Can't Connect to Win2008 Server from 1 of several subnets

Discussion in 'Windows Networking' started by Scott Townsend, Oct 9, 2008.

  1. So I have three Server machines
    10.1.0.10 Win2003 Server DC
    10.1.0.17 Win2008 Server DC/File Server
    10.1.0.19 Win2008 Server Hyper-V Server

    Nothing fancy on the servers.


    I can Ping all of them from the router's Ethernet Interface (on the
    same Subnet)
    If I ping using the Serial 0 as the source Address, I can only Ping .10
    and .19

    Same if I go from the servers to 10.254.0.37, 10.1.0.17 cannot Ping.

    10.1.0.17 can ping things in other Subnets, just not from Serial0 of
    the 1 router ...


    To Troubleshoot. I added an IP Address to 10.1.0.17, 10.1.0.16.
    Did the Ping tests again. I could not Ping 10.1.0.16.

    I Removed 10.1.0.16 from 10.1.0.17 and added it to 10.1.0.10

    So now 10.1.0.10 and 10.1.0.16 are the same machine.
    I can now Ping 10.1.0.16....

    So it's the Server that is preventing it somehow...

    Any Suggestions?
     
    Scott Townsend, Oct 9, 2008
    #1

  2. Possibles:

    1. ACLs on the LAN router that you don't know are there

    2. Improper TCP/IP Config on the Servers,...particularly in the area of the
    Mask or DFG

    3. Invalid or improper "static routes" on the servers that you don't know
    are there

    4. Flaw in the LAN's "routing scheme"

    5. Host-Based "firewalls" on some, all, or any of the machines involved that
    either aren't configured properly or just should not be there to begin with.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Oct 9, 2008
    #2

  3. Thank you for your reply...

    1) There are no ACLs on the router as this is just a Site to Site router
    that we want all traffic to pass.

    2) The Mask on the servers & Ethernet0 on the routers are all 255.255.0.0
    The Mask on the Serial Port is 255.255.255.252,
    DFG?

    3) I've done a Route Print on the servers/routers and everything looks in
    order.

    4) Every other machine I've tried can reach the router's Serial Port and
    the far end devices on the other end of the remote router.

    5) Firewall is off on the machine that does not work.


    Since the machine that does not work is on the same Switch as the machine
    next to it and it can talk to the router's serial port just fine, I would
    think that the Router is set up to handle the traffic and pass the data.

    If I took an IP on the machine that didn't work and moved that IP to a
    machine that does work and now that IP address does work... It has to be
    something on the machine...

    Scott<-
     
    Scott Townsend, Oct 9, 2008
    #3
  4. Being a site-to-Site link greatly increases the chance of my fourth
    suggestion:

    4. Flaw in the LAN's "routing scheme"

    Ethernet segments should not be allowed to grow above 250-300
    Hosts,..therefore you should be using 255.255.255.0. The 255.255.0.0 would
    be used in routing tables to supernet IP segments into a single route table
    entry to make the route table more efficient if the network design dictated
    that. It is doubtful that this is your problem,..but is something to
    consider.

    The "252" mask is normal for a WAN link,..no problem there.

    I agree, but at the moment there is nothing that jumps out at me. I don't
    have any other suggestions right now.

     
    Phillip Windell, Oct 9, 2008
    #4
  5. We don't really have too many hosts in each of the Class B Subnets, but we
    use parts of the Subnet for Different devices.

    10.x.0.x servers
    10.x.1.x Other IT Items, WiFi, Printers, etc
    10.x.2.x Spare
    10.x.3.x DHCP for Clients
    10.x.4.x DHCP for Clients.
    10.x.5.x Engineer's Testbed.
    10.x.6.x Tech Support Testbed.
    Etc....

    Anyway... I found the issue... I had the Gateway Address set for the
    Firewall and not the Router.

    Which is interesting, As the firewall has a Static Route for the 10.254.0.36
    Subnet that points to the default router that I changed the machine with the
    issues to.

    So Machine pointed -> Firewall
    Firewall Pointed 10.254.0.36 to 10.1.0.1

    When I pointed machine -> 10.1.0.1 as default Gateway All is well...

    One of the reasons I like to have my Servers DHCP with Reservations...
    Though since this was a DC, hard to do that... (-:

    Thanks!
     
    Scott Townsend, Oct 9, 2008
    #5
  6. That's not good. It makes it very difficult to put it back the way it
    should be because you have to re-address everything outside of the third
    octet you choose the LAN to be. If everything was inside just one of
    those, then you just change the Masks and it is fixed. That is really going
    to come back and bite you some day. It also wastes a lot of addresses since
    you can't use all of them because the subnet would be too big,..yet at the
    same time you can't use them for anything else.

    The first time you have to setup a Site-to-Site VPN or some kind of Private
    Link with some other network,...and they happen to use, say, 10.x.4.x,..you
    are going to be really screwed. The more addresses you eat up needlessly
    the greater chance of a future address conflict in future projects.

    Ah, yes,..this is the kind of thing I was suspecting.

    Many more modern Firewalls do not "back route" like the old ones did. This
    is a situation where there are multiple IP Segments behind a
    Firewall,..while yet the Clients in the same segment as the Firewall use the
    Firewall as the DFG *instead* of the LAN Router. This causes the Firewall to
    have to loop the client "back" to the LAN Router to get to other
    segments,..thereby causing the Firewall to act as a LAN Router.

    For security reasons I am not sure I understand well enough to explain,
    firewall manufacturers may not let their products do this. Microsoft stopped
    allowing ISA Server to do that sometime after the release of ISA2004,..I
    don't remember if it was "out of the box" or after a certain Service Pack
    level.

    So in summary,...the Firewall in a multi-segment LAN should *never* be the
    Default Gateway of any Client. The Clients should always use one of the LAN
    Routers as a DFG and then let the LAN's Routing Scheme amongst the LAN
    Routers determine if something needs to go to the Firewall and then decide
    how to get it to the Firewall. At least this is the case with NAT-Based
    Firewalls. But with systems based on Winsock Proxying or on CERN Compliant
    Web Proxying, they operate by completely different methods and DFGs do not
    even play into those at all,..so the firewall never has to be in the default
    routing path to begin with.


     
    Phillip Windell, Oct 10, 2008
    #6
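
Added example, not part of any post in this thread: a small Python model of the fault found in post #5 and explained in post #6, tracing where a packet from a LAN server goes depending on which default gateway the server uses. The firewall address 10.1.0.254 and the interface names are assumptions; 10.1.0.1, the 255.255.0.0 LAN mask and the 10.254.0.36 serial subnet are taken from the posts.

```python
import ipaddress as ip

# Constructed model. 10.1.0.1, the /16 LAN mask and 10.254.0.36/30 come from
# the thread; the firewall address 10.1.0.254 and interface names are assumed.
LAN = ip.ip_network("10.1.0.0/16")
WAN = ip.ip_network("10.254.0.36/30")
ROUTER, FIREWALL = "10.1.0.1", "10.1.0.254"

# (prefix, gateway or None if directly connected, outgoing interface)
TABLES = {
    ROUTER:   [(LAN, None, "eth0"), (WAN, None, "serial0")],
    FIREWALL: [(LAN, None, "lan"), (WAN, ROUTER, "lan")],  # static route from post #5
}
LAN_IF = {ROUTER: "eth0", FIREWALL: "lan"}


def lookup(table, dst):
    """Longest-prefix match over one device's routing table."""
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def trace_reply(default_gw, dst, firewall_back_routes=False):
    """Follow a packet from a LAN server toward dst; return (delivered, hops)."""
    dst = ip.ip_address(dst)
    if dst in LAN:                      # same subnet: no gateway involved
        return True, ["on-link"]
    hops, node = [], default_gw
    for _ in range(8):                  # hop limit guards against routing loops
        hops.append(node)
        route = lookup(TABLES[node], dst)
        if route is None:
            return False, hops + ["no route"]
        _, gw, out_if = route
        hairpin = out_if == LAN_IF[node]   # would leave via the arrival interface
        if hairpin and node == FIREWALL and not firewall_back_routes:
            return False, hops + ["dropped: firewall will not back-route"]
        if gw is None:
            return True, hops + [str(dst)]
        node = gw
    return False, hops + ["hop limit"]


if __name__ == "__main__":
    for gw in (ROUTER, FIREWALL):
        print(gw, trace_reply(gw, "10.254.0.37"))
```

The on-link case is why the ping from the router's Ethernet interface succeeded even with the wrong gateway: only traffic leaving the 10.1.0.0 subnet consults the default gateway at all.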
  7. Hi,

    I am writing to see if you have any update on this issue. If you need
    further assistance, please feel free to post here.

    Have a good day.
    Sincerely
    Morgan Che
    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


     
    Morgan che, Nov 4, 2008
    #7