When a network infrastructure includes router-based firewalls, the function of the firewall, which is to silently discard traffic that the firewall has not been configured to forward, can impair specific networking functions. For example, if a firewall between two Microsoft Windows Active Directory directory service domain controllers has not been configured to allow all of the different types of traffic that domain controllers use to synchronize the Active Directory database, replication can fail.
When troubleshooting networking functions and reachability, a common step is to use the Ping tool (Ping.exe) and ping one computer from another. However, the Ping tool uses Internet Control Message Protocol (ICMP) Echo and Echo Reply messages, which is typically not the same traffic being used for the network function that is impaired. The firewalls between the two computers might be allowing ICMP traffic or might be dropping it. In either case, because the network function that is impaired is not using ICMP Echo traffic, the connectivity test with the Ping tool does not provide conclusive diagnostic information about the traffic that is being discarded (dropped) by the intermediate firewalls.
For definitive diagnostic information, you must be able to duplicate the exact type of traffic of the impaired network function using a tool that can report connectivity success or failure. Once you have determined the types of traffic that are being dropped by intermediate firewalls, you can configure the firewalls to forward the dropped traffic to restore connectivity for the impaired network function.
This article describes a set of tools that you can use to test network paths for specific types of traffic and how to use the tools to determine the most common types of traffic that are dropped by firewalls installed in a Windows networking infrastructure.
Tools for Testing Network Paths for Specific Types of Traffic
Microsoft provides the following tools to test network paths for specific types of traffic:
- Port Query
- PPTP Ping
- Test TCP
Port Query (Portqry.exe and Portqueryui.exe)
Port Query is a free tool from Microsoft that you can use to help troubleshoot TCP/IP connectivity issues for specific types of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic. Port Query has a command-line version (Portqry.exe) (available at PortQry Command Line Port Scanner Version 2.0) and a graphical user interface version (Portqueryui.exe) (available at PortQryUI - User Interface for the PortQry Command Line Port Scanner). Both versions run on Windows 2000, Windows XP, and Windows Server 2003-based computers.
Portqry.exe has the following features:
- A command-line mode that you can use to query TCP, UDP, or both for a single port, an ordered list of ports, or a sequential range of ports.
- An interactive mode from which you can issue sequential commands more easily and use a series of shortcuts, or predefined queries for common traffic such as Domain Name System (DNS) or Lightweight Directory Access Protocol (LDAP).
- A local host mode that you can use to obtain detailed information about the TCP and UDP ports being used on the local computer on which Portqry.exe runs.
For details of the three different modes and command syntax, see New features and functionality in PortQry version 2.0. This Microsoft Knowledge Base article contains example commands and sample output.
Portqueryui.exe allows you to more easily query ports with a Windows-based graphical user interface. The following figure shows an example of the Port Query window.
From this window, you can specify the name or IP address of the computer to query, select a pre-defined service, manually specify the port, ports, or port ranges to query in a specified order, and the protocol to query (TCP, UDP, or both). When you click Query, the results are displayed in the Query Result portion of the window.
To determine the set of ports queried for the predefined services, click Help, and then click Predefined Services. You can modify the set of ports queried for each predefined service or create your own predefined services by modifying the contents of the Config.xml file. For information about the syntax for specifying ports in the Config.xml file, see the Portqueryui.doc file. Both the Config.xml and Portqueryui.doc file are stored in the Portqueryui.exe installation folder.
When either version of the Port Query tool queries a port, it reports the status of the port as one of the following states:
- LISTENING
Port Query received a positive response and a process is listening on the TCP or UDP port that was queried.
- NOT LISTENING
Port Query received a negative response and a process is not listening on the TCP or UDP port that was queried. For a TCP port, Port Query received a TCP connection reset segment. For a UDP port, Port Query received an ICMP Destination Unreachable-Port Unreachable message.
- FILTERED
Port Query received no response to the query. A process may or may not be listening on the port. The FILTERED status indicates that the query traffic could have been dropped by an intermediate firewall. By default, Port Query tries TCP ports three times and UDP ports once.
PPTP Ping (Pptpsrv.exe and Pptpclnt.exe)
PPTP Ping is a set of two tools (Pptpsrv.exe and Pptpclnt.exe) that are provided with the Windows 2000 or Windows Server 2003 Support Tools, located in the Support\Tools folder of the Windows 2000 or Windows Server 2003 product CD-ROMs. After installing the Support Tools, Pptpsrv.exe and Pptpclnt.exe are stored in the Program Files\Support Tools folder on the Windows system drive.
PPTP Ping allows you to test whether Point-to-Point Tunneling Protocol (PPTP) traffic, consisting of TCP port 1723 traffic for PPTP tunnel maintenance and IP protocol 47 for Generic Routing Encapsulation (GRE) traffic for PPTP tunneled data, can be successfully sent and received between a client and server computer. PPTP Ping does not verify that a successful PPTP connection can be made (which requires a user authentication process), only that PPTP traffic can be exchanged with a specified destination.
For PPTP traffic, the problem is typically a firewall that filters GRE traffic. To correct this problem, configure your firewalls to forward GRE traffic (IP protocol 47) to the VPN server computer.
Test TCP (Ttcp.exe)
Test TCP (Ttcp.exe) is a tool that you can use to listen for and send TCP segment data or UDP messages between two nodes. Ttcp.exe is provided with Windows Server 2003 in the Valueadd\Msft\Net\Tools folder of the Windows Server 2003 product CD-ROM.
Test TCP differs from Port Query in the following ways:
- With Test TCP, you can configure a computer to listen on a specific TCP or UDP port without having to install the application or service on the computer. This allows you to test network connectivity for specific traffic before the services are in place. For example, you could use Test TCP to test for domain replication traffic to a computer before you make the computer a domain controller.
- Test TCP also supports Internet Protocol version 6 (IPv6) traffic.
The basic syntax for Ttcp.exe on the listening node (the receiver) is the following:
ttcp -r -pPort (to listen on a TCP port)
ttcp -r -pPort -u (to listen on a UDP port)
The basic syntax for Ttcp.exe on the sending node (the transmitter) is the following:
ttcp -t -pPort Host (to send to a TCP port on Host)
ttcp -t -pPort -u Host (to send to a UDP port on Host)
For additional command line options, type ttcp at the command prompt.
Ttcp.exe can only listen on or send to a single port. To configure a computer to listen on multiple ports, run Ttcp.exe in separate command prompt windows.
Common Types of Traffic Problems
The most common types of traffic that are blocked by firewalls and can impair Windows networking functionality are the following:
- Active Directory domain traffic
- DNS traffic
- VPN traffic
- ICMP traffic
- Other traffic
Active Directory Domain Traffic
Active Directory domain traffic includes the following domain operations:
- Active Directory replication between domain controllers
- Promotion of a new domain controller with the Dcpromo.exe tool
- Domain logon
- Domain authentication
- Establishing domain trusts
The traffic used for these types of domain operations is described in detail in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article and includes the following:
- TCP port 135 for Remote Procedure Call (RPC) traffic
- TCP port 389 and UDP port 389 for LDAP traffic
- TCP port 636 for LDAP over Secure Sockets Layer (SSL) traffic
- TCP port 3268 for LDAP Global Catalog (GC) traffic
- TCP port 3269 for LDAP GC SSL traffic
- TCP port 53 and UDP port 53 for DNS traffic
- TCP port 88 and UDP port 88 for Kerberos traffic
- TCP port 445 for Server Message Block (SMB) (also known as Common Internet File System [CIFS]) traffic
You can test your network paths for domain traffic on an individual port basis with the Portqry.exe tool if the domain controller is already in place or with the Ttcp.exe tool to listen and send domain traffic if the computer that is being promoted to a domain controller has not yet been promoted.
The easiest way to test for all of these ports at one time is to use Portqueryui.exe and the "Domains and Trusts" predefined service, which by default queries the following sets of ports:
- TCP port 135 (RPC traffic)
- TCP port 389 and UDP port 389 (LDAP traffic)
- TCP port 636 (LDAP over SSL traffic)
- TCP port 3268 (LDAP GC traffic)
- TCP port 3269 (LDAP GC SSL traffic)
- TCP port 53 and UDP port 53 (DNS traffic)
- TCP port 88 and UDP port 88 (Kerberos traffic)
- TCP port 445 (SMB traffic)
- UDP port 137 (Network Basic Input/Output System [NetBIOS] name service traffic)
- UDP port 138 (NetBIOS NetLogon and browsing traffic)
- TCP port 139 (NetBIOS session traffic)
- TCP port 42 (Windows Internet Name Service [WINS] replication traffic)
The set of ports queried with the "Domains and Trusts" predefined service includes all of the ports listed in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article.
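As an added example (not Portqry.exe code and not part of the original article), the following Python script models the three Port Query result states described earlier (LISTENING, NOT LISTENING, FILTERED, with three TCP attempts and one UDP attempt) and sweeps the "Domains and Trusts" port set listed above against a host. It sends a generic one-byte UDP probe where Port Query uses service-specific messages, so a UDP listener that does not answer is reported FILTERED, which is exactly the ambiguity the article describes for that state.

```python
import socket

# Result states as Port Query reports them (constructed example, not Portqry.exe code)
LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"

# Port set of the Portqueryui.exe "Domains and Trusts" predefined service listed in the article
DOMAINS_AND_TRUSTS = [
    ("tcp", 135, "RPC"), ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
    ("tcp", 636, "LDAP over SSL"), ("tcp", 3268, "LDAP GC"), ("tcp", 3269, "LDAP GC SSL"),
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"), ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("tcp", 445, "SMB"), ("udp", 137, "NetBIOS name"), ("udp", 138, "NetBIOS NetLogon"),
    ("tcp", 139, "NetBIOS session"), ("tcp", 42, "WINS replication"),
]

def probe_tcp(host, port, timeout=2.0, attempts=3):
    """Completed handshake -> LISTENING; RST -> NOT LISTENING; silence on every attempt -> FILTERED."""
    for _ in range(attempts):  # Port Query tries TCP ports three times by default
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return LISTENING
        except ConnectionRefusedError:  # the TCP connection reset segment
            return NOT_LISTENING
        except OSError:  # timeout or other silent failure: retry, then call it FILTERED
            continue
    return FILTERED

def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    """Any datagram back -> LISTENING; ICMP port unreachable -> NOT LISTENING; silence -> FILTERED."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # a connected UDP socket surfaces the ICMP error on recv()
        try:
            s.send(payload)
            s.recv(1024)
            return LISTENING
        except ConnectionError:  # ICMP Destination Unreachable - Port Unreachable
            return NOT_LISTENING
        except OSError:  # no answer within the single try Port Query makes for UDP
            return FILTERED

def probe(proto, host, port, timeout=2.0):
    return probe_tcp(host, port, timeout) if proto == "tcp" else probe_udp(host, port, timeout)

def sweep_domains_and_trusts(host, timeout=2.0):
    """Query every 'Domains and Trusts' port; the FILTERED entries are the firewall rules to fix."""
    return {(proto, port): probe(proto, host, port, timeout) for proto, port, _ in DOMAINS_AND_TRUSTS}
```

Run `sweep_domains_and_trusts("dc01.example.test")` (hypothetical host name) from the far side of the firewall and compare the result with the same sweep run on the domain controller's own subnet: ports that flip from LISTENING to FILTERED are the ones the firewall is dropping.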
DNS Traffic
To test for DNS traffic, you can use the following methods:
- Use Portqry.exe with the following syntax:
portqry -n DNS_server_name_or_IP_address -p BOTH -e 53
Alternately, you can use the q dns shortcut command at the Portqry.exe interactive command prompt.
- Use Portqueryui.exe and the "Networking" predefined service, which queries DNS along with other networking protocols.
VPN Traffic
To use PPTP Ping to test for PPTP-based VPN traffic, do the following:
- On the VPN server computer:
If needed, stop the Routing and Remote Access service using the Routing and Remote Access or Services snap-ins. This step ensures that Pptpsrv.exe can use TCP port 1723 and IP protocol 47.
- On the VPN client computer:
Run Pptpclnt.exe with the following syntax:
When prompted, type some text to send to the VPN server computer and then press ENTER.
If PPTP traffic can be successfully exchanged between the VPN server and VPN client computers, Pptpsrv.exe on the VPN server computer will display the text that was sent by the VPN client computer and an exchange of five GRE messages. If not, Pptpsrv.exe will indicate what types of PPTP traffic were unsuccessful.
If you are using a site-to-site VPN connection (also known as a router-to-router VPN connection) to connect two sites of your organization and both Routing and Remote Access server computers can initiate the VPN connection, use the above procedure again, reversing the roles of the two computers. Because either server computer can initiate the connection, you must ensure that both servers can act as both VPN clients and VPN servers.