
Win 2k3 AS External Interface sort of drops

Discussion in 'Windows Server System' started by advantechcny, 2004/12/18.

Thread Status:
Not open for further replies.
  1. 2004/12/18
    advantechcny

    advantechcny Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    3
    Likes Received:
    0
    I'm driving myself nuts on this problem, as well as everyone else in the office.

    Brand new Windows 2003 AS install running AD, DNS, DHCP, IAS/RADIUS, IIS, RAS. 2 NICs, one (External) gets a dynamic IP from cable modem, one (Internal) is assigned static IP NATed. I know...overloading server, but we don't have too many client connections.

    This is a bit strange...

    The External NIC stops forwarding requests both in and out ranging from 10 mins to about 1 hour. The connection is only restored when I perform a repair on the external connection, but I get the message "Flushing arp cache failed". I did an arp -a and the cache is successfully flushed by the repair though. I tried a different NIC with the same results. I also disabled the Basic Firewall for the NAT on the External interface. Also, when the External drops, the internal NIC still functions properly as I am able to connect to the server.

    Any ideas would be greatly appreciated.
     
  2. 2004/12/18
    Bursley

    Bursley Well-Known Member Alumni

    Joined:
    2001/12/29
    Messages:
    462
    Likes Received:
    2
    What may be happening is your routing is being interrupted when the DHCP lease expires on your external interface. I personally wouldn't recommend this configuration. Instead I would set up a router on the external interface. This does several things for you. One, your DHCP could be handled by the router. Two, your router will handle the firewall / NAT function. In addition, if you want to have your clients go through your server, you can reconfigure the server to be directly attached to the router, and NAT your clients through the server, and then through the router. This will establish a sort of DMZ between your router and external interface, thus adding one more layer of security.
    If you really want to configure your external interface with your cable modem, see if you can set up a static IP address.
     


  4. 2004/12/19
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Glad to see ya back Eric. You have been pretty quiet.
     
  5. 2004/12/19
    advantechcny

    advantechcny Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    3
    Likes Received:
    0
    Is it possible that my lease expires a) on a random basis and b) in as little as 10 minutes? This isn't something that just happens, you do the repair and it's good for a few days.

    We're talking everything's fine for 10 minutes to an hour, drops, repair, and good for another 10 minutes to an hour.

    This doesn't happen when we use a router before the server, so something strange is going on in the server configuration.

    We're using the server as a router/DHCP server and then routing the traffic to the appropriate systems inside the network. Why is this a bad configuration? This is the exact same thing that a "hardware router" would do, but with significantly more controllability and configuration options available.

    The server is only temporarily overloaded until we get our two other servers running, loaded and configured, and then we can offload things like IIS and RADIUS off our public-facing server.

    Adelphia really doesn't have a 10 minute DHCP lease time, so I doubt this could be the problem. Are there any other possibilities as to what might be causing this?
     
  6. 2004/12/19
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    I think you answered your own question.


    I would never ever trust MS as my firewall.
     
  7. 2004/12/20
    advantechcny

    advantechcny Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    3
    Likes Received:
    0
    Well, first off, nobody said I was going to use Microsoft's built-in simple firewall. It's a lame duck. I was planning on putting on a tad bit more secure firewall. But I still would like to use it as I mentioned above.

    All I'm trying to do is resolve the issue with the connection appearing to drop. The way I set up my servers really should be of no relevance. I'm trying to do things without spending a stupid amount of money on layer 3 routers, as it's extremely difficult to justify for most businesses in the area I'm in. The businesses around here don't even have real servers yet.
     
  8. 2004/12/20
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
  9. 2004/12/21
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I'd recommend the router route. It is more robust and secure than connecting the server directly to the cable modem. It's also a lot simpler to set up and support. A DSL/cable router should cost more than 100 bucks (if you firewall at the server as you suggest).
     
  10. 2004/12/21
    BenMcDonald[MS]

    BenMcDonald[MS] Inactive

    Joined:
    2004/12/14
    Messages:
    228
    Likes Received:
    0
    Hmm, you guys aren't giving ISA a fair shake. If I may soapbox for a moment and wax passionately for our fine proxy/firewall server.

    ssmith10pn, it's what we use at work, and I'll bet that our intellectual property has a slightly higher value than yours :cool:
    http://www.microsoft.com/isaserver/evaluation/casestudies/casestudy.asp?CaseStudyID=15408

    You naysayers should check out the ISA demo server; as advantechcny points out, it's got a lot of knobs for configurability.
    http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx

    Or sign up for the
    TechNet SECURITY Webcast: How Microsoft IT Deploys ISA Server 2004 Within Microsoft IT
    Thursday, January 20, 2004 1:00 PM - 2:00 PM Pacific Time
    Presenter: John Wohlfert, Microsoft IT Systems Engineer, Microsoft Corporation
    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032266233&Culture=en-US


    Ok.. off the soap box. I haven't seen any mention of taking a network trace using Network Monitor from a drone laptop and a hub on the external connection to see what's doin' with the traffic during one of the pause events. If it's DHCP, it will be right there in the trace; if the uplink is dying, we'll be able to see the server talking, but no responses.

    Reading a trace for DHCP you can do yourself, but you will probably need professional help to crack the trace if it's not that. Microsoft support can help you with that if it comes to that point.
     
  11. 2004/12/21
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I have no problem putting ISA on with a router. I think a router will give a more reliable connection to the cable network. Using ISA to provide the firewalling would be fine. However, you might need to use NAT on the router unless the ISP is supplying multiple IPs.
     
  12. 2004/12/21
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    I guess I asked for that. :rolleyes:

    I think these people would disagree with you. ;) ;)
     
  13. 2004/12/21
    BenMcDonald[MS]

    BenMcDonald[MS] Inactive

    Joined:
    2004/12/14
    Messages:
    228
    Likes Received:
    0
    hehe scott :D

    Ok, advantechcny, whatcha gonna do now? I think we have a couple of things to do to see what the machine is up to during this time. Network trace from a hub, maybe a PerfWiz to see what the server software is doing.
     
  14. 2004/12/22
    mjg1973

    mjg1973 Inactive

    Joined:
    2002/01/18
    Messages:
    125
    Likes Received:
    0
    M$ weenies! :)

    Well, well...where to begin...first, our resident M$ weenie is partially right. However, don't create bs traffic when trying to troubleshoot. Get a sniffer and place it on your external network and see what's going on. You'll see your IP traffic moving right along and you'll see when it stops. If your server isn't handling the DHCP renewal properly, you should see it, too. But I'm gonna have to place my bet on the service (ISA) not the server. If this were a unix box, which would be the ONLY server solution that I would recommend doubling as a router, then you would be able to do something along the lines of a tcpdump on the trusted and untrusted interfaces in separate windows and you could actually watch the traffic move within the box. Now I've heard rumor of a tcpdump port for windows...windump or something like that...has a nice ring to it! LOL! But I don't personally have any experience with it.

    Now let's start on ISA. Nice attempt, but just not practical even in a small environment. The proxy idea was nice when bandwidth was expensive (I still have a Proxy Server 2.0 upgrade CD on the shelf), and the content filtering / logging was pretty nifty for its time. Times have changed in the past 7 years and I would really think that M$ would have dumped the whole ISA project and let the appliances do their job. Let's just say that poor ol' advantechcny spent all his time locking down his ISA server. Why burden a server with that overhead? Better than that, WHEN the server goes down, not if, but when, all his IP is down? Is it just me or does that sound crazy? Oh yeah, if you really get in a tight, you could just call M$ and, after talking with folks in 4 other countries, none of which can claim English as their first, second or third language, you might find someone that can walk you through a repair install. OR you could have sat down with the mgmt of your company and sold them on a PIX, Juniper, Fortinet or possibly even a SCC Sidewinder firewall, all of which will outperform and outlast ISA in every category...even if it was the only suite running on the server! Not to mention that IMHO a $50 BestBuy router is going to be more secure 7 days a week than anything M$ pushes out the door...

    Scott and Eric were dead on when they recommended you get a router and let your server perform server functions. Even a low-end $50 DLink is gonna be a better bet in the long run as far as performance/stability. Not to mention that @ $50, you can keep another one on a shelf ready to go in case of a failure! Personally, I like to push folks toward enterprise class stuff like a PIX or Juniper...even if it's a low end one. With DLink coming in with their newer "enterprise" stuff, you now have a middle of the road option. I've had pretty good luck with the DFL80 that Scott mentioned. At that price point, you can't go wrong. 3DES in a sub $200 box is great. Shell out another bill and you've got a DFL200 that supports AES and is hardware based. I better stop or someone may think I'm a DLink rep! I'm actually not a big fan at all, but you can beat the price/features. I'm more of a Cisco weenie that realizes that a PIX is overpriced! The Fortinet box is awesome...a little young in their interface but it's one rock solid appliance.

    O.K....time to go to bed...nuff soapboxing...for now....

    :rolleyes:
     
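Both Ben's post (trace from a hub with Network Monitor) and mjg1973's post (sniffer/tcpdump on the external side) boil down to the same read of the capture: either the DHCP renewal goes unanswered, or the server keeps transmitting and nothing comes back. The script below is an added example, not anything posted in the thread; it assumes the capture has already been summarized into (time, direction, protocol, summary) tuples, and the sample trace and TEST-NET addresses are constructed for illustration.

```python
# Frame = (seconds since trace start, direction, protocol, summary), where
# direction is "out" (sent by the server's external NIC) or "in" (received on it).
# Constructed sample, not a real capture: two answered exchanges, then a lease
# renewal that is never ACKed, after which the server keeps talking into silence.
SAMPLE_TRACE = [
    (0.0,   "out", "TCP",  "SYN 198.51.100.25 -> 203.0.113.10:80"),
    (0.1,   "in",  "TCP",  "SYN/ACK 203.0.113.10:80 -> 198.51.100.25"),
    (5.0,   "out", "ICMP", "echo request -> 198.51.100.1"),
    (5.1,   "in",  "ICMP", "echo reply <- 198.51.100.1"),
    (600.0, "out", "DHCP", "REQUEST renew 198.51.100.25"),
    (603.0, "out", "DHCP", "REQUEST renew 198.51.100.25"),
    (620.0, "out", "TCP",  "SYN 198.51.100.25 -> 203.0.113.10:80"),
    (660.0, "out", "ARP",  "who-has 198.51.100.1"),
]

def unanswered_dhcp_renewals(trace, timeout=10.0):
    """Times of outbound DHCP REQUESTs that drew no inbound DHCP ACK within `timeout` s."""
    acks = [t for t, d, p, s in trace if d == "in" and p == "DHCP" and s.startswith("ACK")]
    return [t for t, d, p, s in trace
            if d == "out" and p == "DHCP" and s.startswith("REQUEST")
            and not any(t < a <= t + timeout for a in acks)]

def silent_uplink_windows(trace, window=30.0):
    """(start, end, count) spans of consecutive outbound frames with no inbound frame
    within `window` s of each: the server is talking but nothing answers."""
    inbound = [t for t, d, _, _ in trace if d == "in"]
    spans, cur = [], None
    for t, _, _, _ in sorted(f for f in trace if f[1] == "out"):
        if any(t < r <= t + window for r in inbound):   # answered: close any open span
            if cur:
                spans.append(tuple(cur))
            cur = None
        elif cur is None:
            cur = [t, t, 1]
        else:
            cur[1], cur[2] = t, cur[2] + 1
    if cur:
        spans.append(tuple(cur))
    return spans

def diagnose(trace):
    """Ben's two outcomes: the renewal is visibly failing, or the uplink simply goes quiet."""
    spans = silent_uplink_windows(trace)
    if not spans:
        return "ok: every outbound frame was answered"
    start, end, _ = spans[0]
    missed = [m for m in unanswered_dhcp_renewals(trace) if start <= m <= end]
    if missed:
        return "dhcp: renewal unanswered at t=%.0fs, silence from %.0fs to %.0fs" % (missed[0], start, end)
    return "uplink: server transmitting from %.0fs to %.0fs with no replies" % (start, end)
```

On a real capture, a "dhcp" verdict points at the lease/renewal path on the server, while an "uplink" verdict with an ACKed renewal points at the cable side, which is exactly the split the thread was arguing about.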