Can't ping by name outside of subnet

[Joe]

In a good jam here, could use some help. Have a couple of 2000
servers that I re-ip addressed from another office. Put them on my
subnet of 10.0.13.x . They can ping anything in the 10.0.13 using dns
and IP. I have other vlans in the network and they can ping 10.0.14.x
and 10.0.2.x by IP but not using DNS. If I do a nslookup it finds the
dns server and resolves from there but you cannot ping anything outside
of 10.0.13.x 255.255.255.0 using DNS. If you go by IP it works
wonderfully. Thanks.

 

[Joe]

Whittled it down to one server that is having the issue. Changed
cables, switches the whole 9. Machine can ping outside its own network
by IP but not name. Thanks.

 

[Kevin D. Goodknecht Sr. [MVP]]

In a good jam here, could use some help. Have a couple of 2000
servers that I re-ip addressed from another office. Put them on my
subnet of 10.0.13.x . They can ping anything in the 10.0.13 using
dns and IP. I have other vlans in the network and they can ping
10.0.14.x and 10.0.2.x by IP but not using DNS. If I do a nslookup
it finds the dns server and resolves from there but you cannot ping
anything outside of 10.0.13.x 255.255.255.0 using DNS. If you go by
IP it works wonderfully. Thanks.

Check the Advanced tab to see if recursion has been disabled or if there is
a "." forward lookup zone, delete it.
If neither of these fix it, make sure the DNS server has a valid Gateway on
its subnet. (Netdiag will test this)
Possible root hints corruption, replace the root hints with the cache.dns
file. http://support.microsoft.com/kb/249868/en-us

 

[Joe]

All other servers are not having this issue - just one Windows 2000
Server. The rest of the environment and DNS looks healthy. The ip
settings on that server have the correct gateway and subnet
assignments. The host file and lmhost.sam files are factory. This
machine just will not ping by name to anything on another subnet. All
machines on the same switch/segment are ok.

Joe

 

[Herb Martin]

All other servers are not having this issue - just one Windows 2000
Server. The rest of the environment and DNS looks healthy. The ip
settings on that server have the correct gateway and subnet
assignments. The host file and lmhost.sam files are factory. This
machine just will not ping by name to anything on another subnet. All
machines on the same switch/segment are ok.

We presume it WILL ping by address.

Will it fetch DNS using NSLookup from EVERY one of
the DNS servers listed in the NIC->IP properties or
shown when you do "IPConfig /all".

The symptoms of pinging on the local subnet and NOT
across routers TEND to suggest that you are resolving
local names through NetBIOS broadcasts (which is
a normal fail over mechanism for MS-NetBIOS machines.)

A common reason for client DNS failure (which this seems
to be) is configuring the WRONG DNS server or a MIXTURE
(of internal and external) DNS servers on the client NIC->
IP properties.

By testing explicitly using NSLookup you will prove that the
client can actually contact the DNS listed.

It is also MUCH BETTER to cut and paste the IPconfig /all
output to avoid any typos AND avoid overlooking any
mistakes in the settings (our eyes tend to see what we expect
to see, cut and paste is not fooled.)

nslookup NameAcrossRouter IP.DNS.Server.Preferred
nslookup NameAcrossRouter IP.DNS.Server.Alternate
nslookup NameAcrossRouter IP.DNS.Server.etc

You may only have a PREFERRED but try every one if you
have more than one listed on the client NIC settings (and
for ANY NIC showing in IPConfig /all).

 

[Joe]

It will ping by IP. Keep in mind that all servers are in the same
switch with different vlans. This one server is in vlan 13. The
servers that are in vlan 2 are the .2 address and the .14 address is
vlan 14. The server will ping by name and ip any server in the
10.0.13.x network. It will not ping anything by name in any other
network. It will ping the IP - not the name. this switch uplinks to
a L3 switch so routing is correct and trunking between vlans is working
fine. This is the only machine effected.

If I use NSLOOKUP it is like there aren't any problems at all. It will
communicate with the DNS server fine that way.


Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : wnspfap03
Primary DNS Suffix . . . . . . . : fake.domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82546EB Based Dual
Port Net
work Connection
Physical Address. . . . . . . . . : 00-09-6B-F1-8D-AA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.13.120
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.13.1
DNS Servers . . . . . . . . . . . : 10.0.2.25
10.0.14.25

Default Server: cpspad11.fake.domain.com
Address: 10.0.2.25

rhspsql03

Server: cpspad11.fake.domain.com
Address: 10.0.2.25

Name: rhspsql03.fake.domain.com
Address: 10.0.2.41

server cpspad12

Default Server: cpspad12.fake.domain.com
Address: 10.0.14.25

rhspsql03

Server: cpspad12.corp.fake.domain.com
Address: 10.0.14.25

Name: rhspsql03.corp.aleagroup.com
Address: 10.0.2.41

 

[Herb Martin]

It will ping by IP. Keep in mind that all servers are in the same
switch with different vlans.

Then they are different SUBNETS (one hopes) and NOT
on the same "broadcast domain".

It really doesn't matter whether this is a Switch with separate
VLANs or Router(s) with separate physically subnet (except
we have HEARD a significant number of reports on 'buggy'
switches.)

This one server is in vlan 13. The
servers that are in vlan 2 are the .2 address and the .14 address is
vlan 14.

Separate subnets. Other than hardware bugs this is an
irrelevant distinction (i.e., the switch/VLAN).

The server will ping by name and ip any server in the
10.0.13.x network.

Then it will ping off its SUBNET as you have described
it (but your description was VERY VAGUE since you
didn't provide the actual subnet masks or even full IPs.)

It will not ping anything by name in any other
network. It will ping the IP - not the name. this switch uplinks to
a L3 switch so routing is correct and trunking between vlans is working
fine. This is the only machine effected.

So it is NOT a "subnet problem" but some sort of Local
versus WAN (or other remote) issue, perhaps the only thing
not working is Internet access.

As long as it can resolve names* on another VLAN/Subnet then
I would expect that you have SOME DNS working since
broadcasts (NetBIOS failover) won't work across subnets by
default (unless you have enabled such broadcasts which is
unlikely with today's hardware/practices.)

If I use NSLOOKUP it is like there aren't any problems at all. It will
communicate with the DNS server fine that way.

Did you try BOTH DNS servers?

DNS Servers . . . . . . . . . . . : 10.0.2.25
10.0.14.25

You seem to have used NSLookup "within the shell" instead
of performing it explicitly as I suggested -- I see no indication
that you switched servers (from the Preferred to the Alternate)
which was part of the SPECIFIC test I suggested.

They must BOTH work for ALL addresses (your clients need.)

And since you edited your IPConfig /all by hand we
cannot be certain you didn't remove critical information.

If both/ALL DNS servers work with NSLookup, then you
do NOT have a (permanent DNS issue).

Clear cache in case you have an (old) problem that is now
fixed (ipconfig /flushdns) but from here I would go to tracert.

When name resolution works but ping does not, you test by
determining how far you can ROUTE by using tracert (or
pathping, but I really don't like the latter.)

 

[Joe]

Herb -

I guess I wasn't making myself clear. Aside from the vlan config
picture this. You have a server with an ip address of 10.0.13.120
255.255.255.0. From this server you can basically ping anything via
IP or DNS in the 10.0.13.x network. You can also ping any server in
the company no matter what routable subnet it is on via IP. However
you cannot ping them through DNS. This is the only server on the
switch/network that is having this problem. It recently had the IP
address changed. NSLOOKUP works fine. Below is a tracert
C:\>tracert 10.0.2.25

Tracing route to CPSPAD11 [10.0.2.25]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.0.13.1
2 <10 ms <10 ms <10 ms CPSPAD11 [10.0.2.25]

Trace complete.

C:\>ping cpspad11
Unknown host cpspad11.

As you can see if does resolve the name there but will not ping it by
name. I have performed an ipconfig/flushdns several times. Not
getting cranky but I did manually edit my ipconifg/all above but took
great care in doing so. Although I did not do the nslookup
specifically as you suggested, the result was the same from all 6 DNS
servers in the domain. DNS is fine. The machine will ping another
machine on any subnet but will only ping them USING DNS if it is on its
own subnet.

Thanks.

 

[Herb Martin]

Herb -

I guess I wasn't making myself clear. Aside from the vlan config
picture this. You have a server with an ip address of 10.0.13.120
255.255.255.0. From this server you can basically ping anything via
IP or DNS in the 10.0.13.x network.

Ok, same subnet works. That is what you said to start.

You can also ping any server in
the company no matter what routable subnet it is on via IP.

If it worked by DNS this would mean that routing works AND
DNS resolution works.

If DNS ONLY fails when not on the same subnet then this
points towards broadcast name resolutions as the reason for
different results.

This is what you said to start, but is NOT what you said
in your most recent message. (It would have been quicker
for you to just post your IP and subnet masks to start.)

And say "ping by address" and "ping by DNS name" each
time you gave a result (works, fails.)

However you cannot ping them through DNS.

Pings NEVER work "through DNS" but first resolves
the DNS name to an IP so once you know that DNS
resolution is failing (you do from the information above)
then you focus SOLELY on that until (and unless) you
find you were wrong in that estimation.

This is the only server on the
switch/network that is having this problem. It recently had the IP
address changed. NSLOOKUP works fine. Below is a tracert

Give me the results for the NSLookup commands I suggested.
(Don't just tell me it works find -- and give me a way to tell
that you tried EVERY DNS server the client uses.)

C:\>tracert 10.0.2.25
Tracing route to CPSPAD11 [10.0.2.25]

DNS works. See that above? It says DNS resolves the
name CPSAD11 to 10.0.2.25

So you are back to a routing (or related issue.)

over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.0.13.1
2 <10 ms <10 ms <10 ms CPSPAD11 [10.0.2.25]
Trace complete.

And tracert works.

C:\>ping cpspad11
Unknown host cpspad11.

Wait a minute. This (almost) cannot happen. Clearly it
DID happen but it makes no sense.

As you can see if does resolve the name there but will not ping it by
name.

No, what you posted shows it FAILING to resolve the name.

Tracert and Ping use the same name resolution method
AND the same ICMP network protocal -- although one
of them might fail or have problems the other doesn't
see (timeouts, blocked by firewalls, etc) they both should
either succeed or fail on the name resolution.

First, I would try each of the above multiple times and
CLEAR the client cache between attempts. (Even negative
answers are cached.)

If this gives the same (weird) results you have proven a consistent
difference.

IF not then you are back to a likely case of using TWO DIFFERENT
sets of DNS names and when one of them fails it gets cached for
a few minutes giving intermittent failures while when the other
succeeds that caches the success for some time.

IF it does give the same problems then perhaps you are seeing
some weird switch problem or packet filtering on the switch.
Although most such filters would block or allow both Ping
and ICMP equally this is NOT a 100% case.

I have performed an ipconfig/flushdns several times. Not
getting cranky but I did manually edit my ipconifg/all above but took
great care in doing so. Although I did not do the nslookup
specifically as you suggested, the result was the same from all 6 DNS
servers in the domain. DNS is fine.

No, if the results above are accurately reported you have
SOME (although very weird) client-server DNS issue.

Do you really have SIX DNS servers configured for the
clients NIC->IP settings?

(I don't care how many EXIST, only how many the DNS client
knows about.)

If you do, the odds are VERY high that you are using DNS
servers from two (DIFFERENT) sets which give different
answers. (This is part of why I want to SEE the full IPConfig
and not some edited version, but there are many other things
that we can pick up from seeing the actual results and not
your interpretations of those.)


DNS clients PRESUME that EVERY DNS server will return
the SAME, and the CORRECT, results.

The machine will ping another
machine on any subnet but will only ping them USING DNS if it is on its
own subnet.

Then it's about RESOLVING DNS and not primarily about
the Ping.

Although in the weird category you could have a virus/trojan
(unlikely) in your Ping command or some weird filter (more
likely) on the Switch which blocks the request from the Ping
command but not from the Tracert.

However this latter is NOT VERY likely since both commands
use the "built-in DNS resolver". This is UNLIKE NSLookup
which uses its own resolver (i.e., IS its own resolver.)

 

[Joe]

Here it is from the nslookup that you have asked me to perform.
C:\WINDOWS>nslookup rhspsql03 10.0.2.25
Server: cpspad11.corp.aleagroup.com
Address: 10.0.2.25

Name: rhspsql03.corp.aleagroup.com
Address: 10.0.2.41


C:\WINDOWS>nslookup rhspsql03 10.0.14.25
Server: cpspad12.corp.aleagroup.com
Address: 10.0.14.25

Name: rhspsql03.corp.aleagroup.com
Address: 10.0.2.41


I have 3 networks. 10.0.2.0 255.255.255.0 , 10.0.13.0 255.255.255.0 ,
10.0.14.0 255.255.255.0. All three are using the same layer 3 switch
for a default gateway vlan 2 10.0.2.1, vlan 13 10.0.13.1, vlan 14
10.0.14.1 .

I do understand that pings don't work through DNS. What I should have
said is that if I do a ping to the machine name DNS will not resolve
the name.




Done. Same results.

Both of the ip addresses 10.0.2.25 and 10.0.14.25 are domain
controllers for the same domain.

Every other machine in the 10.0.13.0 255.255.255.0 network has no
problems when you ping a machine by name. All servers are plugged
into the same switch so there is no packet filtering on them from that
level. I have done as others recommended and looked under the
advanced tab on the IP settings and there was nothing there under IP
security.





I do not have the 6 DNS servers known to the client. Those are for
other domain controllers around the world.


The only edited version you got was me taking out my domain name. I
don't know why but I am not comfortable posting my domain name out
there with internal ip addresses and controller netbios names. I only
inserted fake.domain.com. That is it. Even with this machine
pointing to the dns servers properly (which are the DC's) I cannot ping
them by name. I cannot even ping fake.domain.com. This machine is a
member of that domain.

I do not have any trojans on this server that I can see. I still can
ping other servers like the above listed rhspsql03 by IP. If I do
"ping rhspsql03" it says unknown host. The odd error message on the
tracert is still there.
Any ideas?

 

[Joe]

Here it is from the nslookup that you have asked me to perform.
C:\WINDOWS>nslookup rhspsql03 10.0.2.25
Server: cpspad11.corp.aleagroup.com
Address: 10.0.2.25

Name: rhspsql03.corp.aleagroup.com
Address: 10.0.2.41


C:\WINDOWS>nslookup rhspsql03 10.0.14.25
Server: cpspad12.corp.aleagroup.com
Address: 10.0.14.25

Name: rhspsql03.corp.aleagroup.com
Address: 10.0.2.41


I have 3 networks. 10.0.2.0 255.255.255.0 , 10.0.13.0 255.255.255.0 ,
10.0.14.0 255.255.255.0. All three are using the same layer 3 switch
for a default gateway vlan 2 10.0.2.1, vlan 13 10.0.13.1, vlan 14
10.0.14.1 .

I do understand that pings don't work through DNS. What I should have
said is that if I do a ping to the machine name DNS will not resolve
the name.




Done. Same results.

Both of the ip addresses 10.0.2.25 and 10.0.14.25 are domain
controllers for the same domain.

Every other machine in the 10.0.13.0 255.255.255.0 network has no
problems when you ping a machine by name. All servers are plugged
into the same switch so there is no packet filtering on them from that
level. I have done as others recommended and looked under the
advanced tab on the IP settings and there was nothing there under IP
security.





I do not have the 6 DNS servers known to the client. Those are for
other domain controllers around the world.


The only edited version you got was me taking out my domain name. I
don't know why but I am not comfortable posting my domain name out
there with internal ip addresses and controller netbios names. I only
inserted fake.domain.com. That is it. Even with this machine
pointing to the dns servers properly (which are the DC's) I cannot ping
them by name. I cannot even ping fake.domain.com. This machine is a
member of that domain.

I do not have any trojans on this server that I can see. I still can
ping other servers like the above listed rhspsql03 by IP. If I do
"ping rhspsql03" it says unknown host. The odd error message on the
tracert is still there.
Any ideas?

 

[Herb Martin]

I do not have any trojans on this server that I can see. I still can

ping other servers like the above listed rhspsql03 by IP. If I do
"ping rhspsql03" it says unknown host. The odd error message on the
tracert is still there.
Any ideas?

It's a crummy idea but what the heck:

Try the FULL name on the ping:

rhspsql03.domain.com (or whatever)

I didn't suggest this earlier since the short name seemed
to work for tracert and just not for ping.

IF this works, then likely you never entered the DOMAIN
NAME in the SYSTEM Control Panel of the affected machine.

I would have no idea why that would affect Ping and NOT
ALSO affect tracert but if it is the problem it is easily fixed.

 

[Joe]

I did what you asked and tried to ping the machine by the FQDN.
Nothing. Just came back and said unknow host. I can honestly say I
am truly baffled. If you have any other ideas I would greatly
appreciate them.

 

[Herb Martin]

I did what you asked and tried to ping the machine by the FQDN.
Nothing. Just came back and said unknow host. I can honestly say I
am truly baffled. If you have any other ideas I would greatly
appreciate them.

It's so goofy-weird that I am going to ask you to
do the ping by both short and long name as well
as the tracert and the nslookup (not in the shell).

Copy all of the text from the screen, and your
ipconfig /all (complete); either post it here or
send it to me privately-directly.

Also, do a search of your machine for "ping.*"
(ping.exe ping.bat ping.cmd ping.com)

Searching the path would be sufficient but you don't
likely have a "path only" search tool. (These are
BTW worth having.)

Ping and Tracert should both resolve the same.
(Also try PathPing and see which one of the above
it mimics, i.e., works or fails. You don't need to
include this output.)

You might also STOP the "DNS Client" service
throughout all of this so there is no client side
caching (Net Stop "DNS CLIENT").

If you wish to search further you might also grep
through the "Ipconfig /displaydns" but there is
not reason to send me that. (Oh, and this only
works when the cache "DNS Client" is running.