[SAGE] jsdy networking puzzlement

[Joseph S D Yao <jsdy@tux.org>]

Apologies to anyone for multiple postings.

I know enough about networking to route myself out of a paper bag, given
network routers and switches of various varieties.  But this one puzzles
me quite a bit.  I figured I'd ask the area's premiere group of puzzle
solvers.

I have a local network connected to a private internet as shown below.
I wanted to put a monitoring workstation in as shown.  Please don't yell
at me about the Cisco configuration, I am powerless to do anything about
it.

	internet
	   |
	Cisco 36xx router
	   |
	   | X.X.15.1
	Cisco 295x network switch 1 (.5)
	   | X.X.15.7		|
	(3DNS?)			|
	name server		|
				|
				|
	Cisco 295x network switch 2 (.6)
	 |	|		|
	 | .3	| .4		| X.X.15.14
	Pix525 Pix525	    workstation
	 |	|
	 |      |
	local network - several /24's, including X.X.15.0/24
	     |
	DNS servers etc.

Workstation IP = X.X.15.14, netmask = 255.255.255.240,
default gateway = X.X.15.1

I loaded Linux (RHEL4) onto the workstation, figuring that would give me
the best variety of tools with which to keep an eye on the network and
debug any problems.  BUT I found my network connectivity using multiple
services to be very limited:
	(a) I can only 'ping' .3 or .14 on X.X.15.0/28
	(b) I can 'traceroute -I' and connect into the local network.
	    The 'traceroute -I' shows the host being contacted, twice
	    (PIX signature).  No other hops, e.g. ".1"!
	(c) Despite not getting any responses from .1, as far as I can
	    tell, it IS in my arp table per 'arp -a'.
	(d) I can't get out into the private internet, using 'ping',
	    'traceroute -I', or other network services.

I should mention that all 'traceroute's are 'traceroute -I' to use ICMP,
since UDP-based 'traceroute's are blocked to begin with.

Iptables is off.  First thing I turned off.  No IP rule-based routing.
No routes other than self and to X.X.15.1.  I are stumped.

I found a block in the 36xx [printed-out configuration file] and had it
removed.  I can't find any other IP rules blocking me in the switches or
router.

Here is the kicker, because this is just what the networking guy told me
would happen.  I put an MS Windows machine on the network, configured
with the same IP/netmask/gateway.  AND IT WORKED.  A 'tracert' in
shows me X.X.15.1 before the PIX signature.  A 'tracert' out works.
I can 'ping' X.X.15.1 [but didn't want to write a CMD script to test the
rest].  I can get to both internal and external networks.

Obviously, the Cisco configuration is working better with the MS Windows
box than with the Linux box.  [Did I mention I loaded RH8 just to check
for any gotchas in newer code?]

Has anybody run into anything like this, and be able to tell me why?

Thanks!

Note: I ran the MS Windows test at the end of last work week, pointing
me back at the Linux machine and whatever differences Linux IP has from
MSW IP, and I haven't gotten back to looking more intensively at the
Linux machine yet this week.

Note: I have now also tried the Linux machine with the directly-
connected name server and the directly-connected PIXen disconnected, and
have the same problems.

-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/