TROUBLESHOOTING

Chapter 12

Chapter 12: TROUBLESHOOTING 2

OVERVIEW

Determine whether a network communications problem is related to TCP/IP.

Understand how TCP/IP client configuration problems can affect computer performance.

List the reasons why a DHCP client might fail to obtain an IP address from a DHCP server.

List the reasons a DNS client might experience name resolution failures, might supply incorrect information, and might be unable to resolve names for which it is not the authority.

OVERVIEW (continued)

Use TCP/IP tools to isolate a router problem.

Check an RRAS installation for configuration problems.

Troubleshoot static and dynamic routing problems.

Determine the location of an Internet access problem.

OVERVIEW (continued)

Understand client configuration problems and router, NAT, and proxy server problems that can interrupt Internet access.

List possible causes of IPSec policy mismatches.

Describe the functions of the IP Security Monitor and the Resultant Set of Policy (RSoP) snap-ins.

TROUBLESHOOTING TCP/IP ADDRESSING

Isolating TCP/IP problems

Troubleshooting client configuration problems

ISOLATING TCP/IP PROBLEMS

Many problems can cause what appears to be a TCP/IP error when in fact the underlying hardware or network infrastructure is at fault.

Determine if there is a problem with the physical configuration of the system by attempting to access the network using a different protocol.

Check physical elements, such as network cabling, and hardware devices, such as hubs, switches, and routers.

TROUBLESHOOTING CLIENT CONFIGURATION PROBLEMS

Duplicate IP addresses are a cause of many problems on networks that use static IP address configuration.

Attempting to connect a system to the network with a duplicate IP address will prevent the system from communicating on the network.

Implementing DHCP all but eliminates issues with IP address conflicts.

INCORRECT SUBNET MASKS

Two systems on the same physical network segment with two different subnet masks will be unable to communicate.

Use ipconfig /all to verify that the correct subnet mask values have been configured.

Configuring IP addressing via DHCP should eliminate subnet mask addressing conflicts.

INCORRECT DEFAULT GATEWAY ADDRESSES

An incorrect default gateway address will prevent communication with systems on other subnets or networks.

Use ipconfig /all to view the configured default gateway address.

NAME RESOLUTION FAILURES

Ensure that a name resolution failure is not due to a connectivity problem.

Attempt to connect to the target system using an IP address instead of a host name.

Examine name resolution methods such as the HOSTS file, DNS server configurations, LMHOSTS file, or WINS for possible problems.

TROUBLESHOOTING DHCP PROBLEMS

Failure to contact a DHCP server

Failure to obtain an IP address

Failure to obtain correct DHCP options

FAILURE TO CONTACT A DHCP SERVER

On non-APIPA-capable systems, an IP address of 0.0.0.0 will be assigned by the system.

On systems that support APIPA, an address in the 169.254 range will be assigned by the system, provided connectivity to the network can be established.

For DHCP servers on different subnets, relay agents will be required to forward DHCP broadcasts across routers.
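The addressing checks from the subnet mask, default gateway and DHCP slides can be run over the values that ipconfig /all reports. The following is an added example, not part of the original slides; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")

def network_of(ip, mask):
    """Network a host believes it is on, derived from its own address and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def diagnose(ip, mask, gateway=None):
    """Findings for one adapter's IPv4 values as listed by ipconfig /all."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return ["0.0.0.0: no DHCP lease and no APIPA fallback"]
    findings = []
    if addr in APIPA:
        findings.append("169.254.x.x: APIPA address, DHCP server was not reached")
    if gateway and ipaddress.ip_address(gateway) not in network_of(ip, mask):
        findings.append("default gateway is outside the client's own subnet")
    return findings

def mask_mismatch(host_a, host_b):
    """Each host is (ip, mask); returns (a_treats_b_as_local, b_treats_a_as_local)."""
    (ip_a, mask_a), (ip_b, mask_b) = host_a, host_b
    a_local = ipaddress.ip_address(ip_b) in network_of(ip_a, mask_a)
    b_local = ipaddress.ip_address(ip_a) in network_of(ip_b, mask_b)
    return a_local, b_local

if __name__ == "__main__":
    # Constructed sample values, not taken from the slides.
    print(diagnose("0.0.0.0", "0.0.0.0"))
    print(diagnose("169.254.10.20", "255.255.0.0"))
    print(diagnose("192.168.1.10", "255.255.255.0", "192.168.2.1"))
    a = ("192.168.1.10", "255.255.255.0")
    b = ("192.168.1.200", "255.255.255.128")
    print(mask_mismatch(a, b))
```

When mask_mismatch returns two different values, one host addresses the other directly while the other sends its replies toward its default gateway.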

FAILURE TO OBTAIN AN IP ADDRESS

Check the configuration of the DHCP scopes on the server.

Ensure that the DHCP server has a scope for each of the subnets it is designed to service.

Ensure that sufficient IP addresses are available within the scope to service requests.

FAILURE TO OBTAIN CORRECT DHCP OPTIONS

If a system is able to obtain an IP address but cannot connect to a remote system, the default gateway specified in the scope may be incorrect.

Server scope options apply to all scopes on the DHCP server. Scope options are specific to each scope.

TROUBLESHOOTING NAME RESOLUTION

Troubleshooting client configuration problems

Troubleshooting DNS server problems

TROUBLESHOOTING CLIENT CONFIGURATION PROBLEMS

Commence name resolution troubleshooting only after verifying the correct operation of TCP/IP.

Use ipconfig /all to verify that at least one valid DNS server is configured.

Verify connectivity to that server using Ping.

TROUBLESHOOTING DNS SERVER PROBLEMS

Non-functioning DNS servers

Incorrect name resolutions

Outside name resolution failures

NON-FUNCTIONING DNS SERVERS

TROUBLESHOOTING INCORRECT NAME RESOLUTIONS

An incorrect name resolution occurs when a host address is resolved to the wrong IP address.

Incorrect name resolutions can be caused by:

Incorrect resource records

Failure of dynamic updates

Zone transfer failures

TROUBLESHOOTING OUTSIDE NAME RESOLUTION FAILURES

TROUBLESHOOTING TCP/IP ROUTING

Isolating router problems

Troubleshooting the Routing and Remote Access configuration

Troubleshooting the routing table

ISOLATING ROUTER PROBLEMS

Three primary tools are used for isolating router problems:

Ping.exe

Tracert.exe

Pathping.exe

USING PING.EXE

Ping the computer’s loopback address (127.0.0.1).

Ping the computer’s own IP address.

Ping the IP address of another computer on the same LAN.

Ping the DNS name of another computer on the same LAN.

Ping the computer’s designated default gateway address.

Ping computers on another network that are accessible through the default gateway.

USING TRACERT.EXE

Like Ping, allows you to verify that a remote system is available on the network

Reports on every hop between source and destination and reports the time taken to complete the round trip

Allows you to identify the point on the journey at which the problem exists
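Locating the point of failure from Tracert output can be scripted. The following is an added example, not part of the original slides: it parses a constructed sample in Tracert's hop-line layout and reports the last router that answered before the trace went silent. The function names are assumptions made for illustration.

```python
import re

# Hop number, three probe results ("<1 ms", "12 ms" or "*"), then the responder text.
HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")

def parse_hops(output):
    """Return [(hop_number, responder)]; responder is None when all three probes timed out."""
    hops = []
    for line in output.splitlines():
        m = HOP.match(line)
        if m:
            answered = "ms" in m.group(2)
            hops.append((int(m.group(1)), m.group(3).strip() if answered else None))
    return hops

def fault_boundary(hops):
    """Return (last_responder, first_silent_hop_after_it).

    A silent hop followed by a later reply is a router that does not answer
    the probes, so only the unbroken run of timeouts at the end counts.
    """
    replied = [i for i, (_, who) in enumerate(hops) if who is not None]
    if not replied:
        return None, (hops[0][0] if hops else None)
    last = replied[-1]
    first_silent = hops[last + 1][0] if last + 1 < len(hops) else None
    return hops[last][1], first_silent

# Constructed sample output, not captured from a real network.
SAMPLE = """
Tracing route to 203.0.113.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    12 ms    11 ms    12 ms  10.20.0.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    print(fault_boundary(parse_hops(SAMPLE)))
```

Hop 2 is skipped because hop 3 replied after it; the problem lies at or beyond hop 4, the first hop after the last responder.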

USING PATHPING.EXE

Traces a path to a particular destination and displays the names and addresses of the routers along the path

Reports packet loss rates at each of the routers on the path

Useful for diagnosing issues where data loss or transmission delays are being experienced

TROUBLESHOOTING THE ROUTING AND REMOTE ACCESS SERVICE CONFIGURATION (RRAS)

Verify that the Routing and Remote Access Service is running.

Verify that routing is enabled.

Check the TCP/IP configuration settings.

Check the IP addresses of the router interfaces.

TROUBLESHOOTING THE ROUTING TABLE

Troubleshooting static routing

Troubleshooting dynamic routing

TROUBLESHOOTING STATIC ROUTING

TROUBLESHOOTING ROUTING PROTOCOLS

TROUBLESHOOTING INTERNET CONNECTIVITY

Determining the scope of the problem

Diagnosing client configuration problems

Diagnosing NAT and proxy server problems

Diagnosing Internet connection problems

DETERMINING THE SCOPE OF THE PROBLEM

Try to reproduce the Internet connectivity error and note the results.

Determine if the problem is a general connectivity issue or is confined only to Internet access.

Determine the source of the issue and troubleshoot as appropriate.

DIAGNOSING CLIENT CONFIGURATION PROBLEMS

Check the basic TCP/IP configuration parameters.

Check that the default gateway configuration is correct.

Check that the router acting as the default gateway is configured to forward Internet traffic properly.

DIAGNOSING NAT AND PROXY SERVER PROBLEMS

Check the TCP/IP configuration on all interfaces of the system acting as a NAT or proxy server.

Ensure that the NAT implementation is configured to work with the unregistered IP addresses you have assigned to the client computers.

Verify that the proxy server is not blocking access because of an authentication failure or a policy restriction.

DIAGNOSING INTERNET CONNECTION PROBLEMS

If the Internet access router is a system other than that acting as the NAT or proxy server, check the configuration and physical connectivity.

If you have WAN hardware such as CSU/DSU, cable modem, or external ISDN adapters, cycle the power on those devices.

Contact your ISP to determine if they are aware of a problem or can assist in diagnosing and correcting your problem.

TROUBLESHOOTING DATA TRANSMISSION SECURITY

Troubleshooting policy mismatches

Using the IP Security Monitor snap-in

Using the Resultant Set of Policy snap-in

Examining IPSec traffic

TROUBLESHOOTING POLICY MISMATCHES

Incompatible IPSec policies or policy settings can be a common source of problems.

Policy mismatches are recorded in the Security log of Event Viewer.

Current policy settings can be viewed via the Security Monitor snap-in or the Resultant Set of Policy snap-in.

USING THE IP SECURITY MONITOR SNAP-IN

USING THE RESULTANT SET OF POLICY SNAP-IN

EXAMINING IPSEC TRAFFIC

CHAPTER SUMMARY

Duplicate IP addresses can cause both of the computers involved to malfunction.

An incorrect subnet mask makes the computer appear to be on a different network, preventing LAN communications.

When a Windows Server 2003 DHCP client fails to make contact with a DHCP server, the client computer uses APIPA to assign itself an IP address.

CHAPTER SUMMARY (continued)

Ping.exe, the most basic TCP/IP connectivity testing tool, uses ICMP Echo messages to determine if another system on the network is functioning properly.

Tracert.exe is a command-line tool that can help you locate a nonfunctioning router on the network.

Pathping.exe is a tool that sends large numbers of test messages to each router on the path to a destination and compiles statistics regarding dropped packets.

CHAPTER SUMMARY (continued)

For an RRAS router to use either Routing Information Protocol (RIP) or OSPF, you must install the routing protocol and select the interfaces over which it will transmit messages.

If a Windows Server 2003 DNS server computer is accessible from the network but is not resolving names, the DNS Server service might not be running.

An incorrect default gateway address or a malfunctioning default gateway router can hinder Internet connectivity while leaving local communications intact.

CHAPTER SUMMARY (continued)

NAT routers and proxy servers have network interfaces just like client computers, and they must have correct TCP/IP client configuration parameters.

If no other components are at fault, the Internet access router or the WAN connection to the ISP might be the cause of an Internet connection problem.

The IP Security Monitor snap-in displays information about the IPSec policy currently in effect on a particular computer, as well as IPSec statistics.