Network question

zetsway

Senior member
Nov 8, 2007
721
0
76
Okay so I applied for a job and they asked me this question.

I couldn't answer it so more than likely I didn't get the job. Here's the question:

Your company has an Internet connection supplied to the LAN from a hardware firewall connected to a T1 router. During normal business hours, the Internet goes down. After checking the T1 router and the corporate firewall, you find that the firewall has suffered a hardware failure. You replace the hardware firewall with a spare firewall. The spare firewall is the exact same model and runs the same firmware. You use the configuration file that was in production on the failed firewall. The configuration file is sound. You shut down the old firewall and remove it from the network, and you install the new firewall with the same configuration file already in place. You cable the firewall properly and it starts normally. None of the systems on your network can get out to the Internet. What is the highest probable cause for this issue and what do you do first to resolve the issue? Also list other probable causes for the Internet connectivity issue.

Please, I'm wracking my brain here. I don't like questions like this because it doesn't show that you know how to do the work. In a real life situation I would be able to figure this out, but I don't do well on tests. Never have.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
I don't have a lot of experience with T1 lines, but from what I have done my first guess would be that the telephone company turned down the signal on the T1 line when their system detected that it was no longer connected to the old firewall. We had this happen a lot at a company I used to work for whenever we moved networking equipment or replaced a T1 card in a router and we had to call the TelCo to get them to turn the T1 lines back on.

It may also be that the T1 card in the spare router is not compatible with the TelCo's system, or that you need to call them to have the new card enabled on their network.



I'm sure there are other things I'm missing since this isn't really my area of expertise but those are the things I would look at first.
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Thanks for your help. This isn't really mine either. I thought the job was for a Sys Admin (i.e. Active Directory, Exchange, etc.), but what you said would make sense.

Thanks,
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Most likely scenario is the ARP entry on the router for the "old" firewall. Need to clear the ARP tables on this router or simply ping the router interface from the firewall. Traffic is going out, but on the return the router is still sending it to the layer 2 address of the old firewall. After about 4 hours this would go away as the ARP entry ages out, but it's easier to just clear the tables.

The T1 line isn't involved in the scenario because the router wasn't touched. Also a provider isn't going to shut down a line just because you don't have a CSU/DSU on it.
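As an added example (not from the thread), here is a Python check for the stale-ARP case spidey07 describes: it parses constructed Cisco-style `show ip arp` output, flags the firewall's IP when the cached MAC is not the spare unit's, and reports how long the entry would persist under the IOS default 240-minute ARP timeout. The sample IPs, MACs and the replacement MAC are assumptions.

```python
"""Spot the stale ARP entry spidey07 describes: after a same-IP firewall swap the
router still maps that IP to the failed unit's MAC.  Constructed sample data."""
import re

ARP_TIMEOUT_MIN = 240  # Cisco IOS default ARP timeout, the "about 4 hours" above

# Constructed 'show ip arp' output: documentation-range IPs, made-up MACs.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.0.2.2              37   0011.2233.aabb  ARPA   GigabitEthernet0/0
Internet  192.0.2.7               3   0011.2233.ccdd  ARPA   GigabitEthernet0/0
"""

def normalize_mac(mac):
    """Reduce aa:bb:cc.., aabb.ccdd.., AA-BB-.. to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def parse_show_ip_arp(text):
    """Parse 'show ip arp' rows; the router's own interface address shows age '-'."""
    entries = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) != 6 or parts[0] != "Internet":
            continue  # header line
        _, ip, age, mac, _, iface = parts
        entries.append({"ip": ip, "age_min": None if age == "-" else int(age),
                        "mac": normalize_mac(mac), "interface": iface})
    return entries

def find_stale_entry(entries, ip, replacement_mac):
    """Return the cached entry for ip if it still points at a MAC other than the spare's."""
    want = normalize_mac(replacement_mac)
    for e in entries:
        if e["ip"] == ip and e["mac"] != want:
            return e
    return None

def minutes_until_ageout(entry, timeout_min=ARP_TIMEOUT_MIN):
    """How long the stale mapping persists if nobody clears the ARP cache."""
    if entry["age_min"] is None:
        return 0
    return max(0, timeout_min - entry["age_min"])

if __name__ == "__main__":
    stale = find_stale_entry(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP), "192.0.2.2", "00:11:22:33:ee:ff")
    print("stale ARP %s -> %s on %s, ages out in %d min" % (
        stale["ip"], stale["mac"], stale["interface"], minutes_until_ageout(stale)))
```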
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
There are any number of things that could be a problem in this situation. I would just start at the T1 connection and work my way back from there. First, if there was a CSU/DSU I would check that for errors. If there are errors there, then you call the telco. Keep in mind that the T1 could be on an external CSU/DSU or one integrated into a card in the router. If it is in the router then you need to make sure your hardware is okay. If L1 and L2 are okay then start checking L3, can you ping?

From there if all things look like they are working start testing connectivity from the router to the firewall and testing the firewall rules. To me there is no glaring issue that could be wrong in this situation. You just have to start eliminating possible problems and work from there. The number one thing not to do is start making changes to the environment until you know it is a problem.

One other thing that I thought of for the firewall is whether it has the correct license on it. There are some devices that only work in a failover mode and will not work on their own unless it is a failure scenario.

Edit: Spidey made a very good point with the ARP entry on the router. However, if it was directly connected that should have flushed the ARP table. If there was a L2 hop in there then it would be something to check for.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
+1 on arp or something with the firewall state table.

It's not about answering the question correctly, but about thinking critically and coming up with something at least somewhat intelligent ;)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: jlazzaro
+1 on arp or something with the firewall state table.

It's not about answering the question correctly, but about thinking critically and coming up with something at least somewhat intelligent ;)

Yeah, this question is really very good. It's a good gauge of the ability to understand what is happening and where the trouble might be.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Originally posted by: spidey07
The T1 line isn't involved in the scenario because the router wasn't touched. Also a provider isn't going to shut down a line just because you don't have a CSU/DSU on it.

You're probably correct. Like I said, I don't have a lot of experience with T1 lines. I only made the comment that I did because our T1 provider did do exactly what I described very frequently if the CSU/DSU was turned off or disconnected for as little as five minutes. It was probably just the local telephone company being dumb (they have a solid and well-deserved reputation for that), but it happened enough that I thought it was worth mentioning. :)
 

zetsway

Senior member
Nov 8, 2007
721
0
76
Originally posted by: spidey07
Originally posted by: jlazzaro
+1 on arp or something with the firewall state table.

It's not about answering the question correctly, but about thinking critically and coming up with something at least somewhat intelligent ;)

Yeah, this question is really very good. It's a good gauge of the ability to understand what is happening and where the trouble might be.

And in this scenario I would hire you :)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I'm still going with ARP. It happens all the time and is quite normal when you change L2/L3 address mappings, like changing out a piece of gear.
 

Svtman

Junior Member
Jan 12, 2003
21
0
0
Originally posted by: spidey07
I'm still going with ARP. It happens all the time and is quite normal when you change L2/L3 address mappings, like changing out a piece of gear.

+1