ksbrett

Cannot sync a Blackberry with BES 4.1.4

I set up a Blackberry Ent Server for GroupWise on a Windows 2003 server. I have opened port 3101 for both incoming and outgoing and have forwarded all traffic on port 3101 to the address of the BES. The BES manager is able to find GroupWise users.

I get the following message when I try to set up an email connection on the Blackberry device:

Activating user@domain.com
Retrying...

Eventually it times out after several tries and says that the server is not responding. I am using the external IP address and port number to connect where it asks for the IP address on the Blackberry device. I set up a user password in the Blackberry Manager and used that password on the device as well.
e.g.: 24.67.99.x:3101
Scott Kunau

Questions:

1) Did you generate a GroupWise Trusted Application and does it appear in ConsoleOne under Tools | GroupWise System Operations | Trusted Applications?

2) Are you using NAT between your public IP address and the IP address of the BES server?  NAT may be the problem.  It was for the GroupWise Mobile Server (GMS) at one of my clients last week.  Their Cisco guy issued some magical commands and all started working...I don't know what they were, however.

3) Can you temporarily open all ports between your external IP and your internal BES server IP to test to see if the problem is firewall related?  If the problem still occurs, immediately close the ports.

4) Can the BES server get to the GroupWise server?  You mentioned it could find GW users so it is seeing the domain database to get user accounts, but is it able to get to the post office to find stuff to sync?

BES works very well with GroupWise but it can be a bit of a pain to get everything configured and syncing.

Scott Kunau
ksbrett

ASKER

Thanks ZENandEmailGuy
1) Yes I generated a trusted application and yes it appears in ConsoleOne. When I go to the properties, the IP address and port number are blank. I entered the IP address of the BES server but I'm not sure what port to use.

2) Yes, I am using NAT, but I am also running a GroupWise Mobile Server on the network and it works without issue. I am using the same firewall commands for the BES as I am for the GMS, except each is mapping a different port to a different inside IP.

3) I used an IP scanning utility and scanned the outside IP for all open ports. All of the other open ports show up as they should but port 3101 does not. I'm not sure why this port will not open. I guess this is a firewall issue: Here is the PIX 501 code:

4) I'm not sure how to test if the BES can see the domain without performing a sync.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.11.20 10:08:48 =~=~=~=~=~=~=~=~=~=~=~=


User Access Verification


ASA Version 7.2(3)

hostname gate
domain-name gate.com
enable password rzycxxBfj78quXmu encrypted
names
name 192.168.0.7 citrix
name 192.168.0.6 win-dns
name 192.168.0.5 nov-dns
name 192.168.0.4 blackberry

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 24.71.X.X 255.255.252.0

interface Ethernet0/0
 switchport access vlan 2

             

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd rzycxxBfj78quXmu encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name quailsgate.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network frontbridge_SRV
 network-object 12.129.X.0 255.255.255.0
 network-object 63.241.X.0 255.255.255.0
 network-object 24.67.X.87 255.255.255.255
 network-object 207.46.X.64 255.255.255.192
 network-object 207.46.X.0 255.255.255.0
 network-object 213.199.X.0 255.255.255.0
 network-object 213.244.X.0 255.255.255.0
 network-object 216.32.X.0 255.255.255.0
 network-object 216.32.X.0 255.255.255.0
 network-object 65.55.X.0 255.255.255.192
 network-object 65.55.X.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out-in extended permit tcp any interface outside eq citrix-ica
access-list out-in extended permit tcp any interface outside eq 1677
access-list out-in extended permit tcp any interface outside eq 6504
access-list out-in extended permit tcp any interface outside eq 6505
access-list out-in extended permit tcp any interface outside eq 4500
access-list out-in extended permit tcp any interface outside eq 500
access-list out-in extended permit tcp any interface outside eq 52080
access-list out-in extended permit tcp any interface outside eq 47493
access-list out-in extended permit tcp any interface outside eq 47513
access-list out-in extended permit tcp any interface outside eq 52443
access-list out-in extended permit tcp any interface outside eq 51443
access-list out-in extended permit tcp any interface outside eq 51080
access-list out-in extended permit tcp any interface outside eq https
access-list out-in extended permit tcp any interface outside eq ldaps
access-list out-in extended permit tcp any interface outside eq 7205
access-list out-in extended permit tcp any interface outside eq 631
access-list out-in extended permit tcp any interface outside eq 2620
access-list out-in extended permit tcp any interface outside eq pop3
access-list out-in extended permit tcp any interface outside eq 47808
access-list out-in extended permit udp any interface outside eq 47808
access-list out-in extended permit tcp any interface outside eq 3389
access-list out-in extended permit tcp any interface outside eq ldap
access-list out-in extended permit tcp any interface outside eq www
access-list out-in extended permit tcp any interface outside eq 2368
access-list out-in extended permit tcp any interface outside eq 6320
access-list out-in extended permit tcp any interface outside eq 6323
access-list out-in extended permit tcp any interface outside eq 61031
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.199.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 62.209.45.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 206.16.57.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp host 216.200.206.X interface outside eq smtp
access-list out-in extended permit tcp host 216.117.146.X interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq 41794
access-list out-in extended permit tcp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 41792
access-list out-in extended permit tcp any interface outside eq 41793
access-list out-in extended permit udp any interface outside eq 41792
access-list out-in extended permit udp any interface outside eq 41793
access-list out-in extended permit udp any interface outside eq 41794
access-list out-in extended permit udp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 3102
access-list out-in extended permit tcp any interface outside eq 2626
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp object-group frontbridge_SRV interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq pcanywhere-data
access-list out-in extended permit tcp any interface outside eq 5632
access-list out-in extended permit udp any interface outside eq pcanywhere-status
access-list out-in extended permit udp any interface outside eq 5631
access-list out-in extended permit tcp any interface outside eq 5900
access-list out-in extended permit tcp any interface outside eq 5800
access-list out-in extended permit tcp any interface outside eq 3101
access-list qvyvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip any any inactive
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool qvypool 192.168.20.2-192.168.20.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface citrix-ica citrix citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 citrix 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp nov-dns smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 nov-dns pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 nov-dns 1677 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps nov-dns ldaps netmask 255.255.255.255
static (inside,outside) tcp interface www nov-dns www netmask 255.255.255.255
static (inside,outside) tcp interface ldap nov-dns ldap netmask 255.255.255.255
static (inside,outside) tcp interface 631 nov-dns 631 netmask 255.255.255.255
static (inside,outside) tcp interface 6320 192.168.0.80 6320 netmask 255.255.255.255
static (inside,outside) tcp interface 2368 192.168.0.80 2368 netmask 255.255.255.255
static (inside,outside) tcp interface 6323 192.168.0.80 6323 netmask 255.255.255.255
static (inside,outside) tcp interface 61031 192.168.0.80 61031 netmask 255.255.255.255
static (inside,outside) tcp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) tcp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
static (inside,outside) tcp interface 41793 192.168.0.71 41793 netmask 255.255.255.255
static (inside,outside) tcp interface 41792 192.168.0.71 41792 netmask 255.255.255.255
static (inside,outside) udp interface 41792 192.168.0.71 41792 netmask 255.255.255.255
static (inside,outside) udp interface 41793 192.168.0.71 41793 netmask 255.255.255.255
static (inside,outside) udp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) udp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
static (inside,outside) tcp interface 3102 citrix 3102 netmask 255.255.255.255
static (inside,outside) tcp interface https citrix https netmask 255.255.255.255
static (inside,outside) tcp interface 47808 192.168.0.31 47808 netmask 255.255.255.255
static (inside,outside) udp interface 47808 192.168.0.31 47808 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.0.32 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.0.32 5632 netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 192.168.0.32 pcanywhere-status netmask 255.255.255.255
static (inside,outside) udp interface 5631 192.168.0.32 5631 netmask 255.255.255.255
static (inside,outside) tcp interface 2626 win-dns 2626 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.0.11 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 5800 192.168.0.11 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 blackberry 3101 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 24.71.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 207.81.100.138
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 24.70.3.146 255.255.255.255 outside
telnet 171.68.225.212 255.255.255.255 outside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 24.70.3.146 255.255.255.255 outside
ssh 171.68.225.212 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 64.59.168.13 64.59.168.15
dhcpd update dns

dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd update dns interface inside



class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
group-policy qvyvpn internal
group-policy qvyvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value qvyvpn_splitTunnelAcl
username scott password NAiWlHPXAGC.pFRq encrypted privilege 15
username scott attributes
 vpn-group-policy qvyvpn
username kimco password w8CBFP7sYPe6XNUG encrypted privilege 15
username kimco attributes
 vpn-group-policy qvyvpn
username admin password TCcG.3xgCkgvUxY7 encrypted privilege 15
username ksbrett password dVc8gF9zGhM84iDc encrypted privilege 15
username ksbrett attributes
 vpn-group-policy qvyvpn
tunnel-group qvyvpn type ipsec-ra
tunnel-group qvyvpn general-attributes
 address-pool qvypool
 default-group-policy qvyvpn
tunnel-group qvyvpn ipsec-attributes
 pre-shared-key *
tunnel-group 207.81.x.x type ipsec-l2l
tunnel-group 207.81.x.x ipsec-attributes
 pre-shared-key *
prompt context hostname
Cryptochecksum:322957e78a8d9d4e14f9bc00db5cdbf4
: end
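
The check this thread keeps returning to is whether port 3101 is both permitted by the ACL bound to the outside interface and mapped by a static PAT entry to the BES host. The following is an added example, not part of the original thread, that cross-checks those two parts of an ASA 7.2-style config; the sample config is constructed, and the function and key names are hypothetical.

```python
import re

# Constructed sample in ASA 7.2 syntax, modelled on the kind of lines in the
# posted configuration; it is not the poster's full config.
SAMPLE_CONFIG = """\
name 192.168.0.4 blackberry
name 192.168.0.7 citrix
access-list out-in extended permit tcp any interface outside eq 3101
access-list out-in extended permit tcp any interface outside eq 3102
access-list out-in extended permit tcp any interface outside eq 5900
access-list unused extended permit tcp any interface outside eq 6320
static (inside,outside) tcp interface 3101 blackberry 3101 netmask 255.255.255.255
static (inside,outside) tcp interface 3102 citrix 3102 netmask 255.255.255.255
static (inside,outside) tcp interface 6320 192.168.0.80 6320 netmask 255.255.255.255
access-group out-in in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) "
                    r"(?:any|host \S+|object-group \S+) interface outside eq (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")


def audit_port_forwards(config):
    """Cross-check inbound ACL permits against static PAT entries.

    Ports are compared as written (3101, smtp, ...); service names are not
    resolved to numbers.
    """
    names, bound, permits, statics = {}, set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # alias -> inside IP
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))                   # ACL applied to outside
        elif m := ACL_RE.match(line):
            permits.setdefault((m.group(2), m.group(3)), set()).add(m.group(1))
        elif m := STATIC_RE.match(line):
            statics[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
    # Only an ACL applied with access-group filters traffic on the interface.
    allowed = {key for key, acls in permits.items() if acls & bound}
    return {
        "forwarded": {k: (names.get(h, h), p)
                      for k, (h, p) in statics.items() if k in allowed},
        "permit_without_static": sorted(allowed - set(statics)),
        "static_without_permit": sorted(set(statics) - allowed),
    }
```

A port that appears under `forwarded` is reachable as far as the firewall config is concerned, so a failure beyond that point lies with the inside host, the service, or something upstream of the firewall.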
 
ksbrett

ASKER

Sorry, I forgot that I recently upgraded the firewall and I am now using a Cisco ASA-5505 for the firewall.

Scott Kunau

The fact that you generated the Trusted App and that you can see users tells me that you're good to go as far as BES install into GW.  I'm not a firewall guy but appreciate you sending the log/config because a friend of mine is a CCIE and I've taken the liberty to send your last post over to him to take a look.  I'll post back as soon as he gets back to me...probably over the weekend.

Scott
ksbrett

ASKER

Scott
I have the firewall config working. I placed a port listener on the server running BES and then pinged it from an outside IP with success using port 3101.

Is there something that I may be missing that I have to set up with the Blackberry service?

Thanks
ASKER CERTIFIED SOLUTION
Scott Kunau
ksbrett

ASKER

Thanks Scott,
I resolved the issue. I found out that it was a misconfiguration from my phone carrier. They did not have the phone switched over to a BES plan even though we were being billed for one. I will award you the points for all your help. Thanks again.