I am hoping someone can shed some light on this one...

I have two Windows 2003 DCs, both running DNS; there are several Windows 2008 R2 servers and one Windows 2012 Standard server running as member servers. They are all on the same subnet.

Until today, we had no issues with resolving internet addresses via these systems.

SonicWall NSA240 is the firewall.


  • Earlier today I was browsing the internet, no issues at all. I accidentally configured a VM with the same IP address as the firewall (missed out a digit). This was resolved quickly. No changes were made to the firewall.

  • Soon after this I tried to browse a site and found that I couldn't.

  • I bounced on to both DCs and tried to resolve internet IPs; neither worked.

  • Pinging internet addresses also fails.

  • Running tests from the firewall is successful; I can complete DNS resolution and ping tests.

This led me to believe that the problem was internal, but nothing in relation to DNS has been changed.

However, not being able to ping internet IP addresses leads me to the firewall.

DNS setup as follows on both DCs:

  • DNS forwarders to 8.8.8.8 and 8.8.4.4, plus two ISP DNS servers
  • Root hints are showing correctly on both systems
  • Both servers are configured identically; both servers fail the recursive DNS test
  • Both servers cannot ping external addresses (and neither can any device on the network)

I have been scratching my head for a while now; all suggestions welcome!

Ken
    Having a VM with the same ip address as the firewall means that some internal clients may have cached the MAC address for the VM when trying to ARP resolve the ip address of the firewall, which would explain the behavior you're seeing **BUT** I would have expected the ARP cache on your Windows machines to have expired by now and to have flushed that MAC address. Nevertheless it's worth a look. What do you see if you ping the ip address of the firewall from a Windows machine and then view the ARP cache on that machine? Is the firewall's ip address resolving to the correct MAC address? – joeqwerty Jan 02 '15 at 17:44
  • Also, assuming you're using managed switches, what port is the MAC address of the firewall registered to in the switches' MAC address table? Is it correct? – joeqwerty Jan 02 '15 at 17:46
  • The ARP cache is showing the MAC address of the firewall. Thanks for the quick suggestion. – Ken Jan 02 '15 at 18:05
  • I should also add that I see the DNS query being passed by the firewall e.g. 17:56:36 Jan 02 602 Network Debug DNS packet allowed 8.8.8.8, 53, X3 FIREWALLIP, 49153, X3 udp. – Ken Jan 02 '15 at 18:38
  • I would focus on one problem at a time. Ping failures imply a general connectivity issue. Name resolution failures imply a DNS issue. I would tackle the ping issue first. Can you ping from a client to the firewall? If so, can you ping from a client to 8.8.8.8 or 8.8.4.4? – joeqwerty Jan 02 '15 at 18:44
  • I can ping the firewall but cannot ping 8.8.8.8 or 8.8.4.4. – Ken Jan 02 '15 at 19:18
  • OK, so leave DNS to the side for now. It seems like it's strictly a connectivity problem. Do you have a means to capture network traffic at the firewall? What do the firewall logs say? I'm assuming you're allowing outbound ICMP at the firewall and allowing the inbound response? To rule out a simple ICMP blocking problem, can you telnet to any external hosts, such as telnet to port 25 of an external email server? – joeqwerty Jan 02 '15 at 19:21
  • ICMP is allowed (and always has been). I cannot Telnet to external hosts. Capturing traffic at firewall by increasing logging levels or via Wireshark? I've already increased logging levels so that I can see DNS query attempts passing through. – Ken Jan 02 '15 at 19:34
  • Something else to add to the mix - I can also see ICMP packets being passed by firewall.... 19:46:54 Jan 02 598 Network Debug ICMP packet from LAN allowed 192.x.x.x, X0 FIREWALL_LAN_IP, X0 icmp – Ken Jan 02 '15 at 19:48
  • Trying to gather my thoughts. What does a tracert to 8.8.8.8 show? Could this be a routing problem? What does the routing table on the firewall look like? Can you capture traffic on the outside of the firewall with Wireshark? You may need to configure port mirroring/monitoring or connect the interface to a hub (if you have one) in order to plug your workstation in to do a capture. – joeqwerty Jan 02 '15 at 20:33
  • I think I am getting there.... default gateway is where the tracert ends - it does not reach firewall..... the default gateway is a Cisco 2811 router, which has a 0.0.0.0 route to the firewall on same subnet. – Ken Jan 02 '15 at 20:45
  • so the router is in front of the firewall (inside)? What does the MAC address table on the router show for the firewall ip address? What does the MAC address table on the firewall show for the router ip address? Can you ping the firewall from the router? Can you ping the router from the firewall? – joeqwerty Jan 02 '15 at 20:52
  • Pings between Router to Firewall NO, Firewall to Router YES. Correct, router is in front of firewall. The ARP entry on the router shows the correct MAC address for the firewall. – Ken Jan 02 '15 at 21:52
  • OK. Sorry, I should have asked, do you allow PING to the firewall? If not, then pinging the firewall is a red herring. Can you run a tracert from the router to 8.8.8.8? If so, do you get the same results in that the tracert stops at the firewall? Can you post the routing table from the router and the firewall? – joeqwerty Jan 02 '15 at 21:56
  • Yes, ping is allowed to X0 and X3 (WAN). CORRECTION, I can ping Router from Firewall..... but I cannot tracert or ping past FIREWALL from anywhere... – Ken Jan 02 '15 at 22:15
  • Network setup is: – Ken Jan 02 '15 at 22:18
  • I have to ask the obvious one - have you tried power cycling the firewall? – Steve365 Jan 03 '15 at 09:00
  • Yes, I am actually onsite just now. Power cycled firewall and WAN router. The problem is definitely with the firewall - I've isolated the firewall LAN connection and connected a laptop directly to it - same issue - nothing passing through from LAN to WAN. I can browse when connected direct to the WAN router. Suspect policy is at fault (or firewall itself).... Now, I need to check logs on firewall to see what has changed. – Ken Jan 03 '15 at 12:51
  • Worked it out - SonicWall had disabled Permitted LAN->WAN services due to an error in policy - can't mix management and non-management services..... AAArrggghhh!!! Anyway, thanks to those of you who responded - once I had found the erroneous Service entry and enabled the firewall rules related to LAN \ WAN services - bingo, all working again.... was way too tired yesterday to suss this out, had to leave it and come back - lesson learned..... – Ken Jan 03 '15 at 13:40
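The comments above work through the layers one at a time: the ARP entry for the firewall, ping to the inside router, ping to the firewall's LAN interface, ping to a public address, a TCP connection to rule out an ICMP-only block, a trace to see where the path stops, and only then DNS. The script below is an added example that is not part of this thread and not Ken's or joeqwerty's code; it runs that sequence from a Windows 2012 or later member server (the Get-NetNeighbor, Test-NetConnection and Resolve-DnsName cmdlets are not available on 2003 or 2008 R2). Every address and hostname in it is a placeholder to be replaced with your own.

```powershell
# Added example: layered LAN->WAN connectivity triage, in the order the thread
# reasons through it. Placeholders: adjust Gateway/Firewall to your subnet.
param(
    [string]$Gateway   = '192.0.2.1',        # placeholder: inside router (the Cisco 2811 in the thread)
    [string]$Firewall  = '192.0.2.2',        # placeholder: firewall LAN (X0) address
    [string]$External  = '8.8.8.8',          # public address for the ping test
    [string]$DnsServer = '8.8.8.8',          # forwarder used for the recursion test
    [string]$TestHost  = 'www.example.com'   # placeholder name to resolve
)

# Runs one check, prints OK/FAIL, returns only the boolean so callers can branch on it.
function Test-Step {
    param([string]$Name, [scriptblock]$Check)
    $ok = $false
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    Write-Host ('{0,-45} {1}' -f $Name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return $ok
}

# 1. ARP: a stale entry left over from a duplicate-IP incident shows up here,
#    so compare the MAC against the one on the firewall itself.
$null = Test-Connection -ComputerName $Firewall -Count 1 -Quiet   # populate the cache
$neighbor = Get-NetNeighbor -IPAddress $Firewall -ErrorAction SilentlyContinue
if ($neighbor) {
    Write-Host ('ARP entry for {0}: {1} ({2})' -f $Firewall, $neighbor.LinkLayerAddress, $neighbor.State)
} else {
    Write-Host "No ARP entry for $Firewall; the host is not answering on the LAN"
}

# 2. Layer 3 inside the LAN, one hop at a time, then the first public hop.
$gw  = Test-Step "Ping default gateway $Gateway" { Test-Connection -ComputerName $Gateway  -Count 2 -Quiet }
$fw  = Test-Step "Ping firewall LAN $Firewall"   { Test-Connection -ComputerName $Firewall -Count 2 -Quiet }
$ext = Test-Step "Ping external $External"       { Test-Connection -ComputerName $External -Count 2 -Quiet }

# 3. Where does the path stop? Equivalent of tracert.
if (-not $ext) {
    $trace = Test-NetConnection -ComputerName $External -TraceRoute -WarningAction SilentlyContinue
    Write-Host ('Trace to {0} reached: {1}' -f $External, ($trace.TraceRoute -join ' -> '))
}

# 4. Rule out "only ICMP is blocked": a TCP connect to an external service.
$tcp = Test-Step "TCP 53 to $DnsServer" {
    (Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 5. DNS last, and only once transport works; otherwise the failure is not a DNS problem.
if ($tcp) {
    $null = Test-Step "Resolve $TestHost via $DnsServer" { Resolve-DnsName -Name $TestHost -Server $DnsServer -ErrorAction Stop }
}

# Summary, following the same elimination order as the comments.
if     (-not $gw)              { Write-Host 'Gateway unreachable: check the client, its switch port and its ARP cache' }
elseif (-not $fw)              { Write-Host 'Gateway OK but firewall LAN unreachable: check the router ARP table and its route to the firewall' }
elseif (-not $ext -and -not $tcp) { Write-Host 'Firewall reachable but nothing passes LAN->WAN: inspect firewall access rules and service objects' }
elseif (-not $ext -and $tcp)   { Write-Host 'TCP passes but ICMP does not: an ICMP rule, not a general connectivity problem' }
else                           { Write-Host 'Transport is fine; any remaining failure is DNS' }
```

The point of the ordering is the one made in the comments: a failing ping to 8.8.8.8 with a working TCP connect to port 53 is an ICMP rule, whereas both failing while the firewall's own LAN address still answers puts the fault in the firewall's LAN-to-WAN policy, which is where this thread ended up.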

1 Answer

Resolved - the SonicWall service policy entry included an HTTPS Management rule; this created a mismatch and the device disabled permitted LAN -> WAN services and protocols.... It was only whilst I was onsite that I was able to see exactly what was going on.

Ken