Archive for category Exchange

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved with help from DSLReports.com: you have to call Verizon and convince them to instant message the group that runs the ONTs (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. We could ping each other, but Verizon-served traffic could not see me. A quick tcpdump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal: the ASA ignores the ARP request, and the Verizon gateway never binds the MAC to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug; the Alcatel equipment was partially to blame, and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0. They projected it would be fixed in Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it were responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely; all it took was a Linux system and the Perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower-layer traffic can, using the ethertype command, but ARPs get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement, as it breaks so many rules of paranoia that I doubt the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMware stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use strict;
use warnings;
use Net::ARP;

# Net::ARP::send_packet(DEVICE, SOURCE_IP, DEST_IP, SOURCE_MAC, DEST_MAC, OPCODE)
for (;;) {
    Net::ARP::send_packet(
        'eth0',                # Device
        '98.109.50.1',         # Verizon gateway, not really 0.0.0.0 of course
        '98.109.50.36',        # address that we want Verizon to respond to
        '00:1E:EC:9F:DB:67',   # Source MAC: MAC of our address
        '00:1d:70:26:cc:53',   # Destination MAC address for ARP
        'reply'                # ARP operation
    );
    print "packet sent\n";
    sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e 'install Net::ARP'
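Before leaving a script like the one above running, it is worth confirming that the bytes it puts on the wire decode to the reply you expect. As an added example, not part of the original post, this Python code builds an ARP frame, renders it in tcpdump's notation like the captures above, and flags the "tell 0.0.0.0" requests that the ASA ignores; the gateway MAC 02:00:00:00:00:01 is a constructed placeholder.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (no FCS), 42 bytes."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6- and 4-byte addrs
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)  # sha, spa
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)  # tha, tpa
    return eth + arp

def decode_arp(frame):
    """Render an ARP frame the way tcpdump prints it in the captures above."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    sha, spa = mac(frame[22:28]), ip(frame[28:32])
    tha, tpa = mac(frame[32:38]), ip(frame[38:42])
    if op == ARP_REQUEST:
        # tcpdump shows the target MAC in parentheses only when it is non-zero
        tgt = f" ({tha})" if any(frame[32:38]) else ""
        return f"arp who-has {tpa}{tgt} tell {spa}"
    if op == ARP_REPLY:
        return f"arp reply {spa} is-at {sha}"
    return f"arp op {op}"

def zero_sender_request(frame):
    """True for the 'tell 0.0.0.0' requests that the ASA silently ignores."""
    op = struct.unpack("!H", frame[20:22])[0]
    return op == ARP_REQUEST and frame[28:32] == b"\x00\x00\x00\x00"

# Constructed samples: the reply the post's script is meant to emit (.36 is-at the .35
# MAC) and the gateway's odd probe; 02:00:00:00:00:01 is a placeholder gateway MAC.
REPLY = build_arp(ARP_REPLY, "00:1d:70:26:2c:53", "98.109.50.36",
                  "02:00:00:00:00:01", "98.109.50.1")
PROBE = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "0.0.0.0",
                  "00:1e:4a:87:32:59", "98.109.50.34")
```

Feeding a frame captured with tcpdump -w into decode_arp is the quickest way to see whether the sender IP/MAC pair is the binding you meant to advertise.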


How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx


x64 Sagas: Trashed DNS and Active Directory

Just recovered an Active Directory domain that was hurting (busy weekend). DNS was not pushing correctly between servers, AD replication stopped, and Exchange went offline except for OWA access.

The problem was traced to a probably corrupted DNS cache file on the Exchange server; demoting and re-promoting the server did not help. Users were getting immediate rejections from the Exchange server as offline, and attempts to create new email accounts would fail as not reachable. When substituting a domain controller’s name for the Exchange server entry in Create Account, the process would get further: the server would be replaced with the underlined (real) name of the Exchange server and the username would verify as underlined, and then fail for lack of connectivity, pretty clear proof that it was a DNS issue.

On top of that, DNSMGR was acting funny and stopping Netlogon, and running netdiag /fix was not backfilling the zone correctly.

Bottom line: we changed the DNS instance to Slave, changed the other DC to allow transfers, and forced a transfer of zones (deleting all cache files we could find first). We then reintegrated DNS with AD and tested. Email started flowing and the Exchange server once again knew his own name.

Why is this an x64 Saga? The Exchange server was 2007, which only runs on x64, and the <skepticism> only </skepticism> event that we can find is that the x32 AD utilities may have been run against the x64 install, which is supposed to be bad. I am not going to put the customer through proving it by testing that theory in detail. One remaining issue is that the dnsmgr app remains broken; we have to use the DNS snap-in for MMC to see the zones.


Blackberry and a leap of faith: Synchronizing with Exchange 2007… or not.

I just got a Blackberry Bold, as a friend of mine who owned a business similar to mine said it was the best experience… after spending several weeks of hating it. I am in the unsure-hate phase at the moment, as I KNEW BB were fascists about email access, shy of running a spy-like program on your desktop, which as a business owner I frowned upon. I knew it though, so I have nobody to blame for re-experiencing what I knew 5 years ago, which is that BB doesn’t let you get to your own information without them getting their hand in the middle (and in your pocket, at least in the old days).

I had chatted with BB and asked specifically, will this work with my Exchange 2007 server.  “Oh yes sir, as long as you have the enterprise datapack from AT&T”.  She forgot to mention that I would probably also need Blackberry Enterprise Server.

Now I have yet to find out the true native capabilities of the standard email software; it asked for my email address and password, and at this moment my Swiss bank account is being raided. Or my email server, whatever. They said I should start receiving email in 20 minutes. I am not sure if this means they are going to POP or IMAP to my server (which will be interesting since I don’t have those ports open in the ASA firewall), but one thing I know is they WON’T be using ACTIVESYNC because they, ahem… didn’t license it from Microsoft.

In a panic that I was going to have to go back to my Treo 750, which has been nothing but a pain since they (intentionally) broke Versamail, which doesn’t really work with self-signed certs as far as I can tell (yes, I DL’d all of the workarounds); then they don’t work with GoDaddy certs this year (they did last year), and on top of that Sprint refused to replace my plan when I upgraded (replaced a broken 650 really); the closest they could get was $15 more a month and they didn’t act the least bit sorry, this after 10 calls about getting bills for SMS messages, etc. (I don’t SMS yet).

So here is what I have found so far for an ActiveSync-like replacement for the BB:

You can get a single license version of the Blackberry Server, Professional Software Express at http://na.blackberry.com/eng/services/server/offers/professional_express.jsp

You can try a $49/year service from AstraSync.
http://www.astrasync.com/

Meanwhile I will see how the integration of the desktop works and what email forwarding options I really have.

So, week one of hating my BB…

(Okay, now I am pissed: they just locked my account for 24 hours because they wanted a PIN, not a PIN; you know, the PIN on the box is not the PIN for my telephone when they mean the website. They also said I need to upgrade my unlimited data account to an unlimited data account if I want to actually get unlimited data, you know, video and stuff. No sign of a real support number, and when I click support they ask me to log in to my locked account.)


Blocking ICMP

This is old news, real old, but I still run across it from time to time.  Customers block ICMP in their firewall or other places.

Internet Control Message Protocol is more than just ping (I remember the early Macs didn’t implement ICMP, or at least echo/ping, in their IP stack).

ICMP, among other things, tells equipment up and down the line a few interesting things, not least when they need to fragment a packet into smaller packets. Symptoms range from telnet or the web working while email or FTP don’t, some of the time. In short, to the casual observer (known as a user), it is one more thing that works randomly.

Nowadays it’s more important than ever, with the proliferation of VPNs, to get your fragging done as thoroughly as possible before the packet gets sucked into the VPN terminus. Why? You can’t fragment an encrypted packet; in fact it’s not even TCP (IP Protocol type 9) anymore, it is type 50/ESP or type 47/GRE, and because it’s encrypted you really can’t bust it into smaller parts and calculate checksums, etc.

Exchange clients don’t work on all workstations across VPNs? There were various versions of MS patches that appeared to break the MTU discovery mechanism that says to use smaller packets.
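The specific ICMP message that a blanket block throws away is Destination Unreachable with code 4 (Fragmentation Needed), which carries the next-hop MTU the sender needs in order to shrink its packets. As an added example that is not from the original post, this Python code builds that message for a dropped ESP packet, validates and parses it the way a receiving stack would, and works out the TCP segment size that fits once tunnel overhead is paid for; the packet and its addresses are constructed.

```python
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50

def checksum(data):
    """RFC 1071 one's-complement sum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_header(src, dst, proto, total_len, df=True):
    """Minimal 20-byte IPv4 header; DF set, as a PMTU-discovering sender does."""
    pack = lambda ip: bytes(int(x) for x in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0, pack(src), pack(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_frag_needed(next_hop_mtu, original):
    """ICMP type 3 code 4 quoting the dropped packet's IP header + 8 bytes."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += original[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(icmp):
    """(next-hop MTU, src, dst, protocol) of the dropped packet, or None."""
    if len(icmp) < 28 or checksum(icmp) != 0:
        return None                      # truncated or corrupt
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:28]
    fmt = lambda b: ".".join(str(x) for x in b)
    return mtu, fmt(inner[12:16]), fmt(inner[16:20]), inner[9]

def tcp_mss_for(mtu, encap_overhead=0):
    """Largest TCP payload per packet once tunnel, IP and TCP headers are paid for."""
    return mtu - encap_overhead - 20 - 20

# Constructed sample: a 1500-byte ESP packet (DF set) leaving the VPN terminus that a
# 1400-byte link could not forward; addresses are documentation ranges, not real hosts.
DROPPED = ip_header("192.0.2.10", "203.0.113.9", IPPROTO_ESP, 1500) + b"\x00" * 8
FRAG_NEEDED = build_frag_needed(1400, DROPPED)
```

A firewall that must drop most ICMP should still let type 3 code 4 reach the sender; otherwise the MTU in that message never arrives and large transfers hang while small ones work.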


GoDaddy SSL Certs and PalmOS

Just re-upped my cert for my Exchange server to talk to my Treo 750. I bought a 750 because the 650 broke; Sprint said that the 750 would just replace my 650 and nothing else would change.

Well, many bills later and many calls to their billing department, we got the bill down to within $14 a month of what it used to be; they claimed that they didn’t offer a month-to-month unlimited data plan, in spite of the fact that that’s what had been on my 650. They also kept adding some form of picture-sharing charge or some such thing.

But the most noticeable thing was that Versamail no longer worked with self-signed SSL certs on my Exchange server. I did everything suggested, which was loading an executable to modify some registry-type setting on the Palm, to no avail, including opening the non-SSL port, which was the whole point of a cert (required for the first part of the handshake when using self-signed certs).

So I bought a GoDaddy cert. Problem solved for a year.

This year, however, I found out that the new GoDaddy Class 2 certs don’t work with PalmOS. They don’t. Google for the reason why; I am just trying to save time.

GoDaddy SSL certs don’t work with Palm OS.
