Two servers can't communicate over VPN

I'm having trouble with two specific servers and I'm totally stumped. They
are connected via a VPN like everything else at these sites. Neither have
firewalls running. One is a DC the other is a member server. Both host DFS
roots, one of which they have in common. Both run Windows Server 2003.

These two servers cannot communicate at all. Both can ping everything else
and everything else can ping them but neither are communicating at all. I'm
not sure when this started because the DFS replication occurs through other
mesh links and I never noticed.

Since they don't communicate at all, it seems like a network issue. But
since both work with everything else, I don't know what else to try. Both
are resolving to the correct IP addresses, there are no HOSTS file entries,
and as I mentioned there are no firewalls involved.

Any ideas what to try next?

Do you receive any system error if you do net view \\remoteserveripaddress?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Rollie" <(E-Mail Removed)> wrote in message
news:060A594B-5E01-4676-BEE9-(E-Mail Removed)...
> I'm having trouble with two specific servers and I'm totally stumped.
> They
> are connected via a VPN like everything else at these sites. Neither have
> firewalls running. One is a DC the other is a member server. Both host
> DFS
> roots, one of which they have in common. Both run Windows Server 2003.
>
> These two servers cannot communicate at all. Both can ping everything
> else
> and everything else can ping them but neither are communicating at all.
> I'm
> not sure when this started because the DFS replication occurs through
> other
> mesh links and I never noticed.
>
> Since they don't communicate at all, it seems like a network issue. But
> since both work with everything else, I don't know what else to try. Both
> are resolving to the correct IP addresses, there are no HOSTS file
> entries,
> and as I mentioned there are no firewalls involved.
>
> Any ideas what to try next?

Yes, system error 53.

"Robert L (MS-MVP)" wrote:

> Do you receive any system error if you do net view \\remoteserveripaddress?
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
>
>
> "Rollie" <(E-Mail Removed)> wrote in message
> news:060A594B-5E01-4676-BEE9-(E-Mail Removed)...
> > I'm having trouble with two specific servers and I'm totally stumped.
> > They
> > are connected via a VPN like everything else at these sites. Neither have
> > firewalls running. One is a DC the other is a member server. Both host
> > DFS
> > roots, one of which they have in common. Both run Windows Server 2003.
> >
> > These two servers cannot communicate at all. Both can ping everything
> > else
> > and everything else can ping them but neither are communicating at all.
> > I'm
> > not sure when this started because the DFS replication occurs through
> > other
> > mesh links and I never noticed.
> >
> > Since they don't communicate at all, it seems like a network issue. But
> > since both work with everything else, I don't know what else to try. Both
> > are resolving to the correct IP addresses, there are no HOSTS file
> > entries,
> > and as I mentioned there are no firewalls involved.
> >
> > Any ideas what to try next?
>
>
>

In many cases, system error 53 is firewall or name resolution issue. Since
net view ip has the same error, I would focus on firewall. Can you ping the
remote server by IP? If yes, can you telnet port 135?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Rollie" <(E-Mail Removed)> wrote in message
news:8FA2ADE4-FE29-412C-880F-(E-Mail Removed)...
> Yes, system error 53.
>
> "Robert L (MS-MVP)" wrote:
>
>> Do you receive any system error if you do net view
>> \\remoteserveripaddress?
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting on
>> http://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access on
>> http://www.HowToNetworking.com
>>
>>
>> "Rollie" <(E-Mail Removed)> wrote in message
>> news:060A594B-5E01-4676-BEE9-(E-Mail Removed)...
>> > I'm having trouble with two specific servers and I'm totally stumped.
>> > They
>> > are connected via a VPN like everything else at these sites. Neither
>> > have
>> > firewalls running. One is a DC the other is a member server. Both
>> > host
>> > DFS
>> > roots, one of which they have in common. Both run Windows Server 2003.
>> >
>> > These two servers cannot communicate at all. Both can ping everything
>> > else
>> > and everything else can ping them but neither are communicating at all.
>> > I'm
>> > not sure when this started because the DFS replication occurs through
>> > other
>> > mesh links and I never noticed.
>> >
>> > Since they don't communicate at all, it seems like a network issue.
>> > But
>> > since both work with everything else, I don't know what else to try.
>> > Both
>> > are resolving to the correct IP addresses, there are no HOSTS file
>> > entries,
>> > and as I mentioned there are no firewalls involved.
>> >
>> > Any ideas what to try next?
>>
>>
>>

No, neither server can telnet to port 135 on the other machine. They can
both telnet to 135 on machines on the remote subnets, though.

This made me think perhaps it was a weird ARP issue. Cleared the ARP caches
and no change.

I ran "netstat -an | findstr remoteipaddress" on each server. On the member
server, I got nothing. On the DC, it said SYN_SENT to ports 139 and 445 on
the member server. I don't know if that helps or not but it makes me lean
towards the member server is at fault.

Other than that, I suppose it could be one of the VPN servers. It's a
net-to-net connection though and nothing else is having trouble so I don't
really know what it would be that would be this specific.


"Robert L (MS-MVP)" wrote:

> In many cases, system error 53 is firewall or name resolution issue. Since
> net view ip has the same error, I would focus on firewall. Can you ping the
> remote server by IP? If yes, can you telnet port 135?
>

Have you or anyone else found a solution to this problem since the last post?


"Rollie" wrote:

> No, neither server can telnet to port 135 on the other machine. They can
> both telnet to 135 on machines on the remote subnets, though.
>
> This made me think perhaps it was a weird ARP issue. Cleared the ARP caches
> and no change.
>
> I ran "netstat -an | findstr remoteipaddress" on each server. On the member
> server, I got nothing. On the DC, it said SYN_SENT to ports 139 and 445 on
> the member server. I don't know if that helps or not but it makes me lean
> towards the member server is at fault.
>
> Other than that, I suppose it could be one of the VPN servers. It's a
> net-to-net connection though and nothing else is having trouble so I don't
> really know what it would be that would be this specific.
>
>
> "Robert L (MS-MVP)" wrote:
>
> > In many cases, system error 53 is firewall or name resolution issue. Since
> > net view ip has the same error, I would focus on firewall. Can you ping the
> > remote server by IP? If yes, can you telnet port 135?
> >
>

Well, yes and no.

Since nothing was adding up, I kept thinking it had to be some sort of ARP
or ethernet weirdness. I cleared ARP caches, restarted all switches,
restarted the VPN connections (IPSec), restarted all IPSec services on the
routers, and no change. When a scheduled down-time came up last weekend, I
restarted the remote VPN server/router and that did the trick.

So I'm still guessing it's some sort of ARPish issue. Unfortunately, I
couldn't find the actual issue so I'll have to chalk it up to black magic.

"MMT" wrote:

> Have you or anyone else found a solution to this problem since the last post?
>
>
> "Rollie" wrote:
>
> > No, neither server can telnet to port 135 on the other machine. They can
> > both telnet to 135 on machines on the remote subnets, though.
> >
> > This made me think perhaps it was a weird ARP issue. Cleared the ARP caches
> > and no change.
> >
> > I ran "netstat -an | findstr remoteipaddress" on each server. On the member
> > server, I got nothing. On the DC, it said SYN_SENT to ports 139 and 445 on
> > the member server. I don't know if that helps or not but it makes me lean
> > towards the member server is at fault.
> >
> > Other than that, I suppose it could be one of the VPN servers. It's a
> > net-to-net connection though and nothing else is having trouble so I don't
> > really know what it would be that would be this specific.
> >
> >
> > "Robert L (MS-MVP)" wrote:
> >
> > > In many cases, system error 53 is firewall or name resolution issue. Since
> > > net view ip has the same error, I would focus on firewall. Can you ping the
> > > remote server by IP? If yes, can you telnet port 135?
> > >
> >