RPC Server issues w/ Cisco ASA5510 and PIX501 Site to Site.....

I am pulling my hair out on this one.  My company has merged with another company and their sites.  My company had recently upgraded all of its equipment hence we would migrate their sites to ours.  Here is my issue.

We moved all of the mail services to Domain A.  We were trying to create a 2-way trust between the DC on Domain A and the DC on Domain B.  The Exchange Server on Domain A would handle all the mail for both sites, using the "Associated with an External Account" option to match Domain A Exchange mailboxes to Domain B accounts.  The trouble began when we tried to create the trusts.  It would just hang.  Every time we tried to associate a Domain B account to a Domain A mailbox it would hang.  I think I have an issue with the VPN not allowing all RPC traffic through.  Anyway, my site and Cisco info are below.

Anyone's help will be much appreciated.
Thank you in advance.
Etikigaq

Site Layouts:
Domain A - Windows 2003 R2 DC, Windows 2003 R2 w/ Exchange 2003 Sp2, Windows 2003 R2 (Running terminal services), behind Cisco ASA5510
Domain B - Windows 2003 R2, behind Cisco PIX501

WAN Layout:
Domain A - ASA5510 - 2mb/2mb - Internet - 1mb/1mb - PIX501 - Domain B

Domain A
ASA5510 Config:
ASA Version 7.0(4)
!
hostname Domain A
domain-name DomainA.LOCAL
enable password xxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.210 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address x.x.0.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
clock timezone PCST -8
clock summer-time PCDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_cryptomap_20_1 extended permit ip x.x.0.0 255.255.255.0 x.x.4.0 255.255.255.0
access-list acl-out extended permit tcp any host x.x.x.211 eq 3389
access-list acl-out extended permit tcp any host x.x.x.220 eq www
access-list acl-out extended permit tcp any host x.x.x.215 eq smtp
access-list inside_outbound_nat0_acl extended permit ip x.x.0.0 255.255.255.0 x.x.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RDP x.x.0.200-x.x.0.220 mask 255.255.255.0
no failover
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list inside_outbound_nat0_acl
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp x.x.x.211 3389 x.x.0.10 3389 netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.215 smtp x.x.0.5 smtp netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.220 www x.x.0.5 www netmask 255.255.255.255
access-group acl-out in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password xxxxxxxxxxxxx encrypted privilege 15
http server enable
http x.x.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer x.x.x.x
crypto map Outside_map 20 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server Outside x.x.x.x /
webvpn
 enable Outside
 nbns-server x.x.0.1 master timeout 2 retry 2
 authorization-server-group LOCAL
 authorization-required
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Domain B
PIX501 Config:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname Domain B
domain-name domainb.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.0.0 domaina
access-list inside_outbound_nat0_acl permit ip x.x.4.0 255.255.255.0 domaina 255.255.255.0
access-list outside_cryptomap_20 permit ip x.x.4.0 255.255.255.0 domaina 255.255.255.0
access-list acl-out permit tcp any host x.x.x.1 eq 3389
pager lines 24
logging console debugging
mtu outside 1460
mtu inside 1460
ip address outside pppoe setroute
ip address inside x.x.4.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.1 3389 x.x.4.1 3389 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Domain A 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside x.x.x.248 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.210
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.210 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tts_vpn idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group domainb request dialout pppoe
vpdn group domainb localname XXXXXXXXXXXXXXXXXXXX
vpdn group domainb ppp authentication pap
vpdn username XXXXXXXXXXXXXXXX password *********
dhcpd dns 198.51.13.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
etikigaqAuthor Commented:
More notes...

Validate trust results:
Domain A -> Domain B (both incoming and outgoing) Successful!
Domain B -> Domain A (both incoming and outgoing) Failed!  Error Below
Error:
Active Directory
The account does not have administrative privileges on the domain DomainA.local.  The error is The RPC server is unavailable.
The trust cannot be validated.

The account used is the administrator account for Domain A.
carl_legereCommented:
http://www.dslreports.com/drtcp

take all servers that need to talk using sites and services connectors, and lower their MTU to 1300, reboot, test

Change all sites and services connections that will be WAN based to IP, make sure they are not RPC.

remove SMTP fixup on routers, it is on the inside interface and therefore interferes with VPN traffic.

I just did one like this
lrmooreCommented:
ASA5510 has all interfaces set MTU 1500
PIX 501 has all interfaces set MTU 1460

Is the 501 sitting behind a DSL connection?
It is this mismatch of MTU sizes that is the crux of the issue.
carl has the right answer and that is to set all the servers to use a max MTU of 1300
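The arithmetic behind that advice, as an added example that is not part of the thread: a 1500-byte packet from a server does not fit across a PPPoE DSL link once the PIX or ASA wraps it in ESP, so it has to be fragmented or dropped somewhere in the path. The calculator below uses the ESP tunnel-mode layout from RFC 4303 and the 8-byte PPPoE overhead from RFC 2516; it assumes DES or 3DES with HMAC-SHA1-96 (the thread's ESP-DES-SHA transform set) and no NAT-T, and it probes nothing on a live network.

```python
"""PPPoE + ESP tunnel-mode overhead calculator (added example, not from the thread).
Pure arithmetic from RFC 2516 (PPPoE) and RFC 4303 (ESP). Assumes DES/3DES with
HMAC-SHA1-96 as in the thread's ESP-DES-SHA transform set; NAT-T is optional."""
from math import ceil

PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol id: 1500 -> 1492
OUTER_IP_HDR = 20        # new IPv4 header added in tunnel mode
ESP_HDR = 8              # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
NAT_T_UDP = 8            # UDP/4500 header, only when NAT traversal is negotiated
BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}   # cipher block size = IV size
ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}          # HMAC-*-96 truncated ICV


def esp_tunnel_size(inner_len, cipher="esp-des", auth="esp-sha-hmac", nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes in ESP tunnel mode."""
    blk = BLOCK[cipher]
    # plaintext = inner packet + trailer, padded up to the cipher block size
    padded = ceil((inner_len + ESP_TRAILER) / blk) * blk
    size = OUTER_IP_HDR + ESP_HDR + blk + padded + ICV[auth]   # blk bytes of IV
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(link_mtu, cipher="esp-des", auth="esp-sha-hmac", nat_t=False):
    """Largest inner packet whose encrypted form still fits link_mtu unfragmented."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n, cipher, auth, nat_t) > link_mtu:
        n -= 1
    return n


def tcp_mss(mtu):
    """MSS a host advertises for a given MTU (20 IP + 20 TCP header bytes)."""
    return mtu - 40


def verdict(server_mtu, ethernet_mtu=1500, pppoe=True, **kw):
    """Does a server MTU cross a (PPPoE) DSL link inside ESP without fragmentation?"""
    link = ethernet_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    wire = esp_tunnel_size(server_mtu, **kw)
    return {"link_mtu": link, "wire_size": wire, "fits": wire <= link,
            "max_server_mtu": max_inner_mtu(link, **kw), "tcp_mss": tcp_mss(server_mtu)}


if __name__ == "__main__":
    for mtu in (1500, 1438, 1300):      # 1300 is the value the thread settled on
        print(mtu, verdict(mtu))
```

With DES/SHA a 1500-byte inner packet becomes 1552 bytes on the wire, over even a plain 1500-byte Ethernet link, and the largest server MTU that crosses a 1492-byte PPPoE link unfragmented is 1438 (1422 with AES). The thread's 1300 leaves margin for whatever the DSL CPE in the path does. Two caveats: the PIX and ASA clamp TCP MSS through the box (`sysopt connection tcpmss`, default 1380), which is why small and interactive TCP traffic usually works while bulk SMB writes and large RPC replies stall; and lowering the server MTU only helps if every hop honours it or sends ICMP fragmentation-needed, so a CPE in the path with its own undersized MTU that silently drops oversized packets cannot be fixed from the servers.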

carl_legereCommented:
I guess MS uses an extended command set in SMTP (when we're talking SMTP to SMTP, both Exchange servers) and it sometimes tries to make big packets, and some get lost if there is an MTU mismatch.  Seems costly for performance to lower the MTU drastically, but if it works it works.
etikigaqAuthor Commented:
All of the servers are set to a MTU of 1300.  Dynamic RPC has been set to use ports 5000-5100.
http://support.microsoft.com/kb/154596 .  Is there something I need to do on firewall?  

>Change all sites and services connections that will be WAN based to IP, make sure they are not RPC.  Don't know how to do this.

There is no Inspect for smtp on the ASA, I removed it from the PIX.

ASA5510 has all interfaces set MTU 1500
PIX 501 has all interfaces set MTU 1460 "Has been changed back to 1500.  Minor mistake."

Is the 501 sitting behind a DSL connection? "YES, both sides are"

Good news is that we can now Validate trust from both sides.
Bad news is we still can't share files or associate accounts from Domain B to Domain A mailboxes.  It just freezes and hangs.

Thank you for the responses.


etikigaqAuthor Commented:
BTW only one Exchange Server in the mix.

Site Layouts:
Domain A - Windows 2003 R2 DC, Windows 2003 R2 w/ Exchange 2003 Sp2, Windows 2003 R2 (Running terminal services), behind Cisco ASA5510
Domain B - Windows 2003 R2, behind Cisco PIX501

WAN Layout:
Domain A - ASA5510 - 2mb/2mb - Internet - 1mb/1mb - PIX501 - Domain B
lrmooreCommented:
>Good news is that we can now Validate trust from both sides.
Good news, indeed!

>Bad news we still can't share files, Associate Accounts from Domain B to Domain A mailboxes.  It just freezes and hangs
Sounds like DNS issues now between the two domains. Where is your primary DNS ? Are *all* systems pointing to this primary dns?

etikigaqAuthor Commented:
Primary DNS servers are in each other's domains.  Lookup forwarders are in each DNS server.  We do have DNS zones for each domain in each domain's DNS servers.  We have successful zone transfers from each server.  I just set up a WINS server on each domain and they are successful replication partners.

One thing to add to the WAN setup.  We have a soho91 handling our PPPoE and our routed subnet (the ASA doesn't support it, BAH!), but this shouldn't have any impact on a site-to-site VPN, correct?
etikigaqAuthor Commented:
For sh!ts and giggles we brought up the old Exchange server on the Domain B side and were able to associate accounts from Domain A to Domain B mailboxes. (BAH!)

Correct me if I am wrong, doesn't the ASA5510 handle RPC traffic differently than the PIX501?  The above tests tell me that traffic coming from Domain A isn't getting blocked.  I just don't know...
carl_legereCommented:
how is your 'net view \\servername' from each direction?
lrmooreCommented:
>Is the 501 sitting behind a DSL connection? "YES, both sides are"
Since both sides are behind DSL connections, with PPPoE, you can still have a MTU issue.
Have you tried setting the servers to lower MaxMTU?

etikigaqAuthor Commented:
>how is your 'net view \\servername' from each direction? Yes, this comes up smelling like roses...

>Have you tried setting the servers to lower MaxMTU? I have set the MAXMTU to as low as 1200.  Should I go lower?

Some more troubleshooting has shown, that I can copy files from Domain A to Domain B if it is requested by Domain B.  
For Example:
On the Domain B DC, if I open a share \\dc01.DomainA.Local\IT, it opens, and I am able to copy files from that share to Domain B's DC.  If I try to put a file in the same window (\\dc01.domainA.local) it hangs with an error titled "Error Copying File or Folder": "Cannot copy radmin22: The specified network name is no longer available"

On Domain A DC, if I open a share \\dc02.DomainB.local\IT, it opens, but once I select a file in the share it freezes and I have to do End Task on the Window.

I have used IPs to connect to the shares, and the same thing happens. Lol, I am so confused.
carl_legereCommented:
do you have this for DSL:

internet -> dslmodem -> PIX
or
internet -> PIX with dsl modem card

if the first one, is the DSL modem acting as a bridge, and is it handing a real IP or a 192.168.x.x type IP address to the PIX?
if the second, post the PIX configs
etikigaqAuthor Commented:
Domain A = Internet > dslmodem > soho91 > ASA5510
Domain B = Internet > dslmodem > PIX501
etikigaqAuthor Commented:
Bah, how do I split the points!!!  Please split the points between carl_legere and lrmoore...
etikigaqAuthor Commented:
I would like to thank both of you for your input, because it helped solve the issue.  It was an MTU issue.  Not with either the ASA or the PIX501, but with the SOHO91.  The SOHO91 was supplied and controlled with the managed BXBDSL circuit.  They said it was set to 1500, but surprise surprise it wasn't; we changed it to 1500 and WOW, everything works now.  Thank you again for your help.  I will post some captures that really pointed to the culprit.