router loses all traffic apart from incoming on port 25.

 
 
kevin bailey

 
      03-14-2006, 12:17 AM
hi,

there is an intermittent problem with a BT supplied siemens 5830 router.

i'm not on site but this is what i've gleaned.

the internet service provided is by BT connect and is where they supply the
line activation and a router. this was originally a BT 5861 but due to it
being damaged during electrical work it has been replaced by a siemens
5830. since then there have been intermittent network problems -
everything else is the same as before.

several times a day the network loses internet connectivity almost
completely. it seems to be fixed by restarting the siemens (but i'm not
100% sure about this).

BT are saying that everything is fine their end.

the customer has 6 usable static IP addresses assigned - the siemens router
uses one of the addresses itself - another address has been assigned to the
WAN port of a netgear FVS318 which is connected directly to one of the LAN
ports on the siemens router.

as far as i'm aware - the siemens should receive traffic for all 6 IP
addresses and pass traffic not for itself through to its LAN side - the
netgear will then receive traffic for the IP address which it has been
assigned with.

also, the siemens should be set up as no-nat.

i'm more familiar with setups where there is one static IP address supplied.

this seemed to be the setup in place when i was first called to the client.
they had a d-link gateway/router then which i replaced with the netgear due
to VPN capabilities.

the PC's pick up network settings via DHCP from the netgear and request web
pages via the netgear using NAT. no server is involved.

when the connection goes down almost everything stops - no web pages for the
PC's and the VPN stops responding.

however, they have their own unix email server on site, the email traffic is
port forwarded from the netgear to this server, and this traffic is *not*
affected.

so most normal traffic stops completely - but incoming traffic on port 25 is
forwarded normally and quickly no problem at all.



any ideas gratefully received - this is a training college and the students
carry out online exams which time out and are declared void. a quick fix
for this would be fantastic help.


my own ideas:

1. maybe the siemens router is at fault - although it is a brand new siemens
5830 it is the only hardware component which is different from their
original setup.

maybe i should get hold of a BT/alcatel 5861 - someone suggested ebay and
they are available - and set it up myself.

i don't want to experiment with the siemens as at least there is usually
connectivity at the moment and i have no other connection to fall back on.

2. maybe the netgear was damaged when the building's electrical power was
switched off and then on again.

3. something on their LAN is infected and is nailing the connection in
bursts. all PC's are locked down using group policies which only allow a
limited applications to run - but, there are PC's which i've not set up
which are an unknown to me. they are supposed to have AV stuff installed
but...

to check it i could insert a hub into the connection and monitor the traffic
using ethereal.

even the led's on the switches could show something - unfortunately the
client is reluctant to pay my time to sit around and wait for the
connection to fail. some maintenance work is due so maybe i could go in to
carry it out and wait for the network problem at the same time.

there is a central switch connected after the netgear so i could isolate
network segments relatively easily.



for now i'm running a traceroute every 5 mins via a script on a unix box and
directing the output to a text file - i'll check it tomorrow. the
traceroute command seems to run slowly over the VPN but the output looks
normal.

in fact, now i've been running a console session over the VPN for a while i
realise how bad the connection now is.

it is bad for about 1-2 minutes - then normal for 1-2 minutes - and then bad
for 1-2 mins and so on.

too late now to do much else.

as always - telnet to port 25 which is forwarded to the mail server responds
fine.

as mentioned, any ideas gratefully received.

kev




 
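Added example, not part of the original post: a traceroute every 5 minutes samples too coarsely to catch an outage that lasts 1-2 minutes, so this sketch assumes a probe log taken every 30 seconds and extracts each outage window, with a count of how many samples in it still had port 25 answering. The log format, the probe columns (`web` for outbound traffic through the netgear, `smtp` for the forwarded port 25) and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log, one line per 30-second probe round:
#   <epoch-seconds> <web: ok|fail> <smtp: ok|fail>
sample_log() {
cat <<'EOF'
1142294400 ok ok
1142294430 ok ok
1142294460 fail ok
1142294490 fail ok
1142294520 fail ok
1142294550 ok ok
1142294580 ok ok
1142294610 ok ok
1142294640 fail ok
1142294670 fail ok
1142294700 ok ok
1142294730 ok ok
EOF
}

# Read a probe log on stdin and print one line per contiguous outage:
#   start=<epoch of first failed probe> secs=<time until first good probe>
#   samples=<failed probes in the window> smtp_ok=<of those, port 25 still ok>
outage_windows() {
  awk '
    # Skip blank, truncated or otherwise malformed lines.
    NF != 3 || $1 !~ /^[0-9]+$/ { next }

    $2 == "fail" {
      if (!down) { down = 1; start = $1; n = 0; smtp = 0 }
      n++
      if ($3 == "ok") smtp++
      last = $1
      next
    }

    # First good probe after a run of failures closes the window.
    down { report($1); down = 0 }

    # Log ended mid-outage: report up to the last failed probe seen.
    END { if (down) report(last) }

    function report(stop) {
      printf "start=%d secs=%d samples=%d smtp_ok=%d\n", start, stop - start, n, smtp
    }
  '
}

sample_log | outage_windows
```

The `start` values give timestamps to line up against a packet capture or switch port counters taken over the same period, which is what separates a flooding host on the LAN from a fault upstream.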
 
 
 
 
Colin Forrester

 
      03-14-2006, 04:28 AM
kevin bailey wrote:

> 3. something on their LAN is infected and is nailing the connection in
> bursts. all PC's are locked down using group policies which only allow a
> limited applications to run - but, there are PC's which i've not set up
> which are an unknown to me. they are supposed to have AV stuff installed
> but...


If group policies (I presume you mean a Windows server based LAN?) were
that good we would not need anti-virus and anti-spam software.

There are PC's you have not set-up - they could be the problem - the
ones you have set-up could be the problem - you don't know. Can't you
check the AV remotely? Isn't it centrally managed on the LAN?

> it is bad for about 1-2 minutes - then normal for 1-2 minutes - and then bad
> for 1-2 mins and so on.

[snip]

> as mentioned, any ideas gratefully received.


This doesn't sound like a router problem at all - I would check all the
PC's for a virus that is flooding the router with traffic. It could be a
DoS attack from the outside.

I would also consider whether the client is worth having - if as you
have said elsewhere they are reluctant to pay you to resolve it
properly. You have to know when to quit - and sometimes it isn't your
technical knowledge that decides this.

 
 
kevin bailey

 
      03-14-2006, 07:30 AM
Colin Forrester wrote:

> kevin bailey wrote:
>
>> 3. something on their LAN is infected and is nailing the connection in
>> bursts. all PC's are locked down using group policies which only allow a
>> limited applications to run - but, there are PC's which i've not set up
>> which are an unknown to me. they are supposed to have AV stuff installed
>> but...

>
> If group policies (I presume you mean a Windows server based LAN?) were
> that good we would not need anti-virus and anti-spam software.


i find the group policies are quite good and do fix a couple issues:

1. stops the users from fiddling around with (and breaking) their own PC's.

2. because only apps from a limited list are allowed to run it catches
viruses trying to run before the AV apps catch up. i've actually been in
the office at the time this has happened.

3. users don't run as admins which again prevents problems.

>
> There are PC's you have not set-up - they could be the problem - the
> ones you have set-up could be the problem - you don't know. Can't you
> check the AV remotely? Isn't it centrally managed on the LAN?
>



no central management - there are a batch of machines which i've had nothing
to do with.

>> it is bad for about 1-2 minutes - then normal for 1-2 minutes - and then
>> bad for 1-2 mins and so on.

> [snip]
>
>> as mentioned, any ideas gratefully received.

>
> This doesn't sound like a router problem at all - I would check all the
> PC's for a virus that is flooding the router with traffic. It could be a
> DoS attack from the outside.


i'll look into it - they're getting desperate and i think want me to come in
to have a look.

to check out if it is DoS from outside then i'll activate snort on the
netgear - hopefully there's something similar on the siemens.


>
> I would also consider whether the client is worth having - if as you
> have said elsewhere they are reluctant to pay you to resolve it
> properly. You have to know when to quit - and sometimes it isn't your
> technical knowledge that decides this.


appreciate that but i've worked with them for about three years and they've
been happy to pay for work. the single crashing win2k server has been
replaced by two unix boxes, UPS have been installed, switches upgraded and
i set up the main admin offices PC's to pick up roaming profiles and policy
stuff from samba on the unix box since when there's been no (touch wood)
infections. also, there are now off-site backups using REV drives which
aren't cheap.

they've just seen this as a BT problem because the router was supplied by
BT.


as you say - it may be a nasty coincidence that a PC somewhere is infected
at the same time as the router was being sorted out.

i'll be recommending a couple of things today.

thanks,

kev


 
 
Alastair

 
      03-14-2006, 07:38 AM
"kevin bailey" <(E-Mail Removed)> wrote in message
news:dv55k3$4tb$1$(E-Mail Removed)...
> hi,
>
> there is an intermittent problem with a BT supplied siemens 5830 router.


Never assume - it can cause you to waste lots of time

<snip>

> when i was first called to the client.
> they had a d-link gateway/router then which i replaced with the netgear
> due
> to VPN capabilities.


<snip>

> 1. maybe the siemens router is at fault - although it is a brand new
> siemens
> 5830 it is the only hardware component which is different from their
> original setup.


A bit of a mismatch between those two statements.

If you'll forgive me for saying so, you seem to be trying to operate way
beyond your level of competence and experience. Isn't it time now to bow
out of this and introduce the customer to a company that has expertise in
the field?


 
 
kevin bailey

 
      03-14-2006, 09:16 AM
Alastair wrote:

> "kevin bailey" <(E-Mail Removed)> wrote in message
> news:dv55k3$4tb$1$(E-Mail Removed)...
>> hi,
>>
>> there is an intermittent problem with a BT supplied siemens 5830 router.

>
> Never assume - it can cause you to waste lots of time
>
> <snip>


agreed, assumption is a bad thing


>
>> when i was first called to the client.
>> they had a d-link gateway/router then which i replaced with the netgear
>> due
>> to VPN capabilities.

>
> <snip>
>
>> 1. maybe the siemens router is at fault - although it is a brand new
>> siemens
>> 5830 it is the only hardware component which is different from their
>> original setup.

>
> A bit of a mismatch between those two statements.
>


not sure exactly what you mean.

they had perfectly ok internet connectivity - a 5861 blew - replaced by the
siemens 5830 - now a really poor connection.

the new siemens supplied is the only item different from the previous setup.

they may have another separate issue which just happens to have occurred
when the routers were replaced though. i can't personally see that the
siemens is at fault - but that's assumption again.

> If you'll forgive me for saying so, you seem to be trying to operate way
> beyond your level of competence and experience. Isn't it time now to bow
> out of this and introduce the customer to a company that has expertise in
> the field?


i've installed BB for plenty of customers over ADSL using demon wires-only
service which have all worked fine. in conjunction with SAR, billion and
lately netgear routers. this includes wireless setups.

in fact i'd recommend demon/netgear to anyone because once installed
everything seems to work month in and month out.

i'm a programmer due to the main part of what i did at college but we did
study networking as well; WFWG, Novell, network hardware, layer model, etc
and have been involved with sorting out network issues on and off ever
since although admittedly mostly DB programming using 4GL stuff.

before BB was available i built my own router from a PC using unix and
created/configured my own firewall using raw ipchains - obviously this was
before ipchains was superseded by iptables. this shared out an internet
connection over dialup between several PC's and macs and enabled me to
carry out huge downloads overnight.

then i built a virtual private network (VPN) router from a PC which worked
perfectly with a few clients in conjunction with an SAR router/modem set to
bridge mode.

i also built a router which connected as required via ISDN and did the job
far more efficiently than an existing SBS2000 machine.

so, if anyone can take a PC and turn it into a router/gateway/firewall
*without* using one of the easy ready made distros such as ipcop,
smoothwall etc then putting in some network settings via a web interface is
pretty straight forward.

agreed, i'm not familiar with the BT router and am used to demon's
wires-only service - but that's why i've posted to this group.
as i keep trying to point out - i've been a bit hamstrung in this case
because the client sees the problem as BT's and wants BT to sort it out.

network fine -BT router blows - BT replace router - network crap.

i'm going to check tomorrow and will let them know if they've just been
unlucky and an infected PC or something else has caused a problem at the
same time. i just need some hours authorised to trace it through.

the main issue has been the six times BT have been called, the six times
that BT have said they'll have to call back - and the six times that BT
have not called back.

also, i've been reluctant to touch the BT router because i was advised that
if BT found out that we'd touched 'their' router we'd be liable to huge
charges from BT.

it looks like the client is going to go ahead and allow me to try to source
a 5861 and then try to install it.

somebody mentioned that they can be installed from scratch - i'm hoping
there are no gotchas from BT.

also, any ideas for an equivalent to the 5861 which is more easy to get hold
of would be much appreciated.

kev
 
 
Alastair

 
      03-14-2006, 09:35 AM
"kevin bailey" <(E-Mail Removed)> wrote in message
news:dv655p$hda$1$(E-Mail Removed)...
> Alastair wrote:
>
>> "kevin bailey" <(E-Mail Removed)> wrote in message
>> news:dv55k3$4tb$1$(E-Mail Removed)...
>>> when i was first called to the client.
>>> they had a d-link gateway/router then which i replaced with the netgear
>>> due
>>> to VPN capabilities.

>>
>> <snip>
>>
>>> 1. maybe the siemens router is at fault - although it is a brand new
>>> siemens
>>> 5830 it is the only hardware component which is different from their
>>> original setup.

>>
>> A bit of a mismatch between those two statements.
>>

>
> not sure exactly what you mean.


In the first statement you say you replaced a D-Link unit with a Netgear
one.
In the second statement you say that the *only* change is the Siemens
router.
So if the first statement is true I can't see how the second one can be.


 
 
kevin bailey

 
      03-14-2006, 01:59 PM
Alastair wrote:

> "kevin bailey" <(E-Mail Removed)> wrote in message
> news:dv655p$hda$1$(E-Mail Removed)...
>> Alastair wrote:
>>
>>> "kevin bailey" <(E-Mail Removed)> wrote in message
>>> news:dv55k3$4tb$1$(E-Mail Removed)...
>>>> when i was first called to the client.
>>>> they had a d-link gateway/router then which i replaced with the netgear
>>>> due
>>>> to VPN capabilities.
>>>
>>> <snip>
>>>
>>>> 1. maybe the siemens router is at fault - although it is a brand new
>>>> siemens
>>>> 5830 it is the only hardware component which is different from their
>>>> original setup.
>>>
>>> A bit of a mismatch between those two statements.
>>>

>>
>> not sure exactly what you mean.

>
> In the first statement you say you replaced a D-Link unit with a Netgear
> one.
> In the second statement you say that the *only* change is the Siemens
> router.
> So if the first statement is true I can't see how the second one can be.


ah sorry - i must have confused things.

the d-link was replaced by the netgear about two years ago.

the recent replacement was the BT 5861 was replaced by the siemens 5830.

kevin

 
 
Alastair

 
      03-14-2006, 02:21 PM
"kevin bailey" <(E-Mail Removed)> wrote in message
news:dv6lnu$6b4$1$(E-Mail Removed)...
> Alastair wrote:
>
>> "kevin bailey" <(E-Mail Removed)> wrote in message
>> news:dv655p$hda$1$(E-Mail Removed)...
>>> Alastair wrote:
>>>
>>>> "kevin bailey" <(E-Mail Removed)> wrote in message
>>>> news:dv55k3$4tb$1$(E-Mail Removed)...
>>>>> when i was first called to the client.
>>>>> they had a d-link gateway/router then which i replaced with the
>>>>> netgear
>>>>> due
>>>>> to VPN capabilities.
>>>>
>>>> <snip>
>>>>
>>>>> 1. maybe the siemens router is at fault - although it is a brand new
>>>>> siemens
>>>>> 5830 it is the only hardware component which is different from their
>>>>> original setup.
>>>>
>>>> A bit of a mismatch between those two statements.
>>>>
>>>
>>> not sure exactly what you mean.

>>
>> In the first statement you say you replaced a D-Link unit with a Netgear
>> one.
>> In the second statement you say that the *only* change is the Siemens
>> router.
>> So if the first statement is true I can't see how the second one can be.

>
> ah sorry - i must have confused things.
>
> the d-link was replaced by the netgear about two years ago.
>
> the recent replacement was the BT 5861 was replaced by the siemens 5830.


I see - thanks for clearing that up.


 
 
Phil Roberts

 
      03-15-2006, 12:06 PM
kevin bailey wrote:
> <snip>


We had a similar problem at work following a BT upgrade to exchanges in
London. We had intermittent connectivity for several days. It was fixed
when we reconfigured our internal router/firewall (which had worked fine
b4 the upgrade) and/or BT finished the upgrade - I suspect that we will
never know which.

Could you treat the BT connection as a Demon 'bare wires'?

If you have a spare router that you can configure yourself, and the
client can stand a bit of downtime on their email server I would suggest
that you switch out the BT supplied router.

If your config works and BT's doesn't then client is happy - Network is
OK - BT are proved to be at fault. If your configuration gives no change
then it points to the outside network (again BT's problem but now with a
bit more info).

Provided you don't reconfigure the BT supplied router, I can't see that
you would be doing anything unreasonable given the lack of response from BT.

When you find the solution, please post it - it is nice to know how
these issues turn out

Regards

Phil
----------
take out my - britches for email
 