Can ping SLES11 Server



nix34
01-Aug-2013, 22:44
I have a new SLES11 server built at a branch 1.

I can ping anything inside the branch from the server and everything at other branches as well. Can also access the internet.

I go to another branch, let's say branch 2. I can't ping this server at branch 1 but can ping everything else at branch 1.

jmozdzen
02-Aug-2013, 11:06
Hi nix34,


> I have a new SLES11 server built at a branch 1.
>
> I can ping anything inside the branch from the server and everything at other branches as well. Can also access internet
>
> I go to another branch, lets say branch 2. I can't ping this server at branch 1 but can ping everything else at branch 1.

sounds like that new server does not have a proper default route set up.

Regards,
Jens

jmozdzen
02-Aug-2013, 11:10
Hi nix34,

answered too quickly - I mis-read your second line (I somehow read the "others" at branch1 can reach anything else, too).

Can you verify that the new server at branch1 receives the icmp echo requests from branch2? If yes, how/where are the replies sent? You can use "tcpdump -nvv icmp" on server at branch1 to trace the ICMP (echo request/response, AKA "ping") packets.

Regards,
Jens

KBOYLE
02-Aug-2013, 17:49
nix34 wrote:

> I go to another branch, lets say branch 2. I can't ping this server
> at branch 1 but can ping everything else at branch 1.

Is your firewall running?

Check /etc/sysconfig/SuSEfirewall2. There you can specify what type of
access is allowed. For example:


> # 9.)
> # Which TCP services _on the firewall_ should be accessible from
> # untrusted networks?
> #
> # Enter all ports or known portnames below, seperated by a space.
> # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
> # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
> # e.g. if a webserver on the firewall should be accessible from the internet:
> # FW_SERVICES_EXT_TCP="www"

and

> # 10.)
> # Which services should be accessible from 'trusted' hosts or nets?
> #
> # Define trusted hosts or networks (doesn't matter whether they are internal or
> # external) and the services (tcp,udp,icmp) they are allowed to use. This can
> # be used instead of FW_SERVICES_* for further access restriction. Please note
> # that this is no replacement for authentication since IP addresses can be
> # spoofed. Also note that trusted hosts/nets are not allowed to ping the
> # firewall until you also permit icmp.
> #
> # Format: space separated list of network[,protocol[,port]]
> # in case of icmp, port means the icmp type
> #
> # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"



--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
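
Added example, not part of the original post and not SuSEfirewall2's own code: a small checker that reads a trusted-nets value in the `network[,protocol[,port]]` format quoted above and reports whether a given source would be allowed to ping. It models only what the quoted comments state; treating an `icmp` entry without a type as "any ICMP type", accepting only numeric types, and the `10.2.0.0/16,icmp,8` entry for branch 2 are assumptions.

```python
import ipaddress

ECHO_REQUEST = 8  # ICMP type number of an echo request ("ping")

def parse_trusted_nets(value):
    """Split 'network[,protocol[,port]]' entries into (network, proto, port)."""
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) > 3:
            raise ValueError(f"too many fields in entry: {item!r}")
        net = ipaddress.ip_network(parts[0], strict=False)
        proto = parts[1].lower() if len(parts) > 1 else None
        port = parts[2] if len(parts) > 2 else None
        entries.append((net, proto, port))
    return entries

def ping_allowed(value, source):
    """True if some entry permits an ICMP echo request from `source`."""
    src = ipaddress.ip_address(source)
    for net, proto, port in parse_trusted_nets(value):
        # Per the quoted note, being listed as trusted is not enough:
        # ping needs an explicit icmp entry for that host or network.
        if src not in net or proto != "icmp":
            continue
        # For icmp the third field is the ICMP type; none given is
        # treated here as "all types" (assumption).
        if port is None or port == str(ECHO_REQUEST):
            return True
    return False

# The example string from the quoted configuration comments.
PAGE_EXAMPLE = "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
# Constructed entry that would let a branch-2 network ping the server.
WITH_BRANCH2 = PAGE_EXAMPLE + " 10.2.0.0/16,icmp,8"

if __name__ == "__main__":
    for src in ("172.20.5.9", "1.1.1.1", "2.2.2.2", "10.2.1.20"):
        print(src, ping_allowed(WITH_BRANCH2, src))
```
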

nix34
02-Aug-2013, 23:27
Basically trying to set up VNC so the helpdesk can access server. For example: http:\\server name or IP:5801. When trying this, it failed.

When we tried to ping the server, that failed. However, when we were pinging PCs, laptops, printers, switches, routers at that location, we can ping those devices without any problems. What was missed when installing SLES11?

Now, when we visit the site, we CAN ping the server since we are there locally.

nix34
02-Aug-2013, 23:27
No firewall is on




jmozdzen
03-Aug-2013, 18:54
Hi nix34,

unfortunately, you did not provide information on the ICMP packets, as seen from the new server. Could you please run the tcpdump and report back the results?

*If* the new server receives the ICMP echo requests ("ping" requests), then please include the interface IP setup and routing table of the new server, per c&p of the according commands.

Regards,
Jens

KBOYLE
03-Aug-2013, 21:33
nix34 wrote:

>
> No firewall is on
>

How is your network at branch 1 configured?

1. This new server connects to the Internet via a separate router...

or

2. This new server is your gateway to the Internet. It has one
interface connected to the external network (Internet) and another
interface connected to the internal network.

As Jens already mentioned, the first step is to confirm that the ICMP
echo request (ping) actually reaches the server. The next step is to
determine whether a response is sent and what happens to it. If the
default route is incorrect, the response may never be returned to the
host that issues the ICMP echo request. If you're using
nat/masquerading and it is misconfigured, the response may very well be
sent but it may appear to be from a different device and not recognised
as a valid reply to the ICMP echo request.

--
Kevin Boyle - Knowledge Partner

smflood
04-Aug-2013, 12:32
jmozdzen wrote:

> sounds like that new server does not have a proper default route set
> up.

.... or has an incorrect network mask set.

HTH.
--
Simon
SUSE Knowledge Partner

jmozdzen
04-Aug-2013, 13:01
Hi Simon,


> jmozdzen wrote:
>
> > sounds like that new server does not have a proper default route set
> > up.
>
> .... or has an incorrect network mask set.
>
> HTH.
> --
> Simon
> SUSE Knowledge Partner

then it'd be astonishing that the new server can ping everything at other branches. OTOH, it may not have been fully tested, that's why I'm after the c&p of the interface config.

Regards,
Jens
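
Added example, not part of any post in this thread: a longest-prefix route lookup that shows where the server would send an echo reply under the two faults raised above, a missing default route and a too-wide network mask. All addresses are constructed (branch 1 LAN `10.1.1.0/24`, gateway `10.1.1.1`, server `10.1.1.50`, branch 2 host `10.2.1.20`), and `reply_path` is a hypothetical helper, not a system tool.

```python
import ipaddress

def reply_path(if_addr, routes, peer):
    """Where does this host send a packet addressed to `peer`?

    if_addr: interface address as 'ip/prefix'
    routes:  list of (destination CIDR, gateway IP) static routes
    Returns ('on-link', None), ('via-gateway', gw) or ('unreachable', None).
    """
    iface = ipaddress.ip_interface(if_addr)
    dst = ipaddress.ip_address(peer)
    # The interface address and mask yield the connected (on-link) route.
    table = [(iface.network, None)]
    table += [(ipaddress.ip_network(d), ipaddress.ip_address(g))
              for d, g in routes]
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return ("unreachable", None)      # no route: the reply is never sent
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    if gw is None:
        return ("on-link", None)          # host ARPs for the peer on the LAN
    if gw not in iface.network:
        return ("unreachable", None)      # gateway itself is not reachable
    return ("via-gateway", str(gw))

# Constructed sample data.
DEFAULT = [("0.0.0.0/0", "10.1.1.1")]
BRANCH2_HOST = "10.2.1.20"
LOCAL_PC = "10.1.1.77"

SCENARIOS = {
    "correct":          ("10.1.1.50/24", DEFAULT),
    "no default route": ("10.1.1.50/24", []),
    "mask /8 not /24":  ("10.1.1.50/8", DEFAULT),
}

def diagnose(peer):
    """Map each scenario name to the reply path towards `peer`."""
    return {name: reply_path(addr, routes, peer)
            for name, (addr, routes) in SCENARIOS.items()}

if __name__ == "__main__":
    for peer in (LOCAL_PC, BRANCH2_HOST):
        for name, result in diagnose(peer).items():
            print(f"{peer:10} {name:17} {result}")
```

In both fault cases local pings still work, but the same lookup also governs pings the server itself sends to other branches, so comparing the output of `ip addr show` and `ip route show` on the server with the expected values is the quickest way to confirm or rule these faults out.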