Endpoint Protection

  • 1.  Off-topic, need server ping advice

    Posted Feb 12, 2010 08:30 AM
    I hope Symantec doesn't mind........ SEP is installed on these servers, but I do not believe SEP is the issue..........
    Maybe some of the wizards here can help please? It involves VMWare, virtual servers, domain controllers and ping (ICMP)
    I have a script that I run through "Scheduled tasks" on one of our servers. It runs every 20 minutes through the day.
    This script pings a list of IP addresses. These are the IPs of all of our servers and ASA/routers.
    If any device does not respond to ALL 10 pings it sends me an email warning that the device has not responded for 10 pings.
    It's like doing a ping -n10 xxx.xxx.xxx.xxx on everything, and emailing me if the loss= 100%
    The issue is this - the script has been emailing me almost every day, sometimes several times a day, stating that our domain controllers are down because they have not responded.
    Maybe this morning, I'll get a message that DC2 is down, then this afternoon I'll get a message that DC1 is down, then an hour later, DC2 is down again.
    However, these servers are NOT going down! In fact, they stay up, and if you are in them using remote desktop for example, you don't notice a thing! The remote connection stays up!
    They are only failing the ICMP ping. This is getting to be more frequent lately.
    We started to dig into it yesterday and launched ping -t on two of them, and we could see they'd ping for a couple minutes, then drop, then ping again, then drop maybe 10 times, then ping for 5 minutes, then drop 15 or 20, then ping for a few minutes, then drop 4 or 5, and so on.
    You didn't have to be very patient watching the pings to see them drop pings every so often!
    This is ONLY happening with the domain controllers, no other servers.................

    Thoughts???????


  • 2.  RE: Off-topic, need server ping advice

    Posted Feb 12, 2010 03:23 PM
     Hi Shadows,

    You probably know more about why the Domain Controller is failing than me, but I did find one article that seems relevant: http://technet.microsoft.com/en-us/library/cc180917.aspx. I might also suggest using a program called VisualRoute to see where the ping is actually failing (http://download.cnet.com/VisualRoute-2010/3000-2648_4-10016565.html). It is shareware, but a free trial for 15 days so it doesn't hurt to try it. Sorry if this doesn't help much, but regardless I bumped your thread :)


    Cheers
    Grant



  • 3.  RE: Off-topic, need server ping advice

    Posted Feb 12, 2010 03:41 PM
    Thanks.
    Yeah, that one and another I found discuss the side-effects of not being able to ping......... now to find the reason!
    I'm running nearly 5% packet loss on a continual ping against one of our DCs, and over 3% on another, and when they fail, it's not one ping at a time, it's for like anything from 5 to 15 in a row fail, then it starts again.

    Thanks.
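As an added illustration of the two checks described in this thread (not code from the original posts or from Symantec): a parser for Windows `ping -n` output that yields one result per echo request, the 100%-loss rule the scheduled script uses, and the run-length measurement behind the "5 to 15 in a row" observation. It goes one step beyond the posts by also flagging a long burst of consecutive misses even when total loss is below 100%, since a 10-probe window can report 100% loss during a burst of 10 to 15 drops on a host that is otherwise up. The sample output, host addresses and the `burst_alert` threshold are constructed for the example; the POSIX ping flags assume Linux semantics.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample of Windows "ping -n 10" output (not captured from the
# thread's servers): two replies, then eight probes lost in a row.
SAMPLE_PING_OUTPUT = """\
Pinging 10.0.0.5 with 32 bytes of data:
Reply from 10.0.0.5: bytes=32 time<1ms TTL=128
Reply from 10.0.0.5: bytes=32 time=1ms TTL=128
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.5:
    Packets: Sent = 10, Received = 2, Lost = 8 (80% loss),
"""

# "Reply from X: bytes=..." (Windows) or "64 bytes from X" (POSIX) is an answer.
# Windows prints unreachable notices as "Reply from <gw>: Destination host
# unreachable.", so the unreachable check must run before the reply match.
REPLY_RE = re.compile(r"^(Reply from \S+ bytes=|\d+ bytes from )")


def parse_ping_output(text):
    """Turn ping output into one bool per echo request (True = answered)."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request timed out") or "unreachable" in line.lower():
            results.append(False)
        elif REPLY_RE.match(line):
            results.append(True)
    return results


def loss_percent(results):
    """Packet loss in percent; an empty result set counts as total loss."""
    if not results:
        return 100.0
    return 100.0 * results.count(False) / len(results)


def longest_failure_burst(results):
    """Length of the longest run of consecutive unanswered probes."""
    longest = run = 0
    for ok in results:
        run = 0 if ok else run + 1
        longest = max(longest, run)
    return longest


@dataclass
class Verdict:
    host: str
    sent: int
    loss_pct: float
    longest_burst: int
    alert: bool
    reason: str


def evaluate(host, results, burst_alert=5):
    """Apply the thread's 100%-loss rule, plus an optional consecutive-miss rule.

    burst_alert=None reproduces the original script exactly (alert only on 100% loss).
    """
    loss = loss_percent(results)
    burst = longest_failure_burst(results)
    if loss >= 100.0:
        return Verdict(host, len(results), loss, burst, True, "no reply to any probe")
    if burst_alert is not None and burst >= burst_alert:
        return Verdict(host, len(results), loss, burst, True,
                       f"{burst} consecutive probes lost")
    return Verdict(host, len(results), loss, burst, False, "ok")


def ping_host(host, count=10, timeout_ms=1000):
    """Run the OS ping binary once and parse it (needs a network; unused by tests)."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", str(count), "-w", str(timeout_ms), host]
    else:  # assumes Linux ping: -c count, -W timeout in seconds
        cmd = ["ping", "-c", str(count), "-W", str(max(1, timeout_ms // 1000)), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    results = parse_ping_output(proc.stdout)
    # POSIX ping prints nothing for a lost probe, so pad up to the count sent.
    results += [False] * max(0, count - len(results))
    return results


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:  # no hosts given: evaluate the constructed sample instead
        print(evaluate("10.0.0.5", parse_ping_output(SAMPLE_PING_OUTPUT)))
    for host in hosts:
        v = evaluate(host, ping_host(host))
        print(f"{v.host}: loss={v.loss_pct:.0f}% burst={v.longest_burst} "
              f"alert={v.alert} ({v.reason})")
```

Run it with a list of addresses to probe them, or with no arguments to see the verdict on the embedded sample. Logging `longest_burst` alongside the loss figure on every run makes a later comparison against firewall or IPS logs much easier than a bare "100% loss" email.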



  • 4.  RE: Off-topic, need server ping advice

    Posted Feb 12, 2010 04:47 PM

    Interesting - I've got a continuous ping running against two DCs.
    I have SEP open on them both, accessing them through the VMWare console.
    I have network activity open in SEP (NTP, network activity)
    I also opened the security logs on both.
    When I see the pings drop on either, I quickly do a refresh on the server's SEP security log and see a DOS entry, at the same time the network activity attack history graph shows a blip up to 1.
    This is RELATED to the DOS attacks that SEP states are coming from our computers in the remote offices behind the Cisco ASAs!
    There's a direct correlation!

    SEP does NOT say it's blocking anything at all. The NTP logs and all other logs don't show anything at all blocked.

    Ping stops.
    SEP Client management log, security log on the DC shows a DOS from one of our remote computers
    Network activity graphs in SEP show a minor blip, the line on the upper right chart moves up to 1 and then right back down.
    Pings return in a few seconds.
    I've seen this on both DCs now.

    Is SEP blocking these? It says it's not!
    Is the phony DOS causing these?
    There's a case open, but honestly, we have NO CLUE what the reports mean at all!
    Our network experts have never heard of MTU mismatches, black and gray holes and are baffled as I am.
    Symantec Technical Support Case 320-239-573

    I may need to talk to a real person on this - someone who knows SEP's firewall and IPS inside and out - not a beginner (no offense, but I'm already at that level! Don't need another like me)  but need an expert who knows SEP's IPS and firewall inside and out.
    SEP may be causing this, or simply reporting it and I need to know..................
    If we have a network issue causing a workstation to appear to be doing a DOS against the DCs, we need to know - and why and what's causing it.
    Does SEP then block all ICMP ping traffic??? It doesn't say it is?
    I've got orders "figure this out"................   ;-)

    Thanks to any and all who read/listen and have any ideas.
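The manual correlation in the post above (watch the pings drop, refresh the SEP security log, look for a DOS entry) can be done from recorded data so that it is repeatable and can be handed to support as a table. The following is an added example, not code from the thread or from Symantec: it groups timestamped ping misses into outages, then matches each outage against log entries of a chosen type within a time window, and reports which outages had a coinciding entry, which entries had no outage, and which remote hosts the matched entries name. Both inputs are constructed; the CSV column layout stands in for whatever the client security log export actually contains and is an assumption of this example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed timestamps of probes that got no reply, as a once-per-second
# monitoring loop against one DC might record them (not data from the thread).
PING_DROPS = """\
2010-02-12T09:00:05
2010-02-12T09:00:06
2010-02-12T09:00:07
2010-02-12T09:32:01
2010-02-12T09:32:02
2010-02-12T09:32:03
2010-02-12T10:15:00
2010-02-12T10:15:01
"""

# Constructed security-log export. The column layout is an assumption made
# for this example, not SEP's real export format.
SEP_SECURITY_LOG = """\
time,event,remote_host,action
2010-02-12T09:00:04,Denial of Service,10.20.1.15,Not blocked
2010-02-12T09:14:00,Port Scan,10.20.1.40,Not blocked
2010-02-12T09:31:59,Denial of Service,10.20.1.15,Not blocked
2010-02-12T11:00:00,Denial of Service,10.20.1.22,Not blocked
"""


def parse_timestamps(text):
    """One ISO-8601 timestamp per line -> list of datetime."""
    return [datetime.fromisoformat(l.strip()) for l in text.splitlines() if l.strip()]


def group_outages(drops, gap=timedelta(seconds=2)):
    """Merge drop timestamps closer than `gap` into (start, end, probes_lost) tuples."""
    outages = []
    for t in sorted(drops):
        if outages and t - outages[-1][1] <= gap:
            start, _, n = outages[-1]
            outages[-1] = (start, t, n + 1)
        else:
            outages.append((t, t, 1))
    return outages


def parse_sep_log(text):
    """Read the CSV export and convert the time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def correlate(outages, events, window=timedelta(seconds=10),
              event_type="Denial of Service"):
    """Pair each outage with log events of `event_type` inside [start-window, end+window]."""
    pairs = []
    for start, end, n in outages:
        hits = [e for e in events
                if e["event"] == event_type
                and start - window <= e["time"] <= end + window]
        pairs.append(((start, end, n), hits))
    return pairs


def summarize(pairs, events, event_type="Denial of Service"):
    """Counts that show whether the log entries and the drops actually line up."""
    hit_events = [e for _, hits in pairs for e in hits]
    unmatched = [e for e in events
                 if e["event"] == event_type and not any(e is h for h in hit_events)]
    return {
        "outages": len(pairs),
        "outages_with_event": sum(1 for _, hits in pairs if hits),
        "events_without_outage": len(unmatched),
        "sources": Counter(e["remote_host"] for e in hit_events),
    }


if __name__ == "__main__":
    outages = group_outages(parse_timestamps(PING_DROPS))
    events = parse_sep_log(SEP_SECURITY_LOG)
    pairs = correlate(outages, events)
    for (start, end, n), hits in pairs:
        srcs = ", ".join(e["remote_host"] for e in hits) or "none"
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S} lost={n} matching events from: {srcs}")
    print(summarize(pairs, events))
```

Two of the three constructed outages coincide with a log entry and one does not, and one entry has no outage at all; a real run that produced a table like that would show whether the entries explain every drop, only some of them, or are simply being reported alongside a loss that has another cause. The `action` column is kept so the same pass can show whether any of the matched entries claims to have blocked traffic.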