Exactly.

While it is possible for the problem to be a server-side config, it is more
likely that there is a security setting tied to the switch port, or IP
address or some protocol in use by the server.

I had a scenario where I built a new server to replace my old monitoring
server and put it into a policy group on the firewall that limited traffic
to it.  Took me a while to figure that one out, even though I was the only
person who had managed the devices in question.



ASB (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 25, 2011 at 12:30 PM, Ziots, Edward <ezi...@lifespan.org> wrote:

>  That is what I was getting at, an ACL on the router(s) that connect the B
> segment to the A segment and vice-versa.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org
>
> Cell:401-639-3505
>
>
>
> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
> *Sent:* Monday, April 25, 2011 11:55 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: frustrating network issue on two servers
>
>
>
> Are you sure this is an OS issue and not something having to do with
> routers or switches or firewalls in between the devices?
>
>
>
> Have you considered running nMap against those two "problem" machines from
> another system on their own subnet (and even from the machines themselves)
> in order to isolate where the problem is coming from?
>
>
>
> Also, look at the routing table on the machines in question and see how it
> differs from the machines that work.  (Even if it appears to work via PING,
> it could be different)
>
>
>
> I'd do all of these *before* I bothered with a reinstall...
>
>
>
>
>
>
>
>  On Mon, Apr 25, 2011 at 10:53 AM, G.Waleed Kavalec <kava...@gmail.com>
> wrote:
>
> That is exactly where I am, but I cannot find a single factor on R1 or R2
> that would account for such a rule.
>
>
>
> All firewalls are off.
>
>
>
> I've compared Services on R1 and (working) R3.
>
>
>
> Especially: what kind of access control *only* affects connections from
> another subnet?
>
>
>
>
>
> Sincerely
>
> Bald by Nightfall
>
>
>
>
>
> On Mon, Apr 25, 2011 at 9:14 AM, Ziots, Edward <ezi...@lifespan.org>
> wrote:
>
> That looks better,
>
>
>
> But from B1 to a different R server on the A side. Shows that the ACL might
> just be with the first R server (you tested)
>
>
>
> Z
>
>
>
>
>
>
>
>
>
>
> *From:* G.Waleed Kavalec [mailto:kava...@gmail.com]
> *Sent:* Monday, April 25, 2011 9:46 AM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: frustrating network issue on two servers
>
>
>
> Here is the nmap result from B1 to a different R server
>
>
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-25 08:42 Central Daylight Time
>
> Nmap scan report for 192.168.2.134
> Host is up (0.0092s latency).
> PORT     STATE  SERVICE
> 137/tcp  closed netbios-ns
> 138/tcp  closed netbios-dgm
> 139/tcp  open   netbios-ssn
> 445/tcp  open   microsoft-ds
> 1433/tcp open   ms-sql-s
>
> Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
>
>
>
>
>
> Doesn't this mean the routers are fine?
>
>
>
>
>
>
>
> On Mon, Apr 25, 2011 at 8:34 AM, Ziots, Edward <ezi...@lifespan.org>
> wrote:
>
> Check your ACLs on the router on the B side before it sends the traffic
> over to the interface on the A side.
>
>
>
> Z
>
>
>
>
>
>
> *From:* G.Waleed Kavalec [mailto:kava...@gmail.com]
> *Sent:* Monday, April 25, 2011 9:31 AM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: frustrating network issue on two servers
>
>
>
> OK, I've had my cup of coffee and realized that '*filtered*' != 'open'
>
>
>
> Now I have to figure out why these ports are filtered, but only across the
> subnet.
>
>
>
>
>
> On Mon, Apr 25, 2011 at 8:21 AM, G.Waleed Kavalec <kava...@gmail.com>
> wrote:
>
> OK, success in nmap - still same symptoms in SQL and Browse
>
>
>
>  NMAP -sS -P0 -p 137,138,139,445,1433 192.168.2.132
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-25 08:16 Central Daylight Time
>
> Nmap scan report for 192.168.2.132
> Host is up.
> PORT     STATE    SERVICE
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 1433/tcp filtered ms-sql-s
>
> Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds
>
>
>
>
>
> Wonderful!  NMAP assures me that nothing is wrong.  But the patient is
> still dead.
>
>
>
>
>
> On Sun, Apr 24, 2011 at 4:55 PM, Ziots, Edward <ezi...@lifespan.org>
> wrote:
>
> C:\windows\system32>nmap -sS -P0 -p 137,138,139,445,1433 172.18.2.41
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-24 17:54 Eastern Daylight Time
>
> Nmap scan report for riavayadsp1.lsmaster.lifespan.org (172.18.2.41)
> Host is up.
> PORT     STATE    SERVICE
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 1433/tcp filtered ms-sql-s
>
> Nmap done: 1 IP address (1 host up) scanned in 9.81 seconds
>
>
>
> Did the same command against one of my systems, with Windows 7 and NMAP
> 5.5.1 and worked fine.
>
>
>
> Z
>
>
>
>
>
>
> *From:* G.Waleed Kavalec [mailto:kava...@gmail.com]
> *Sent:* Sunday, April 24, 2011 5:37 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: frustrating network issue on two servers
>
>
>
> The exact command I used was
>
>
>
>
>
> Nmap –sS –P0 –p 137,138,139,445,1433  192.168.2.132
>
>
>
> This gave back the error I posted.
>
>
>
>
>
> On Sun, Apr 24, 2011 at 3:18 PM, Ziots, Edward <ezi...@lifespan.org>
> wrote:
>
> I also scanned systems with Nmap 5.51 and the commands I gave earlier
> worked fine.
>
>
>
> Without seeing the response from Nmap I can’t tell you if a router acl, or
> firewall setting, is the culprit.
>
>
>
> Z
>
>
>
>
>
>
> *From:* G.Waleed Kavalec [mailto:kava...@gmail.com]
> *Sent:* Sunday, April 24, 2011 4:06 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: frustrating network issue on two servers
>
>
>
> Ipsec policy agent is running, no policies defined.
>
>
>
>
>
> On Sun, Apr 24, 2011 at 2:34 PM, Crawford, Scott <crawfo...@evangel.edu>
> wrote:
>
> ipsec service running? any policies defined?
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
>
>
>     ------------------------------
>
> On Apr 24, 2011 2:02 PM, G.Waleed Kavalec <kava...@gmail.com> wrote:
>
> All firewalls off.
>
>
>
> Once again, browse and SQL work fine from the same subnet/site.
>
>
>
> And ping from both, both directions.
>
>
>
>
>
> On Sun, Apr 24, 2011 at 1:08 PM, Ben N <bennordlan...@gmail.com> wrote:
>
> Any firewalls? Either Windows or something else in between. Make sure
> ports are open. Try telnet to port 445 to be sure.
>
> On Apr 24, 2011 10:59 AM, "G.Waleed Kavalec" <kava...@gmail.com> wrote:
> > Nope. R1 or R1.ourdomain.local same symptoms.
> >
> > Ping yes - from either subnet.
> >
> > Browse no, SQL no - but ONLY fails from subnet B.
> >
> >
> > On Sun, Apr 24, 2011 at 12:50 AM, Crawford, Scott <crawfo...@evangel.edu> wrote:
> >
> >> does it matter if you use the fqdn?
> >>
> >>
> >>
> >> Sent from my Palm Pre on the Now Network from Sprint
> >>
> >> ------------------------------
> >> On Apr 23, 2011 11:16 PM, G.Waleed Kavalec <kava...@gmail.com> wrote:
> >>
> >> Thanks Tom, I'll give that a shot in the morning.
> >>
> >>
> >> On Sat, Apr 23, 2011 at 9:39 PM, Tom Miller <tmil...@hnncsb.org> wrote:
> >>
> > >>> Check the IP properties of the servers in question. I had an issue
> > >>> with week where one of my 2008 R2 servers couldn't ping, get to anything. I
> > >>> went into the properties of IPv4, everything looked good, then checked the
> > >>> box to "verify" upon exit. Then all was well. Weird. May not apply, just
> > >>> a suggestion.
> >>>
> >>> You can always uninstall/reinstall the file server role (can't remember
> >>> the exact name of the role off-hand).
> >>>
> >>> >>> "G.Waleed Kavalec" 04/23/11 8:43 PM >>>
> >>> Two sites, R and B. Same domain, different subnets.
> >>>
> >>> All R servers can see all B servers
> >>> All B servers can see all R servers - EXCEPT TWO
> >>>
> >>> R1 and R2 see all B servers, browse folders etc.
> >>>
> >>> B servers can PING R1 and R2 just fine; R1 and R2 can PING B
> >>> servers just fine.
> >>>
> >>> But B cannot browse R1 or R2 folders for nothing.
> >>>
> >>> Diagnose gives "file and print sharing resource R1 is online but isn't
> >>> responding to connection attempts"
> >>>
> >>>
> >>> Other R servers can browse R1 and R2 no problem.
> >>> Other R servers can connect to R1 and R2 sql instances just fine.
> >>>
> > >>> B servers can browse other R servers no problem.
> > >>> B servers can connect to other R servers sql instances just fine.
> >>>
> >>>
> >>> Firewalls OFF, route statements confirmed (see: ping)
> >>>
> >>> All machines 2008 R2 up-to-date on patches.
> >>>
> >>> I **think** I have verified all necessary services are up.
> >>>
> >>>
> >>> Arrrrggh !
> >>>
> >>> --
> >>>
> >>> __________________
> >>> Gregory Waleed Kavalec
>
>
>
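
Added example, not part of the original thread: a small Python parser for the Nmap output quoted above that separates `filtered` (the probe got no answer) from `open`/`closed` (the host itself replied), then compares the failing R server with the working one as seen from B1. The function names and classification labels are assumptions made for this illustration; the scan text is transcribed from the two results in the thread.

```python
import re

# Scan text transcribed from the two results in the thread (both run from B1).
SCANS = """\
Nmap scan report for 192.168.2.132
PORT     STATE    SERVICE
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1433/tcp filtered ms-sql-s
Nmap scan report for 192.168.2.134
PORT     STATE  SERVICE
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1433/tcp open   ms-sql-s
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_scans(text):
    """Return {host_ip: {port: state}} from Nmap normal output; tolerates '>' e-mail quoting."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(3)
    return hosts

def classify(states):
    """Label what one host's port states prove about the path; open (SYN/ACK) and
    closed (RST) both show the probe reached the host's own TCP stack."""
    vals = set(states.values())
    if vals == {"filtered"}:
        return "dropped-in-path"  # no SYN/ACK or RST came back: a filter ate the probes
    return "partially-filtered" if "filtered" in vals else "host-answered"

def compare(hosts, suspect, reference):
    """Ports the reference host answers on but the suspect silently drops, same scanner."""
    return sorted(p for p, s in hosts[suspect].items()
                  if s == "filtered" and hosts[reference].get(p) in ("open", "closed"))
```

Run against the thread's data, `compare` returns all five ports: the inter-subnet path carries these ports to 192.168.2.134, so whatever drops them is specific to 192.168.2.132 or its attachment point.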
