Need help to track down web connection issue to our 2K3 server with one client/ISP/IP string?

Discussion in 'Windows Networking' started by Jimbo, Jan 19, 2004.

  1. Jimbo

    Jimbo Guest

    Hi everyone,

    We have been working on the situation below for about 4 days now and are at
    a complete loss. I will try to sum this up as briefly as possible, with the
    hope that someone might be able to offer us ideas on a resolution that we
    have yet to discover.

    First some general info:

    Our test server runs SBS2K3 with NO ISA installed. It has one NIC, connects
    to our cable ISP through a router. All incoming connections except VPN work
    perfectly, and the VPN issue is due only to firmware issue in the router. 2
    local clients are connected and part of our .local domain. Works perfectly.

    RWW and Companyweb sites are correctly published and do not allow anonymous
    access. Family members from home, work etc all can surf to our FQDN, and a
    login box pops in order for them to sign in before the page loads. They can
    also surf to our FQDN:444 and a box appears to have them log in to the
    Sharepoint "Companyweb" site.

    Just to be clear - everyone in the scenario above can surf to the FQDN and
    connect to the server via RWW or the Sharepoint site after logging in
    through the pop up box. There are no issues to report.


    Now the problem:

    We have one person in another location who just got DSL broadband. I built
    him the computer in question about 1 week ago and it has XPSP1 and all
    updates. This box was able to connect to the above sites when it was here
    in our office and connected via our router and ISP.

    When this person got connected via his DSL ISP, he tried to surf to our FQDN
    and the connection times out - no login box appears. He tried our FQDN:444
    and again, no login box appears. It does not get that far. This in and of
    itself, is odd behaviour.

    Please note: He can surf to any other website on the net. He can connect to
    other secure sites, such as his bank. His email and all other connectivity
    is perfect. We had him behind a router and then connected directly to his
    DSL modem - no change.

    He CAN Ping and Tracert to our server and he WAS prompted by our server to
    install the security certificate on his first visit attempt. So there IS a
    connection of some sort being made, but no login box ever appears and no
    page ever loads.

    We then briefly allowed anonymous access the our site and he still could not
    get a page to display. We changed his browser security and cookie settings,
    added us as a trusted site and still nothing. This was a useless step
    however as the same box was able to connect through our ISP - AND - if he
    connects to the internet using a dial-up modem (same ISP - same box) he CAN
    connect. This rules out his box and browser. And, that is the strangest
    part.


    So therefore, we must have a connectivity issue between this person's
    computer (and their DSL ISP) and our server connected to our cable broadband
    ISP. Again, all others who have tried can connect without trouble.


    Our other step was to query both ISP's, to see if there was an issue. Our
    ISP assured us it was not them (especially since all others who have
    attempted CAN connect). We contacted the DSL ISP of the person in question
    and they were baffled as well. Here is what happened with them:

    The tech support guy was able to connect from his terminal. No problem.
    However, when he and an upper level tech tried to connect using a test PC
    (connected via the same DSL modem as their customers) VOILA! He could not
    connect anymore! They thought perhaps this was an issue of their IP string
    being blocked by our "hosting company", since all of their DSL customers
    begin with 156.34.xxx.xxx. Their tech support terminals use a T3 with
    different IP's as do folks who use their dial-up service. Since I have no
    "hosting company" I checked our server, IIS etc... and we are not blocking
    any IP's that I can find anywhere.
    They also wrongly suggested that since we have a dynamic (persistent) IP,
    that maybe DynDNS was the problem. However, the site resolves when pinging
    or running a tracert, so unless this ISP blocks connection to IP's that are
    dynamic, this was a none started. And, they assures me that they didn't
    block anyone - just a port or two for security - as most ISP's do.

    So what can I do now? The client can ping/tracert/retrieve our certificate,
    but cannot load our site. Connectivity to our site / server is perfect
    otherwise. It now appears that this ISP (or their DSL IP's at least) cannot
    get a connection to our server. My depth of knowledge of internet
    connectivity protocols is limited, so I ask anyone to throw some ideas my
    way so that I may solve this.

    Please accept my thanks in advance,

    JS
     
    Jimbo, Jan 19, 2004
    #1
    1. Advertisements

  2. Hi,
    Get a netmon capture from the SBS server and from the remote, failing,
    client at the same time. Use Netcap on the XP client to get the capture.

    This could be caused by a black hole router on the route from the failing
    network to yours.
    What is the MTU size on the DSL router on the failing side?

    For more troubleshooting instructions:

    314825 How to Troubleshoot Black Hole Router Issues
    http://support.microsoft.com/?id=314825

    159211 Diagnoses and Treatment of Black Hole Routers
    http://support.microsoft.com/?id=159211

    The netmon captures should show the packets leaving one end and never
    reaching the other.

    Regards,
    Damian

    --
    Damian N. Leibaschoff, MS IST, MCSE
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via

    your newsreader so that others may learn and benefit

    from your issue.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Damian N Leibaschoff [MSFT], Jan 19, 2004
    #2
    1. Advertisements

  3. Jimbo

    Jimbo Guest

    HI Damian,

    We'll do the netcap this evening when I can get logged on the machine
    remotely to set it up. I'll disconnect the remote session however and get
    the user to do the actual running - no sense in complicating the data.

    The MTU on the DSL is the typical 1492 I believe - cable showing 1500 on our
    router. How could I verify these to be sure - by calling the DSL ISP?

    Black hole router ... now that would be an issue huh?

    JS
     
    Jimbo, Jan 19, 2004
    #3
  4. Jimbo

    Jimbo Guest

    PS:

    We have the DSL modem direct to XP box now, so likely MTU is default XP
    1480.

    JS
     
    Jimbo, Jan 19, 2004
    #4
  5. The most common problem is a router in the path that has a lower MTU and is
    just dropping the packets without telling anyone.
    The articles will describe steps to find out the maximum common MTU on the
    route.

    Regards,
    Damian

    --
    Damian N. Leibaschoff, MS IST, MCSE
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via

    your newsreader so that others may learn and benefit

    from your issue.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Damian N Leibaschoff [MSFT], Jan 19, 2004
    #5
  6. Jimbo

    Jimbo Guest

    Hi Damian,

    FIXED.

    MTU was the culprit and I have reported my findings to both ISP's, if they
    care to look into it.

    We adjusted the MTU on the remote computer and it is functioning perfectly.

    Thanks to everyone for pointing me in the right direction. As always, this
    is a wonderful group to turn to.

    JS
     
    Jimbo, Jan 19, 2004
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.