Windows Thread, Urgent Help Needed: Can't ping or access website on a server behind a router in Technical; Full subject: Urgent Help Needed: Can't ping or access website on a server behind a router unless second NIC is ...
  1. #1
    link470's Avatar

    Urgent Help Needed: Can't ping or access website on a server behind a router

    Full subject: Urgent Help Needed: Can't ping or access website on a server behind a router unless second NIC is disabled
    I apologize for the extremely long post, but I'm posting this wherever I can to get help. None of our IT staff in the district can figure it out, and our ISP can't figure it out. If you could take 5 minutes to read this, any help would be greatly appreciated and I seriously thank you for your time in advance.

    ---

    Hey everyone,

    I've got a really odd and annoying issue that has just sprung up over the last few days. On the network, I've got a number of servers behind a Cisco router that is provided by our ISP and has a full class C external subnet assigned to it. I'm only using about 6 external addresses out of the more than 200 available. We have one main large network for the building that our users use, and that has a computer acting as a firewall. So the main internal network only uses 1 external IP address. The servers are all inside this corporate network with local IP addresses. I have several other devices in the building that require a dedicated external IP, and one of the servers has 2 NICs: one NIC is internal [with a static internal IP address of course], 1 NIC is an external NIC with a static external IP address assigned to it. This is a critical server that is hosting a website application to the public. So my setup is that the internal port on the Cisco router plugs into a switch, and any device [including the external NIC on the mentioned server, and the main internal network for example] requiring an external IP address plugs into this. External IPs need to be assigned, as the Cisco router doesn't assign them.

    Stuck with me so far? Awesome, thank you! Now, this setup has worked great for around 4 years with absolutely no issues. Heck, we've even received a new router from our ISP [managed by the government, I don't have control over this unit] and things still continue to work. Here's where things get sketchy. I recently replaced a bunch of switches on our internal network on our patch panel/rack, and on this rack happens to be the router, and external switch. The external switch was an unmanaged 8 port switch, so I ended up replacing that with a rack mount 24 port switch to keep things clean. When I fired everything back up, our internal network came up, and had internet. The devices around the building that required an external IP and were patched directly into the external switch all came up, and are accessible from outside of the network. The only problem is with that one server with both an internal and external NIC. The website/services on that server hosted through the external NIC are unavailable from outside the router. Now, keep in mind that to me, the only thing that was changed between that external NIC and the Cisco router, was the switch. That's it. Even from inside of our main network, I can go to my desktop computer on the internal company network, pull up an internet browser, visit the publicly accessible [or so it should be] website, and it comes up. I watch the lights on the network equipment and follow the trace, and my computer is going to our gateway/firewall, out the external port to the switch, and straight through the switch into the external NIC on the server to pull the site. Perfect. But I can't view the website from outside of the router.

    I talked to someone from the ISP's support about it, and they were connected to the router and could ping inside to the server, but could not ping the server from outside the router. Gotta be a router issue on their side right? Wait. It gets weirder. After a couple hours of trying to figure out what was happening, I decided to try something. I brought down the Windows firewall on the affected server for both LAN and external NICs, leaving the machine wide open as there is no hardware firewall between it and the switch>router, and I connected to the machine via RDC from the internal network, but typed in the external NIC's IP on the server to connect to [again, going out the firewall of our internal network, and through the switch to the server, never exiting the router], and of course, since the firewall was off, I was successful in connecting via RDC. But I then disabled the internal LAN adapter from my external IP session. My second RDC session that I had connected to using the main internal network adapter [the one I usually manage the server from at my desk] immediately cut out. Good so far. Lo and behold, after disabling the LAN connection, the support representative could access the website from outside the router via the external NIC, and ping the server. I re-enabled the LAN connection on that server, and he couldn't access the website anymore.

    Thank you very much for reading this far, I really really appreciate your time. If you can offer any help as to why this is happening, that would be greatly appreciated, as I need to get this server up FAST. I don't want a bandaid fix, I need this server online the way it was. No changes were ever made over the last few days on the server, and everything was plugged in again properly after the switches were swapped out, and the support rep even removed all ACLs and firewall rules on the router to allow a 100% unrestricted straight pass through, and with the LAN connection on that affected server enabled, the external IP didn't serve the website outside the router. Keep in mind, when I accessed the website from inside our company network, even by specifying the external IP address in the web address bar to specify to only go via external [making sure I wasn't just using an internal path, despite that not even being available because of IIS configuration], it worked. The website came up. But would not serve outside of the router if the LAN port was enabled.

    Definitely one of the most confusing issues I've ever run into, and the support people at Tier 1, Tier 2, and Tier 3 network operations support for the ISP were completely stumped. If you need any more information or clarification on anything I've described, please let me know.

    Thanks again!

  2. #2

    m25man's Avatar
    Ok so it's a multi homed server with 2 NICs...

    From your lengthy description my first guess is that you have defined a gateway address on the internal NIC?

  4. #3
    link470's Avatar
    Hello, thanks for your reply! That's right. On the internal NIC, the gateway address is the gateway of our firewall on the internal school network. On the external NIC, the gateway is the router. Each NIC only has one gateway defined. Despite that not being the recommended setup as servers only like one gateway, this setup has worked for ages. Why it's decided to quit now, I'm not quite sure.

    Since posting, I've also tried connecting to the external switch [a Dell PowerConnect 3324 managed switch] and reloading the default configuration, to make 100% sure that it was, in fact, a flat switch with no configuration. Absolutely no change. Still cannot access the website in question outside of the router. I've also dumped the ARP cache on the affected server.
    Last edited by link470; 14th March 2012 at 01:32 AM.

  5. #4

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,139
    Thank Post
    860
    Thanked 2,692 Times in 2,282 Posts
    Blog Entries
    9
    Rep Power
    771
    Could check adapter binding order, remove the second default gateway or at least lower its metric as it could be trying to return traffic through that link instead of the one it received it from. This could be because both links are now 1gb/s ? and so the metric no longer picks the right route to return the request.

  7. #5
    link470's Avatar
    Good calls from both of you. The issue is now solved! I'd add a solved tag to the title but I can't edit past posts anymore. Just doing some thinking as to what may have caused it to go down suddenly after having worked for so long before and no configuration changes.

    I ended up removing the default gateway on the internal address, leaving only the IP/Subnet Mask/DNS1/DNS2, and the website from outside the router fired up instantly. So, why was this only an issue now? SYNACK, I think you may be onto something with the link speeds, although before, the external NIC was plugged into an 8 port 10/100 switch, and the internal was plugged into a 48 port 10/100 switch on the main rack. With the current setup, there's a 10/100/1000 switch as the backbone on the core internal network, and the internal NIC is now plugged into that, and the external is plugged into the rack mounted 24 port external switch, which is still 10/100 speed. So the only one that changed was the internal NIC is now on a gigabit switch.

    Does that make sense and could that be a valid reason that this happened?
    Last edited by link470; 14th March 2012 at 05:26 PM.

  8. #6

    SYNACK's Avatar
    Quote: Originally posted by link470:
    "Does that make sense and could that be a valid reason that this happened?"
    Yes, that is a valid reason. Windows assigns metrics to each link based on how fast they are, and so it may have been receiving requests from an internet IP on the external interface, but the return traffic would look at the routing table and find the fastest link (as far as it knew) back to the internet, then send the reply that way. Because the internal link was faster, its metric would have been better, and so all return packets would have been trying to go out via the internal interface.

    By removing the internal default route it removed it from the routing table so that all traffic looking for the fastest way out to the internet would use the external link.

    You can still have it set up with two default gateways but you will need to manually adjust the link metric to prefer the external link despite the speed difference. This will give the external link precedence and make sure traffic flows properly.

  10. #7

    m25man's Avatar
    Synack explained it all so well I won't waste any time repeating it.

    If you have two NICs in a server it's only going to have one of a few roles: bridge, team or router.
    Each role requires a specific configuration.
    In your situation only the external NIC required a gateway entry so external packets can find the way to and from the web server.
    Your internal NIC doesn't need a gateway; the server knows where it is! Everything else is handled by the routing table.

    What's most worrying is that your Tier 1, 2 & 3 support didn't think of it! It was the first thing that I thought of....

  12. #8
    link470's Avatar
    Thanks SYNACK and Geoff, I fully understand what happened now and why it only triggered after adding the faster switch to the internal network. That makes perfect sense. Much appreciated and thank you both for your time and advice!
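
The return-path selection explained in post #6, modelled as an added example (not code from the thread or from Windows itself). Assumptions: the speed-to-metric table is the automatic-metric table Microsoft documented for Windows versions of that period, ties between equal metrics go to binding order, the route metric is simplified to the interface metric, and all addresses are constructed documentation ranges.

```python
import ipaddress

def auto_metric(link_mbps):
    """Automatic interface metric by link speed (assumed table, see lead-in)."""
    for floor, metric in ((200, 10), (20, 20), (4, 30), (0.5, 40)):
        if link_mbps > floor:
            return metric
    return 50

def build_routes(nics):
    """One on-link route per NIC plus a default route per configured gateway."""
    routes = []
    for order, nic in enumerate(nics):      # list order stands in for binding order
        metric = nic.get("metric") or auto_metric(nic["mbps"])
        routes.append((ipaddress.ip_network(nic["subnet"]), nic["name"], metric, order))
        if nic.get("gateway"):
            routes.append((ipaddress.ip_network("0.0.0.0/0"), nic["name"], metric, order))
    return routes

def reply_interface(routes, client_ip):
    """Longest prefix wins; ties go to the lowest metric, then binding order."""
    dst = ipaddress.ip_address(client_ip)
    matches = [r for r in routes if dst in r[0]]
    best = min(matches, key=lambda r: (-r[0].prefixlen, r[2], r[3]))
    return best[1]

def server(internal_mbps, internal_gw=True, external_metric=None):
    # Constructed addressing: 203.0.113.0/24 stands in for the public subnet.
    return build_routes([
        {"name": "external", "subnet": "203.0.113.0/24", "mbps": 100,
         "gateway": "203.0.113.1", "metric": external_metric},
        {"name": "internal", "subnet": "10.0.0.0/24", "mbps": internal_mbps,
         "gateway": "10.0.0.1" if internal_gw else None},
    ])

OUTSIDE = "198.51.100.7"   # constructed Internet client
scenarios = {
    "both NICs on 10/100 switches": server(100),
    "internal NIC moved to gigabit": server(1000),
    "internal gateway removed": server(1000, internal_gw=False),
    "both gateways, external metric 5": server(1000, external_metric=5),
}

if __name__ == "__main__":
    for label, routes in scenarios.items():
        print(f"{label:34} reply leaves via {reply_interface(routes, OUTSIDE)}")
```

Only the gigabit scenario with both gateways sends the reply out of the internal NIC, which is the asymmetric path that made the site unreachable from outside the router; on a live server the same check is reading the two 0.0.0.0 entries and their metrics in `route print`.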
