So how can we identify that a blocked firewall port is the issue?
Network captures
Back in the day, whenever you wanted to analyse network traffic coming in or out of a network interface, you would have used software like Ethereal (as Wireshark was known then) or Microsoft's Network Monitor, which was later replaced by Message Analyzer. (Message Analyzer itself has since been retired by Microsoft, in late 2019, and is no longer available for download.)
Since Windows 7 and Windows Server 2008 R2, a separate capture tool is no longer required on the machine being traced, which greatly simplifies things, especially when you work in a very restricted and controlled environment as I often do. What I mean is, I cannot install a piece of software on a production server just to prove to the network guys that I need their help.
Using the built-in NETSH command we can run a capture session on the server itself and then analyse the resulting file with Wireshark or Microsoft Message Analyzer on a workstation. Note that netsh trace needs an elevated (administrator) prompt.
Scenario
For our little example we have two servers, as displayed in the image below.
Server#1 is the SCCM server and Server#2 is the server that requires the Distribution Point (DP) role.
I will block a few of the ports Server#2 requires and show how to use NETSH to take a network capture.
We will then attempt to install the DP role and analyse the capture, highlighting the dropped packets.
NOTE: This methodology can be applied anywhere you suspect a misconfigured firewall is the issue.
Telnet & Netstat command
If you want to test network connectivity between two points and you already have a service running on the destination, things get a lot easier.
First, on the destination (Server#2 in this case), run netstat -an to validate that a service really is listening on the intended port, then use telnet from Server#1 to connect to that port on Server#2. If the service is listening but the connection fails, chances are a packet filter or firewall is blocking your path. How it fails also tells you something: a connection that is refused straight away means the host answered with a TCP reset (no listener, or a firewall configured to reject), whereas one that hangs until it times out means the SYN was silently dropped, which is the classic firewall signature.
Don't forget, telnet cannot be used to test UDP connections!
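The netstat-then-telnet check above, as an added PowerShell example (not part of the original post). It makes the "refused versus timed out" distinction explicit: a connect that fails with ConnectionRefused means a reset came back, a connect that never completes means the SYN was dropped. Test-ListeningPort is meant to run on the destination (Server#2), Test-TcpPath on the source (Server#1). The address 192.168.200.111 and the ports 445 and 135 are illustrative assumptions.

```powershell
# Added example, not part of the original post. Test-ListeningPort runs on
# the destination (Server#2); Test-TcpPath runs on the source (Server#1).
# The address and port numbers below are illustrative assumptions.

function Test-ListeningPort {
    param([Parameter(Mandatory)][int]$Port)
    # Get-NetTCPConnection is the cmdlet equivalent of "netstat -ano"
    # (Windows 8 / Server 2012 and later) and also names the owning process.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        Write-Warning "Nothing is listening on TCP $Port - fix the service before blaming the firewall."
        return $false
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("{0}:{1} is owned by PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
    return $true
}

function Test-TcpPath {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 5000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the peer answered with RST
                $verdict = 'open'
            } else {
                # No SYN/ACK and no RST inside the timeout: the SYN was silently
                # dropped, which is what a firewall or packet filter looks like.
                $verdict = 'filtered (no reply - suspect firewall or packet filter)'
            }
        } catch {
            # PowerShell wraps .NET exceptions; unwrap to reach the SocketException
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.Net.Sockets.SocketException] -and $ex.SocketErrorCode -eq 'ConnectionRefused') {
                # An RST came back: the path is open but nothing is listening
                # (or a firewall is configured to reject rather than drop).
                $verdict = 'closed (RST received - path is open, no listener or reject rule)'
            } else {
                $verdict = "error ($($ex.Message))"
            }
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Target  = $ComputerName
            Port    = $p
            Millis  = $sw.ElapsedMilliseconds
            Verdict = $verdict
        }
    }
}

# Usage on Server#1: SMB (445) and the RPC endpoint mapper (135) are two of
# the ports a DP push relies on; assumed values for illustration.
Test-TcpPath -ComputerName 192.168.200.111 -Port 445, 135 | Format-Table -AutoSize
```

The Millis column is the tell: a filtered port sits at the full timeout, a closed one comes back in a fraction of a second. Like telnet, this only exercises TCP; UDP ports still need a packet capture.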
Setting up the Network Capture with NETSH
For this scenario it is Server#1 that is trying to communicate with Server#2 in order to push the DP role installation, so Server#1 is where I need to run the traffic capture.
We only need to grab traffic to and from Server#2 on 192.168.200.111, so this is the command we need:
netsh trace start capture=yes ipv4.Address=192.168.200.111
Note: The filter applied here (ipv4.Address=192.168.200.111) matches both source and destination, so it captures both directions of the conversation.
Now that the traffic capture is active, I configure Server#1, the SCCM server, to push the Distribution Point role onto Server#2.
As expected, because of the network restrictions I put in place to simulate a firewall misconfiguration, the installation of the DP role fails, so let's look at the traffic capture.
First we need to stop the capture by issuing the following command:
netsh trace stop
Once the capture has stopped, open the *.etl file it produced with Microsoft Message Analyzer.
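The start, reproduce, stop sequence above wrapped into one PowerShell function, as an added example (not the original post's own commands). The wrapper guarantees the trace is stopped even if the reproduction step throws, checks for an elevated session, and sets tracefile, maxsize, overwrite and report=disabled on netsh trace start so the output is bounded, reusable and not followed by the slow .cab report generation. The address 192.168.200.111, the path C:\Temp\dp-install.etl and the ports probed in the action block are assumptions.

```powershell
# Added example, not from the original post. Wraps "netsh trace start",
# the action that reproduces the failure, and "netsh trace stop".
# Assumed: 192.168.200.111 is Server#2; C:\Temp\dp-install.etl is where
# the capture should land.

function Invoke-FilteredCapture {
    param(
        [Parameter(Mandatory)][string]$PeerAddress,
        [Parameter(Mandatory)][scriptblock]$Action,
        [string]$TraceFile = 'C:\Temp\dp-install.etl',
        [int]$MaxSizeMB = 250
    )
    # netsh trace refuses to start without administrator rights
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

    # capture=yes      : include the packet capture, not only ETW provider events
    # ipv4.Address     : matches source OR destination, as noted in the post
    # maxsize/overwrite: keep the file bounded and let the run be repeated
    # report=disabled  : skip the slow .cab collection when the trace stops
    $output = netsh trace start capture=yes "ipv4.Address=$PeerAddress" "tracefile=$TraceFile" maxsize=$MaxSizeMB overwrite=yes report=disabled 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed: $output" }

    try {
        # Reproduce the failure while the capture is running
        & $Action
    } finally {
        # Always stop, otherwise the session keeps running after an error
        netsh trace stop | Out-Null
    }
    Get-Item $TraceFile
}

# Usage on Server#1: in the real scenario the action is "push the DP role
# from the console"; here we simply poke two of the ports the push needs
# (assumed values) so the capture shows the SYNs to them.
Invoke-FilteredCapture -PeerAddress 192.168.200.111 -Action {
    foreach ($port in 445, 135) {
        Test-NetConnection -ComputerName 192.168.200.111 -Port $port -WarningAction SilentlyContinue | Out-Null
    }
}
```

If netsh reports that a trace session is already running, a previous capture was never stopped: run netsh trace stop once by hand and start again.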
Microsoft Message Analyzer
When you open the *.etl file you get a diagnostic window listing the issues found in the capture, as shown below.
Any "Retransmitted..." diagnostic is most likely due to packets dropped by a firewall or packet filter. Retransmissions also happen on a lossy link, so what you are looking for is the pattern of repeated SYNs to the same destination port with no SYN/ACK ever coming back.
In the next image we can identify the troublesome port.
Wireshark
If, like me, you prefer to do your analysis with Wireshark, you will still need to open the *.etl file with Microsoft Message Analyzer and "Save As" a *.cap file, since Wireshark cannot read .etl files directly. (Microsoft's open-source etl2pcapng tool converts an .etl from netsh trace to pcapng without Message Analyzer.)
Once that little hurdle has been overcome and you have the *.cap file open in Wireshark, apply the following filter:
tcp.analysis.retransmission
This should give you output similar to the image below, showing that TCP port 49154 on Server#2 seems to be unreachable, which in this case is due to the ports I had previously blocked for the purpose of this demonstration. Note that 49154 sits in the default Windows dynamic port range (49152-65535) that the RPC endpoint mapper allocates from, so the fix is to allow the dynamic RPC range between the two servers, not that one port.
Hope that was helpful!
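The conversion and the retransmission filter above, scripted as an added example (not part of the original post). It converts the .etl with etl2pcapng, then runs the Wireshark filter through tshark and counts retransmitted SYNs per destination port, which is what the screenshot shows by eye. The filter is tightened from the post's tcp.analysis.retransmission to retransmitted SYNs only, because those are the packets a silent drop produces. It assumes etl2pcapng.exe and tshark.exe (installed with Wireshark) are on PATH and that the capture is at C:\Temp\dp-install.etl.

```powershell
# Added example, not from the original post. Assumes etl2pcapng.exe and
# tshark.exe are on PATH; the .etl path is an assumption.

function Get-RetransmittedSynTargets {
    param(
        [Parameter(Mandatory)][string]$EtlPath,
        [string]$PcapPath = [IO.Path]::ChangeExtension($EtlPath, '.pcapng')
    )
    # etl2pcapng replaces the Message Analyzer "Save As .cap" step
    & etl2pcapng.exe $EtlPath $PcapPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed for $EtlPath" }

    # A retransmitted SYN with no SYN/ACK is the clearest signature of a
    # silent drop; plain tcp.analysis.retransmission also matches mid-stream loss.
    $filter = 'tcp.analysis.retransmission && tcp.flags.syn == 1 && tcp.flags.ack == 0'
    $rows = & tshark.exe -r $PcapPath -Y $filter -T fields -e ip.src -e ip.dst -e tcp.dstport -E 'separator=/t' 2>$null

    $rows | Where-Object { $_ } | ForEach-Object {
        $src, $dst, $port = $_ -split "`t"
        [pscustomobject]@{ Source = $src; Destination = $dst; DstPort = [int]$port }
    } | Group-Object Destination, DstPort | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Destination       = $_.Group[0].Destination
            DstPort           = $_.Group[0].DstPort
            RetransmittedSyns = $_.Count
        }
    }
}

# Usage: in the scenario above this lists 192.168.200.111 with the blocked
# port(s) at the top of the table.
Get-RetransmittedSynTargets -EtlPath C:\Temp\dp-install.etl | Format-Table -AutoSize
```

A port that appears here with several retransmitted SYNs and never shows up in a tcp.flags.syn == 1 && tcp.flags.ack == 1 reply is the one to take to the network team.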