GWbjones
asked on
PIX 501 - SYN Timeout problem
Hello - BT have fixed my adsl line, However I am not getting any emails that are sent to our exchange server. The log's give the following line:
Teardown TCP connection 146 for outside 217.199.168.113/3797 to inside:192.196.61.1/25 duration 0:02:01 bytes 0 SYN Timeout
Here is the current config the pix is running
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblah.blah encrypted
passwd blahblah.blah encrypted
hostname GWpix
domain-name GRAINGER
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp host 217.199.168.113 interface outside eq smtp
access-list acl_out permit tcp host 217.206.220.212 interface outside eq smtp
access-list acl_out permit tcp host 87.126.173.206 interface outside eq smtp
access-list acl_out permit tcp any interface outside eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 87.126.173.201 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 87.126.173.206 255.255.255.255 outside
pdm location 217.199.168.113 255.255.255.255 outside
pdm location 217.206.220.212 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
established tcp 25 0 permitto tcp 1024-65535 permitfrom tcp 0
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 87.126.173.206 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.196.61.16-192.196.61.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6d18fe26612
: end
[OK]
Thank you for any assistance.
Teardown TCP connection 146 for outside 217.199.168.113/3797 to inside:192.196.61.1/25 duration 0:02:01 bytes 0 SYN Timeout
Here is the current config the pix is running
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblah.blah encrypted
passwd blahblah.blah encrypted
hostname GWpix
domain-name GRAINGER
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp host 217.199.168.113 interface outside eq smtp
access-list acl_out permit tcp host 217.206.220.212 interface outside eq smtp
access-list acl_out permit tcp host 87.126.173.206 interface outside eq smtp
access-list acl_out permit tcp any interface outside eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 87.126.173.201 255.255.255.248
ip address inside 192.196.61.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.196.61.1 255.255.255.255 inside
pdm location 87.126.173.206 255.255.255.255 outside
pdm location 217.199.168.113 255.255.255.255 outside
pdm location 217.206.220.212 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.196.61.1 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
established tcp 25 0 permitto tcp 1024-65535 permitfrom tcp 0
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 87.126.173.206 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.196.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.196.61.16-192.196.61.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6d18fe26612
: end
[OK]
Thank you for any assistance.
aaaaa. When I say the Mail server....I mean on the ISPs side....Sorry....
ASKER
I have tried telneting into the PIX and after a little while it time outs. After looking at the log it had the same message as the email. So i need to understand what this SYN is and why its needed. Also could this to do with my exchange server not been able to communicate back to the source of the request?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I really dont think this is the mail servers fault.
I got the mail switched back to our old connection and it works without a problem.
Is there a setting on the pix that could be messing the SYN up?
I got the mail switched back to our old connection and it works without a problem.
Is there a setting on the pix that could be messing the SYN up?
ASKER
What i just said was basically utter rubbish - just as i hit "submit" i was thinking how does my mail server know where to send the SYN-ACK!!!!
It didnt and as soon as i sorted that it all worked fine.
Thanks Hawgpig for the help - your answers gave me the info i needed to fix it and test it. Thanks again and here are the points.
It didnt and as soon as i sorted that it all worked fine.
Thanks Hawgpig for the help - your answers gave me the info i needed to fix it and test it. Thanks again and here are the points.
You're welcome GWb
Glad I could help
Glad I could help
Hi
I am having the same sort of problem with clients on a network accessing a remote site through a PIX 525 UR Bun. The error message "duration 0:02:01 bytes 0 SYN Timeout" I have read this post and understand the solution, however, how do I configure my client to send the SYN-ACK back to the remote site ??? Are we talking about DNS entires here ?
I am having the same sort of problem with clients on a network accessing a remote site through a PIX 525 UR Bun. The error message "duration 0:02:01 bytes 0 SYN Timeout" I have read this post and understand the solution, however, how do I configure my client to send the SYN-ACK back to the remote site ??? Are we talking about DNS entires here ?
ASKER
Yes - Basically.
We use a DHCP server for which I had put the details in for connecting thro the gateway - My problem was because i had not put the DNS details into the DHCP servers network settings. Therefore all the clients new were the gateway was but the DHCP/Mail server didnt!
Hope that helps
We use a DHCP server for which I had put the details in for connecting thro the gateway - My problem was because i had not put the DNS details into the DHCP servers network settings. Therefore all the clients new were the gateway was but the DHCP/Mail server didnt!
Hope that helps
This means that the mail server sent a SYN....and it timed out on the pix after waiting for a SYN-ACK for 2 minutes....
Something is wrong with your e-mail server.....
Check the configuration or reboot the server and try again....
To confirm that this is the issue you can test that the pix is passing traffic on port 25 by using an outside connection and telneting to the outside IP address on port 25.
use this command
telnet 1.1.1.1 25 (where 1.1.1.1 is your mail servers EXTERNAL address.)
If you get a black screen then the pix passed the traffic to the SMTP server and connected...
If you get a connection timed out...then the server is usually down or the pix is not passing the traffic.....see what the syslog says also....
Good Luck