Outlook 2003 RPC over HTTP extremely slow on Cisco PIX 501 VPN

Posted on 2004-11-13
Last Modified: 2008-01-09
Hello all
I've been reading several message threads on this subject but couldn't get to a solution that helped me.  So, here it goes:

laptop at home:
 Windows XP service pack 2, firewall turned off, Cisco VPN client 4.0.5(C), cable modem - client connects to PIX, logon is successful. Local router is configured as a separate subnet from the PIX as well as the office domain

 PIX is managed by an outside network service co, full T1 going into the office

 Exchange 2003 server, all a GC server/DC, single server option for RPC over HTTP, Verisign certificate loaded
   - internal name mail01.panda.local
   - external name

 Windows 2003 Domain Controller

Outlook /rpcdiag option indicates that we are successfully connecting to Exchange Server via HTTPS after ~10 mins.  
Outlook slows down laptop or freezes it completely whenever it attempts a Send/Receive.

can successfully ping mail01 server with excellent ping times
can access OWA with excellent response

Recently upgraded laptop to XP service pack 2

When I am on vpn, pinging mail01.panda.local is going to the external IP address of the server.  Not sure why it isn't going to the server's internal address.

I used to be able to access server mail01 via remote desktop connection by simply typing in the name at the connect prompt.  Now I have to enter the IP address.

Any thoughts on how to further diagnose the slow performance problem or correct this issue?

Thanks, in advance, for any assistance.

Question by:jboggs326
    LVL 2

    Expert Comment

    Try creating a hosts entry for mail01 with the internal IP of the server, which will force traffic for it to run through the VPN tunnel. This is a quick and easy solution to try.
    To do it, browse to c:\windows\system32\drivers\etc, open the "hosts" file in notepad, and add a line at the bottom that reads

    mail01.panda.local (or whatever its LAN IP is)

    Save the file, then try pinging mail01 and mail01.panda.local and it should resolve to the internal IP.

    That should work.
    LVL 79

    Expert Comment

    Sounds like a name resolution issue. Your DNS is getting the public IP instead of the private IP.
    A very simple fix would be to put your own entries into your local hosts file:

    # hosts file in %SYSTEMROOT%/system32/drivers/etc
        mail01    mail01.panda.local


    Author Comment

    Thanks for the feedback. Yes, the addition to the hosts file allows Outlook to quickly connect to the Exchange Server (over TCP/IP).  Unfortunately, this precludes me from using RPC over HTTP when I'm not connected via VPN.  

    It seems this is now narrowed down to a firewall issue.  BTW, we have a Cisco PIX 501 firewall.

    My T1 provider (and firewall manager) is telling me that they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?

    I have a call into their technical assistance center.  I will get a printout of the configuration and post it up to here.


    Thanks - jb

    LVL 79

    Expert Comment

    > they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?
    No - if you are using the Cisco client to VPN to the PIX, there is a configuration to give your client the appropriate IP address of the local (inside) DNS server. As long as that DNS server resolves to the private IP address, then when connected via VPN you should resolve to the private IP; when not connected via VPN, you should resolve to the public IP.
    LVL 104

    Accepted Solution

    The whole point of RPC/HTTPS is to connect to Exchange without the VPN. If you are going to always use VPN then you may as well just use Outlook offline folders - you aren't getting any of the benefits of RPC/HTTP.
    You should also be using the same address both internally and externally - this makes moving between on network and off network very easy.

    You shouldn't need hosts files. I have a large installation of users with the Cisco VPN and there isn't a host file to be seen on any of their machines. The usual reason with PIX VPN for the traffic going out instead of over the VPN is the split DNS hasn't been set correctly in the VPN configuration on the firewall. Therefore as long as the DNS settings in the VPN config have been set correctly then all DNS requests should go over the VPN, with your servers responding to the external requests as well.
    Have you got split tunnelling enabled as well?

    LVL 8

    Expert Comment

    What sembee said is correct... the whole purpose of RPC over HTTPS is to allow internal Exchange functionality from a remote location without a VPN having to be established (preventing possible security holes)... split DNS does sound like the problem as well... you should be able to configure the firewall client to assign the internal DNS servers to the laptop when using the firewall...

    Author Comment


    I've had trouble getting a VPN connection in the past when we have been traveling.  That's why we had RPC/https on board, as well.

    The configuration of the PIX is below.  

    Is it really possible to have all of my sites on the same subnet?  If I have two sites with 192.168.0.x, don't overlap the IP addresses and I ping, for example, that's on the site I'm tunneling to, will it be able to handle that?  I read on other posts that this shouldn't be done.  (Sorry, over my head on this topic!)

    Are changes required to the PIX or the client?

    pallc# sh run
    : Saved
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pallc
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list MS permit ip host
    access-list NONAT permit ip
    access-list CVPN permit ip
    pager lines 24
    logging on
    logging trap informational
    logging history informational
    logging facility 23
    logging host outside
    logging host outside
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit name attacking attack action alarm drop reset
    ip audit interface outside attacking
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip local pool remotes
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0 0
    alias (inside)
    static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 0
    conduit permit icmp any any
    conduit permit tcp host eq smtp any
    conduit permit tcp host eq www any
    conduit permit tcp host eq imap4 any
    conduit permit tcp host eq pop3 any
    conduit permit tcp host eq nntp any
    conduit permit tcp host eq https any
    conduit permit tcp host eq 993 any
    conduit permit tcp host eq 995 any
    conduit permit tcp host eq 563 any
    conduit permit tcp host eq ftp any
    conduit permit tcp host eq www any
    conduit permit tcp host eq 475 any
    conduit permit tcp host eq www any
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http outside
    http outside
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community ATXNet
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp inside
    crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
    crypto dynamic-map 20 11 set transform-set NORMAL
    crypto map MANAGED 10 ipsec-isakmp
    crypto map MANAGED 10 match address MS
    crypto map MANAGED 10 set peer
    crypto map MANAGED 10 set transform-set NORMAL
    crypto map MANAGED 20 ipsec-isakmp dynamic 20
    crypto map MANAGED interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp keepalive 10 5
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup jboggs address-pool remotes
    vpngroup jboggs dns-server
    vpngroup jboggs default-domain panda.local
    vpngroup jboggs split-tunnel CVPN
    vpngroup jboggs idle-time 1800
    vpngroup jboggs password ********
    vpngroup jboogs idle-time 1800
    vpngroup panda address-pool remotes
    vpngroup panda dns-server
    vpngroup panda default-domain panda.local
    vpngroup panda split-tunnel CVPN
    vpngroup panda idle-time 1800
    vpngroup panda password ********
    telnet outside
    telnet outside
    telnet inside
    telnet inside
    telnet timeout 30
    ssh outside
    ssh outside
    ssh outside
    ssh timeout 30
    console timeout 0
    terminal width 80
    : end

    Author Comment


    I've had the firewall provider remove the alias.  This has eliminated the need for the host entry and seems to have solved the performance issue in Outlook.

    Thanks for your help!!!
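    The two things this thread settled on are the vpngroup DNS settings (sembee's split DNS point) and the alias line the author had removed. The following is an added example, not code from the thread: a small Python audit of a PIX 6.x "sh run" text that flags a vpngroup without an inside dns-server or split-tunnel ACL and any alias (inside) line. The sample config and all its addresses are constructed placeholders, since the posted config had its addresses stripped.

```python
import ipaddress

# Constructed sample modelled on the thread's PIX 6.3 "sh run"; the posted
# config had its addresses stripped, so every address here is a placeholder.
SAMPLE_CONFIG = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool remotes 10.10.10.1-10.10.10.50
alias (inside) 192.168.0.5 203.0.113.25 255.255.255.255
vpngroup panda address-pool remotes
vpngroup panda dns-server 192.168.0.5
vpngroup panda default-domain panda.local
vpngroup panda split-tunnel CVPN
vpngroup jboggs address-pool remotes
vpngroup jboggs default-domain panda.local
"""

def parse_pix(config):
    """Collect inside networks, alias lines and per-vpngroup settings."""
    inside, aliases, groups = [], [], {}
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "inside"]:
            inside.append(ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False))
        elif p[:2] == ["alias", "(inside)"]:
            aliases.append(line)
        elif p[:1] == ["vpngroup"] and len(p) >= 3:
            groups.setdefault(p[1], {})[p[2]] = p[3:]   # keyword -> arguments
    return inside, aliases, groups

def audit_vpn_dns(config):
    """Return one finding per setting that would leave a VPN client resolving
    the mail server to its public address instead of the inside one."""
    inside, aliases, groups = parse_pix(config)
    findings = []
    for name, g in sorted(groups.items()):
        dns = g.get("dns-server", [])
        if not dns:
            findings.append(f"{name}: no dns-server, clients keep the ISP resolver")
        elif not all(any(ipaddress.ip_address(d) in n for n in inside) for d in dns):
            findings.append(f"{name}: dns-server {' '.join(dns)} is not on the inside network")
        if "split-tunnel" not in g:
            findings.append(f"{name}: no split-tunnel ACL, all client traffic goes through the tunnel")
    for a in aliases:
        findings.append(f"'{a}' rewrites addresses in DNS answers; the thread's fix was to remove it")
    return findings

if __name__ == "__main__":
    for finding in audit_vpn_dns(SAMPLE_CONFIG):
        print(finding)
```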

    Author Comment

    How do I close the ticket?
    LVL 8

    Expert Comment

    VPNs are designed to provide connectivity between two different subnets... they don't support connecting the same subnet together, as the local computer wouldn't know when to route through the VPN or just simply go across the LAN.
    LVL 8

    Expert Comment

    click accept next to the answer that helped you the most
