 10.1.1.2 63.111.69.12 TCP 1464 > http [ACK] Seq=1 Ack=1
> > Win=17520 Len=0
> > 4 0.022663 10.1.1.2 63.111.69.12 HTTP GET / HTTP/1.1
> > 5 0.062575 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 6 0.062991 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 7 0.063234 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 8 0.063373 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#1] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 9 0.06346 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#2] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 10 0.064484 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#3] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 11 0.093364 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 12 0.094781 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#4] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 13 0.119296 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 14 0.119645 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#5] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 15 0.142619 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 16 0.142999 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#6] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 17 0.171006 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 18 0.172441 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#7] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 19 0.198084 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 20 0.198463 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#8] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 21 0.222154 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 22 0.223583 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#9] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 23 0.246201 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 24 0.246589 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#10] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
> > 25 0.275507 63.111.69.12 10.1.1.2 IP Fragmented IP protocol (proto=TCP
> > 0x06, off=1280)
> > 26 0.276952 10.1.1.2 63.111.69.12 TCP [TCP Dup ACK 4#11] 1464 > http
> > [ACK] Seq=341 Ack=1 Win=17520 Len=0
>
> > This sequence happens for any of the sites that the server can't
> > connect to. I can't explain why this server and some of the
> > workstations are having this sudden problem. Any suggestions?
>
> > Thanks,
>
> > Ron- Hide quoted text -
>
> - Show quoted text -

Turns out it was an MTU problem. Somehow, all the interfaces on the
RRAS server had their MTU set to 1300. I suspect a Cisco VPN client
install made those changes. I went to an affected computer and changed
it's MTU value to 1300 and the problem web sites came up! What's
interesting is that is was only certain web site where this occurred.
I'm installing SP2 on the RRAS right now. Once it's done, I'll remove
the MTU settings and reboot it. It's been a very "educational" couple
of days!