Cisco ASA-5500 and POP3 issue

Posted on 2007-07-31
Last Modified: 2012-08-13
Cisco ASA-5505 and POP3 issue.

Just the facts:
-At certain times of the day, people cannot receive email from the ISP's POP3 server.
-The connection in Outlook is made, then it hangs as it starts to download email. One can see the number of emails that should be downloading, but it hangs (for example) at 903 B of 101 KB. Not everyone hangs at the same amount of bytes.
-They can send okay any time of the day.
-I can send/receive anytime to other POP3 servers on a different domain.
-I cannot receive from the ISP's POP3 server between ~7:45 AM to ~5:00 PM. The times vary by about 30 min for both the morning and afternoon.
-I can successfully receive email from the ISP's domain outside of those times, and it seems to "magically" begin to work.
-I believe that I have ruled out both the amount of people trying to connect (as people arrive or leave for the day) and any individual computer that gets turned on or off.
-Swapping the DNS name of the ISP's mail server with the IP of the ISP's mail server does not resolve the issue.

It gets worse:
-This issue appeared to start after installation of a new domain controller and ASA-5505 (Both happened on the same day)
-I can receive email from the ISP's mail server from outside the ASA anytime
-If I swap the ASA with a Linksys, the issue goes away
-If I connect to a mailbox from outside the ASA (using the only static IP assigned to us), then move the computer to inside the ASA (changing back to NAT'd IP), the computer successfully opens and closes a POP3 connection to the ISP's mail server --- as long as there is no mail.
-As soon as the person receives one email, the issue returns.
-It does not matter which mailbox or which computer I do this test with.

Capture from inside when successfully receiving:
6 5.503770 208.x.x.x TCP 1099 > pop3 [SYN] Seq=0 Len=0 MSS=1460
7 5.529176 208.x.x.x TCP pop3 > 1099 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
8 5.529247 208.x.x.x TCP 1099 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
9 5.550051 208.x.x.x POP Response: +OK Hello there.
10 5.550265 208.x.x.x POP Request: USER testuser
11 5.x0787 208.x.x.x TCP pop3 > 1099 [ACK] Seq=19 Ack=15 Win=5840 Len=0
12 5.x1052 208.x.x.x POP Response: +OK Password required.
13 5.x1241 208.x.x.x POP Request: PASS ***
14 5.631394 208.x.x.x POP Response: +OK logged in.
15 5.631592 208.x.x.x POP Request: STAT
16 5.658310 208.x.x.x POP Response: +OK 1 2494
17 5.658500 208.x.x.x POP Request: UIDL
18 5.678269 208.x.x.x POP Response: +OK
19 5.678453 208.x.x.x POP Request: LIST
20 5.700992 208.x.x.x POP Response: +OK POP3 clients that break here, they violate STD53.
21 5.703876 208.x.x.x POP Request: RETR 1
22 5.739949 208.x.x.x POP Response: +OK 2494 octets follow.
23 5.747896 208.x.x.x POP Continuation
24 5.748145 208.x.x.x TCP 1099 > pop3 [ACK] Seq=54 Ack=2x0 Win=65535 Len=0
25 5.768541 208.x.x.x POP Continuation
26 5.792568 208.x.x.x POP Request: DELE 1
27 5.818550 208.x.x.x POP Response: +OK Deleted.
28 5.818805 208.x.x.x POP Request: QUIT
29 5.838874 208.x.x.x POP Response: +OK Bye-bye.
30 5.839069 208.x.x.x TCP 1099 > pop3 [FIN, ACK] Seq=68 Ack=2716 Win=65389 Len=0
31 5.840697 208.x.x.x TCP pop3 > 1099 [FIN, ACK] Seq=2716 Ack=68 Win=5840 Len=0
32 5.840823 208.x.x.x TCP 1099 > pop3 [ACK] Seq=69 Ack=2717 Win=65389 Len=0
33 5.859062 208.x.x.x TCP pop3 > 1099 [ACK] Seq=2717 Ack=69 Win=5840 Len=0

Capture from inside when unsuccessful at receiving email:
5 0.045816 208.x.x.x POP Response: +OK Hello there.
6 0.046094 208.x.x.x POP Request: USER testuser
7 0.074890 208.x.x.x TCP pop3 > 1235 [ACK] Seq=19 Ack=15 Win=5840 Len=0
8 0.075333 208.x.x.x POP Response: +OK Password required.
9 0.075666 208.x.x.x POP Request: PASS ***
10 0.126187 208.x.x.x POP Response: +OK logged in.
11 0.126533 208.x.x.x POP Request: STAT
12 0.154110 208.x.x.x POP Response: +OK 1 20431
13 0.154344 208.x.x.x POP Request: UIDL
14 0.176011 208.x.x.x POP Response: +OK
15 0.176222 208.x.x.x POP Request: LIST
16 0.204656 208.x.x.x POP Response: +OK POP3 clients that break here, they violate STD53.
17 0.207363 208.x.x.x POP Request: RETR 1
18 0.243090 208.x.x.x POP Response: +OK 20431 octets follow.
19 0.366507 208.x.x.x TCP 1235 > pop3 [ACK] Seq=54 Ack=1192 Win=65535 Len=0
20 2.194602 NBNS Name query NB NETINEL0<20>
21 135.667751 208.x.x.x TCP 1241 > pop3 [SYN] Seq=0 Len=0 MSS=1460
22 135.693173 208.x.x.x TCP pop3 > 1241 [SYN, ACK] Seq=0 Ack=1 Win=0 Len=0
23 135.693321 208.x.x.x TCP 1241 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
24 135.712765 208.x.x.x TCP [TCP Window Update] pop3 > 1241 [ACK] Seq=1 Ack=1 Win=8192 Len=0

ASA config:

hostname host
domain-name domain.dns
passwd *
enable password *
name Anetwork
name Aserver
name Bserver
name 208.x.x.x WAN_IP
name LAN_IP
name VPNnetwork
interface Vlan1
 nameif inside
 security-level 100
 ip address LAN_IP
interface Vlan2
 nameif outside
 security-level 0
 ip address WAN_IP
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec This system is for authorized users only.  Sessions may be monitored.
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name domain.dns
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list no_nat extended permit ip Anetwork VPNnetwork
access-list split_tunnel standard permit Anetwork
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging trap notifications
logging asdm informational
logging mail critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 Anetwork
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 208.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius host Aserver
 timeout 5
 key *
group-policy GroupVPN internal
group-policy GroupVPN attributes
 dns-server value
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value domain.dns
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
http server enable
http inside
http Anetwork inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set nonAAAset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set nonAAAset
crypto dynamic-map dyn1 1 set reverse-route
crypto map nonAAAmap 1 ipsec-isakmp dynamic dyn1
crypto map nonAAAmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group nonAAAgroup type ipsec-ra
tunnel-group nonAAAgroup general-attributes
 address-pool vpnpool
 authentication-server-group Radius
 default-group-policy GroupVPN
tunnel-group nonAAAgroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh inside
ssh Anetwork inside
ssh outside
ssh timeout 30
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
service-policy global_policy global
prompt hostname context
Question by: rockjockb
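Reading the two captures side by side, the difference is not in the POP3 dialogue (both log in, STAT, UIDL, LIST and RETR identically) but in what happens after "+OK N octets follow.": in the working session the client keeps acknowledging data and sends DELE/QUIT, while in the hanging session the client acknowledges up to byte 1192, nothing further arrives, and about 135 seconds later it opens a brand-new connection. The working capture also shows the client offering MSS=1460 in its SYN while the SYN/ACK seen inside carries MSS=1380, i.e. the MSS was rewritten on the path. The script below is an added example (not code from the question or from Cisco) that pulls exactly those facts out of Wireshark-style summary lines; the sample input is an excerpt of the lines pasted above, and the stall criterion (size announced, no QUIT, fresh SYN) is my own heuristic.

```python
"""Analyse Wireshark-style summary lines of a POP3 session and tell whether a
RETR stalled. Added example for this thread, not code from the question or from
Cisco; the two sample captures below are excerpts copied from the question."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# "<frame> <time> <addr> <proto> <info>" as pasted in the question
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
MSS_RE = re.compile(r"MSS=(\d+)")
ACK_RE = re.compile(r"Ack=(\d+)\b")          # anonymised values such as "2x0" do not match
OCTETS_RE = re.compile(r"\+OK (\d+) octets follow")

SUCCESS_CAPTURE = """\
6 5.503770 208.x.x.x TCP 1099 > pop3 [SYN] Seq=0 Len=0 MSS=1460
7 5.529176 208.x.x.x TCP pop3 > 1099 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
21 5.703876 208.x.x.x POP Request: RETR 1
22 5.739949 208.x.x.x POP Response: +OK 2494 octets follow.
24 5.748145 208.x.x.x TCP 1099 > pop3 [ACK] Seq=54 Ack=2x0 Win=65535 Len=0
28 5.818805 208.x.x.x POP Request: QUIT
30 5.839069 208.x.x.x TCP 1099 > pop3 [FIN, ACK] Seq=68 Ack=2716 Win=65389 Len=0
""".splitlines()

FAILED_CAPTURE = """\
17 0.207363 208.x.x.x POP Request: RETR 1
18 0.243090 208.x.x.x POP Response: +OK 20431 octets follow.
19 0.366507 208.x.x.x TCP 1235 > pop3 [ACK] Seq=54 Ack=1192 Win=65535 Len=0
20 2.194602 NBNS Name query NB NETINEL0<20>
21 135.667751 208.x.x.x TCP 1241 > pop3 [SYN] Seq=0 Len=0 MSS=1460
""".splitlines()


@dataclass
class Pop3Session:
    client_mss: Optional[int] = None       # MSS offered in the client's SYN
    server_mss: Optional[int] = None       # MSS in the SYN/ACK as seen inside (may be rewritten)
    announced: Optional[int] = None        # octets the server promised for RETR
    last_client_ack: Optional[int] = None  # highest client ACK after that promise
    completed: bool = False                # QUIT seen after the RETR
    retry_after: Optional[float] = None    # seconds from the promise to a fresh client SYN

    @property
    def stalled(self) -> bool:
        return self.announced is not None and not self.completed


def analyse(lines: Iterable[str]) -> Pop3Session:
    s = Pop3Session()
    awaiting_size = False   # RETR sent, "+OK N octets follow" not yet seen
    promise_time = None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        try:
            t = float(m.group(2))
        except ValueError:  # anonymised timestamps such as "5.x0787"
            t = None
        proto, info = m.group(4), m.group(5)
        if proto == "POP":
            size = OCTETS_RE.search(info)
            if info.startswith("Request: RETR"):
                awaiting_size = True
            elif awaiting_size and size:
                s.announced = int(size.group(1))
                promise_time = t
                awaiting_size = False
            elif info.startswith("Request: QUIT") and s.announced is not None:
                s.completed = True
        elif proto == "TCP":
            from_server = info.startswith("pop3 >")
            mss = MSS_RE.search(info)
            if "[SYN]" in info and not from_server:
                if s.stalled:  # client gave up and opened a new connection
                    if t is not None and promise_time is not None:
                        s.retry_after = t - promise_time
                    break
                s.client_mss = int(mss.group(1)) if mss else None
            elif "[SYN, ACK]" in info:
                s.server_mss = int(mss.group(1)) if mss else None
            elif not from_server and s.announced is not None:
                ack = ACK_RE.search(info)
                if ack:
                    s.last_client_ack = max(s.last_client_ack or 0, int(ack.group(1)))
    return s


def describe(s: Pop3Session) -> str:
    if not s.stalled:
        return f"RETR of {s.announced} octets completed (MSS {s.client_mss}/{s.server_mss})"
    retry = f"{s.retry_after:.1f}s" if s.retry_after is not None else "n/a"
    return (f"RETR of {s.announced} octets stalled: client last acked byte "
            f"{s.last_client_ack}, new connection after {retry}")


if __name__ == "__main__":
    for name, cap in (("working", SUCCESS_CAPTURE), ("hanging", FAILED_CAPTURE)):
        print(name, "->", describe(analyse(cap)))
```

Run against the excerpts, the working session reports MSS 1460/1380 and a completed 2494-octet RETR; the hanging one reports 20431 octets announced, 1192 bytes acknowledged and a retry after roughly 135 s. A stall that sits at a fixed byte offset with no server data following it points at something between client and server dropping the server's segments, which is why the captures are worth taking on both sides of the firewall.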
    LVL 8

    Expert Comment

    Try this:

    pixfirewall#config t
    pixfirewall(config)#policy-map global_policy
    pixfirewall(config-pmap)#class inspection_default
    pixfirewall(config-pmap-c)#no inspect esmtp
    pixfirewall(config-pmap)# exit
    pixfirewall#write mem

    Author Comment

    Sorry it took me awhile to get back. Just came back to the client that is having this issue.

    Thanks Jim, for the response, but it didn't work.

    Another twist. If I choose to download only the headers, it will get the headers for all of the waiting emails. As soon as I mark one for download, then attempt to download it, it hangs.

    Author Comment

    Upped the version to latest and changed the MTU (not at the same time).

    Neither fixed the issue.

    Author Comment

    Upping points to 500.

    I'm starting to guess that there is no solution. If there is no response within a week. I will have to withdraw the question.

    Accepted Solution

    In case anyone runs across this and has the same issue, I have pasted the fix that I finally got from Cisco below. I couldn't believe that it worked, but it did.

    lab-pix(config)# access-list http-list permit tcp any any
    lab-pix(config)# class-map http-map
    lab-pix(config-cmap)# match access-list http-list
    lab-pix(config-cmap)# exit
    lab-pix(config)# tcp-map mss-map
    lab-pix(config-tcp-map)# exceed-mss allow
    lab-pix(config-tcp-map)# exit
    lab-pix(config)# policy-map global_policy
    lab-pix(config-pmap)# class http-map
    lab-pix(config-pmap-c)# set connection advanced-options mss-map
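Why the fix works: the ASA rewrites the MSS option in the SYN and SYN/ACK it forwards (the default limit set by `sysopt connection tcpmss` is 1380, which is the MSS=1380 visible in the working capture), and its TCP normaliser then drops any segment whose payload is larger than the MSS negotiated for that connection; the default tcp-map action is `exceed-mss drop`, logged as ASA message 419001 "MSS exceeded". A server that ignores the rewritten MSS and sends full 1460-byte segments has every body segment dropped, its retransmissions are the same size and are dropped again, and the client sits on the status line forever, which is the hang seen above. `exceed-mss allow` switches that check off for the matched traffic. The following added example (a simplified model, not Cisco's implementation) shows the decision for both policies; the 1460-byte server segments are a constructed scenario, and the page does not say why the ISP's server behaved this way only during business hours.

```python
"""Model of the check behind `tcp-map ... exceed-mss {drop|allow}` on the ASA.
Added example for this thread: a simplified model of the normaliser's decision,
not Cisco's implementation. The segment sizes below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ASA_DEFAULT_TCPMSS = 1380  # `sysopt connection tcpmss` default on the ASA


@dataclass(frozen=True)
class Segment:
    seq: int     # first sequence number carried
    length: int  # payload bytes


def clamp_mss(offered_mss: int, max_mss: int = ASA_DEFAULT_TCPMSS) -> int:
    """MSS as the firewall rewrites it in the SYN/SYN-ACK it forwards."""
    return min(offered_mss, max_mss)


def retr_header(total_octets: int) -> bytes:
    """Status line a POP3 server sends before the message body (RFC 1939 RETR)."""
    return f"+OK {total_octets} octets follow.\r\n".encode()


def build_server_segments(total_octets: int, segment_size: int) -> List[Segment]:
    """Segments a server would emit for RETR: the status line on its own, then the
    body in `segment_size` chunks. A server that ignores the clamped MSS sends
    chunks sized for its own MTU, e.g. 1460 bytes (constructed scenario)."""
    segs = [Segment(1, len(retr_header(total_octets)))]
    seq, left = 1 + segs[0].length, total_octets
    while left > 0:
        n = min(segment_size, left)
        segs.append(Segment(seq, n))
        seq, left = seq + n, left - n
    return segs


def deliver(segments: List[Segment], negotiated_mss: int,
            exceed_mss: str = "drop") -> Tuple[int, List[Segment]]:
    """Bytes the client can read contiguously, plus the segments the normaliser dropped.
    A dropped segment is retransmitted at the same size, so under "drop" it is
    dropped again and every later segment stays unreadable: the download hangs."""
    if exceed_mss not in ("drop", "allow"):
        raise ValueError("exceed_mss must be 'drop' or 'allow'")
    next_expected, delivered, dropped = 1, 0, []
    for seg in sorted(segments, key=lambda x: x.seq):
        if seg.length > negotiated_mss and exceed_mss == "drop":
            dropped.append(seg)
            continue
        if seg.seq == next_expected:  # in order: the client consumes it
            delivered += seg.length
            next_expected += seg.length
        # else: out of order behind a hole; buffered by TCP, not readable
    return delivered, dropped


def simulate(total_octets: int, server_segment_size: int,
             client_mss: int = 1460, exceed_mss: str = "drop") -> Dict[str, object]:
    """One RETR through the firewall: negotiated MSS, bytes read, drops, stall flag."""
    negotiated = clamp_mss(client_mss)
    segs = build_server_segments(total_octets, server_segment_size)
    delivered, dropped = deliver(segs, negotiated, exceed_mss)
    expected = len(retr_header(total_octets)) + total_octets
    return {"negotiated_mss": negotiated, "delivered": delivered,
            "dropped": len(dropped), "stalled": delivered < expected}


if __name__ == "__main__":
    for size, policy in ((1460, "drop"), (1460, "allow"), (1380, "drop")):
        print(f"server sends {size}-byte segments, exceed-mss {policy}:",
              simulate(20431, size, exceed_mss=policy))
```

With 1460-byte segments and the default `drop`, only the 26-byte status line reaches the client and all 14 body segments are dropped; with `allow`, or with a server that honours the 1380-byte MSS, the whole 20431-octet message is read. Two practical points follow from the model: turning on logging at a level that shows message 419001 before touching the tcp-map confirms the diagnosis without guessing, and because `http-list` above matches `tcp any any`, the relaxed check applies to every TCP flow through `global_policy`; matching only the ISP's mail server or port 110 in that access-list keeps the normaliser's protection for everything else.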
