switch config help

Unanswered Question
Sep 27th, 2007

I replaced a server1 but used the same IP. Used a different name. Now I can only connect to it in my building. From switches at the other campuses, they resolve the name to the correct IP but cannot ping the IP. The router resolves and pings it fine, but all the switches at the different campuses can't ping it. Any advice, ideas?

JORGE RODRIGUEZ Thu, 09/27/2007 - 15:36

Hi, does the server have any fw turned on?

Can you ping any other host from the same segment this server is on?

gisdmis1968 Thu, 09/27/2007 - 15:41

It is a brand new server with basic config from Dell. Not for sure on the fw being turned on.

Yes, I can ping every server except this one from any switch.

JORGE RODRIGUEZ Thu, 09/27/2007 - 15:46

Well, make sure the server has the correct default gateway and mask; also check the switchport settings such as speed, duplex and VLAN assignments the server should be under. Have you checked all these?

[edit] Also check the server is not doing any kind of teaming, or if it is, that it is properly configured.

gisdmis1968 Thu, 09/27/2007 - 15:52

Yes, all the config on the server is good: subnet, gateway, etc. It is the mailfilter running MIMEsweeper, which is working perfectly, except the PMM sends emails to users at the campuses with a URL to view their spam. It doesn't connect, but works perfectly within the building. All the config is exactly the same as the old server but the name. Was mailfilter, now mailfilter2. IP and all config the same.

JORGE RODRIGUEZ Thu, 09/27/2007 - 16:26

Something must be blocking ICMP and port 80 within the server, or some other ACL on a router in the building. You indicated the server config is good and it sends emails, but accepts no HTTP connections or pings. Can other servers in the same segment mailfilter2 is under ping and HTTP to it? Can you check these?

gisdmis1968 Thu, 09/27/2007 - 16:35

Yes, from my PC in the same segment I can ping it, remote to it, connect to the HTTP. So can everyone else inside the building.

So nothing should be blocked on the server. Could any firewall config affect anything?

JORGE RODRIGUEZ Thu, 09/27/2007 - 16:48

Sounds like a firewall to me. Are you certain there are no firewall rule policies throughout the campus network? What's your network topology? Is the building a branch connecting to a core network at another building where there may be firewalls?

[edit] Any proxy servers outside the building?

gisdmis1968 Thu, 09/27/2007 - 16:55

I am in the main building with the core network where the firewall is. The other campuses don't have any firewall there. We just have the one firewall. I didn't think they went through the firewall to get back to the main building; I think they come back in through the router. I am new to this network, thrown into the lions with no documentation. And I do appreciate your help with this.

JORGE RODRIGUEZ Thu, 09/27/2007 - 17:09

I've been in that detective situation. Can you look at the fw logs to rule it out? Incidentally, are you using the same IP address from the old server or a new IP address?

Look in the router for any ACLs; I have seen ACLs put in even from within trusted networks.

And don't worry, the forum is here to help whenever we can, and still thinking till we run out of ideas.

gisdmis1968 Thu, 09/27/2007 - 17:20

I am using the same IP but a different server name. Saw this in the firewall config:

name x.x.x.x mailfilter

static (inside,outside) tcp x.x.x.x smtp mailfilter smtp netmask 0 0

The new server has the same IP but is named mailfilter2.

I couldn't put a no in front of the static line to delete it.

JORGE RODRIGUEZ Thu, 09/27/2007 - 17:42

I do not think it would be the firewall, because if you are using the same IP and there were any rules bound to it, it would go through; the fw would not check the name but rather the IP. Is this an ASA? Any logs you can see, like denies? Can you also look at the core router where VLANs are configured for all other buildings coming to yours?

gisdmis1968 Thu, 09/27/2007 - 17:50

Yeah, that's why I used the same IP address, to try to avoid having to change any firewall and router configs. Sounded good in theory.

Is it possible the switches are still associating the IP address with the MAC address of the old server?

JORGE RODRIGUEZ Thu, 09/27/2007 - 18:04

What comes to mind would be a transparent firewall using ACLs to control MAC addresses.

Any chance there would be an FWSM in your core switch? I bet your problem is a simple one to resolved eating both, it just does not make any sense that other buildings can access other servers within the same segment but not this one. Hope someone jumps in with other suggestions.

gisdmis1968 Thu, 09/27/2007 - 18:14

How can I check to see if an ACL is controlling MAC addresses?

JORGE RODRIGUEZ Thu, 09/27/2007 - 18:23

Log in to your switches as well as your core switches, and look at the configs for any MAC-based ACLs.

Issue "show access-list" or "show run" to see the config.

[edit] If you have a CatOS core switch, also issue "show module" and see if there is any FWSM.
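
The check suggested in the post above, as an added example that is not part of the original thread: a short Python scan of a saved "show run" for MAC-based ACLs, the MAC addresses they list, and the interfaces they are applied to. The sample config is constructed, and the code assumes IOS-style `mac access-list extended`, numbered 700-799 MAC lists and `mac access-group` syntax; `find_mac_acls` and `acls_without` are hypothetical helper names.

```python
import re

# Constructed sample of a saved "show run" from an IOS switch (not from the thread).
SAMPLE_CONFIG = """\
mac access-list extended SERVER-MACS
 permit host 0011.2233.4455 any
 deny   any any
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 700 permit 0011.2233.4455 0000.0000.0000
!
interface GigabitEthernet0/1
 switchport access vlan 20
 mac access-group SERVER-MACS in
"""

MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)

def find_mac_acls(config):
    """Return ({acl_name: [macs]}, [(interface, acl_name, direction)])."""
    acls, applied = {}, []
    section = None  # ("acl", name) or ("intf", name) while reading indented lines
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command starts a new section
            section = None
            m = re.match(r"mac access-list extended (\S+)", line)
            n = re.match(r"access-list (7\d\d) ", line)  # 700-799: MAC address lists
            if m:
                section = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif n:  # first dotted value is the address, the second is its mask
                acls.setdefault(n.group(1), []).extend(MAC.findall(line)[:1])
            elif line.startswith("interface "):
                section = ("intf", line.split(None, 1)[1])
        elif section and section[0] == "acl":
            acls[section[1]].extend(MAC.findall(line))
        elif section and section[0] == "intf":
            m = re.match(r"mac access-group (\S+) (in|out)", line)
            if m:
                applied.append((section[1], m.group(1), m.group(2)))
    return acls, applied

def acls_without(acls, mac):
    """Names of MAC ACLs that never list `mac`, e.g. a replacement server's NIC."""
    return sorted(n for n, macs in acls.items() if mac.lower() not in [x.lower() for x in macs])
```

Any ACL name returned by `acls_without` for the replacement server's MAC address, and applied to an interface in the path, is worth a closer look.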

gisdmis1968 Thu, 09/27/2007 - 18:35

I was looking at the configs earlier today; I don't remember seeing anything with any MAC addresses in them.

When I did a sh ip arp from the router it showed the right IP with the right MAC address.

JORGE RODRIGUEZ Thu, 09/27/2007 - 18:43

If you connect to a remote router from another building, from that router can you ping the server, or do a traceroute to see if the trace goes through?

gisdmis1968 Thu, 09/27/2007 - 18:53

Yes, from the routers I can traceroute straight to it, but a traceroute from the switch and it hops to the router then never finds anything, just

1 router ip

2 * * *

3 * * *


JORGE RODRIGUEZ Fri, 09/28/2007 - 11:27

Brad, any updates on this? Or are you still searching for a solution? I suspect there must be some kind of access policy between remote buildings and your building. Let us know what the outcome was.

