Win 2003 Server only talking with local Subnet

IO have an issue with a Win 2003 AD Server. It will only communicate
with computers within the same subnet. It refuses to talk to any other
machine or respond to requests from any other machine.

Machine is running Exchange 2003 and was a public DNS server.

There is no ip filtering on the network adapter.

Any thoughts?
BA

First thought: missing or incorrect default gateway.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT

Check to see if it can ping the default gateway. If you can't, check that
the IP for it is correct and if it is check your arp cache via arp -a to see
if there is a bad static entry for the default gateway's mac address. Also
see if it has an ipsec policy assigned to it. You can use the mmc snapins
for ip security monitor and ip security policy management to check for such.
It might also help to run the netdiag support tool on it. --- Steve


"Timothy Minahan" <(E-Mail Removed)> wrote in message
news:%23V%(E-Mail Removed)...
> IO have an issue with a Win 2003 AD Server. It will only communicate with
> computers within the same subnet. It refuses to talk to any other machine
> or respond to requests from any other machine.
>
> Machine is running Exchange 2003 and was a public DNS server.
>
> There is no ip filtering on the network adapter.
>
> Any thoughts?
> BA

Todd J Heron wrote:
> First thought: missing or incorrect default gateway.
>

Should have mentioned that - Gateway correct in both Card properties and
ipconfig /all

BA

An ipsec policy could still cause that behavior if one is assigned no matter
what IP address it uses as ipsec policy uses the syntax of "my ip address"
in the filter list. Assuming there is no ipsec policy, I would try to do a
tracert to an IP address on another network to see where it fails and to
make sure that it does use the default gateway to access the other network.
Does it have more than one network adapter and/or is it also running Remote
Access? -- Steve



"Timothy Minahan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> All of that checks out as normal. It can ping the gateway and if I change
> the ip address of this machine it has the same fault while the same IP on
> a different machine workd normally.
>
> Steven L Umbach wrote:
>> Check to see if it can ping the default gateway. If you can't, check that
>> the IP for it is correct and if it is check your arp cache via arp -a to
>> see if there is a bad static entry for the default gateway's mac address.
>> Also see if it has an ipsec policy assigned to it. You can use the mmc
>> snapins for ip security monitor and ip security policy management to
>> check for such. It might also help to run the netdiag support tool on
>> t. --- Steve
>>
>>
>> "Timothy Minahan" <(E-Mail Removed)> wrote in message
>> news:%23V%(E-Mail Removed)...
>>
>>>IO have an issue with a Win 2003 AD Server. It will only communicate
>>>with computers within the same subnet. It refuses to talk to any other
>>>machine or respond to requests from any other machine.
>>>
>>>Machine is running Exchange 2003 and was a public DNS server.
>>>
>>>There is no ip filtering on the network adapter.
>>>
>>>Any thoughts?
>>>BA
>>
>>

All of that checks out as normal. It can ping the gateway and if I
change the ip address of this machine it has the same fault while the
same IP on a different machine workd normally.

Steven L Umbach wrote:
> Check to see if it can ping the default gateway. If you can't, check that
> the IP for it is correct and if it is check your arp cache via arp -a to see
> if there is a bad static entry for the default gateway's mac address. Also
> see if it has an ipsec policy assigned to it. You can use the mmc snapins
> for ip security monitor and ip security policy management to check for such.
> It might also help to run the netdiag support tool on it. --- Steve
>
>
> "Timothy Minahan" <(E-Mail Removed)> wrote in message
> news:%23V%(E-Mail Removed)...
>
>>IO have an issue with a Win 2003 AD Server. It will only communicate with
>>computers within the same subnet. It refuses to talk to any other machine
>>or respond to requests from any other machine.
>>
>>Machine is running Exchange 2003 and was a public DNS server.
>>
>>There is no ip filtering on the network adapter.
>>
>>Any thoughts?
>>BA
>
>
>

There are no IPSec filters or policies running. There is only one NIC
with one IP Address and it can ping the firewall without issue. It does
not however find the firewall in a traceroute.

Here is some of the output if it helps:

C:\Documents and Settings\timothy>tracert <Some Public IP>

Tracing route to <Some Public IP> over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * ^C

C:\Documents and Settings\timothy>ping 192.168.110.10

Pinging 192.168.110.10 with 32 bytes of data:

Reply from 192.168.110.10: bytes=32 time<1ms TTL=128
Reply from 192.168.110.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.110.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\timothy>route print

IPv4 Route Table
================================================== =========================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 09 6b 0b ca b2 ...... Intel(R) PRO/100 VE Network Connection
================================================== =========================
================================================== =========================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.110.10 192.168.110.80 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.110.0 255.255.255.0 192.168.110.80 192.168.110.80 20
192.168.110.80 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.110.255 255.255.255.255 192.168.110.80 192.168.110.80 20
224.0.0.0 240.0.0.0 192.168.110.80 192.168.110.80 20
255.255.255.255 255.255.255.255 192.168.110.80 192.168.110.80 1
Default Gateway: 192.168.110.10
================================================== =========================
Persistent Routes:
None


Steven L Umbach wrote:
> An ipsec policy could still cause that behavior if one is assigned no matter
> what IP address it uses as ipsec policy uses the syntax of "my ip address"
> in the filter list. Assuming there is no ipsec policy, I would try to do a
> tracert to an IP address on another network to see where it fails and to
> make sure that it does use the default gateway to access the other network.
> Does it have more than one network adapter and/or is it also running Remote
> Access? -- Steve
>
>
>
> "Timothy Minahan" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>All of that checks out as normal. It can ping the gateway and if I change
>>the ip address of this machine it has the same fault while the same IP on
>>a different machine workd normally.
>>
>>Steven L Umbach wrote:
>>
>>>Check to see if it can ping the default gateway. If you can't, check that
>>>the IP for it is correct and if it is check your arp cache via arp -a to
>>>see if there is a bad static entry for the default gateway's mac address.
>>>Also see if it has an ipsec policy assigned to it. You can use the mmc
>>>snapins for ip security monitor and ip security policy management to
>>>check for such. It might also help to run the netdiag support tool on
>>>t. --- Steve
>>>
>>>
>>>"Timothy Minahan" <(E-Mail Removed)> wrote in message
>>>news:%23V%(E-Mail Removed). ..
>>>
>>>
>>>>IO have an issue with a Win 2003 AD Server. It will only communicate
>>>>with computers within the same subnet. It refuses to talk to any other
>>>>machine or respond to requests from any other machine.
>>>>
>>>>Machine is running Exchange 2003 and was a public DNS server.
>>>>
>>>>There is no ip filtering on the network adapter.
>>>>
>>>>Any thoughts?
>>>>BA
>>>
>>>
>

"Timothy Minahan" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Todd J Heron wrote:
> > First thought: missing or incorrect default gateway.

> Should have mentioned that - Gateway correct in both Card properties and
> ipconfig /all


Ding! Ding! "*both* card properties"? You can only have one Default
Gateway. One nic must be left bank. The fact that the GUI lets you put one
on each NIC is irrelevant, that is a fault in the GUI in that is does not
"grey out" the option when a Default Gateway already exists on another Nic.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

I'm not seeing two Nics here. You implied in one of the earlier posts that
you had two nics with a gateway set on each.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Timothy Minahan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
=============================
> Active Routes:
> Network Destination Netmask Gateway Interface
Metric
> 0.0.0.0 0.0.0.0 192.168.110.10 192.168.110.80
20
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
1
> 192.168.110.0 255.255.255.0 192.168.110.80 192.168.110.80
20
> 192.168.110.80 255.255.255.255 127.0.0.1 127.0.0.1
20
> 192.168.110.255 255.255.255.255 192.168.110.80 192.168.110.80
20
> 224.0.0.0 240.0.0.0 192.168.110.80 192.168.110.80
20
> 255.255.255.255 255.255.255.255 192.168.110.80 192.168.110.80
1
> Default Gateway: 192.168.110.10
>
================================================== =========================

Hmm. I would check the firewall logs if a possibility to see if they report
any traffic dropped from that computer and why. Since you tried the same IP
address on another computer and it worked, I can only wonder if there is
some sort of mac filtering on the firewall or switches in the path to the
firewall that is blocking access. Did this problem just start up and if so
were there any configuration changes to the computer or network such as new
network adapter, change in firewall rules, change in security policy, etc?
If it is not too much a hassle try booting that server into safe mode with
networking to see if it makes a difference and running the netdiag support
tool [in regular mode] on it looking for problems including for winsock.
Beyond that it may be worthwhile to use a packet sniffer like Ethereal or
the built in netmon to monitor what happens when you do the tracert [
comparing to a computer where it works] though doing that on a production
server may flood you with captured packets unless you can configure a
capture filter which is why I like Ethereal over netmon - easier to use, at
least for me. Your routing table looks fine to me. --- Steve



"Timothy Minahan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> There are no IPSec filters or policies running. There is only one NIC
> with one IP Address and it can ping the firewall without issue. It does
> not however find the firewall in a traceroute.
>
> Here is some of the output if it helps:
>
> C:\Documents and Settings\timothy>tracert <Some Public IP>
>
> Tracing route to <Some Public IP> over a maximum of 30 hops
>
> 1 * * * Request timed out.
> 2 * * * Request timed out.
> 3 * * * Request timed out.
> 4 * * * Request timed out.
> 5 * * * Request timed out.
> 6 * ^C
>
> C:\Documents and Settings\timothy>ping 192.168.110.10
>
> Pinging 192.168.110.10 with 32 bytes of data:
>
> Reply from 192.168.110.10: bytes=32 time<1ms TTL=128
> Reply from 192.168.110.10: bytes=32 time<1ms TTL=128
>
> Ping statistics for 192.168.110.10:
> Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
> Control-C
> ^C
> C:\Documents and Settings\timothy>route print
>
> IPv4 Route Table
> ================================================== =========================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x10003 ...00 09 6b 0b ca b2 ...... Intel(R) PRO/100 VE Network Connection
> ================================================== =========================
> ================================================== =========================
> Active Routes:
> Network Destination Netmask Gateway Interface
> Metric
> 0.0.0.0 0.0.0.0 192.168.110.10 192.168.110.80
> 20
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
> 1
> 192.168.110.0 255.255.255.0 192.168.110.80 192.168.110.80
> 20
> 192.168.110.80 255.255.255.255 127.0.0.1 127.0.0.1
> 20
> 192.168.110.255 255.255.255.255 192.168.110.80 192.168.110.80
> 20
> 224.0.0.0 240.0.0.0 192.168.110.80 192.168.110.80
> 20
> 255.255.255.255 255.255.255.255 192.168.110.80 192.168.110.80
> 1
> Default Gateway: 192.168.110.10
> ================================================== =========================
> Persistent Routes:
> None
>
>
> Steven L Umbach wrote:
>> An ipsec policy could still cause that behavior if one is assigned no
>> matter what IP address it uses as ipsec policy uses the syntax of "my ip
>> address" in the filter list. Assuming there is no ipsec policy, I would
>> try to do a tracert to an IP address on another network to see where it
>> fails and to make sure that it does use the default gateway to access the
>> other network. Does it have more than one network adapter and/or is it
>> also running Remote Access? -- Steve
>>
>>
>>
>> "Timothy Minahan" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>>All of that checks out as normal. It can ping the gateway and if I
>>>change the ip address of this machine it has the same fault while the
>>>same IP on a different machine workd normally.
>>>
>>>Steven L Umbach wrote:
>>>
>>>>Check to see if it can ping the default gateway. If you can't, check
>>>>that the IP for it is correct and if it is check your arp cache via
>>>>arp -a to see if there is a bad static entry for the default gateway's
>>>>mac address. Also see if it has an ipsec policy assigned to it. You can
>>>>use the mmc snapins for ip security monitor and ip security policy
>>>>management to check for such. It might also help to run the netdiag
>>>>support tool on t. --- Steve
>>>>
>>>>
>>>>"Timothy Minahan" <(E-Mail Removed)> wrote in message
>>>>news:%23V%(E-Mail Removed) ...
>>>>
>>>>
>>>>>IO have an issue with a Win 2003 AD Server. It will only communicate
>>>>>with computers within the same subnet. It refuses to talk to any other
>>>>>machine or respond to requests from any other machine.
>>>>>
>>>>>Machine is running Exchange 2003 and was a public DNS server.
>>>>>
>>>>>There is no ip filtering on the network adapter.
>>>>>
>>>>>Any thoughts?
>>>>>BA
>>>>
>>>>
>>