I have a new SLES11 server built at a branch 1.
I can ping anything inside the branch from the server and everything at other branches as well. Can also access internet
I go to another branch, lets say branch 2. I can’t ping this server at branch 1 but can ping everything else at branch 1.
Hi nix34,
[QUOTE=nix34;14882]I have a new SLES11 server built at a branch 1.
I can ping anything inside the branch from the server and everything at other branches as well. Can also access internet
I go to another branch, lets say branch 2. I can’t ping this server at branch 1 but can ping everything else at branch 1.[/QUOTE]
sounds like that new server does not have a proper default route set up.
Regards,
Jens
Hi nix34,
answered too quickly - I mis-read your second line (I somehow read the “others” at branch1 can reach anything else, too).
Can you verify that the new server at branch1 receives the icmp echo requests from branch2? If yes, how/where are the replies sent? You can use “tcpdump -nvv icmp” on server at branch1 to trace the ICMP (echo request/response, AKA “ping”) packets.
Regards,
Jens
nix34 wrote:
[color=blue]
I go to another branch, lets say branch 2. I can’t ping this server
at branch 1 but can ping everything else at branch 1.[/color]
Is your firewall running?
Check /etc/sysconfig/SuSEfirewall2. There you can specify what type of
access is allowed. For example:
[color=blue]
9.)
Which TCP services on the firewall should be accessible from
untrusted networks?
Enter all ports or known portnames below, seperated by a space.
TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
e.g. if a webserver on the firewall should be accessible from the
internet:
FW_SERVICES_EXT_TCP=“www”[/color]
and
[color=blue]
10.)
Which services should be accessible from ‘trusted’ hosts or nets?
Define trusted hosts or networks (doesn’t matter whether they are
internal or
external) and the services (tcp,udp,icmp) they are allowed to use.
This can
be used instead of FW_SERVICES_* for further access restriction.
Please note
that this is no replacement for authentication since IP addresses
can be
spoofed. Also note that trusted hosts/nets are not allowed to ping
the
firewall until you also permit icmp.
Format: space separated list of network[,protocol[,port]]
in case of icmp, port means the icmp type
Example: “172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22”[/color]
–
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
Basically trying to set up VNC so the helpdesk can access server. For example: http:\\server name or IP:5801 When trying this, it failed
When we tried to ping the server, that failed. However, when we were pinging pc’s, laptops, printers, switches, routers at that locaiton, we can ping those devices without any problems. What was missed when installing SLES11?
Now, when we visit the site, we CAN ping the server since we are there locally.
No firewall is on
[QUOTE=KBOYLE;14900]nix34 wrote:
[color=blue]
I go to another branch, lets say branch 2. I can’t ping this server
at branch 1 but can ping everything else at branch 1.[/color]
Is your firewall running?
Check /etc/sysconfig/SuSEfirewall2. There you can specify what type of
access is allowed. For example:
[color=blue]
9.)
Which TCP services on the firewall should be accessible from
untrusted networks?
Enter all ports or known portnames below, seperated by a space.
TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
e.g. if a webserver on the firewall should be accessible from the
internet:
FW_SERVICES_EXT_TCP=“www”[/color]
and
[color=blue]
10.)
Which services should be accessible from ‘trusted’ hosts or nets?
Define trusted hosts or networks (doesn’t matter whether they are
internal or
external) and the services (tcp,udp,icmp) they are allowed to use.
This can
be used instead of FW_SERVICES_* for further access restriction.
Please note
that this is no replacement for authentication since IP addresses
can be
spoofed. Also note that trusted hosts/nets are not allowed to ping
the
firewall until you also permit icmp.
Format: space separated list of network[,protocol[,port]]
in case of icmp, port means the icmp type
Example: “172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22”[/color]
–
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…[/QUOTE]
Hi nix34,
unfortunately, you did not provide information on the ICMP packets, as seen from the new server. Could you please run the tcpdump and report back the results?
If the new server receives the ICMP echo requests (“ping” requests), then please include the interface IP setup and routing table of the new server, per c&p of the according commands.
Regards,
Jens
nix34 wrote:
[color=blue]
No firewall is on
[/color]
How is your network at branch 1 configured?
or
As Jens already mentioned, the first step is to confirm that the ICMP
echo request (ping) actually reaches the server. The next step is to
determine whether a response is sent and what happens to it. If the
default route is incorrect, the response may never be returned to the
host that issues the ICMP echo request. If you’re using
nat/masquerading and it is misconfigured, the response may very well be
sent but it may appear to be from a different device and not recognised
as a valid reply to the ICMP echo request.
–
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
jmozdzen wrote:
[color=blue]
sounds like that new server does not have a proper default route set
up.[/color]
… or has an incorrect network mask set.
Simon
SUSE Knowledge Partner
Hi Simon,
[QUOTE=smflood;14915]jmozdzen wrote:
[color=blue]
sounds like that new server does not have a proper default route set
up.[/color]
… or has an incorrect network mask set.
Simon
SUSE Knowledge Partner[/QUOTE]
then it’d be astonishing that the new server can ping everything at other branches. OTOH, it may not have been fully tested, that’s why I’m after the c&p of the interface config.
Regards,
Jens