[bzowk]

Good Morning All -

I've got a client's DC running Windows 2008 that I'm trying to troubleshoot a strange issue on.

Yesterday, we had one of the hard drives go out. We replaced it and the RAID successfully rebuilt itself. I don't know if this caused the issue, but when in the server I found out the following:

Issue
The server can successfully resolve DNS and ping all internal hosts. However - it cannot ping external (internet) ones. It does resolve their hostnames, though.

I've tried/checked the following:

- Verified IP configuration is correct (running IPv4 - not IPv6)
- tracert to external ip 8.8.8.8 doesn't resolve anything (on another windows server on same domain, it does)
- Must RDP to different windows server on network, then rdp to server having issue to connect
- Tried disabling NIC on server, re-enabling a different physical one, then configuring it's IP info the same
- Tested again this morning after RAID rebuild was complete - nogo
- The server is a DC and manages DNS - all entries look good
- Windows Firewall is Off
- Compared settings for Windows Routing Role to another similarally configured DC
- Pointed to other DNS server as primary instead of itself
- Verified DNS forwarders were correct.

The server is Windows Server 2008 SP2 x64.

I took a small capture of traffic using WireShark while trying to ping 8.8.8.8. The capture is attached. The txt file is plain txt and the 2nd file may be downloaded, renamed, and opened in WireShark for easier reading. They are the same capture.

Any ideas? Thanks!

[joeqwerty]

Not to be rude, but who cares if you can't ping any external ip addresses?

Here are my thoughts:

1. There's a firewall somewhere blocking outbound ICMP Echo Request packets from the server or blocking the inbound ICMP Echo Reply.

2. DNS resolution works correctly, so no DNS issue exists.

3. There isn't a service or program (that I'm aware of) that relies on a successful ping, so the failure of your ping is meaningless.

4. Stop using ping incorrectly. Ping is a tool to check for basic network connectivity/functionallity ONLY if you know for a fact that both systems involved (the pingee and the pinger) should send and receive ICMP echo request and ICMP echo reply packets with no interference from any other entity (firewalls, ACL's on routers, etc). As it is, you don't know for a fact whether or not you should be getting the ICMP Echo Reply. Have you checked the firewall on your server? On the router? At the ingress/egress of your network? At your ISP?

5. As it is, all you've proven is that the server can't ping any external ip address, which in and of itself, means nothing and tells you nothing about the state of your server and/or network.

6. Does the servers inability to get a response from its ping have any bearing whatsoever on any of the services the server is providing?

I don't mean to be harsh, but I see so many posts of the kind "Oh Noe! I can't ping. The Internetz are down!". When in actuallity, you're using the wrong tool for the wrong problem. As it stands, I fail to see what your actual, real life problem is.

[bzowk]

Thanks for your reply - but....

The reason I said I couldn't ping any IP addresses is because I cannot access anything extenally going in or out. I cannot go to web pages, FTP hosts, nor RDP in or out. Maybe I should have mentioned that, but figured it was assumed.

Here are replies to each of your statements:

1. The Windows Firewall is off. There is no other firewall on the server whatsoever.

2. I agree, but still think it's relevant information considering the issue.

3. The reason I mentioned ping is from a testing standpoint. I can ping other sites (like a Google DNS server 8.8.8. from other servers on the same domain, but not this one.

4. Read #3 above

5. Read #4 above

6. Read #5 above

Hopefully by now you can see what it is exactly I'm trying to do... Thanks for the lecture, though...

[tehcamel]

Quote:

Originally Posted by joeqwerty

3. There isn't a service or program (that I'm aware of) that relies on a successful ping, so the failure of your ping is meaningless.

just to be persnickety.. :P
some routers will use ping for dead-peer-detection or dead-gateway-detection so as to failover..

[wullieb1]

Can you get to your gateway???

If you can then you need to check your gateway to see why this server is not allowed out of the network.

Have you changed the IP address at all???

Really could be any number of reasons why this is happening. First port of call is to always check the gateway.

[JeremyW]

I looked at the capture and I have two things for you to check:
1) Make sure the server is configured with the proper default gateway
2) It looks like you're using a Watchguard firewall. Check the firewall's "Blocked Sites" to see if it has the server's IP address listed. If so you can remove it and create an exception.

The reason DNS is working is probably because the server asks the internal DNS server for the record and the other server has no issue getting out.

[bzowk]

JeremyW - you are right on the money...



After recently finding that the gateway could not be pinged, it all started to make sense.



As it turns out, there was a rule in the firewall (Watchguard) which kept that server from talking. No one know how it got there (hmm), but not that it's gone, it's back up 100%.


I appreciate everyone's time that helped out - Thanks!

[JeremyW]

Glad to help.