Local IP address no longer works???

BrandonTech

Background: I work at a small school district. We probably have a little over 2000 users.

I came across this issue on two separate occasions, and I am hoping someone here can help me shed some light on it.

Scenario: Workstation (WS) has a static IP address (static IPs do not reside in the DHCP scope). WS can no longer connect to the internet. I can ping devices on the local network just fine. I cannot ping any WAN addresses. Set the WS to DHCP, Internet connectivity returns. Set the WS IP address to any other available static IP, Internet connectivity returns. Set WS back to original static IP, Internet breaks again.

I've updated drivers, updated BIOS, tried different NICs, ipconfig commands, winsock command...

I should also add that if I take the "faulty" IP address and give it to a different WS, that WS also loses connectivity to the Internet. This makes me definitely think it is tied to the IP address in some way.

Anyone have any ideas, please?
 
Can you ping an IP on the internet, or is it name resolution that is not working? That's where I would start. If its IP address does not ping then I would look at the firewall. If it's name resolution, look at DNS settings on the server?

Can you ping outside IP addresses?
 
Perhaps the firewall is blocking the IP address, or the server has blocked the IP address for some reason.

Thank you for the response. I will look into that further. I recall us looking through our firewall logs the first time it happened, but never found an excuse for the behavior.

I think I will also look back and see if anything got installed which I doubt as only a few users have authority to install anything. However, if something did get installed I guess there is a chance that it could be sending some traffic that the firewall doesn't like.

On the other hand, I have yet to see our firewall totally kill the client's internet connectivity. Blocked pages, yes, but not total loss of WAN...unless something on our network has blacklisted that IP address or something...
 
Run a tracert and see if it tells you anything. Capture some packets with something like Wireshark while you're pinging an outside address and see what that tells you.
 
No go on pinging the IP address. Firewall isn't showing anything blocked, but it doesn't show anything received either (all sent) when pinging and tracert.
 
Tracert succeeded when off the bad IP address...went to gateway, then firewall, then failed when on the bad IP.
 
Just to double...triple check...when you manually assign it an IP, you are typing in the correct gateway?

Else...likely a firewall rule/policy that applies to different internal IP addresses.
 
So when set to the "bad" IP address can it ping inside the network? Can it see and be seen by other network resources?

Yes. The correct DNS record is listed in our DC. Local devices can be pinged from the "bad" IP. Just nothing past our firewall. I can ping devices that are at physically different locations/campuses as they are all part of our local network.
 
For sure, it just perplexes me what is blocking it. Nothing should have changed. And I can see the ping and tracert activity taking place on our firewall from the "bad" IP, but I haven't found anything that is indicating that it is blocked yet. I do see no inbound traffic during these tests, which doubly confirms nothing is coming back.
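
Added example, not part of the original thread or any poster's code: the symptom described in the posts above (the firewall shows traffic sent from the "bad" IP, nothing blocked, nothing received) can be checked per source address over an exported traffic log. The key=value layout, the field names (`srcip`, `action`, `policyid`, `sentbyte`, `rcvdbyte`) and the sample lines are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample (not from the thread). The key=value layout and field
# names are assumed to match the firewall's traffic-log export.
SAMPLE_LOG = """\
date=2024-01-08 time=09:01:12 srcip=10.20.30.40 dstip=203.0.113.10 service="PING" action=accept policyid=5 sentbyte=240 rcvdbyte=0
date=2024-01-08 time=09:01:40 srcip=10.20.30.40 dstip=198.51.100.7 service="HTTPS" action=timeout policyid=5 sentbyte=180 rcvdbyte=0
date=2024-01-08 time=09:02:03 srcip=10.20.30.41 dstip=203.0.113.10 service="PING" action=accept policyid=5 sentbyte=240 rcvdbyte=240
date=2024-01-08 time=09:02:30 srcip=10.20.30.42 dstip=198.51.100.7 service="HTTPS" action=deny policyid=0 sentbyte=0 rcvdbyte=0
date=2024-01-08 time=09:03:00 srcip=10.20.30.41 dstip=198.51.100.7 service="HTTPS" action=close policyid=5 sentbyte=900 rcvdbyte=5200
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def summarize(log_text):
    """Aggregate sessions, bytes, denies and matched policy IDs per source IP."""
    stats = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0,
                                 "denied": 0, "policies": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "srcip" not in rec:
            continue  # skip blank or non-traffic lines
        s = stats[rec["srcip"]]
        s["sessions"] += 1
        s["sent"] += int(rec.get("sentbyte", 0))
        s["rcvd"] += int(rec.get("rcvdbyte", 0))
        s["denied"] += rec.get("action") == "deny"
        s["policies"].add(rec.get("policyid", "?"))
    return dict(stats)

def classify(s):
    """Separate a policy deny from traffic that is forwarded but never answered."""
    if s["denied"] == s["sessions"]:
        return "denied-by-policy"
    if s["sent"] > 0 and s["rcvd"] == 0:
        return "forwarded-no-reply"
    return "ok"

def triage(log_text):
    """Map each source IP in the log to its verdict."""
    return {ip: classify(s) for ip, s in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

The `policies` set in `summarize()` shows which policy IDs matched each address, so a static IP that lands on a different policy than its working neighbours stands out.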
 
What is the firewall?
Why is/was this workstation put on a static? Outside the normal DHCP distribution range.

For a school, I'd assume because it needed some special rule applied. I have that sort of setup at a few clients for special restrictions that Untangle puts on them.
 
Fortigate 300D.

It hosts nutrition software that communicates to three points of sale. It also backs up to a central server at our main office.
 
Perhaps there's an ACL to prevent POS rigs from getting to the internet?
This machine isn't one of the actual POSs. We also do not have an ACL that would prevent these machines from accessing the internet. The previous machine that had the same issue was used in our maintenance department to communicate with HVAC equipment.
 
Just wanted to update those that have been helping with ideas thus far. I have not been able to access the machine over the weekend as I intended. I do plan to go by there tomorrow and troubleshoot further. Thank you all for the suggestions so far...
 
So, this is not the first machine to have this issue? What do the machines have in common? That may provide a clue. I still think something is tripping the firewall. Did the previous machine have the same function or share any functions? Same users (even intermittently)? Same network branch?
 