Inconsistent connectivity

[Ryman]

I have a conectivity problem that has me stumped. Please advise if I should post in another more relevant forum as well. I have 3 users connecting to SBS 2003 with their client desktop machines. Those machines work just fine. Each office has only one Ethernet connection and the users frequently disconnect from their desktop PC's and plug the ethernet cable into the adapter on their laptops. Unfortunately, this no longer seems to work for internet connectivity. The SBS server is providing DNS and DHCP. The laptops pick up a new IP address no problem, but cannot resolve externally. I can ping the server from the laptops and when I run Ipconfig /all, the settings are all identical to what I see if I run the same command when the desktop machines are on the ethernet cable, with the exception of a new IP address for the client. Here's the kicker, if I plug in my personal laptop (brought in just for t-shooting), I can get out on the internet just fine. The 3 client laptops also are able to get on the internet if they are taken to an external location. They can VPN in from home. I tried running ipconfig /release, /renew/, /flushdns, and /registerdns on the laptops, still no way to get out. All client machines are running XP pro. Ethernet cables are running from a 3com switch to each office. The switch sits behind a hardware firewall. Taking any of the laptops to the switch and trying another port doesn't seem to provide any better results, still no internet. All machines are configured to pick up an IP from DHCP. Any ideas?

[cluberti]

Are the switches these things are connected to doing any kind of ARP caching, perhaps? What happens if you take a laptop that hasn't been on the network and plug it in to a port on the switch that isn't in use (rather than using the desktop's ethernet cable) - does it work then?

[nmX.Memnoch]

Can you access internal things normally?

[Ryman]

Yes, if I connect a laptop that is not normally part of the network (my own), it is able to ping external sites and has full internet connectivity. If I bring one of the laptops in question over to the switch and connect to an open port, it can see shares on the server, but cannot ping external addresses.

[nmX.Memnoch]

Sounds like it's something with your firewall then.

[cluberti]

If you do a tracert to a public IP address with one of the afflicted laptops, what is the last IP hop you're able to make before things start failing? If it's your firewall, you've found your culprit.

[Ryman]

Thank you for the feedback and suggestions. I won't be able to follow up again until Monday. I'll post my results sometime next week.

[Ryman]

The mystery has been solved at the firewall. I wasn't aware that the customer purchased a firewall model that only allows 12 simultaneous connections to the internet. Between a few AD users, a few other users, RAS connections listening for VPN, our monitoring laptop, and the server itself, we were exceeding the 12 connection limit. After we kicked everybody off in the DHCP console, the laptops were able to grab the first available IP addresses and got right out to the internet. We addressed the issue further by trimming back the listening RAS ports to only 3 and hunting down some "neighbors" down the hall that shouldn't be connected to our switch and getting addresses from our DHCP server in the first place. I think this will do it without requiring an upgrade of the firewall for more user licenses. Thank you to everyone who contributed feedback.