XP Pro machine can ping everyone except 1 machine



treysha
09-17-2006, 11:47 AM
Hi, there is a strange problem.

There is this particular PC that is running XP Pro that can surf the net and see (and ping) all the other PCs EXCEPT our email server. It was working fine the past year, this problem just started two days ago.

All the other machines can see the email server just fine, and I've double checked more than once: all the network settings on ALL the PCs are exactly the same (i.e. dynamic IP, subnet, DNS, etc.).

I'm perplexed; the network card is working, the cables are too, the network settings are the same throughout, and the firewall is not blocking anything.

Does anyone have any ideas?

Erik
09-17-2006, 02:23 PM
Is this on a domain? What kind of mail server? Does it have any issues pinging other servers in the domain, if applicable? I am thinking it might be a domain-level authentication issue.

Are you able to send/receive mail from the PC on the mail server?

juniper
09-18-2006, 09:46 AM
Are you trying to ping the mail server by name or by IP address?
Try pinging by name, then by IP; this will check name resolution. If neither works, trace to the mail server if it's on a different subnet:

from PC to mail server IP
tracert x.x.x.x

from mail server to PC IP
tracert x.x.x.x


If on the same subnet:
1. Check for an IP conflict between the two boxes.
2. Clear the ARP cache on both machines.
3. Reboot the switch.


To check connectivity bypassing the server firewall, telnet to the mail server on port 25:

telnet x.x.x.x 25
helo


Once connected, type helo. Do you get a response?

I'm not aware of any domain authentication policies that would cause ICMP to drop for a single host. The mail server
has to allow any host to connect to its port 25 if it receives e-mail from the internet as well.
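The telnet-to-port-25 check juniper describes, scripted so each step (name resolution, TCP connect, SMTP HELO) reports separately. This is an added example, not code from any poster; the mail server it talks to is a constructed loopback stand-in so it runs offline, and "client.example" / "mail.example" are placeholder names.

```python
import socket
import threading

def _read_line(sock):
    """Read one CRLF-terminated SMTP line from a connected socket and return it as text."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()

def check_smtp(host, port=25, timeout=5.0, helo_name="client.example"):
    """Triage a mail server without relying on ICMP: DNS, TCP connect, then SMTP HELO."""
    result = {"resolved": None, "connected": False, "banner": None, "helo_reply": None}
    try:
        result["resolved"] = socket.gethostbyname(host)   # name -> IP (name resolution check)
    except socket.gaierror:
        return result                                   # resolution problem, not a firewall
    try:
        with socket.create_connection((result["resolved"], port), timeout=timeout) as s:
            result["connected"] = True                  # TCP handshake completed despite no ping
            result["banner"] = _read_line(s)            # expect a "220 ..." greeting
            s.sendall(f"HELO {helo_name}\r\n".encode())
            result["helo_reply"] = _read_line(s)        # expect "250 ..."
            s.sendall(b"QUIT\r\n")
    except OSError:
        pass   # refused (nothing listening) or timed out (filtered by a firewall)
    return result

def start_fake_smtp_server():
    """Constructed stand-in for the mail server on a loopback port; returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example ESMTP ready\r\n")
            if _read_line(conn).upper().startswith("HELO"):
                conn.sendall(b"250 mail.example Hello\r\n")
            _read_line(conn)  # consume the client's QUIT
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_loopback_port():
    """Constructed: a loopback port with nothing listening, to show the refused case."""
    s = socket.socket(); s.bind(("127.0.0.1", 0)); port = s.getsockname()[1]; s.close()
    return port
```

Against a real server you would call `check_smtp("mailserver-name")` first, then `check_smtp("x.x.x.x")` with the IP, and compare which step fails.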

Erik
09-18-2006, 10:22 AM
Well, it really depends if you do an internal and external Exchange. I have seen domains that block pings, and only allow authenticated domain PCs to do anything other than get an IP. It really depends on how tight security is. One place I work you can get an IP on any machine you connect, but unless it is a domain member that is all you can do network-wise.

juniper
09-18-2006, 10:54 AM
> I have seen domains that block pings, and only allow authenticated domain PCs to do anything other than get an IP.

Please enlighten me, not sure what you are saying here. Are you saying there is a domain policy that only allows domain computers to get the IP address but it doesn't use ICMP? What protocol is used to get the IP address then? Or are you saying the firewall blocks ICMP and only authenticated hosts can send e-mail to the server on port 25 using SNMP authentication? (This isn't a domain policy but rather a firewall setting for blocking ICMP and the server running SNMP authentication.)



> Well it really depends if you do an internal and external Exchange.

Are you referring to SNMP authentication? Only authenticated hosts can send mail to the server? (Doesn't receive e-mail from outside.) Telnet to 25 should still work, as telnet sets up the connection to authenticate to SNMP.

Variable
09-18-2006, 11:12 AM
I think Juniper means SMTP not SNMP. He was asking the right question about pinging an IP or name to diagnose it further. I would also check that the PC is on the network and, if there is a domain, whether the PC has domain access.

Erik
Probably on any network set up for DHCP you can attach a PC and get a network address. If it is not joined to a domain, that is about all it can do network-wise.

juniper
09-18-2006, 11:32 AM
> I think Juniper means SMTP not SNMP.

Yeah, that's what I meant LOL! Rough weekend hehe.
Doesn't help that I'm setting up SNMP polling ATM either LOL!
Thanks Variable!

My point was though that SMTP authentication is not tied to ICMP or vice versa. He can't ping it, so ICMP is being dropped
somewhere or redirected. Telnetting to 25 will show a firewall in most cases.

Erik
09-18-2006, 06:51 PM
Honestly I am not really sure how it is done, as I don't work on any servers or policy settings at that site. My best guess would be that it gets an IP, but no gateway or something until you log in to the domain and scripts are run. The startup scripts they run are probably a hundred plus pages of code (stored locally and updated at logoff). Yes, any network doing DHCP will give an IP to anyone, but things can be manipulated in many different ways.

No, not SMTP authentication. Rather a separate Exchange server in a DMZ open for all to accept incoming mail. Then a second Exchange server inside the network which gets passed the emails through the firewall after being screened.

I work in some places that have pretty strict IT policies and really limit everything. Honestly it is a huge PITA, as for some reason they can never get everything working properly, so they just have us go around and disable features they can't fix.

Anyway this is getting way OT, and is most likely not the case here.

juniper
09-19-2006, 11:06 AM
> No, not SMTP authentication. Rather a separate Exchange server in a DMZ open for all to accept incoming mail. Then a second Exchange server inside the network which gets passed the emails through the firewall after being screened.

This is a standard front end / back end setup (Microsoft best practice for security). The server in the DMZ will usually host web access and be an MTA (message transfer agent) for the backend server that has the Exchange database, and the two machines talk over a secured SSL port that needs to be opened in the firewall between the DMZ and the internal mail server. This makes it so no external connections can directly attach to the Exchange database server. Internal hosts will directly attach to the internal server using RPC. (Troubleshooting client to Exchange server connectivity you use RPC pings, just an FYI.) Whatever; unless port 25 is being blocked by a firewall between the internal and DMZ server, the telnet will work. Again, this would be a firewall policy, not domain.


> My best guess would be that it gets an IP, but no gateway or something until you login to the domain and scripts are run.

This has nothing to do with domain policy as well; this is a DHCP server set to not send a gateway address and the login script propagates the field after the authentication (also not in policies, it's a custom written script in C++ or VB). So basically they disable routing until authenticated? Theory is good, but the way they are doing it (if that's how they're doing it) is kinda wacked LOL! Would be better served using the switches and firewalls with dynamic ACLs with dynamic port security with Secure ACS (TACACS+ or RADIUS) or something. (Just my opinion hehe.)

Although I should clarify domain policies. To me, domain policies are settings in AD security or other AD policies.
A general looser term used by others is all policies in the domain, which is too vague IMHO, pertaining to any equipment in the network whether it's AD enabled or not. Kinda like saying the domain policy prevents spam to the mail server when actually AD has nothing to do with it; it's the mail server subscribing to RBLs.

And yes, we are getting off track hehe, was hoping to learn somfin new. Now waiting on the original poster.

Erik
09-20-2006, 09:56 AM
Yes, I guess I was using the term domain policy sort of loosely here. I would agree that it should really just be referring to AD, and not everything and anything going on in the network.

They are VB scripts BTW. Why they decided to do things this way rather than using authentication by the 802.1x standard I have no clue. I suppose in theory it works well enough until you realize all one needs to do is manually set the proper IP information on any random PC they bring in.