Cisco Router Causing Exchange problems

We have an ASA 5505 for our office firewall/router. We periodically get errors in Outlook that say your connection to Exchange has been lost, and then restored a minute or two later. At first I couldn't figure out what was causing it, but a few weeks ago the ASA failed and I had to get another one, but it took a few weeks to get ordered. In the meantime we were using a Netgear router. While we were using the Netgear the Outlook/Exchange problems stopped. We just got the replacement ASA last week and now we're having those problems again. Beyond being the default gateway for our network I don't see how it is causing these problems, but it is. Can anyone think of why it would be causing this problem or how to fix it?
Axis52401 (Security Analyst) asked:

B H commented:
is your asa having a vpn that has to rekey every X hours?

i have a cisco pix at a branch office that does this - whenever the keys are reconfigured automatically we lose connection for 10-20 seconds
0
Encrypted1024 commented:
Are your outlook clients routing through the ASA or are they on the same subnet?
0
Axis52401 (Security Analyst, Author) commented:
No there is no current VPN and all the Outlook clients are on the local subnet internally to our building.
0
Encrypted1024 commented:
Hmm. If your exchange server and clients are on the same subnet they shouldn't be affected by the router/firewall. Are you sure there are no other differences between your ASA config and the Netgear? Different cables, different switch, different switchport leading to the Exchange Server?
When you said the clients are on the local subnet, you meant your exchange server is as well right?
0
Axis52401 (Security Analyst, Author) commented:
I know they shouldn't be affected, that's why I can't figure it out. The problem stopped while we were using the Netgear so that's the only way I know the ASA has to be involved in some way. All the cables are the same and the only difference is the ASA. All our computers and servers are on the same subnet.
0
B H commented:
if you took out the asa and didn't replace it with anything - would your users still be able to check their email?

i understand they won't have internet access and won't get NEW emails from the outside world, but would they be able to send email between themselves locally?

i'm trying to see how the asa relates to your network
0
Axis52401 (Security Analyst, Author) commented:
Yes, when I remove the ASA the users can get to their email.
0
B H commented:
i wonder if the asa is somehow broadcasting a packet storm at those times...  

you're saying that without the asa, the users can still get their email, right?  that means they're on the same switch as the server (no more router)... and when the asa is there too, it's in the same switch... so the only thing in common is the asa... and the only thing left is the asa going berserk and flooding the network with junk

is it easy for you to set up a packet sniffer and watch what happens when the network says it's disconnected?
wireshark is a great one
0
Axis52401 (Security Analyst, Author) commented:
I would, but I've tried to use packet sniffers before and to be honest I don't know how to read the results.
0
Encrypted1024 commented:
I agree, the results can be confusing, but Wireshark is pretty good. It may at least let you list packets by IP (your router's IP) and then read the description of the packets. Wireshark often will tell you if it is a corrupted or malformed packet. That may lead you down the right path. Then you can open a case with Cisco and they can look at your packet capture for you.
0
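
Added example, not written by any participant in this thread: one way to check the "packet storm" idea raised above without reading a capture by hand is to export frame time, source MAC and destination MAC from the capture and count broadcast frames per source per second. The MAC addresses, the sample rows and the 100 frames/second threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample, in the tab-separated form produced by:
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e eth.src -e eth.dst
# 00:00:5e:00:53:01 stands in for the ASA's inside interface (assumed MAC).
def build_sample():
    lines = []
    # Normal background: one client broadcast (e.g. ARP) per second for 5 s.
    for s in range(5):
        lines.append(f"{1000 + s}.100000\t00:00:5e:00:53:aa\t{BROADCAST}")
    # Burst: the suspected device sends 300 broadcasts within second 1003.
    for i in range(300):
        lines.append(f"1003.{i:06d}\t00:00:5e:00:53:01\t{BROADCAST}")
    # Unicast traffic is ignored by the check.
    lines.append("1003.500000\t00:00:5e:00:53:aa\t00:00:5e:00:53:bb")
    return lines

def broadcast_rates(lines):
    """Return {second: Counter({src_mac: broadcast_frame_count})}."""
    per_second = defaultdict(Counter)
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue  # skip blank or truncated rows
        ts, src, dst = parts
        try:
            second = int(float(ts))
        except ValueError:
            continue  # skip rows without a numeric timestamp
        if dst.lower() == BROADCAST:
            per_second[second][src.lower()] += 1
    return per_second

def find_storms(lines, threshold=100):
    """List (second, src_mac, count) where a source exceeds threshold/sec."""
    hits = []
    for second, counts in sorted(broadcast_rates(lines).items()):
        for src, n in counts.most_common():
            if n > threshold:  # threshold is an assumed starting point
                hits.append((second, src, n))
    return hits

if __name__ == "__main__":
    for second, src, n in find_storms(build_sample()):
        print(f"{second}: {src} sent {n} broadcast frames in one second")
```

Comparing the flagged seconds against the times Outlook reported a lost connection shows whether the two line up.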
Router_Monkey commented:
Although this does not necessarily fix your issue, one thing to always watch out for with Cisco ASA firewalls is esmtp inspection. It breaks connectivity to Exchange through the firewall. I never found this to be a situation with the PIX but it has happened to me with the ASA every time.

From the command line, in global config, enter these commands:
policy-map global_policy
class inspection_default
no inspect esmtp
!
Then save the changes.

A link to read up on the functionality of "inspect esmtp"
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425

Though it is common to simply turn off esmtp inspection, I have read of some creating a custom esmtp policy map instead to handle the differences of opinion between Microsoft and Cisco in interpreting RFC compliance. For example... https://supportforums.cisco.com/thread/228851.pdf
0
Encrypted1024 commented:
Router_Monkey, I have been thinking it is some sort of inspection filter the whole time too, but have you experienced this without traffic routing through the router?
0
Router_Monkey commented:
No. I have personally experienced this only when traffic is passing through the firewall. But because that particular issue is a known issue with the ASA, I always tackle the esmtp inspection first, then troubleshoot from there. I recommend you do the same. Consider it "process of elimination". Just because something *shouldn't* be an issue doesn't mean it isn't.
0
Axis52401 (Security Analyst, Author) commented:
I tried inputting those commands and got this (below). Am I typing it wrong?

Result of the command: "policy-map global_policy"

The command has been sent to the device



Result of the command: "class inspection_default"

The command has been sent to the device



Result of the command: "no inspect esmtp"

no inspect esmtp
     ^
ERROR: % Invalid input detected at '^' marker.
0
Axis52401 (Security Analyst, Author) commented:
Never mind my last, I just had a typo; I got the commands to run. Do you think this is causing my Exchange problems? I seem to be able to send and receive emails fine; it's somehow interfering with my users' connection from Outlook to Exchange that seems to be the problem, but it's worth a try.
0
Router_Monkey commented:
In theory, no, esmtp inspection *shouldn't* be interfering with local LAN outlook-to-exchange connectivity. But since you stated that putting in a different device stopped the problem, and the esmtp inspection is a known issue with ASAs, that is where you should start, in my opinion.
0
Axis52401 (Security Analyst, Author) commented:
It didn't seem to affect the problem.
0
Router_Monkey commented:
post a copy of your config and we can take a look for any possible issues.
0