Chapter 12: TROUBLESHOOTING

OVERVIEW
- Determine whether a network communications problem is related to TCP/IP.
- Understand how TCP/IP client configuration problems can affect computer performance.
- List the reasons why a DHCP client might fail to obtain an IP address from a DHCP server.
- List the reasons a DNS client might experience name resolution failures, might supply incorrect information, and might be unable to resolve names for which it is not the authority.

OVERVIEW (continued)
- Use TCP/IP tools to isolate a router problem.
- Check an RRAS installation for configuration problems.
- Troubleshoot static and dynamic routing problems.
- Determine the location of an Internet access problem.

OVERVIEW (continued)
- Understand client configuration problems and router, NAT, and proxy server problems that can interrupt Internet access.
- List possible causes of IPSec policy mismatches.
- Describe the functions of the IP Security Monitor and the Resultant Set of Policy (RSoP) snap-ins.

TROUBLESHOOTING TCP/IP ADDRESSING
- Isolating TCP/IP problems
- Troubleshooting client configuration problems

ISOLATING TCP/IP PROBLEMS
- Many problems can cause what appears to be a TCP/IP error when in fact the underlying hardware or network infrastructure is at fault.
- Determine if there is a problem with the physical configuration of the system by attempting to access the network using a different protocol.
- Check physical elements, such as networking cabling, and hardware devices, such as hubs, switches, and routers.

TROUBLESHOOTING CLIENT CONFIGURATION PROBLEMS
- Duplicate IP addresses are a cause of many problems on networks that use static IP address configuration.
- Attempting to connect a system to the network with a duplicate IP address will prevent the system from communicating on the network.
- Implementing DHCP all but eliminates issues with IP address conflicts.

INCORRECT SUBNET MASKS
- Two systems on the same physical network segment with two different subnet masks will be unable to communicate.
- Use ipconfig /all to determine that the correct subnet mask values have been configured.
- Configuring IP addressing via DHCP should eliminate subnet mask addressing conflicts.

INCORRECT DEFAULT GATEWAY ADDRESSES
- An incorrect default gateway address will prevent communication with systems on other subnets or networks.
- Use ipconfig /all to view the configured default gateway address.

NAME RESOLUTION FAILURES
- Ensure that a name resolution failure is not due to a connectivity problem.
- Attempt to connect to the target system using an IP address instead of a host name.
- Examine name resolution methods such as the HOSTS file, DNS server configurations, LMHOSTS file, or WINS for possible problems.

TROUBLESHOOTING DHCP PROBLEMS
- Failure to contact a DHCP server
- Failure to obtain an IP address
- Failure to obtain correct DHCP options

FAILURE TO CONTACT A DHCP SERVER
- On non-APIPA-capable systems, an IP address of 0.0.0.0 will be assigned by the system.
- On systems that support APIPA, an address in the 169.254 range will be assigned by the system, provided connectivity to the network can be established.
- For DHCP servers on different subnets, relay agents will be required to forward DHCP broadcasts across routers.

FAILURE TO OBTAIN AN IP ADDRESS
- Check the configuration of the DHCP scopes on the server.
- Ensure that the DHCP server has a scope for each of the subnets it is designed to service.
- Ensure that sufficient IP addresses are available within the scope to service requests.

FAILURE TO OBTAIN CORRECT DHCP OPTIONS
- If a system is able to obtain an IP address but cannot connect to a remote system, the default gateway specified in the scope may be incorrect.
- Server scope options apply to all scopes on the DHCP server.
- Scope options are specific to each scope.

TROUBLESHOOTING NAME RESOLUTION
- Troubleshooting client configuration problems
- Troubleshooting DNS server problems

TROUBLESHOOTING CLIENT CONFIGURATION PROBLEMS
- Commence name resolution troubleshooting only after verifying the correct operation of TCP/IP.
- Use ipconfig /all to determine that at least one valid DNS server is configured.
- Verify connectivity to that server using Ping.

TROUBLESHOOTING DNS SERVER PROBLEMS
- Non-functioning DNS servers
- Incorrect name resolutions
- Outside name resolution failures

NON-FUNCTIONING DNS SERVERS

TROUBLESHOOTING INCORRECT NAME RESOLUTIONS
- An incorrect name resolution occurs when a host address is resolved to the wrong IP address.
- Incorrect name resolutions can be caused by:
  - Incorrect resource records
  - Failure of dynamic updates
  - Zone transfer failures

TROUBLESHOOTING OUTSIDE NAME RESOLUTION FAILURES

TROUBLESHOOTING TCP/IP ROUTING
- Isolating router problems
- Troubleshooting the Routing and Remote Access configuration
- Troubleshooting the routing table

ISOLATING ROUTER PROBLEMS
- Three primary tools are used for isolating router problems:
  - Ping.exe
  - Tracert.exe
  - Pathping.exe

USING PING.EXE
- Ping the computer’s loopback address (127.0.0.1).
- Ping the computer’s own IP address.
- Ping the IP address of another computer on the same LAN.
- Ping the DNS name of another computer on the same LAN.
- Ping the computer’s designated default gateway address.
- Ping computers on another network that are accessible through the default gateway.

USING TRACERT.EXE
- Like Ping, allows you to verify that a remote system is available on the network
- Reports on every hop between source and destination and reports the time taken to complete the round trip
- Allows you to identify the point on the journey at which the problem exists

USING PATHPING.EXE
- Traces a path to a particular destination and displays the names and addresses of the routers along the path
- Reports packet loss rates at each of the routers on the path
- Useful for diagnosing issues where data loss or transmission delays are being experienced

TROUBLESHOOTING THE ROUTING AND REMOTE ACCESS SERVICE CONFIGURATION (RRAS)
- Verify that the Routing and Remote Access Service is running.
- Verify that routing is enabled.
- Check the TCP/IP configuration settings.
- Check the IP addresses of the router interfaces.

TROUBLESHOOTING THE ROUTING TABLE
- Troubleshooting static routing
- Troubleshooting dynamic routing

TROUBLESHOOTING STATIC ROUTING

TROUBLESHOOTING ROUTING PROTOCOLS

TROUBLESHOOTING INTERNET CONNECTIVITY
- Determining the scope of the problem
- Diagnosing client configuration problems
- Diagnosing NAT and proxy server problems
- Diagnosing Internet connection problems

DETERMINING THE SCOPE OF THE PROBLEM
- Try to reproduce the Internet connectivity error and note the results.
- Determine if the problem is a general connectivity issue or is confined only to Internet access.
- Determine the source of the issue and troubleshoot as appropriate.

DIAGNOSING CLIENT CONFIGURATION PROBLEMS
- Check the basic TCP/IP configuration parameters.
- Check that the default gateway configuration is correct.
- Check that the router acting as the default gateway is configured to forward Internet traffic properly.

DIAGNOSING NAT AND PROXY SERVER PROBLEMS
- Check the TCP/IP configuration on all interfaces of the system acting as a NAT or proxy server.
- Ensure that the NAT implementation is configured to work with the unregistered IP addresses you have assigned to the client computers.
- Verify that the proxy server is not blocking access because of an authentication failure or a policy restriction.

DIAGNOSING INTERNET CONNECTION PROBLEMS
- If the Internet access router is a system other than that acting as the NAT or proxy server, check the configuration and physical connectivity.
- If you have WAN hardware such as CSU/DSU, cable modem, or external ISDN adapters, cycle the power on those devices.
- Contact your ISP to determine if they are aware of a problem or can assist in diagnosing and correcting your problem.

TROUBLESHOOTING DATA TRANSMISSION SECURITY
- Troubleshooting policy mismatches
- Using the IP Security Monitor snap-in
- Using the Resultant Set of Policy snap-in
- Examining IPSec traffic

TROUBLESHOOTING POLICY MISMATCHES
- Incompatible IPSec policies or policy settings can be a common source of problems.
- Policy mismatches are recorded in the Security log of Event Viewer.
- Current policy settings can be viewed via the Security Monitor snap-in or the Resultant Set of Policy snap-in.

USING THE IP SECURITY MONITOR SNAP-IN

USING THE RESULTANT SET OF POLICY SNAP-IN

EXAMINING IPSEC TRAFFIC

CHAPTER SUMMARY
- Duplicate IP addresses can cause both of the computers involved to malfunction.
- An incorrect subnet mask makes the computer appear to be on a different network, preventing LAN communications.
- When a Windows Server 2003 DHCP client fails to make contact with a DHCP server, the client computer uses APIPA to assign itself an IP address.

CHAPTER SUMMARY (continued)
- Ping.exe, the most basic TCP/IP connectivity testing tool, uses ICMP Echo messages to determine if another system on the network is functioning properly.
- Tracert.exe is a command line tool that can help you locate a nonfunctioning router on the network.
- Pathping.exe is a tool that sends large numbers of test messages to each router on the path to a destination and compiles statistics regarding dropped packets.

CHAPTER SUMMARY (continued)
- For an RRAS router to use either Routing Information Protocol (RIP) or OSPF, you must install the routing protocol and select the interfaces over which it will transmit messages.
- If a Windows Server 2003 DNS server computer is accessible from the network but is not resolving names, the DNS Server service might not be running.
- An incorrect default gateway address or a malfunctioning default gateway router can hinder Internet connectivity while leaving local communications intact.

CHAPTER SUMMARY (continued)
- NAT routers and proxy servers have network interfaces just like client computers, and they must have correct TCP/IP client configuration parameters.
- If no other components are at fault, the Internet access router or the WAN connection to the ISP might be the cause of an Internet connection problem.
- The IP Security Monitor snap-in displays information about the IPSec policy currently in effect on a particular computer, as well as IPSec statistics.
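
The client-side checks from the addressing, DHCP and name resolution sections of this chapter, as an added Python example (not part of the original course material). The `ipconfig /all` text is a constructed sample, and the function names `parse`, `on_link` and `diagnose` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in `ipconfig /all` layout; function names are illustrative.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.10.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.11.1
   DNS Servers . . . . . . . . . . . :
"""
APIPA = ipaddress.ip_network("169.254.0.0/16")

def parse(text):
    """Turn 'Label . . . : value' lines into a dict keyed by label."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)[ .]*:\s*(.*)$", line)
        if m:
            # APIPA addresses are labelled 'Autoconfiguration IP Address'
            key = "IP Address" if m.group(1).endswith("IP Address") else m.group(1)
            cfg[key] = m.group(2).strip()
    return cfg

def on_link(src_ip, src_mask, dst_ip):
    """True if src, applying its own mask, treats dst as on the local subnet."""
    net = ipaddress.ip_network(f"{src_ip}/{src_mask}", strict=False)
    return ipaddress.ip_address(dst_ip) in net

def diagnose(cfg):
    """Return the faults from the chapter that these settings point to."""
    ip = cfg["IP Address"]
    if ip == "0.0.0.0":
        return ["0.0.0.0: no DHCP server contacted (client without APIPA)"]
    if ipaddress.ip_address(ip) in APIPA:
        return ["169.254.x.x: no DHCP server contacted, APIPA address in use"]
    faults = []
    gw = cfg.get("Default Gateway", "")
    if not gw:
        faults.append("no default gateway: other subnets are unreachable")
    elif not on_link(ip, cfg["Subnet Mask"], gw):
        faults.append(f"gateway {gw} is not on the client's subnet: check gateway and mask")
    if not cfg.get("DNS Servers"):
        faults.append("no DNS server configured: names cannot be resolved")
    return faults

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)))
```

Calling `on_link("10.1.1.10", "255.255.0.0", "10.1.2.20")` returns true while `on_link("10.1.2.20", "255.255.255.0", "10.1.1.10")` returns false: the two hosts disagree about whether the other is local, which is the mask mismatch described under INCORRECT SUBNET MASKS.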