Welcome to ISAserver.org

Client issue - no gateway reachable???

Client issue - no gateway reachable??? - 8.May2008 9:41:49 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
I'm sorry for asking this again, but I still can't figure out what is missing.

I have a Server 2003 AD network with an ISA Server 2006 on the edge as a firewall and proxy server. It is supposed to be my default gateway, I think, but when I run netdiag from the PC at my desk I get the result:

[FATAL] NO GATEWAYS ARE REACHABLE

I have been getting this result for a while, but attributed it to the fact that I had 3 separate gateway IPs bound to the external NIC (we have 4 /29 blocks) while I was waiting to get a new /25 subnet. Now I have moved all of my A records and CNAME entries over onto the new subnet and only have one gateway IP bound to the NIC, the LAN IP on the router for the new subnet. And I now get perfect results on the ISA Server when I run netdiag, but I always get the gateway not reachable result on clients.

The ISA server is also a caching only DNS server, with DNS running on my two server 2003 DCs. All are fully patched. BPA doesn't turn up anything on the ISA. I can still browse the internet from any client and webs are able to be published through the ISA without a problem.

Please help. Ask any question that will help me provide more information needed to resolve this as I don't know what else to add.

edit I should probably point out that I have the private LAN IP of the ISA Server set as the default gateway IP on client computers

EDIT 2 and I can't ping the ISA Server from my PC

< Message edited by manning -- 8.May2008 11:24:56 AM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2
Post #: 1
RE: Client issue - no gateway reachable??? - 12.May2008 12:44:03 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall supports only a single default gateway, and that single default gateway should be on the external interface.

By default, you can't ping the ISA Firewall. There is a system policy rule that you can configure that will allow you to ping from management stations, if you like.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 2
RE: Client issue - no gateway reachable??? - 12.May2008 2:30:50 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

The ISA Firewall supports only a single default gateway, and that single default gateway should be on the external interface.


Yes, that is how my server is set up. As I stated I was stuck with the unsupported configuration of multiple gateways in the past because we had our webs spread across the small /29 subnets. Now that I have them all moved over to our new /25 subnet I only have one gateway address bound, the LAN IP on the router (which is a public IP) for that subnet, and it is bound to the external interface. I had hoped that would resolve the gateway error I mentioned above, but it has not.

Have I missed something in configuration? Did I miss creating a policy to make the ISA server a gateway? Is it maybe nothing to do with ISA and more to do with AD or DNS?

I looked at the routing table and it looks like everything to do with the interface updated.

Also, I just ran netdiag on the ISA server again and notice this result for the DC tests portion:

DC discovery test.......: Passed

DC list test........: Failed

Failed to enumerate DCs by using the browser [ERROR_NO_BROWSER_SERVERS_FOUND]



I hadn't noticed this failure before, though that doesn't mean it wasn't there. Again, this is on the ISA server itself, not a client.

quote:

ORIGINAL: tshinder

By default, you can't ping the ISA Firewall. There is a system policy rule that you can configure that will allow you to ping from management stations, if you like.

HTH,
Tom


OK, that is what I thought I remembered reading. Though shouldn't I be able to ping external addresses? I can't ping Microsoft for instance, neither by name nor IP

< Message edited by manning -- 14.May2008 9:17:40 AM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 3
RE: Client issue - no gateway reachable??? - 14.May2008 10:12:31 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
You have to create rules for all access. If you didn't create a rule to allow the pings you're interested in, it won't work. The ISA Firewall isn't like a PIX or Dlink NAT device, it's a very high security firewall and doesn't allow any traffic unless you allow it by creating a rule.

What is the exact IP addressing information on each of the ISA Firewall's interfaces?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 4
RE: Client issue - no gateway reachable??? - 14.May2008 10:37:48 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
Here is the exact config of the two interfaces:

quote:



Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator.privatenet>ipconfig /all
Windows IP Configuration
  Host Name . . . . . . . . . . . . : server01
  Primary Dns Suffix  . . . . . . . : privatenet.com
  Node Type . . . . . . . . . . . . : Unknown
  IP Routing Enabled. . . . . . . . : Yes
  WINS Proxy Enabled. . . . . . . . : Yes
  DNS Suffix Search List. . . . . . : privatenet.com

Ethernet adapter Local Area Connection:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
  Physical Address. . . . . . . . . : 00-0E-0C-BC-4B-B5
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.10.10.2
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.10.10.5
                                      10.10.10.250
  Primary WINS Server . . . . . . . : 10.10.10.250

Ethernet adapter External Connection:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Embedded Broadcom NetXtreme 5721 PCI-E Gigabit NIC
  Physical Address. . . . . . . . . : 00-18-71-78-1A-20
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : xxx.133.221.252
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  IP Address. . . . . . . . . . . . : xxx.133.221.251
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  IP Address. . . . . . . . . . . . : xxx.133.221.250
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  IP Address. . . . . . . . . . . . : xxx.133.221.249
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  IP Address. . . . . . . . . . . . : xxx.133.221.130
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  Default Gateway . . . . . . . . . : xxx.133.221.129
  NetBIOS over Tcpip. . . . . . . . : Disabled



< Message edited by manning -- 14.May2008 10:44:05 AM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 5
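
The rule stated earlier in the thread (a single default gateway, and only on the external interface) can be checked mechanically against `ipconfig /all` output like the one posted above. The Python below is an added example, not part of any post and not an ISA Server tool; the sample text is constructed from the post with the masked octet replaced by the 203.0.113.0/24 documentation prefix, and `parse_adapters` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample modelled on the `ipconfig /all` output in the post above;
# the masked "xxx" octet is replaced with the documentation prefix 203.0.113.
SAMPLE = """\
Ethernet adapter Local Area Connection:
  IP Address. . . . . . . . . . . . : 10.10.10.2
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.10.10.5
                                      10.10.10.250

Ethernet adapter External Connection:
  IP Address. . . . . . . . . . . . : 203.0.113.252
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  IP Address. . . . . . . . . . . . : 203.0.113.130
  Subnet Mask . . . . . . . . . . . : 255.255.255.128
  Default Gateway . . . . . . . . . : 203.0.113.129
"""

# "  Key . . . . : value" -> key without the dot leader, value possibly empty.
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_adapters(text):
    """Return {adapter: {"nets": [IPv4Interface], "gateways": [IPv4Address]}}."""
    adapters, current, last_key, pending_ip = {}, None, None, None
    for line in text.splitlines():
        header = re.match(r"^Ethernet adapter (.+):\s*$", line)
        if header:
            current = adapters.setdefault(header.group(1), {"nets": [], "gateways": []})
            last_key = pending_ip = None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD.match(line)
        # A line without "key :" continues the previous field (extra gateways, DNS).
        key, value = (m.group(1), m.group(2).strip()) if m else (last_key, line.strip())
        last_key = key
        if not value:
            continue
        if key == "IP Address":
            pending_ip = value
        elif key == "Subnet Mask" and pending_ip:
            current["nets"].append(ipaddress.IPv4Interface(f"{pending_ip}/{value}"))
            pending_ip = None
        elif key == "Default Gateway":
            current["gateways"].append(ipaddress.IPv4Address(value))
    return adapters


def audit(adapters, external):
    """List deviations from 'one default gateway, on the external adapter'."""
    findings = []
    with_gw = {n: a["gateways"] for n, a in adapters.items() if a["gateways"]}
    total = sum(len(g) for g in with_gw.values())
    if total != 1:
        findings.append(f"expected exactly 1 default gateway, found {total}")
    for name, gateways in with_gw.items():
        if name != external:
            findings.append(f"default gateway set on non-external adapter '{name}'")
        for gw in gateways:
            # The gateway must fall inside one of the adapter's own subnets.
            if not any(gw in net.network for net in adapters[name]["nets"]):
                findings.append(f"gateway {gw} is not on-link for '{name}'")
    return findings


if __name__ == "__main__":
    problems = audit(parse_adapters(SAMPLE), external="External Connection")
    print("\n".join(problems) if problems else "gateway layout OK")
```
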
RE: Client issue - no gateway reachable??? - 14.May2008 12:37:27 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, that looks OK.

I don't understand this:
"Yes, that is how my server is set up. As I stated I was stuck with the unsupported configuration of multiple gateways in the past because we had our webs spread across the small /29 subnets. Now that I have them all moved over to our new /25 subnet I only have one gateway address bound, the LAN IP on the router (which is a public IP) for that subnet, and it is bound to the external interface. I had hoped that would resolve the gateway error I mentioned above, but it has not"

Are you saying that you had a router in front of the ISA Firewall, but don't any more, so you assigned the external interface of the ISA Firewall the IP address that used to be the LAN address of the router?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 6
RE: Client issue - no gateway reachable??? - 14.May2008 1:17:13 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

OK, that looks OK.

I don't understand this:
"Yes, that is how my server is set up. As I stated I was stuck with the unsupported configuration of multiple gateways in the past because we had our webs spread across the small /29 subnets. Now that I have them all moved over to our new /25 subnet I only have one gateway address bound, the LAN IP on the router (which is a public IP) for that subnet, and it is bound to the external interface. I had hoped that would resolve the gateway error I mentioned above, but it has not"

Are you saying that you had a router in front of the ISA Firewall, but don't any more, so you assigned the external interface of the ISA Firewall the IP address that used to be the LAN address of the router?

Thanks!
Tom


Hi Tom,

We still have a router in front of the ISA server. We updated our circuit so that we now have a /25 IP block as well as the 4 old /29 blocks. So, where in the past I didn't have enough addresses in any one /29 block for all of my webs, etc. I now do with the /25 block. The relevance of this is that when I was stuck with only the /29 blocks I had my webs spread across 3 of them and had to have 3 different gateway IPs bound on my external interface to publish them. Obviously not supported configuration and is what I had suspected was causing the client gateway issues.

So the IP I have defined on the external interface on the ISA server as its Default Gateway, xxx.133.221.129, is what is defined in the router config as the 'Router LAN IP' for the /25 subnet. I tried using the 'Customer Serial' IP address on the router, but I couldn't get webs and FTP I was publishing through the ISA to work. Plus I was still getting the gateway failure on client computers.

As a historical note, this is how we always had the old ISA 2000 server configured and it worked without a hitch. So for example if I had a /29 block starting with 2xx.44.155.232, the router was configured with .233 as its Router LAN IP, so I used that as the Gateway IP on the external interface on the ISA 2000 server. Everything worked just fine like that. No gateway failures on the clients.

The IPs would have been

2xx.44.155.232 = Network
2xx.44.155.233 = Router LAN IP
2xx.44.155.234 thru 238 = available
2xx.44.155.239 = Broadcast

There is a long story about why I had only one of the subnets bound on the old ISA server and had 3 bound on the new one, but it is really stupid and not worth the bandwidth at this point. It has to do with how the former administrator was publishing our websites.

Does any of the above help? Can I provide any other info that will help?


EDIT I think I found and corrected something to do with the DNS recursive test failing. However, the gateway error persists on all clients as does the DC list test failure on the ISA 2006 server itself. Also, the gateway issue is playing havoc with browsing. If I set the ISA 2006 server as default gateway on my DC/DNS servers DNS still seems to work, but I can't browse from any client computer. I still have to keep my old ISA 2000 server online just for my DCs to use as their gateway, even though all clients are using the ISA 2006 server as their firewall/proxy server.

< Message edited by manning -- 14.May2008 4:00:46 PM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 7
RE: Client issue - no gateway reachable??? - 15.May2008 6:26:07 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
What client types are you using? I was assuming that clients were at least configured as SecureNAT clients.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 8
RE: Client issue - no gateway reachable??? - 15.May2008 9:03:35 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

What client types are you using? I was assuming that clients were at least configured as SecureNAT clients.

Tom


All of my servers are SecureNAT as are some of my clients. Some are legacy Firewall clients and the computer at my desk is using the newer Firewall client. I use a wpad entry to autoconfigure IE.

All servers are either 2003 or 2000 and are fully patched. All DCs are 2003 as is the Exchange Server. There are no instances of SBS. All desktops and notebooks are XP SP2.

I generally avoid web browsing on the servers except to access the MSKB or sites like this one in a pinch if I don't have a laptop in the systems room at the time.

EDIT  Hmmm, OK let's try that again. Apparently your web server stopped for a while. I couldn't get to it from behind or in front of the ISA, using 2 separate ISPs

Anyway, like I mentioned before, with the default gateway defined on any computer, whether a server or workstation, as the ISA 2006 server's private network IP I get the default gateway failure. Even so I can still access the internet using that ISA server as the proxy.

I assume that means SecureNAT is failing at that point and web proxy is stepping in?

If I set the default gateway on my DC/DNS servers to use the ISA's network IP, web browsing breaks for everybody.

So based on everything provided, does it seem like maybe DNS issue? Routing maybe? Policy on ISA missing?

< Message edited by manning -- 15.May2008 11:28:01 AM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 9
RE: Client issue - no gateway reachable??? - 16.May2008 3:17:03 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
Forgive me if you consider this double posting or whatever.

I think I found a fix, but I don't understand why it 'fixed' the gateway failure.

Here is the deal; as a secondary issue I wanted to be able to ping external addresses and couldn't do so because it is not allowed by default in ISA 2006. So I searched to find out how to best allow ping (safely) and found Tarek's article about modifying the system policy to allow specific computers to ping

http://www.elmajdal.net/ISAServer/How_to_Allow_Ping_From_Selected_Computers_To_ISA_Server_Machine.aspx

So, perhaps unwisely, I added a range of IPs on my private net (instead of 1 or 2) and now I do NOT get the default gateway failure. Why? Is this just a coincidence?

Frankly I could find nothing else in DNS, etc that could have been causing the default gateway failure. Why would allowing ping from my internal clients have corrected this issue?

< Message edited by manning -- 16.May2008 3:58:25 PM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to manning)
Post #: 10
RE: Client issue - no gateway reachable??? - 18.May2008 12:04:01 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

I suspect it's a coincidence, but if things are working, and since I have no idea what's wrong, I can't complain about it :)

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 11
RE: Client issue - no gateway reachable??? - 19.May2008 9:49:28 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

Hi Manning,

I suspect it's a coincidence, but if things are working, and since I have no idea what's wrong, I can't complain about it :)

Tom


Hi Tom,

Coincidence or not, I'm just glad the error finally went away. I've been chasing this issue on and off for over a year now and had tried everything I could think of. I really appreciate your input.

I think just for curiosity's sake I'm going to set the systems setting back to default and see what happens.

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 12
RE: Client issue - no gateway reachable??? - 20.May2008 7:37:11 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manning,

Sounds good. Let us know what happens.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 13
RE: Client issue - no gateway reachable??? - 20.May2008 4:11:39 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

Hi Manning,

Sounds good. Let us know what happens.

Thanks!
Tom


I set the system policy back to default (ping not allowed) and the gateway failure issue started again. Then I again set it back to allow ping from all of my private IPs and the gateway failure went away.

I'm really puzzled. I honestly (obviously) am not well versed in ISA, but am really baffled that not allowing ping would cause a default gateway problem on all of my clients. Any wild guesses why not allowing ping to the ISA could be impacting my network this way? Am I mis-reading something? My understanding is that it is a good idea to not allow ping, is this wrong?

Edited for clarity

EDIT

Hmm, interesting.

quote:



For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.



http://support.microsoft.com/kb/179442

< Message edited by manning -- 22.May2008 2:03:05 PM >


_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 14
RE: Client issue - no gateway reachable??? - 25.May2008 11:38:23 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Is there a domain member and a DC separated by the ISA firewall?

Thanks!
Tom



_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 15
RE: Client issue - no gateway reachable??? - 27.May2008 11:41:16 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: tshinder

Is there a domain member and a DC separated by the ISA firewall?

Thanks!
Tom




No, that is why this is so frustrating. Simple network, ISA is a domain member. Only thing separated by ISA is public from private. But for some reason the ICMP settings are causing problems.

Long story is the first time I set this ISA server up it was version 2004, and it worked without too much fuss, even with the screwed up multiple gateway IPs. Then I started over from scratch for some reason I don't recall and the gateway issue started up. I think I am on the 4th reinstall at this point and am on version 2006 now. The server joins the domain just fine on setup, and ISA seems to install just fine without errors to speak of. The only other weird thing I noticed is that with each reinstall the routing tables get blown out of RRAS and I wind up having to set them up again.

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 16
RE: Client issue - no gateway reachable??? - 28.May2008 9:06:55 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Maybe it's time to just wipe out the entire machine. Format, install windows and then the ISA firewall?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 17
RE: Client issue - no gateway reachable??? - 28.May2008 11:48:00 AM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
I was afraid you would say that. I'm afraid though that something is stuck somewhere in AD and that is part of the problem. Remember I have clean installed a couple times already without resolution. It is worth a shot though.

I'll have to get the timing figured out for that so it doesn't impact anything I have published through the 2006 ISA for too great a time.

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 18
RE: Client issue - no gateway reachable??? - 29.May2008 11:54:31 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
I have to say I'm lost on this.

Maybe one more thing to try.

http://support.microsoft.com/kb/902347

HTH,
Tom



_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to manning)
Post #: 19
RE: Client issue - no gateway reachable??? - 29.May2008 3:48:54 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
Thanks Tom, I really truly appreciate your attention to this issue. ISA of all flavors has me frustrated right now. I rebooted the old ISA 2000 box last night and all of a sudden all web browsing going through that box is restricted. All of the destination sets and rules are still the same, but for some reason everything is locked down, except for the few folks that have admin level rights. That's weird, but I'm OK with it since not too much goes through that old ISA anyway and the 2006 instance seems to be working OK right now. The ICMP thing is bugging me. I'll take a look at the link you posted. The more I scrutinize this problem the more I am thinking the problem is with AD, or some GP config issue, and not with the particular ISA box. I just can't pinpoint anything on the ISA server itself that screams trouble. On the other hand, I know the network had some config issues from our old systems administrator. I thought I had everything sorted, but who knows what I may have missed.

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other thing.

ISA 2006 standard on Server 2k3 R2

(in reply to tshinder)
Post #: 20
