
Router issues to one subnet

Brazen

Diamond Member
Ok, this is probably too weird and has stumped my IT department all day.

Here is our setup: from our ISP connection to a 3COM switch, which is then connected to our SonicWALL Pro-VX firewall/router. All of our network, except for a few special servers, is behind the SonicWALL and using NAT. Our own webserver is located at our ISP and on the same subnet as our firewall.

Here is our problem: computers behind the firewall cannot connect to our webserver. Through the firewall's config, I tried pinging our webserver - nada, but it can ping anywhere else in the world. We have some extra public IPs, so I set up a workstation with a public IP and plugged it in to the 3COM switch (hence not through the firewall) and pinged the webserver and it worked.

So I changed the IP of the SonicWALL to that of the workstation (and of course unplugged the workstation) and made sure the TCP/IP info matched EXACTLY and tried pinging the webserver from the SonicWALL - nada.

So I'm thinking whatever is blocking the SonicWALL from our own webserver must be going by MAC address. I unplug the SonicWALL, spoof its MAC and copy its IP info to a linksys router, plug in the linksys, plug in a workstation to the linksys so the outside world should think this is the exact same router as the SonicWALL, but I CAN reach our webserver through the linksys.

Now this is where it gets real WEIRD: I hook the SonicWALL back up, and I can reach our webserver!! But only for like ten minutes and then our webserver again returns no reply. So I plug the linksys back in again, it works, I plug the SonicWALL back in and it works again for like ten minutes!?!

Any thoughts on what is going on?
 
When you try to ping your webserver are you doing it from your firewall or from one of your servers behind the firewall?

In any case, some traceroutes would be useful. Do one when it works so we see a complete route and do one with the SonicWall so we can see where the problem is.
 
I try pinging the webserver from the firewall and also from a workstation behind the firewall, they both fail.

I did a traceroute from the firewall which got as far as the ISP's gateway and that was it. Later this afternoon I will do a traceroute from a workstation that is not behind the firewall to see exactly what should come up, but I'm pretty sure it should just be from the firewall, to the ISP's gateway, to the webserver.
 
All it tells you is if the ping got a response or not. And pinging the webserver just says no response.
 
Well, I was mistaken about the tracert apparently. When running a tracert from the firewall to the webserver, it returns nothing. When running a tracert from a workstation connected directly to the ISP (not behind the firewall) it returns only 1 hop, and that is the webserver.
 
Post all IP addresses (internal/external firewall interfaces, gateways, subnet masks and DNS entries).

Post all host IP settings (IP address, mask, gateway, DNS).
 
I don't think any of this matters, none of this was changed anyway, but here ya go:

ISP gateway: x.y.z.3
webserver: x.y.z.25
outside firewall: x.y.z.11
outside subnet: 255.255.255.224

Inside is all private IPs and I'm pinging from the firewall anyway, so that doesn't matter. It has no problem communicating with DNS, and it won't ping by ip anyway.
 
By the way, pinging the FQDN does return the correct IP, but no response then from the server.... if this gives anyone any ideas.
 
Originally posted by: Brazen
By the way, pinging the FQDN does return the correct IP, but no response then from the server.... if this gives anyone any ideas.

That's what I was thinking: you have an incorrect IP somewhere or a mask/routing problem.

It's pretty unusual to have the internal and external IP networks (which I assume is a class C net) the same, so what are the masks?

Actually, a 255.255.255.224 mask means that your internal and external IP addresses are part of the same network. That could definitely cause a routing problem with your firewall.

Can you do a raw physical and logical diagram?

Something like this:

---isp---|--3com switch--|--Firewall--|---another switch---|---server/host---|

It's almost impossible to troubleshoot something like this without drawing it out and thinking the routing/flows through.
 
Well, since I'm pinging from the firewall itself, it would look like this:

---isp---|--3com switch--|--Firewall--|
 
Originally posted by: Brazen
Well, since I'm pinging from the firewall itself, it would look like this:

---isp---|--3com switch--|--Firewall--|

A full diagram would help. I believe you have a routing/mask issue, or maybe even a layer 2 problem if both the firewall's external interface and the webserver are plugged into the same switch... that's a network no-no.
 
The webserver is at the ISP; it is not behind another router though, as evidenced by a workstation with an outside IP plugged in to the 3com running a tracert. The ISP swears up and down that they did not make any changes the day we started having this problem, but who knows... the guys at our ISP have not shown themselves to be the brightest bulbs in the bunch. Come to think of it, I might head on over there and switch some stuff around.
 
Originally posted by: Brazen
I did a traceroute from the firewall which got as far as the ISP's gateway and that was it. Later this afternoon I will do a traceroute from a workstation that is not behind the firewall and to see exactly what should come up, but I'm pretty sure it should just be from the firewall, to the ISP's gateway, to the webserver.

The fact your traceroute is hitting the ISP makes it sound like it is answering the ARP requests from the firewall. Do you know if proxy-arp is enabled on the ISP's interface to you?

I'm not familiar with SonicWALL devices in general, but is there a way to look at the ARP cache? If so, is the MAC address for the IP of the webserver showing the correct MAC address or the MAC address of the ISP?
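The check spidey07 is asking for above is a comparison of what the firewall's ARP cache says about each neighbour against what it should say: the webserver's entry should carry the webserver's own MAC, not the ISP gateway's. The script below is an added example, not from this thread or from SonicWALL; it parses a constructed `arp -a` style listing (Linux/BSD format), with the thread's x.y.z placeholder replaced by the documentation prefix 192.0.2 and made-up MACs, and flags any non-gateway IP that resolves to the gateway's MAC (the signature of the ISP answering ARP on the server's behalf) or to a MAC other than the one you expect.

```python
import re

# Constructed sample of a firewall's ARP cache in `arp -a` style (Linux/BSD
# format). The thread's x.y.z prefix is replaced with 192.0.2 (a documentation
# range) and every MAC address is made up.
SAMPLE_ARP = """\
? (192.0.2.3) at 00:11:22:33:44:03 [ether] on eth0
? (192.0.2.25) at 00:11:22:33:44:03 [ether] on eth0
? (192.0.2.20) at 00:11:22:33:44:20 [ether] on eth0
"""

# What the owner of each host says its MAC really is (constructed). Entries
# absent from this map are only checked against the gateway's MAC.
EXPECTED_MACS = {"192.0.2.25": "00:11:22:33:44:25"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: mac} from an `arp -a` listing; MACs are normalised to lowercase."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group("ip")] = match.group("mac").lower()
    return table


def classify_entries(table, gateway_ip, expected_macs):
    """Label every cached IP.

    'gateway'  - the entry for the gateway itself
    'proxied'  - a non-gateway IP whose cached MAC is the gateway's MAC,
                 i.e. the gateway is answering ARP for that host
    'mismatch' - the cached MAC differs from the one in expected_macs
    'ok'       - nothing suspicious
    """
    gateway_mac = table.get(gateway_ip)
    verdict = {}
    for ip, mac in table.items():
        if ip == gateway_ip:
            verdict[ip] = "gateway"
        elif gateway_mac is not None and mac == gateway_mac:
            verdict[ip] = "proxied"
        elif ip in expected_macs and expected_macs[ip].lower() != mac:
            verdict[ip] = "mismatch"
        else:
            verdict[ip] = "ok"
    return verdict


def suspicious_hosts(table, gateway_ip, expected_macs):
    """IPs whose ARP entry needs a second look, sorted for stable output."""
    verdict = classify_entries(table, gateway_ip, expected_macs)
    return sorted(ip for ip, label in verdict.items() if label in ("proxied", "mismatch"))


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP)
    for ip, label in classify_entries(cache, "192.0.2.3", EXPECTED_MACS).items():
        print(f"{ip:<14} {cache[ip]}  {label}")
```

On a real firewall you would feed it the device's own ARP table instead of `SAMPLE_ARP`; a `proxied` verdict for the webserver's IP is the situation spidey07 describes, where the gateway's MAC, not the server's, is what the firewall sends to.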
 
Originally posted by: Brazen
The webserver is at the ISP; it is not behind another router though, as evidenced by a workstation with an outside IP plugged in to the 3com running a tracert. The ISP swears up and down that they did not make any changes the day we started having this problem, but who knows... the guys at our ISP have not shown themselves to be the brightest bulbs in the bunch. Come to think of it, I might head on over there and switch some stuff around.

I have to say this.

But quite honestly you are not listening to me. This is a very common problem and you will not do the necessary steps to troubleshoot it, and instead resort to blaming it on the provider and not your own actions of mucking with stuff. The host is behind (on the internal interface of the SonicWALL firewall, right?) a firewall, which IS a router by essence of being a layer 3/4 device. But still you have the external and internal IP networks of this firewall on the same subnet.

You absolutely refuse to follow the normal troubleshooting steps. Start at layer 1 and work your way up.

good luck.
 
Originally posted by: spidey07
Originally posted by: Brazen
The webserver is at the ISP; it is not behind another router though, as evidenced by a workstation with an outside IP plugged in to the 3com running a tracert. The ISP swears up and down that they did not make any changes the day we started having this problem, but who knows... the guys at our ISP have not shown themselves to be the brightest bulbs in the bunch. Come to think of it, I might head on over there and switch some stuff around.

I have to say this.

But quite honestly you are not listening to me. This is a very common problem and you will not do the necessary steps to troubleshoot it, and instead resort to blaming it on the provider and not your own actions of mucking with stuff. The host is behind (on the internal interface of the SonicWALL firewall, right?) a firewall, which IS a router by essence of being a layer 3/4 device. But still you have the external and internal IP networks of this firewall on the same subnet.

You absolutely refuse to follow the normal troubleshooting steps. Start at layer 1 and work your way up.

good luck.


Look Spidey, first of all I never blamed anything on our provider, but I am going to go do some troubleshooting on that end.

Second of all, the host is not behind the firewall and the internal and external networks of the firewall are not on the same subnet. I have already explained all of this.

Finally, I don't "muck" with stuff. It does not make you look better to give insults when you can't follow what is going on.

...but thanks for trying...
 
Perhaps a stupid question:


They are using 3 bits (27 overall) for the network portion in the last octet of the subnet if your subnet mask is 255.255.255.224:

w.x.y.z/27


According to the IPs you posted:

ISP gateway: x.y.z.3
webserver: x.y.z.25
outside firewall: x.y.z.11

Those are all on subnet 000.

Do you have the equivalent of ip subnet-zero enabled so that you can use a 0 subnet?
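Goosemaster's arithmetic above can be checked mechanically. The script below is an added example, not from this thread; it uses Python's standard `ipaddress` module, substitutes the documentation prefix 192.0.2 for the thread's x.y.z placeholder, and for the posted addresses with mask 255.255.255.224 reports the /27 they sit in, which of the eight /27 blocks of the enclosing /24 that is (block 0 is the "subnet zero" Goosemaster is asking about), and whether the webserver is on-link from the firewall's outside interface. An on-link destination is reached by ARP directly rather than through the gateway, which is why the ARP question earlier in the thread matters.

```python
import ipaddress

MASK = "255.255.255.224"  # the /27 mask from the thread

# The thread's x.y.z placeholder is replaced with 192.0.2 (documentation range).
# These are the roles and last octets Brazen posted; the prefix is constructed.
HOSTS = {
    "ISP gateway": "192.0.2.3",
    "webserver": "192.0.2.25",
    "outside firewall": "192.0.2.11",
}


def network_of(ip, mask):
    """The subnet an address belongs to under the given dotted mask, e.g. 192.0.2.0/27."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def prefix_length(mask):
    """Count of network bits in a dotted mask (255.255.255.224 -> 27)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def on_link(local_ip, mask, remote_ip):
    """True if remote_ip is in local_ip's subnet, so it is resolved by ARP, not routed."""
    return ipaddress.ip_address(remote_ip) in network_of(local_ip, mask)


def block_index_in_24(ip, mask):
    """Which sub-block of the enclosing /24 the address falls in (0 = subnet zero)."""
    net = network_of(ip, mask)
    parent = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (int(net.network_address) - int(parent.network_address)) // net.num_addresses


def usable_range(ip, mask):
    """(first, last) usable host addresses of the subnet, as dotted strings."""
    hosts = list(network_of(ip, mask).hosts())
    return str(hosts[0]), str(hosts[-1])


def same_subnet(ips, mask):
    """True if every address in `ips` falls in one and the same subnet."""
    nets = {network_of(ip, mask) for ip in ips}
    return len(nets) == 1


if __name__ == "__main__":
    fw = HOSTS["outside firewall"]
    print(f"/{prefix_length(MASK)} subnet of the firewall: {network_of(fw, MASK)}")
    print(f"block within the /24: {block_index_in_24(fw, MASK)}")
    print(f"usable hosts: {usable_range(fw, MASK)}")
    for role, ip in HOSTS.items():
        print(f"{role:<17} {ip:<12} on-link from firewall: {on_link(fw, MASK, ip)}")
```

With the posted values the three addresses all land in 192.0.2.0/27 (hosts .1 through .30), block 0 of the /24, so the firewall should never send traffic for the webserver to the gateway at all; whether the platform accepts a zero subnet is a separate question for the SonicWALL's own documentation.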
 
Originally posted by: Brazen
Originally posted by: spidey07
Originally posted by: Brazen
The webserver is at the ISP; it is not behind another router though, as evidenced by a workstation with an outside IP plugged in to the 3com running a tracert. The ISP swears up and down that they did not make any changes the day we started having this problem, but who knows... the guys at our ISP have not shown themselves to be the brightest bulbs in the bunch. Come to think of it, I might head on over there and switch some stuff around.

I have to say this.

But quite honestly you are not listening to me. This is a very common problem and you will not do the necessary steps to troubleshoot it, and instead resort to blaming it on the provider and not your own actions of mucking with stuff. The host is behind (on the internal interface of the SonicWALL firewall, right?) a firewall, which IS a router by essence of being a layer 3/4 device. But still you have the external and internal IP networks of this firewall on the same subnet.

You absolutely refuse to follow the normal troubleshooting steps. Start at layer 1 and work your way up.

good luck.


Look Spidey, first of all I never blamed anything on our provider, but I am going to go do some troubleshooting on that end.

Second of all, the host is not behind the firewall and the internal and external networks of the firewall are not on the same subnet. I have already explained all of this.

Finally, I don't "muck" with stuff. It does not make you look better to give insults when you can't follow what is going on.

...but thanks for trying...

Don't let him get to ya 😉
 
Originally posted by: Goosemaster
Perhaps a stupid question:


They are using 3 bits (27 overall) for the network portion in the last octet of the subnet if your subnet mask is 255.255.255.224:

w.x.y.z/27


According to the IPs you posted:

ISP gateway: x.y.z.3
webserver: x.y.z.25
outside firewall: x.y.z.11

Those are all on subnet 000.

Do you have the equivalent of ip subnet-zero enabled so that you can use a 0 subnet?

Frankly, I just use what our ISP told us to use, which has been working fine for years. Just today we had to restart our firewall three times (haven't had to do this before) because it wasn't routing ANY traffic to the WAN. So my boss is chalking it up to hardware failure and ordered a new firewall. This one was only three years old, pretty young for a router if you ask me, but he still wants to go with the same brand when we could get Cisco for the same price.
 
Originally posted by: classy
Does it work longer than 10 minutes with the linksys?

Yes, I had the linksys plugged in for like 2 hours, and it worked fine the whole time.

I don't know, could it really be some weird hardware glitch? It seems so odd that it would only affect our ISP's webserver.
 
Originally posted by: Brazen
Originally posted by: classy
Does it work longer than 10 minutes with the linksys?

Yes, I had the linksys plugged in for like 2 hours, and it worked fine the whole time.

I don't know, could it really be some weird hardware glitch? It seems so odd that it would only affect our ISP's webserver.

Hmmm, that's a toughie. If everything works fine with the linksys then you know the problem lies with the router. As far as IP related stuff, I would see that as being irrelevant, because it wouldn't work at all. Maybe it's some kind of policy kicking in somewhere, and it affects the communication between the SonicWALL and the webserver. I am unfamiliar with SonicWALL configuration so I can't comment. All these IP addresses are static, correct? My gut feeling says it lies with that router's table. Can you enter a static route entry for the subnet the webserver is on in the SonicWALL? And double check the configuration setup for the SonicWALL. Then I would call Sonic if you haven't already done that.
 