Why won't Windows 2008 play with Java?
November 3, 2010 3:40 PM
How do I get a browser to go to java.com on Windows 2008?
I have a week-old (legitimate) install of Windows 2008 R2 on my server at home. I want to install the JRE on it so I can use the browser-based VPN at work.
But when I try to go to http://www.java.com, or java.net, or sun.com, I get the "Unable to connect" error in the browser. Also, pinging these sites gives me "general failure", as does tracert.
However, DNS is working fine for both commands (an IP is being resolved), and every other machine on the network is able to see and ping all the sites. There are some other sites that show that behaviour (cnn.com is one) but there are also a lot that don't. For instance, I can go to oracle.com and follow links for the JRE there, but as soon as something tries to get to a sun domain the browser can't connect.
The firewall is open - no incoming connections are being blocked. Discovery is on. The internal network map is correct. No VLANs are configured. The network adapter is a D-Link gigabit with flow control enabled.
I am not unfamiliar with networking on Windows and Unix and I have taken the CCNA prep course but WTF causes a "general failure" in ping?
(I realize that I could just download the offline JRE install and use that. But now I want to figure out why some sites are inaccessible, even through ICMP, only to the server and not to any other machine on the network).
Is the server the DNS server for the network? Make sure its own DNS server is set to the server's IP address, and that you're forwarding outbound requests to the next DNS server up the line (cable modem).
posted by deezil at 3:53 PM on November 3, 2010
Are you running any security software on the machine such as Norton AV or a third-party firewall?
posted by Pruitt-Igoe at 4:01 PM on November 3, 2010
Response by poster: No, the server isn't doing DNS. I'm using Google's servers for that. I should have mentioned that the IP lookups on the server for the sites that can't be pinged are correct.
The hosts file is empty.
posted by Dipsomaniac at 4:07 PM on November 3, 2010
Response by poster: There's no third party security software; just the built-in firewall, which is open both ways.
posted by Dipsomaniac at 4:08 PM on November 3, 2010
Do you still get "General failure" when you run the command prompt as Administrator? (Right-click the shortcut and Run as administrator)
posted by Pruitt-Igoe at 4:16 PM on November 3, 2010
Response by poster: The command prompt is running in Administrator mode, yes.
posted by Dipsomaniac at 4:22 PM on November 3, 2010
As far as some sites being accessible and others not, I saw that happen a few years ago on a machine running XP, but only when using the onboard NIC. I tried a cheap USB NIC and everything worked fine. I was fixing the machine for a friend, so I was never able to figure out the exact reason the onboard NIC was failing.
posted by Pruitt-Igoe at 4:27 PM on November 3, 2010
Response by poster: I had thought about a failing NIC but the same machine had XP installed on it a week ago and everything was fine, plus the successful DNS lookups make it less likely to me.
The network adapter isn't onboard - it's an addon. I wanted a gigabit network for file transfer.
posted by Dipsomaniac at 4:42 PM on November 3, 2010
DNS lookups worked on my friend's PC as well. It was connections to certain sites that failed. I know it doesn't make much intuitive sense.
It could be that the hardware is fine but the driver for your NIC has some bugs. How well does the onboard NIC work (assuming there is one)?
posted by Pruitt-Igoe at 4:55 PM on November 3, 2010
MTU problem; specifically, Win 2008 likes to do Path MTU Discovery (PMTUD) all the time, and so sets the Don't Fragment (DF) bit in the ethernet packet header. PMTUD works by sending a max-sized packet to the destination; in theory anything along the line that can only handle smaller packets should drop the original packet and reply with a control message telling the sender to allow fragmentation; the sender then tries consecutively smaller packets (with the DF bit still set) until they reach the destination.
In practice this mostly works well, apart from the occasional bit of hardware between source and destination that just drops too-large packets without sending the control message. Then the whole thing fails for no obvious reason.
Try setting the MTU on that interface to something ridiculously low (e.g. the minimum of 576) and see if it works. If it does, that's the problem. You can then try an MTU of 1492; if that fails, keep dropping the MTU by 8 until it starts working.
posted by Pinback at 5:58 PM on November 3, 2010
Response by poster: The on-board NIC shows the same problems on the same sites as the D-Link, and neither one of them shows any effect from changing the MTU.
posted by Dipsomaniac at 7:03 PM on November 3, 2010
OK, odd. You could try disabling PMTUD altogether.
Outside that and the other suggestions, I dunno. Incorrect netmask?
Also, what does a traceroute to those IPs show?
posted by Pinback at 7:20 PM on November 3, 2010
Response by poster: Traceroute shows the same as ping: general failure (something I had never seen before today). Disabling PMTUD didn't have any effect either.
posted by Dipsomaniac at 7:39 PM on November 3, 2010
That's weird. Suggests something fairly fundamental going wrong before the Windows TCP/IP stack - since a routing (e.g. netmask) or connectivity problem would show up as a timeout or "no route to host" error - but it's only affecting certain sites?!
Double checking (I know you've answered most of this, but we're getting down to real oddities now…):
- You've turned the Windows firewall off completely?
- You've got no Windows VLANs / VPNs configured?
- You've got no other antivirus, firewall, security, or VPN software installed (not just not turned on, but not installed)?
- You mention gigabit ethernet, so I'm assuming a wired connection - correct?
- How does this machine obtain its IP address - fixed, or DHCP?
posted by Pinback at 8:33 PM on November 3, 2010
Can you run wireshark on another host on the LAN and see how far a connection to cnn.com or sun.com gets? Is the initial syn unanswered, or is there a syn/ack returned that is ignored by your win2008 box? Or is the connection established and then just hangs at some point?
posted by Pruitt-Igoe at 10:23 PM on November 3, 2010
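The three outcomes Pruitt-Igoe asks about (SYN unanswered, SYN/ACK ignored, established then hangs) can be sorted out mechanically from a capture taken on another LAN host. The following Python is an added example, not code from the thread; it reads a constructed one-line-per-packet summary (the `src:port > dst:port [FLAGS]` format is an assumption, not tshark's native output) and assigns each connection attempt from the Win2008 box one of those verdicts.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): one packet per line as
# "src:port > dst:port [FLAGS]", the kind of summary you would distil from a
# Wireshark/tshark capture taken on a second LAN host or a SPAN port.
SAMPLE = """\
192.168.1.20:49152 > 198.51.100.7:80 [SYN]
192.168.1.20:49153 > 203.0.113.9:80 [SYN]
203.0.113.9:80 > 192.168.1.20:49153 [SYN,ACK]
192.168.1.20:49154 > 192.0.2.44:443 [SYN]
192.0.2.44:443 > 192.168.1.20:49154 [SYN,ACK]
192.168.1.20:49154 > 192.0.2.44:443 [ACK]
192.168.1.20:49154 > 192.0.2.44:443 [PSH,ACK]
"""
LINE = re.compile(r"^(\S+) > (\S+) \[([A-Z,]+)\]$")

def parse(text):
    """Yield (src, dst, flag set) for every well-formed summary line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), set(m.group(3).split(","))

def classify(text, client_ip):
    """Return {server: verdict} for each connection the client tried to open."""
    flows = defaultdict(lambda: dict(synack=False, ack=False, c_data=False, s_data=False))
    for src, dst, flags in parse(text):
        if src.startswith(client_ip + ":"):          # client -> server
            f = flows[(src, dst)]
            if "ACK" in flags and "SYN" not in flags:
                f["ack"] = True                      # third step of the handshake
                f["c_data"] |= "PSH" in flags        # request actually sent
        elif dst.startswith(client_ip + ":"):        # server -> client
            f = flows[(dst, src)]
            if flags >= {"SYN", "ACK"}:
                f["synack"] = True
            elif "PSH" in flags:
                f["s_data"] = True                   # reply with data came back
    verdicts = {}
    for (_, server), f in flows.items():
        if not f["synack"]:
            verdicts[server] = "syn-unanswered"         # SYN or its reply dropped
        elif not f["ack"]:
            verdicts[server] = "synack-ignored"         # reply arrived, client never finished
        elif f["c_data"] and not f["s_data"]:
            verdicts[server] = "established-then-stalled"  # handshake ok, reply never came
        else:
            verdicts[server] = "ok"
    return verdicts
```

A "syn-unanswered" verdict points at the outbound path or the host itself (consistent with ping's "general failure"), while "established-then-stalled" is the classic signature of a black-holed large packet, i.e. the PMTUD failure Pinback describes.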
Double check that no proxies exist on the machine (the usual spyware culprits)
or try issuing:
netsh int ip reset
netsh winsock reset
at the command line to do a full refresh of the TCP/IP and WinSock stacks.
posted by deezil at 5:56 AM on November 4, 2010
Response by poster: Replying to Pinback and deezil:
I've tried both turning the firewall off completely and simply having no rules applied to traffic.
There are no VLANs or VPNs.
The only AV is Clamwin, but turning that off doesn't change anything. Windows Defender installed by default, but since it's pretty craptacular I've disabled the service.
It is a wired connection: Server -> 5-port switch -> gateway. The switch is entirely unmanaged.
It's set up as fixed IP now, but I've also tried static DHCP. It's using the gateway for DNS.
No proxies, and I did the ip and winsock reset yesterday afternoon.
I'll try running Wireshark tonight to see if that's illuminating.
posted by Dipsomaniac at 8:31 AM on November 4, 2010