Advanced Subnet Calculator from SolarWind is a simple but powerful easy to use Subnet Calculator for Windows.

Advanced Subnet Calculator can perform

whois lookups for hostnames and Domain Names

IPWhois Lookup for the provided IP Address

Classful Subnet Calculator

Claseless Inter-Domain Routing (CIDR) Calculator

Address Generator for a given IP Address and Subnet Mask

The tool can calculate both claseful Subnets and CIDRs and generate subnets. Also, can generate a list of IP Addresses for a given IP address and Subnet mask.

A quick and efficient tool for Network Administrators and designers and is completely free.

Advanced Subnet Calculator runs on Windows. To download advanced Subnet Calculator, click here

Recently we had this problem with this problem with an Exchange 2003 server in the HQ and Outlook Clients in a particular branch office. The Branch office connects into the HQ through a site to site IPSec VPN using Juniper Netscreen SSG20 firewalls on either end of tunnels.

The Problem
The Outlook clients would connect OK but suddenly loose connection to the Exchange server and never connect back. The Outlook Client status will say "Disconnected". The client PCs will however be able to ping the server and network connections look OK. This happened in random times and sometimes when sending large emails.

Investigation

A deeper investigation revealed that every time the client(s) failed to make a connection there is an error event on the Exchange server with the error "MaxObjExceeded". This started pointing us in the right direction. Yes, a google did show a lot similar issues all pointing to connections over VPN.

Cause

The exchange server sends large packets with the DF bit set (Don't Fragment). This when added with the IPSec headers goes beyond the MTU of the Firewalls. The Juniper firewalls by default ignore the DF bits and fragments the packets and forwards it onto the VPN tunnel. Although, these are re-assembled at the client side, this caused problems with the Outlook Clients and they keep re-initiating connections until they run out of connection objects on the Exchange server. That's when they can no longer connect to the Exchange server and the server reports Error events with "MaxObjExceeded" message. Also, from Junipers Knowledge Base, most of the Microsoft applications which heavily rely on "NetBIOS over TCP/IP" are bound to have this problem as these send large packets with DF bit set.

Resolution

So where do we go from here?? Yes, the only possible resolution was to tune and tweak the Maximum Segment Size (MSS) of all the packets that traverses through the VPN Tunnel. We were to set the MSS on all the TCP packets to 1350. This is sufficiently low enough (as well good enough not to degrade too much of performance) to ensure that the packets never exceeds the MTU of the firewall which is 1500 bytes even after the Encryption overheads.

NOTE: All the following changes should be done on VPN firewalls on both ends

To do this on Juniper Firewalls

vpn-firewall> set flow tcp-mss 1350

This simply replaces the MSS value on all TCP packets for the VPN with the value 1350

To set for all TCP packets

vpn-firewall> set flow all-tcp-mss 1350

However, the previous command for VPN overrides this (for TCP packets destined to the VPN).

Also, added the Path MTU Discovery support on the Juniper Firewalls. This when set makes the firewall to drop any packet set which is more than its MTU (1500 bytes) with DF bit and send an ICMP error messages "Destination not recheable. Packet too big" (ICMP Type3 Code 4) message back to the source along with its MTU value. The source then adjusts its assumed Path MTU so the packet size is less than the MTU and hence there is no fragmentation necessary.

To do this on a Juniper

vpn-firewall> set flow path-mtu

Another option setting that you can try would be to set the Maximum Fragment Size on the firewalls for the generated Fragment size if it is more than the MTU.

To do this on a Juniper

Screen OS 5.4

vpn-firewall> set flow max-frag-pkt-size

Previous versions of Screen OS

vpn-firewall> set flow max

Also, you can disable the TCP SYN check before the session is created for the tunneled packets.

To do this on a Juniper

vpn-firewall> unset flow tcp-syn-check-in-tunnel

To check TCP syn before creating any TCP session

vpn-firewall> unset flow tcp-syn-check

Save the configuration

vpn-firewall> save

This resolved the problem for us and should resolve the Outlook & Exchange connectivity issues over VPN even if it is a different VPN device like Cisco ASAs but ofcourse use appropriate commands for those device.

If you have any more thoughts on this or any comments and more pointers, please take a moment to add a comment so should help other users who face similar issue.

Dr.TCP is a simple but powerful utility that can let you fine tune the TCP/IP parameters for your Network Interface Card (NIC). It works on Windows XP, 2003,2000.

Dr.TCP takes the hassle out of editing the Windows Registry and modifying keys to fine tune the TCP/IP Parameters at

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<AdapterID>] 

Although, this is easy to use, it takes a bit of understanding of TCP/IP protocol stack to know what each of the parameters do.

The utility can set or modify the following on a per interface basis

Set MTU (Maximum Transmission Unit)
TCP Receive window

Enable/Disable Path MTU Discovery

Enable/Disable Blackhole router detection

Enable/Disable Window Scaling

Enable/Disable Time Stamp

Enable/Disable SACK (Select ACK)

Set Maximum Duplicate ACKs

Set TTL (Time To Live)

To download the tool, click here 

One of the most important thing that is ignored most of the time while troubleshooting a network problem to a host or a network is checking the MTU related issue. This makes more sense in situations like troubleshooting VPN related issues.

MTUROUTE is a small but smart utility that uses ICMP pings of various sizes in order to determine the MTU values (Maximum Transmission Unit) on the path between itself and the target system. MTUROUTE can operate in normal mode where it sends multiple ICMP packets to each hop on the path to identify the smallest MTU between the host and hop or in a Traceroute mode where it will attempt to determine the lowest MTU between the local host and each hop in the communication.

It is important to note that care has to be taken as it generates muti fold ICMP traffic as it tries to determine the MTU Values.

Mturoute sends a non-fragmentable icmp probe to the target IP address with a given payload size. Since the DF (Don't Fragment) bit is set, any network equipment that has an MTU setting which is smaller than the packet size will drop the packet. Based on the presence or absence of a response, mturoute adjusts the payload size of its next probe. Subsequent probes are sent with a packet size midway between the highest value for which a response was received and the lowest value for which a response was not received. (For the initial conditions, the low value is 0 and the high value is whatever you set with -m, defaulting to 10000 bytes).

This process is repeated, narrowing the search space by approx 50% with each cycle, terminating once the highest possible probe size has been converged upon. It then adds the 28 bits of ICMP protocol overhead before reporting results.

For example,

C:\mturoute\Release>mturoute.exe 192.168.0.1
* ICMP Fragmentation is not permitted. *
* Maximum payload is 10000 bytes. *
– ICMP payload of 5046 bytes failed..
– ICMP payload of 2569 bytes failed..
+ ICMP payload of 1330 bytes succeeded.
– ICMP payload of 1949 bytes failed..
– ICMP payload of 1639 bytes failed..
– ICMP payload of 1484 bytes failed..
+ ICMP payload of 1407 bytes succeeded.
+ ICMP payload of 1445 bytes succeeded.
+ ICMP payload of 1464 bytes succeeded.
– ICMP payload of 1474 bytes failed..
+ ICMP payload of 1469 bytes succeeded.
+ ICMP payload of 1471 bytes succeeded.
+ ICMP payload of 1472 bytes succeeded.
– ICMP payload of 1473 bytes failed..
+ ICMP payload of 1472 bytes succeeded.
+ ICMP payload of 1472 bytes succeeded.
Path MTU: 1500 bytes.

In TraceRoute mode

C:\mturoute\Release>mturoute.exe -t 192.168.0.1
mturoute to 192.168.0.1, 30 hops max, variable sized packets
* ICMP Fragmentation is not permitted. *
* Maximum payload is 10000 bytes. *
 1  –+—+++-+++-++  host: 192.168.0.1  max: 1500 bytes

For help, simply type the command with no arguements

C:\mturoute\Release>mturoute.exe
********************************************************
* mturoute.exe – written by Eli Fulkerson, June 2005   *
*                fixes by Ivan Pepelnjak, October 2007 *
* Please visit http://www.elifulkerson.com for updates.*
*       http://ioshints.blogspot.com/search?q=mturoute *
********************************************************

Usage: mturoute [-t] [-f] [-m MAX_PAYLOAD_SIZE] host
Flags:
   -t : Toggles 'traceroute' mode.  (Default is off)
   -f : Allow fragmentation.  This will return the max ping size that the
        target host will respond to, but not necessarily the MTU.
   -w : Sets the time to wait for a response to an Echo Request.
   -r : Sets the maximum number of probe retries on timeout (default = 3).
   -i : Sets the interval between two echo requests.
   -d : Increases the debugging level. Reports ICMP status/failures.
   -m : Sets a maximum payload size to test. (Default is 10000)
   -v : Prints version info and exits

Warning:  This utility generates a lot of ICMP traffic.

For more information and download, click here

Secure destruction of data like personal details, banking information, confidential company information or critical customer data when they are no longer required is very important to information security for the simple reason that they can always be recovered in many ways from the hard disk. This is even more important when you sell or throw away your old PCs. Simply deleting the files from the PC doesn't really remove the files for good. They can always be recovered. FileShredder just protects you from that. File Shredder is an opensource free file secure destruction software for permanent removal of critical confidential files from the hard disk. With File Shredder you can remove files from your hard drive without fear they could be recovered. File Shredder has been developed as fast, safe and reliable tool to shred company files.

Read more… »

Phishers send well crafted emails as if coming from a valid source like your bank tricking you to enter your bank account or any portal (like eBay or Paypal) details including login and password or PIN numbers . Once, you enter the details, they are sent to remote servers. Now, that’s more than anything for the hackers to loot money out of your account.

Taking security seriously, we will discuss the community aided Netcraft tool bar for Internet Explorer & Firefox. First of all, I have to applaud NetCraft toolbar as by far the best toolbar that you can get for free. When I tested a new eBay scam email URL, no other toolbar other than NetCraft can catch the Phishing URL.

Read More…>>

Haute Secure is a free Internet Explorer plugin that secures you from loading bad content or malicious content or download and install malware onto your PC. When the Haute Secure add-on on your internet explorer comes across bad content it will block access to the website and prompt you for further option. It will also warn of malicious content try to load from known website. With Phishing scams, malicious malware spreading minute and the identity theft scams, it is important that we secure the browsers thereby no malicious content is downloaded onto the PC. Haute Secure supports only Internet Explorer at the moment but Firefox is expected to be onboard soon. There is also a Windows Vista 64 bit supported version available download.

Download Haute Secure from here

Windows Vista 64 bit version is here

Installation is fairly straight forward, just follow the onscreen wizard to complete the installation and reboot the system for the changes to take effect. After the reboot when you open the browser the first time, it adds an icon for the Haute Secure protection. You can create a login and register the system with Haute Secure. The alerts look as follows

There are more sample RED & ORANGE warnings here. You can also test how Haute Secure works here.

Secunia Personal Security Inspector (PSI) is a great tool for Windows Operating Systems (Windows 2003,Windows XP SP2, Windows Vista, Windows SP4 )to assess the installed applications on your system for patch status of installed applications and audits the applications for insecured versions and End Of life status.

While Secunia PSI is not a replacement to a Antivirus, Firewall or a malware protection software, it does lend a great deal of help in auditing the applications installed on the system and to report Insecure, End Of Life applications.

Secunia PSI is very easy to use and the user does not have to be an IT expert and anyone (even a novice user) canuse the application without any trouble. Secunia PSI checks the files on the system and looks into the Meta-data of the applications found in EXE, DLL and OCX files. This is then sent to the Secunia PSI server where it is compared against the signatures on the server and reported back to the user in a nice friendly way.

When reporting an Insecure / End Of life applications, it also provides a direct download link to the latest patch/fix or newer version of the application. Secunia PSI has an option to hide applications that are not easy to patch but personally I wouldn't recommend to enable the option.

The overview is a dashboard with a nice pie chart and short summary of the system status and history on a graph.

Secunia also a network edition for corporates and can request for an evaluation.

Secunia PSI can be downloaded from Secunia website

Sometimes, there is a need to have more than one IP Addresses assigned to a PC or a Server. If you have multiple services running on a server like a webserver and a mail server and want to assign each of these services seperate IP Addresses the Multiple IP addresses will help. While this need not necessarily require to have more than one Network Interface Card (NIC) on the server.

You can add multiple IP Addresses to a single interface card. However, these IP Addresses should be in the same logical network although in different subnets.

The following procedure will just guide you how to add Multiple IP Addresses:

1. Open Control Panel and Network Connections.

2. Right-click the LAN connection and select properties.

3. Select Internet Protocol (TCP/IP) and click properties.

4. Select "Use the following IP Address" and enter the primary IP Address, Subnet mask and Gateway and the primary and secondary DNS Servers.

5. Click Advanced then Add under IP Addresses.

6. Add the IP Address and Subnet mask. Repeat the procedure if there are additional IP Addresses to be added.

7. Click Add under "Default Gateways" and add the gateway addresses.
NOTE: The system will always use the 1st available Gateway and will use the additional gateways unless the primary gateway is not reacheable.

8.Click OK then OK and then OK to save the changes.

9. To confirm the multiple IP Addresses are set, from the command prompt (Start-Run and type CMD) run the ipconfig command. You can see multiple IP addresses on one Network Interface Card.

ICMP redirect is a type 5 ICMP error message sent by a gateway router to a sending host informing of an optimal alternate route to the destination host and to update its routing table with the new host route to the target destination host.

ICMP Redirects being an inefficient way to update a hosts routing table of an optimal route to a target destination can cause security issues. A malicious hacker with little knowledge about the network can launch a Denail of Service (DoS) attack on a host on the network.

ICMP Redirect is by default enabled in Windows. If ICMP redirects are not required for the host it should be disabled. To disable ICMP Redirects in Windows (windows 2000, Windows XP and higher) you need to edit the Windows Registry and modify the default value for ICMP Redirects.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Use Registry Editor at your own risk.

Click Start – Run, type "regedit" and press enter.

Once into Windows Registry, navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

In the right pane, double-click "EnableICMPRedirect" DWORD and change the value to "0"

This should disable ICMP Redirects in Windows.