Hi all,

I'm out in the dark on this one!

Config: NW5.1sp6 with BM3.5sp3, one 3com 3c996 NIC installed running in
trunk mode servicing 5 tagged VLANs (internet, internal, dmz, and two
"corporate" VLANs). Static and dynamic NAT on the internet VLAN. Running
HTTP proxy, packet filtering rules defined.

This has been running happily for years, then suddenly some workstations
(but not all) on the internal net are unable to communicate with some hosts
on certain protocols (but not all protocols). For example, telnetting to
port 80 on an external web server times out. At the same time, however, ping
from these very same machines to the web server works every time. When
configuring the web browser to use the proxy in BM, general surfing is OK.
No, this is not a filtering issue - tried unloading IPFLT just to make sure.
But lots of necessary protocols can't be proxied and hence don't work.
Tried replacing the NIC, replacing the drop cable, connecting to another
switch port, connecting to another switch altogether, patching TCP/IP to
5.86a, also upgraded to the latest NIC drivers (B57.LAN / BASP.LAN).

Unloading/reloading the NIC drivers may solve the problem on some
workstations but only to move it to others.

Now, some debugging: In TCPCON/statistics/ip, "outgoing discarded datagrams"
due to "local errors" keeps incrementing alarmingly fast (approx 90% of
#received datagrams). "Incoming discarded datagrams" is also high due to
local errors. Doing "set tcp ip debug=1" reveals two interesting things:

(1) Lots of "Discard Outgoing: cause(FORWARD FAILURE), reason(2)" on
packets that should have been forwarded. Tried increasing service processes,
packet receive buffers, checked available cache memory and ecb allocations
in monitor, everything seems OK.

(2) Lots of packets from non-existent internal addresses (these addresses
don't exist in the ARP table on the BM server and cannot be pinged or ARPed
from other machines on the network). All of these packets have PKTID=1,
TTL=128, and all of them try to reach port 80 on one particular machine on
the internet - Can this be some sort of denial-of-service attack from the
inside? Or just corrupt packets for some reason?

Any and all ideas are very welcome, please...
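One way to triage the second observation in the post (traffic from internal addresses that the server has never ARP-resolved, all carrying the same IP identification field, TTL and destination) is to check a packet summary against the server's ARP table and look for clusters that share a constant ID across many distinct sources. The script below is an added illustration, not code from the original post or from any NetWare/BorderManager tool; the packet lines, the column layout (src, dst, dport, ipid, ttl) and the ARP table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of per-packet summary lines (not a real capture).
# Columns: src dst dport ipid ttl
SAMPLE_PACKETS = """\
10.1.1.23 203.0.113.10 80 1 128
10.1.1.24 203.0.113.10 80 1 128
10.1.1.25 203.0.113.10 80 1 128
10.1.1.26 203.0.113.10 80 1 128
10.1.1.5 198.51.100.7 80 4211 127
10.1.1.5 198.51.100.7 80 4212 127
10.1.1.9 203.0.113.10 80 917 128
"""

# Constructed ARP table: internal addresses the router has actually resolved.
KNOWN_ARP = {"10.1.1.5", "10.1.1.9"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_packets(text):
    """Parse the hypothetical summary format into a list of dicts."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised packet line: %r" % line)
        src, dst, dport, ipid, ttl = m.groups()
        pkts.append({"src": src, "dst": dst, "dport": int(dport),
                     "ipid": int(ipid), "ttl": int(ttl)})
    return pkts


def unresolved_sources(pkts, arp_table):
    """Source addresses never seen in the ARP table.

    A host that really sits on the internal segment would have to ARP
    before the router ever saw a frame from it, so an address that sends
    IP traffic yet never appears in ARP is a candidate for a spoofed source.
    """
    return sorted({p["src"] for p in pkts if p["src"] not in arp_table})


def constant_ipid_clusters(pkts, min_sources=3):
    """Group packets by (dst, dport, ipid, ttl) and keep groups fed by many sources.

    A normal IP stack varies the identification field per datagram, so the
    same fixed ID (e.g. 1) arriving from several distinct source addresses
    toward one destination/port is a strong sign the packets were generated
    rather than emitted by real hosts.
    """
    groups = defaultdict(set)
    for p in pkts:
        groups[(p["dst"], p["dport"], p["ipid"], p["ttl"])].add(p["src"])
    return {key: sorted(srcs) for key, srcs in groups.items()
            if len(srcs) >= min_sources}


def report(text, arp_table):
    """Run both checks over one summary and return the findings."""
    pkts = parse_packets(text)
    return {
        "unresolved": unresolved_sources(pkts, arp_table),
        "clusters": constant_ipid_clusters(pkts),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_PACKETS, KNOWN_ARP)
    print("sources with no ARP entry:", findings["unresolved"])
    for (dst, dport, ipid, ttl), srcs in findings["clusters"].items():
        print("constant IPID %d / TTL %d toward %s:%d from %d sources: %s"
              % (ipid, ttl, dst, dport, len(srcs), ", ".join(srcs)))
```

On the constructed sample the first check lists the four addresses with no ARP entry and the second isolates the single (203.0.113.10, 80, IPID 1, TTL 128) cluster they all belong to, while the genuine hosts (10.1.1.5 and 10.1.1.9, with varying IDs) are left alone; when a real capture shows the same shape, the MAC address on those frames is the next thing to check, since it points at the physical host that is emitting them regardless of what IP source it claims.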