Re: Curious networking anomaly in Win7 Pro box
Oh, I'm no Spock - that's a hard-learned lesson for me, with occasional reminders needed.

BTW: This issue was resolved via a wipe and reload. User is now happy.

Kurt

On Wed, Feb 1, 2012 at 14:19, Kim Longenbaugh <k...@colonialsavings.com> wrote:
> Well said, Mr. Spock
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, February 01, 2012 3:57 PM
> To: NT System Admin Issues
> Subject: Re: Curious networking anomaly in Win7 Pro box
>
> True, but at this point it's beyond my control, so emotional investment in the outcome is pointless.
>
> On Wed, Feb 1, 2012 at 13:04, Jonathan Link <jonathan.l...@gmail.com> wrote:
>> Or not...if it's a wipe and rebuild we will never know...
>>
>> On Wed, Feb 1, 2012 at 4:01 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>> LOL. Patience, grasshopper...
>>>
>>> Kurt
>>>
>>> On Wed, Feb 1, 2012 at 12:49, Kim Longenbaugh <k...@colonialsavings.com> wrote:
>>>> The suspense is killing me... :)
>>>>
>>>> -----Original Message-----
>>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>>> Sent: Wednesday, February 01, 2012 2:08 PM
>>>> To: NT System Admin Issues
>>>> Subject: Re: Curious networking anomaly in Win7 Pro box
>>>>
>>>> I've just learned that he's on the road on an emergency service call. I may not hear from him for days...
>>>>
>>>> Kurt
>>>>
>>>> On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <k...@colonialsavings.com> wrote:
>>>>> The trace routes weren't informative?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>>>> Sent: Tuesday, January 31, 2012 4:21 PM
>>>>> To: NT System Admin Issues
>>>>> Subject: Re: Curious networking anomaly in Win7 Pro box
>>>>>
>>>>> Not dropping in the sense you mean - I'd still see a traceroute or other ICMP packets in tcpdump, but they wouldn't go anywhere. More to the point, pings to multiple addresses on the same remote subnet are treated the same, and when he's doing the unsuccessful pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply not reaching the office's firewall at all.
>>>>>
>>>>> Also, no other machine is having this difficulty - if they can ping one address on the remote subnet, they can ping all. I even went so far as to have him specify the TTL in the pings at 254, with a timeout of 300ms (usual response time is ~200m, and I didn't want to wait the full 1000ms).
>>>>>
>>>>> As further background, the network firewalls I have are Sidewinders (now known as McAfee Enterprise Secure firewalls, since the acquisition) and are a hardened version of FreeBSD. I can ssh into the box, run tcpdump just like any other *nix and see what's coming across the wire.
>>>>>
>>>>> Kurt
>>>>>
>>>>> On Tue, Jan 31, 2012 at 13:01, Steve Kradel <skra...@zetetic.net> wrote:
>>>>>> Doesn't this imply you are dropping at least some ICMP at the firewall, then?
>>>>>>
>>>>>> On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>>>>> No drops at the firewall.
>>>>>>>
>>>>>>> Forgot to have him do a traceroute - the firewall doesn't allow traceroutes to pass through it, so that doesn't usually occur to me, but in this case it would prove useful. I'll have him try that.
>>>>>>>
>>>>>>> Kurt
>>>>>>>
>>>>>>> On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh <k...@colonialsavings.com> wrote:
>>>>>>>> Compare trace routes from the anomalous machine to the devices you can connect to with trace routes to the ones you can't. Check firewall logs for drops.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>>>>>>> Sent: Tuesday, January 31, 2012 12:56 PM
>>>>>>>> To: NT System Admin Issues
>>>>>>>> Subject: Curious networking anomaly in Win7 Pro box
>>>>>>>>
>>>>>>>> All,
>>>>>>>>
>>>>>>>> Just one machine in our UK office is affected, and I haven't been able to figure it out. All other machines seem to be working fine. This one laptop cannot talk to a few addresses in our US server subnet. For instance, this machine can ping the file server, and the Exchange server, but not the DCs, nor a new terminal server, nor the address of the router on that subnet. However, all of the machines he's trying to ping by name resolve to correct IP addresses.
>>>>>>>>
>>>>>>>> We put Wireshark on this machine, and it thinks it's emitting the ICMP packets, but when I fired up tcpdump on the internal interface of the firewall for his office, I verified that it was not seeing packets for those machines that he was trying to ping, and it was seeing packets for the machines to which he was able to connect.
>>>>>>>>
>>>>>>>> I did a 'route print', to see if there were something odd there, but saw nothing interesting. A malware scan came up clean - and it's a new install of Win7 Pro over XP. I turned off any services that looked interesting, including the Aventail connection service, the Windows firewall, and a couple of others, with no change in result. Haven't had a chance to examine the event logs on the laptop.
>>>>>>>>
>>>>>>>> The laptop is probably going to be wiped before I can work with him on it again, but I'm still very curious. Has anyone seen anything like this before?
>>>>>>>>
>>>>>>>> Kurt
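The laptop-capture-versus-firewall-capture comparison from Kurt's original post, as an added example that is not code from the thread: it takes both captures as tcpdump -n text lines and, for every destination the laptop pinged, reports whether its echo requests ever showed up on the firewall's inside interface, separating "lost before the firewall" from "reached the firewall and unanswered". It assumes the laptop capture has also been reduced to tcpdump-style text (WinDump or similar); the sample lines and the RFC 5737 addresses are constructed, not the thread's networks.

```python
"""Correlate a host-side and a firewall-side capture of ICMP echo requests.

Added example, not code from the thread. A destination the laptop "sent" to
that the firewall never saw was lost between the laptop's capture point and
the firewall (host stack, a filter driver below the capture point, or the
LAN), which is a different problem from a firewall policy drop.

Assumption: both captures are `tcpdump -n` style text lines (tcpdump on the
FreeBSD-based firewall, WinDump or equivalent on the laptop). All sample
lines below are constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Example tcpdump -n line:
# 13:01:02.123456 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 7, length 40
_ECHO_REQ = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
)


def parse_echo_requests(lines):
    """Map (src, dst) -> set of (id, seq) for every ICMP echo request in the text."""
    seen = defaultdict(set)
    for line in lines:
        m = _ECHO_REQ.match(line.strip())
        if m:  # replies, ARP, TCP and anything else are ignored on purpose
            seen[(m["src"], m["dst"])].add((int(m["id"]), int(m["seq"])))
    return seen


def correlate(host_lines, fw_lines, host_ip):
    """Classify each destination that host_ip pinged.

    Returns {dst: (sent_by_host, seen_at_firewall, verdict)}; the counts are
    distinct (id, seq) pairs, so duplicated frames do not skew them, and the
    two capture clocks need not agree because matching never uses timestamps.
    """
    host = parse_echo_requests(host_lines)
    fw = parse_echo_requests(fw_lines)
    dsts = {d for (s, d) in list(host) + list(fw) if s == host_ip}
    report = {}
    for dst in sorted(dsts, key=lambda ip: tuple(int(o) for o in ip.split("."))):
        sent = host.get((host_ip, dst), set())
        arrived = fw.get((host_ip, dst), set())
        if sent and not arrived:
            verdict = "lost before firewall"          # look at the laptop/LAN, not firewall policy
        elif sent and arrived < sent:
            verdict = "partial loss before firewall"
        elif sent:
            verdict = "reached firewall"              # if still unanswered, check firewall logs/policy
        else:
            verdict = "seen only at firewall"         # host capture incomplete or another sender
        report[dst] = (len(sent), len(arrived), verdict)
    return report


# Constructed sample: the laptop (192.0.2.10) pings hosts on the remote server
# subnet; .20 and .21 answer, .10, .30 and the router .1 never do.
HOST_CAPTURE = """\
13:01:02.100000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 40
13:01:02.310000 IP 198.51.100.20 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 40
13:01:03.100000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 2, length 40
13:01:04.100000 IP 192.0.2.10 > 198.51.100.21: ICMP echo request, id 1, seq 3, length 40
13:01:05.100000 IP 192.0.2.10 > 198.51.100.21: ICMP echo request, id 1, seq 4, length 40
13:01:06.100000 IP 192.0.2.10 > 198.51.100.10: ICMP echo request, id 1, seq 5, length 40
13:01:07.100000 IP 192.0.2.10 > 198.51.100.10: ICMP echo request, id 1, seq 6, length 40
13:01:08.100000 IP 192.0.2.10 > 198.51.100.30: ICMP echo request, id 1, seq 7, length 40
13:01:09.100000 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 1, seq 8, length 40
""".splitlines()

# The firewall's inside interface only ever sees the two "working" destinations,
# and only one of the two requests to .21 (constructed to show partial loss).
FIREWALL_CAPTURE = """\
13:01:02.140000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 40
13:01:02.290000 IP 198.51.100.20 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 40
13:01:03.140000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 2, length 40
13:01:04.140000 IP 192.0.2.10 > 198.51.100.21: ICMP echo request, id 1, seq 3, length 40
""".splitlines()

if __name__ == "__main__":
    for dst, (sent, arrived, verdict) in correlate(HOST_CAPTURE, FIREWALL_CAPTURE, "192.0.2.10").items():
        print(f"{dst:16} host sent {sent:2}  firewall saw {arrived:2}  -> {verdict}")
```

Destinations that come back as "lost before firewall" are exactly the ones that point at the laptop rather than at firewall policy, which is the distinction Steve's question and Kurt's "nothing in tcpdump" answer turn on.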
RE: Curious networking anomaly in Win7 Pro box
:)

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, February 03, 2012 2:33 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

Oh, I'm no Spock - that's a hard-learned lesson for me, with occasional reminders needed.

BTW: This issue was resolved via a wipe and reload. User is now happy.

Kurt
RE: Curious networking anomaly in Win7 Pro box
The trace routes weren't informative?

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, January 31, 2012 4:21 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

Not dropping in the sense you mean - I'd still see a traceroute or other ICMP packets in tcpdump, but they wouldn't go anywhere. More to the point, pings to multiple addresses on the same remote subnet are treated the same, and when he's doing the unsuccessful pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply not reaching the office's firewall at all.

Also, no other machine is having this difficulty - if they can ping one address on the remote subnet, they can ping all. I even went so far as to have him specify the TTL in the pings at 254, with a timeout of 300ms (usual response time is ~200m, and I didn't want to wait the full 1000ms).

As further background, the network firewalls I have are Sidewinders (now known as McAfee Enterprise Secure firewalls, since the acquisition) and are a hardened version of FreeBSD. I can ssh into the box, run tcpdump just like any other *nix and see what's coming across the wire.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
Re: Curious networking anomaly in Win7 Pro box
Haven't heard from him yet today. I've pinged him via email - we'll see if he tried it, or if he just decided to wipe and reinstall...

Kurt

On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <k...@colonialsavings.com> wrote:
> The trace routes weren't informative?
Re: Curious networking anomaly in Win7 Pro box
I've just learned that he's on the road on an emergency service call. I may not hear from him for days...

Kurt

On Wed, Feb 1, 2012 at 06:41, Kim Longenbaugh <k...@colonialsavings.com> wrote:
> The trace routes weren't informative?
RE: Curious networking anomaly in Win7 Pro box
The suspense is killing me... :)

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, February 01, 2012 2:08 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

I've just learned that he's on the road on an emergency service call. I may not hear from him for days...

Kurt
Re: Curious networking anomaly in Win7 Pro box
LOL. Patience, grasshopper...

Kurt

On Wed, Feb 1, 2012 at 12:49, Kim Longenbaugh <k...@colonialsavings.com> wrote:
> The suspense is killing me... :)
Re: Curious networking anomaly in Win7 Pro box
Or not...if it's a wipe and rebuild we will never know...

On Wed, Feb 1, 2012 at 4:01 PM, Kurt Buff kurt.b...@gmail.com wrote:
> LOL. Patience, grasshopper...
>
> Kurt
Re: Curious networking anomaly in Win7 Pro box
On Wed, Feb 1, 2012 at 3:49 PM, Kim Longenbaugh k...@colonialsavings.com wrote:
>> I've just learned that he's on the road on an emergency service call. I may not hear from him for days...
>
> The suspense is killing me... :)

That reminds me of: http://www.gifbin.com/982501 ;-)

(No offense intended.)

-- Ben
RE: Curious networking anomaly in Win7 Pro box
Hahahaha, the old see other side joke for the information age.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, February 01, 2012 3:06 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

> That reminds me of: http://www.gifbin.com/982501 ;-)
>
> (No offense intended.)
>
> -- Ben
Re: Curious networking anomaly in Win7 Pro box
True, but at this point it's beyond my control, so emotional investment in the outcome is pointless..

On Wed, Feb 1, 2012 at 13:04, Jonathan Link jonathan.l...@gmail.com wrote:
> Or not...if it's a wipe and rebuild we will never know...
RE: Curious networking anomaly in Win7 Pro box
Well said, Mr. Spock

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, February 01, 2012 3:57 PM
To: NT System Admin Issues
Subject: Re: Curious networking anomaly in Win7 Pro box

> True, but at this point it's beyond my control, so emotional investment in the outcome is pointless..
RE: Curious networking anomaly in Win7 Pro box
Compare trace routes from the anomalous machine to the devices you can connect to with trace routes to the ones you can't. Check firewall logs for drops.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, January 31, 2012 12:56 PM
To: NT System Admin Issues
Subject: Curious networking anomaly in Win7 Pro box

> All,
>
> Just one machine in our UK office is affected, and I haven't been able to figure it out. All other machines seem to be working fine.
>
> This one laptop cannot talk to a few addresses in our US server subnet. For instance, this machine can ping the file server, and the Exchange server, but not the DCs, nor a new terminal server, nor the address of the router on that subnet. However, all of the machines he's trying to ping by name resolve to correct IP addresses.
>
> We put Wireshark on this machine, and it thinks it's emitting the ICMP packets, but when I fired up tcpdump on the internal interface of the firewall for his office, I verified that it was not seeing packets for those machines that he was trying to ping, and it was seeing packets for the machines to which he was able to connect.
>
> I did a 'route print', to see if there were something odd there, but saw nothing interesting.
>
> A malware scan came up clean - and it's a new install of Win7 Pro over XP.
>
> I turned off any services that looked interesting, including the Aventail connection service, the Windows firewall, and a couple of others, with no change in result.
>
> Haven't had a chance to examine the event logs on the laptop.
>
> The laptop is probably going to be wiped before I can work with him on it again, but I'm still very curious.
>
> Has anyone seen anything like this before?
>
> Kurt
Re: Curious networking anomaly in Win7 Pro box
No drops at the firewall.

Forgot to have him do a traceroute - the firewall doesn't allow traceroutes to pass through it, so that doesn't usually occur to me, but in this case it would prove useful. I'll have him try that.

Kurt

On Tue, Jan 31, 2012 at 11:04, Kim Longenbaugh k...@colonialsavings.com wrote:
> Compare trace routes from the anomalous machine to the devices you can connect to with trace routes to the ones you can't. Check firewall logs for drops.
Re: Curious networking anomaly in Win7 Pro box
Doesn't this imply you are dropping at least some ICMP at the firewall, then?

On Tue, Jan 31, 2012 at 3:45 PM, Kurt Buff kurt.b...@gmail.com wrote:
> No drops at the firewall.
>
> Forgot to have him do a traceroute - the firewall doesn't allow traceroutes to pass through it, so that doesn't usually occur to me, but in this case it would prove useful. I'll have him try that.
>
> Kurt
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 1:55 PM, Kurt Buff kurt.b...@gmail.com wrote:
> We put Wireshark on this machine, and it thinks it's emitting the ICMP packets, but when I fired up tcpdump on the internal interface of the firewall for his office, I verified that it was not seeing packets for those machines that he was trying to ping, and it was seeing packets for the machines to which he was able to connect.

What does the network look like? Is it just one big broadcast domain? One physical switch? One IP network, with the firewall being the next-hop route for the troublesome PC?

Does the destination MAC address in the wayward Ethernet frames match the MAC address of the next-hop gateway?

Can you put a sniffer on the wire between the machine and the switch (or mirror/monitor that switch port)?

I wonder if something else is intercepting the traffic, or if the PC is trying to ARP for the hosts or something silly like that. Or even a malfunctioning or misconfigured switch.

(If the local network is sufficiently simple this may be redundant.)

-- Ben
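The two layer-2 questions Ben raises (does the destination MAC of the wayward frames match the gateway, and is the PC ARPing for remote hosts) can be checked mechanically against frames captured on the laptop's own NIC, which is exactly the capture Wireshark was showing while the firewall's tcpdump saw nothing. The script below is an added example written for this thread, not code from the list or from any tool mentioned in it. It assumes Python 3, a hypothetical office subnet of 192.168.10.0/24, a made-up gateway MAC, and four frames constructed inline to stand in for a real capture; none of those values come from the thread.

```python
import ipaddress
import struct

# Assumed lab values (constructed for this example, not from the thread).
LOCAL_NET = "192.168.10.0/24"          # the office subnet, hypothetical
GATEWAY_MAC = "00:11:22:33:44:55"      # the firewall's inside MAC, hypothetical
HOST_MAC = "aa:bb:cc:dd:ee:01"         # the troublesome laptop, hypothetical
HOST_IP = "192.168.10.50"

ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, ethertype
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_ipv4_frame(dst_mac, src_ip, dst_ip, proto=1):
    """Ethernet header + minimal 20-byte IPv4 header (ICMP by default).
    The payload is irrelevant to the layer-2 check, so it is omitted."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(HOST_MAC), ETHERTYPE_IPV4) + ip_hdr


def build_arp_request(src_ip, target_ip):
    """Broadcast ARP who-has for target_ip, as the host's NIC would emit it."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                      mac_bytes(HOST_MAC), ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(b"\xff" * 6, mac_bytes(HOST_MAC), ETHERTYPE_ARP) + arp


def check_frame(frame, local_net, gateway_mac):
    """Classify one outbound frame as ('ok' | 'suspect' | 'ignored', detail).

    Rule 1: an IPv4 packet for an off-link destination must be addressed to
            the gateway's MAC, otherwise it can never reach the firewall.
    Rule 2: the host should never ARP for an off-link address; doing so means
            it believes the remote host is on-link (wrong mask/route or a
            stale ARP cache entry).
    """
    dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame)
    body = frame[ETH_HDR.size:]
    if ethertype == ETHERTYPE_IPV4:
        dst_ip = ipaddress.IPv4Address(body[16:20])   # IPv4 dst at offset 16
        if dst_ip in local_net:
            return "ok", f"{dst_ip} is on-link, sent to {mac_str(dst_mac)}"
        if dst_mac == mac_bytes(gateway_mac):
            return "ok", f"{dst_ip} is off-link, correctly sent to the gateway"
        return "suspect", (f"{dst_ip} is off-link but the frame went to "
                           f"{mac_str(dst_mac)}, not the gateway")
    if ethertype == ETHERTYPE_ARP:
        opcode = struct.unpack_from("!H", body, 6)[0]  # ARP opcode at offset 6
        target_ip = ipaddress.IPv4Address(body[24:28])  # target IP at offset 24
        if opcode == ARP_REQUEST and target_ip not in local_net:
            return "suspect", f"ARP request for off-link address {target_ip}"
        return "ok", f"ARP opcode {opcode} for {target_ip}"
    return "ignored", f"ethertype 0x{ethertype:04x}"


def audit(frames, local_net=LOCAL_NET, gateway_mac=GATEWAY_MAC):
    net = ipaddress.IPv4Network(local_net)
    return [check_frame(f, net, gateway_mac) for f in frames]


# Constructed capture: what Wireshark on the laptop might show for four pings.
SAMPLE_FRAMES = [
    build_ipv4_frame(GATEWAY_MAC, HOST_IP, "10.1.1.10"),            # reachable server
    build_ipv4_frame("de:ad:be:ef:00:01", HOST_IP, "10.1.1.20"),    # unreachable host
    build_arp_request(HOST_IP, "10.1.1.20"),                        # ARP for remote host
    build_ipv4_frame(GATEWAY_MAC, HOST_IP, "192.168.10.1"),         # on-link, fine
]

if __name__ == "__main__":
    for verdict, detail in audit(SAMPLE_FRAMES):
        print(f"{verdict:8s} {detail}")
```

Fed the raw frames from a real capture instead of the constructed ones, a "suspect" verdict on the unreachable destinations would localise the fault to the laptop's own ARP/route handling before the packet ever leaves the NIC, which is consistent with the firewall's tcpdump seeing nothing at all for those hosts.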
Re: Curious networking anomaly in Win7 Pro box
Not dropping in the sense you mean - I'd still see a traceroute or other ICMP packets in tcpdump, but they wouldn't go anywhere. More to the point, pings to multiple addresses on the same remote subnet are treated the same, and when he's doing the unsuccessful pings, there's nothing in tcpdump - just nothing. AFAICT, it's simply not reaching the office's firewall at all.

Also, no other machine is having this difficulty - if they can ping one address on the remote subnet, they can ping all. I even went so far as to have him specify the TTL in the pings at 254, with a timeout of 300ms (usual response time is ~200m, and I didn't want to wait the full 1000ms).

As further background, the network firewalls I have are Sidewinders (now known as McAfee Enterprise Secure firewalls, since the acquisition) and are a hardened version of FreeBSD. I can ssh into the box, run tcpdump just like any other *nix and see what's coming across the wire.

Kurt

On Tue, Jan 31, 2012 at 13:01, Steve Kradel skra...@zetetic.net wrote:
> Doesn't this imply you are dropping at least some ICMP at the firewall, then?
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 14:20, Ben Scott mailvor...@gmail.com wrote:
> What does the network look like? Is it just one big broadcast domain? One physical switch? One IP network, with the firewall being the next-hop route for the troublesome PC?
>
> Does the destination MAC address in the wayward Ethernet frames match the MAC address of the next-hop gateway?
>
> Can you put a sniffer on the wire between the machine and the switch (or mirror/monitor that switch port)?
>
> I wonder if something else is intercepting the traffic, or if the PC is trying to ARP for the hosts or something silly like that. Or even a malfunctioning or misconfigured switch.
>
> (If the local network is sufficiently simple this may be redundant.)

It's one subnet for everything in that office, with the firewall as the gateway, no managed switch (I've been trying for years to get one there).

The machines that are unreachable are in a remote subnet - along with some machines that *are* reachable in that same subnet - and no other machine.

I'm checking to see if it does the same tricks when on wifi - when these tests were performed he had that switched off.

Kurt
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 14:20, Ben Scott mailvor...@gmail.com wrote:
> On Tue, Jan 31, 2012 at 1:55 PM, Kurt Buff kurt.b...@gmail.com wrote:
>> We put Wireshark on this machine, and it thinks it's emitting the ICMP packets, but when I fired up tcpdump on the internal interface of the firewall for his office, I verified that it was not seeing packets for those machines that he was trying to ping, and it was seeing packets for the machines to which he was able to connect.
>
> What does the network look like? Is it just one big broadcast domain? One physical switch? One IP network, with the firewall being the next-hop route for the troublesome PC?
>
> Does the destination MAC address in the wayward Ethernet frames match the MAC address of the next-hop gateway?
>
> Can you put a sniffer on the wire between the machine and the switch (or mirror/monitor that switch port)?
>
> I wonder if something else is intercepting the traffic, or if the PC is trying to ARP for the hosts or something silly like that. Or even a malfunctioning or misconfigured switch. (If the local network is sufficiently simple this may be redundant.)

I just confirmed, it's happening to the customer when he's wireless-only as well as wired-only.

(He's staying up late tonight, working from home, and answering emails. That's dedication for you...)

Kurt
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 6:51 PM, Kurt Buff kurt.b...@gmail.com wrote:
> I just confirmed, it's happening to the customer when he's wireless-only as well as wired-only.
>
> (He's staying up late tonight, working from home, and answering emails. That's dedication for you...)

Wait, does that mean it's happening both on his home network as well as the office network?

-- Ben
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 15:54, Ben Scott mailvor...@gmail.com wrote:
> On Tue, Jan 31, 2012 at 6:51 PM, Kurt Buff kurt.b...@gmail.com wrote:
>> I just confirmed, it's happening to the customer when he's wireless-only as well as wired-only.
>>
>> (He's staying up late tonight, working from home, and answering emails. That's dedication for you...)
>
> Wait, does that mean it's happening both on his home network as well as the office network?

No - it just means he's answering emails about observed behavior from in the office.

Kurt
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 6:11 PM, Kurt Buff kurt.b...@gmail.com wrote:
> It's one subnet for everything in that office, with the firewall as the gateway, no managed switch (I've been trying for years to get one there).

Okay, so, basically, one big collision domain, one dumb switch. A wireless access point plugged into the switch. Firewall/router plugged into that same switch. Yah?

> The machines that are unreachable are in a remote subnet - along with some machines that *are* reachable in that same subnet - and no other machine.

Hmmm, that's interesting. Rules out most routing problems, unless they're individual host routes. Rules out firewall misconfigurations the same way. Rules out most data dependent problems.

> happening ... when he's wireless-only as well as wired-only

That rules out the network transceiver, or even the medium (cable).

Curiouser and curiouser.

I'd still check the MAC addresses with your sniffer, make sure the frames it's sending are indeed addressed to the firewall/gateway. Although I can't imagine what would cause that, at this stage. (I was thinking a static ARP entry, but that would (again) break other things on the same destination network.)

Can you walk someone through getting a sniffer going on another machine, and plugging that in between the problem laptop and the switch? At this point I'm wondering if maybe what the sniffer on the laptop is seeing isn't accurate (i.e., things are getting screwed up further down in the network stack).

-- Ben
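The check Ben describes in the message above (are the frames for the unreachable remote hosts actually addressed to the gateway's MAC, or is the laptop ARPing for them directly?) can be run over a capture rather than eyeballed in Wireshark. The script below is an added example and is not code from anyone in this thread; it parses raw Ethernet II / IPv4 frames with the standard library only, and flags any frame whose IPv4 destination is outside the local subnet but whose Ethernet destination is not the next-hop gateway's MAC. The subnet, the gateway MAC and the sample frames are constructed for illustration; in practice the gateway MAC comes from `arp -a` on the laptop, cross-checked against the firewall's inside interface.

```python
"""Flag off-subnet IPv4 frames that were not handed to the default gateway.

Added example (not from the mailing-list thread). Parses Ethernet II and
IPv4 headers with the standard library only, so it works on raw frame
bytes exported from Wireshark or tcpdump. Addresses and frames below are
constructed for illustration, not taken from the thread.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1

# Assumed values for the office LAN and the MAC the laptop's ARP cache
# shows for its default gateway (hypothetical, not from the thread).
LOCAL_SUBNET = ipaddress.ip_network("192.168.10.0/24")
GATEWAY_MAC = "00:11:22:33:44:55"


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated lowercase MAC."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 headers; return only the fields the check needs."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
            "ethertype": ethertype, "dst_ip": None, "proto": None, "icmp_type": None}
    if ethertype != ETHERTYPE_IPV4:
        return info  # ARP, IPv6, etc.: not relevant to this check
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("frame too short for an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    info["proto"] = ip[9]
    info["dst_ip"] = ipaddress.ip_address(ip[16:20])
    if info["proto"] == PROTO_ICMP and len(ip) > ihl:
        info["icmp_type"] = ip[ihl]   # 8 = echo request
    return info


def misdirected(frame: bytes, subnet=LOCAL_SUBNET, gw_mac=GATEWAY_MAC) -> bool:
    """True if an off-subnet IPv4 packet was sent to some MAC other than the gateway's."""
    info = parse_frame(frame)
    if info["dst_ip"] is None or info["dst_ip"] in subnet:
        return False  # non-IPv4, or local delivery: ARPing for the host itself is correct
    return info["dst_mac"].lower() != gw_mac.lower()


def build_frame(dst_mac: str, dst_ip: str, src_mac="aa:bb:cc:dd:ee:ff",
                src_ip="192.168.10.50") -> bytes:
    """Construct an Ethernet II / IPv4 / ICMP echo-request frame (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, PROTO_ICMP, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + icmp


# Constructed sample capture: pings to two hosts on a remote server subnet plus one local host.
SAMPLE_FRAMES = [
    build_frame(GATEWAY_MAC, "10.1.1.10"),             # correct: handed to the gateway
    build_frame("de:ad:be:ef:00:01", "10.1.1.20"),     # wayward: off-subnet, but not to the gateway
    build_frame("66:77:88:99:aa:bb", "192.168.10.7"),  # local host: direct delivery is fine
]


def find_misdirected(frames) -> list:
    """Return (dst_ip, dst_mac) for every frame that fails the gateway-MAC check."""
    out = []
    for f in frames:
        if misdirected(f):
            info = parse_frame(f)
            out.append((str(info["dst_ip"]), info["dst_mac"]))
    return out


if __name__ == "__main__":
    for dst_ip, dst_mac in find_misdirected(SAMPLE_FRAMES):
        print(f"off-subnet {dst_ip} sent to {dst_mac}, not to gateway {GATEWAY_MAC}")
```

Run it against frames taken from an inline sniffer or a mirrored switch port as well as from the laptop itself: Ben's point is that the laptop's own capture may not reflect what actually leaves the NIC, so a frame that looks correct on the laptop but is missing at the firewall is exactly the case where the two captures need comparing.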
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 16:33, Ben Scott mailvor...@gmail.com wrote:
> On Tue, Jan 31, 2012 at 6:11 PM, Kurt Buff kurt.b...@gmail.com wrote:
>> It's one subnet for everything in that office, with the firewall as the gateway, no managed switch (I've been trying for years to get one there).
>
> Okay, so, basically, one big collision domain, one dumb switch. A wireless access point plugged into the switch. Firewall/router plugged into that same switch. Yah?

Broadcast domain, but yes, you are correct. I believe they've strung together a couple of switches, but not more than that.

>> The machines that are unreachable are in a remote subnet - along with some machines that *are* reachable in that same subnet - and no other machine.
>
> Hmmm, that's interesting. Rules out most routing problems, unless they're individual host routes. Rules out firewall misconfigurations the same way. Rules out most data dependent problems.

Which is why I was curious to print out the routing table on the laptop. There were no anomalies on that.

>> happening ... when he's wireless-only as well as wired-only
>
> That rules out the network transceiver, or even the medium (cable).
>
> Curiouser and curiouser.
>
> I'd still check the MAC addresses with your sniffer, make sure the frames it's sending are indeed addressed to the firewall/gateway. Although I can't imagine what would cause that, at this stage. (I was thinking a static ARP entry, but that would (again) break other things on the same destination network.)
>
> Can you walk someone through getting a sniffer going on another machine, and plugging that in between the problem laptop and the switch? At this point I'm wondering if maybe what the sniffer on the laptop is seeing isn't accurate (i.e., things are getting screwed up further down in the network stack).

If he wants to work on this further, I'll suggest that. He's made noises about wiping it and starting over, and that might be simplest.

Kurt
Re: Curious networking anomaly in Win7 Pro box
That might be the only real way to do it; sounds like something went wrong during the upgrade process from XP to 7.

Jon

On Tue, Jan 31, 2012 at 7:43 PM, Kurt Buff kurt.b...@gmail.com wrote:
> On Tue, Jan 31, 2012 at 16:33, Ben Scott mailvor...@gmail.com wrote:
>> On Tue, Jan 31, 2012 at 6:11 PM, Kurt Buff kurt.b...@gmail.com wrote:
>>> It's one subnet for everything in that office, with the firewall as the gateway, no managed switch (I've been trying for years to get one there).
>>
>> Okay, so, basically, one big collision domain, one dumb switch. A wireless access point plugged into the switch. Firewall/router plugged into that same switch. Yah?
>
> Broadcast domain, but yes, you are correct. I believe they've strung together a couple of switches, but not more than that.
>
>>> The machines that are unreachable are in a remote subnet - along with some machines that *are* reachable in that same subnet - and no other machine.
>>
>> Hmmm, that's interesting. Rules out most routing problems, unless they're individual host routes. Rules out firewall misconfigurations the same way. Rules out most data dependent problems.
>
> Which is why I was curious to print out the routing table on the laptop. There were no anomalies on that.
>
>>> happening ... when he's wireless-only as well as wired-only
>>
>> That rules out the network transceiver, or even the medium (cable).
>>
>> Curiouser and curiouser.
>>
>> I'd still check the MAC addresses with your sniffer, make sure the frames it's sending are indeed addressed to the firewall/gateway. Although I can't imagine what would cause that, at this stage. (I was thinking a static ARP entry, but that would (again) break other things on the same destination network.)
>>
>> Can you walk someone through getting a sniffer going on another machine, and plugging that in between the problem laptop and the switch? At this point I'm wondering if maybe what the sniffer on the laptop is seeing isn't accurate (i.e., things are getting screwed up further down in the network stack).
>
> If he wants to work on this further, I'll suggest that. He's made noises about wiping it and starting over, and that might be simplest.
>
> Kurt
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 7:43 PM, Kurt Buff kurt.b...@gmail.com wrote:
>> Okay, so, basically, one big collision domain, one dumb switch. A wireless access point plugged into the switch. Firewall/router plugged into that same switch. Yah?
>
> Broadcast domain, but yes, you are correct.

Er, yes. Thinko on my part.

> He's made noises about wiping it and starting over, and that might be simplest.

Yah. Pity it's always the really interesting problems that seem to be associated with wipe-and-reload as the most sensible fix. So many mysteries go unsolved...

-- Ben
Re: Curious networking anomaly in Win7 Pro box
On Tue, Jan 31, 2012 at 17:25, Ben Scott mailvor...@gmail.com wrote:
> On Tue, Jan 31, 2012 at 7:43 PM, Kurt Buff kurt.b...@gmail.com wrote:
>>> Okay, so, basically, one big collision domain, one dumb switch. A wireless access point plugged into the switch. Firewall/router plugged into that same switch. Yah?
>>
>> Broadcast domain, but yes, you are correct.
>
> Er, yes. Thinko on my part.
>
>> He's made noises about wiping it and starting over, and that might be simplest.
>
> Yah. Pity it's always the really interesting problems that seem to be associated with wipe-and-reload as the most sensible fix. So many mysteries go unsolved...

Yup. I think in this case the time cost may well be too high...

Kurt