
* * * Windows XP Professional Networking Problem * * *


ToaDz

IS-IT--Management
Oct 19, 2003
26
AU
I am experiencing a network problem with a machine on my network. The machine in question is running Windows XP Professional SP2. I am unable to connect to the machine remotely or 'Ping' it.

Here are the details of the machine:

- It receives its IP address from a DHCP Server (2003)
- It can ping other machines on the network and gain Internet access and other network resources
- When I conduct an IPCONFIG, all the networking details are correct (IP Address, DNS, WINS and Default Gateway)
- I have examined the built-in Windows firewall and the settings are EXACTLY the same as other client machines on my network
- There are no third party firewall applications installed on this machine

This is what I have done:

- Released and renewed the IP Address
- Confirmed the network card drivers are up-to-date
- Replaced the network cable
- Examined the network port
- Uninstalled and reinstalled TCP/IP, Client for Microsoft Networks, and File and Printer Sharing for Microsoft Networks
- Conducted an IPCONFIG /flushdns
- Ran some Winsock repair tool, which indicated it was successful

But I still cannot ping the machine's hostname or IP address. All I get is 'Request Timed Out'.

Anyone know what other troubleshooting I have missed or can do? It's very strange, as it has only occurred in the last week.

All other machines on the network are fine and have identical TCP/IP and network settings.

I'm going mad here :)
 
Ping failures are not Winsock related. Pings occur at the Transport Layer.

Ping failures are hardware or firewall related.

In this case there is a firewall somewhere.

. Check the ICMP exceptions on the SP2 firewall. Incoming echo requests have to be permitted.

. "Hidden firewalls" are a problem. Many Antivirus programs contain a firewall component. PC-cillin is notorious for this. VPN Client software can contain a firewall component. CISCO VPN client is notorious for this.

 
You could manually add the unit to DNS and see if you can ping it then.
 
Turn off the firewall and see if you can ping the PC. If you can, then you know the issue is somewhere in the firewall. And, like bcastner says, there are a lot of hidden firewalls. Every new laptop I configure has a firewall already installed that I have to get rid of.
 
You might also check TCP/IP properties - Advanced - Options - TCP/IP filtering - Properties. Especially after doing a Winsock fix, the three boxes are defaulted to 'Permit Only' (need to be changed to 'Permit All') and can cause the same problem.
 
Thanks for all your responses guys.

As it turns out this problem is associated with our Cisco VPN client, which is part of our standard workstation image.

The problem still persists however. That is, I am unable to ping or communicate with this one particular client machine. After uninstalling the VPN client, I was able to ping the machine without any problems. But after reinstalling it, the problem has returned.

I am at a complete loss as to where the problem lies. My machine is exactly configured the same way - Same hardware, same make and model notebook, same Cisco VPN client version, same network and VPN client settings.

Please note that I have followed all the suggestions listed above:

. ICMP exceptions on the firewall - Incoming Echo Requests Permitted
. TCP/IP Filtering Properties - Set to Permit All

As per our company Group Policy, the built-in Windows XP SP2 Firewall is enabled by default, and cannot be disabled. All network settings are standard across our company and all software, including the Cisco VPN Client are part of our standard image.

Any other ideas guys? Hope I don't have to conduct a rebuild of this client machine!

Thanks again

 
From bcastner above:
"Hidden firewalls" are a problem. Many Antivirus programs contain a firewall component. PC-cillin is notorious for this. VPN Client software can contain a firewall component. CISCO VPN client is notorious for this.

1. Disable the CISCO VPN client Firewall:
The Cisco VPN client contains a firewall. This is a very simple firewall that allows outbound network traffic and does not allow inbound network traffic. It is turned on and off from the Options pull-down menu on the main panel of the application. By default it is turned off.

2. Configure the XP native Firewall for File and Printer Sharing. This is found under the Exceptions tab.

3. Configure the XP native firewall for the CISCO VPN client:

------------------------

Option 1 - Open UDP Port 62515

Click Start, and then click Control Panel.
Double-click Windows Firewall (or click Security Center and then Windows Firewall).
In the Windows Firewall control panel, click the Exceptions tab.
Click Add Port.
In the Name field, type VPN_UDP_62515.
In the Port number field, type 62515.

Click the UDP radio button.
Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
Click OK to close the Windows Firewall control panel.
Attempt to connect with the Cisco VPN Client. If successful, you are finished.

---------------------------------------------

Option 2 - Open TCP Port 10000 and UDP 4500

NOTE: These steps 'open' two more ports for the VPN client to pass through.

Click Start, and then click Control Panel.
Double-click Windows Firewall (or click Security Center and then Windows Firewall).
In the Windows Firewall control panel, click the Exceptions tab.
Click Add Port.
In the Name field, type VPN_TCP_10000.
In the Port number field, type 10000.

The TCP radio button should already be selected.
Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
Click Add Port.
In the Name field, type VPN_UDP_4500.
In the Port number field, type 4500.
Click the UDP radio button.
Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
Click OK to close the Windows Firewall control panel.
Attempt to connect with the Cisco VPN Client. If successful, you are finished.
NOTE: If still unsuccessful, you may leave the three ports that you've 'opened' in the Windows Firewall control panel. To turn them off, reopen the Windows Firewall. Either uncheck the port or highlight the port name and click Delete.

--------------------------------------------------

Option 3 - Switch to IPSec over UDP (NAT/PAT)

NOTE: If you are unable to connect with the IPSec over TCP option, these steps will change your VPN Client software to the IPSec over UDP (NAT/PAT) choice.

Open the VPN dialer by double-clicking on the desktop shortcut (if you have one); or, click the Start menu, then All Programs, Cisco Systems VPN Client, and VPN Dialer.
When the Cisco Systems VPN Client window opens, click the Options drop-down list button and select Properties.
Click the IPSec over UDP (NAT/PAT) radio button.

Click OK.
Attempt to connect with the Cisco VPN Client. If successful, you are finished.

----------------------------------

Option 4 - Turn off the Windows XP SP 2 Firewall

NOTE: If you are unable to connect with any of the above options, these steps will turn off the Windows Firewall. You will then be missing out on an important new addition to Windows XP. But, you should be able to then use the VPN Client software as you did prior to the installation of SP 2.

Click Start, and then click Control Panel.
Double-click Windows Firewall (or click Security Center and then Windows Firewall).
Click the Off (not recommended) radio button.
Click OK to close the Windows Firewall control panel.
Attempt to connect with the Cisco VPN Client.

Remember to turn the Firewall back on when done with the VPN session if you disabled it.



Users Helping Users
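
A command-line equivalent of the Exceptions-tab steps in Options 1 and 2, plus the incoming echo request exception mentioned earlier in the thread, as an added example that is not part of any post. It assumes the `netsh firewall` context that ships with Windows XP SP2 and an administrator command prompt; the script name `vpn_fw.cmd` is hypothetical, while the port numbers and exception names are the ones given in the post.

```batch
@echo off
rem vpn_fw.cmd (hypothetical name) - added example, not from the thread.
rem Usage:  vpn_fw.cmd          add the exceptions and show the result
rem         vpn_fw.cmd remove   delete the three port exceptions again
setlocal

if /i "%~1"=="remove" goto remove

rem Option 1 in the post: UDP 62515
netsh firewall add portopening protocol=UDP port=62515 name=VPN_UDP_62515 mode=ENABLE

rem Option 2 in the post: TCP 10000 and UDP 4500
netsh firewall add portopening protocol=TCP port=10000 name=VPN_TCP_10000 mode=ENABLE
netsh firewall add portopening protocol=UDP port=4500 name=VPN_UDP_4500 mode=ENABLE

rem ICMP type 8 is the incoming echo request that ping relies on
netsh firewall set icmpsetting type=8 mode=ENABLE

goto show

:remove
rem Mirrors the closing NOTE of Option 2: take the openings out again
netsh firewall delete portopening protocol=UDP port=62515
netsh firewall delete portopening protocol=TCP port=10000
netsh firewall delete portopening protocol=UDP port=4500

:show
rem Confirm what is actually in effect instead of trusting the commands above
echo.
echo === Firewall state (operational mode, profile, Group Policy version) ===
netsh firewall show state
echo.
echo === Port exceptions ===
netsh firewall show portopening
echo.
echo === ICMP settings ===
netsh firewall show icmpsetting

endlocal
```

Where Group Policy manages the firewall, as in the original poster's environment, locally added exceptions may be overridden by policy, so read the `show` output rather than assuming the change took effect.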
 