Axis52401 asked:
Cisco Router Causing Exchange problems

We have an ASA 5505 for our office firewall/router. We periodically get errors in Outlook that say your connection to Exchange has been lost, and then restored a minute or two later. At first I couldn't figure out what was causing it, but a few weeks ago the ASA failed and I had to get another one, but it took a few weeks to get ordered. In the meantime we were using a Netgear router. While we were using the Netgear the Outlook/Exchange problems stopped. We just got the replacement ASA last week and now we're having those problems again. Beyond being the default gateway for our network I don't see how it is causing these problems, but it is. Can anyone think of why it would be causing this problem or how to fix it?
Bryon H:

Is your ASA running a VPN that has to rekey every X hours?

I have a Cisco PIX at a branch office that does this - whenever the keys are reconfigured automatically we lose connection for 10-20 seconds.
Are your Outlook clients routing through the ASA, or are they on the same subnet?
Axis52401 (asker):
No, there is no current VPN and all the Outlook clients are on the local subnet internally to our building.
Hmm. If your Exchange server and clients are on the same subnet they shouldn't be affected by the router/firewall. Are you sure there are no other differences between your ASA config and the Netgear? Different cables, different switch, different switchport leading to the Exchange server?
When you said the clients are on the local subnet, you meant your Exchange server is as well, right?
I know they shouldn't be affected, that's why I can't figure it out. The problem stopped while we were using the Netgear, so that's the only way I know the ASA has to be involved in some way. All the cables are the same and the only difference is the ASA. All our computers and servers are on the same subnet.
If you took out the ASA and didn't replace it with anything, would your users still be able to check their email?

I understand they won't have internet access and won't get NEW emails from the outside world, but would they be able to send email between themselves locally?

I'm trying to see how the ASA relates to your network.
Yes, when I remove the ASA the users can get to their email.
I wonder if the ASA is somehow broadcasting a packet storm at those times...

You're saying that without the ASA, the users can still get their email, right? That means they're on the same switch as the server (no more router)... and when the ASA is there too, it's in the same switch... so the only thing in common is the ASA... and the only thing left is the ASA going berserk and flooding the network with junk.

Is it easy for you to set up a packet sniffer and watch what happens when the network says it's disconnected?
Wireshark is a great one.
I would, but I've tried to use packet sniffers before and to be honest I don't know how to read the results.
I agree, the results can be confusing, but Wireshark is pretty good. It may at least let you list packets by IP (your router's IP) and then read the description of the packets. Wireshark often will tell you if it is a corrupted or malformed packet. That may lead you down the right path. Then you can open a case with Cisco and they can look at your packet capture for you.
Although this does not necessarily fix your issue, one thing to always watch out for with Cisco ASA firewalls is esmtp inspection. It breaks connectivity to Exchange through the firewall. I never found this to be a situation with the PIX, but it has happened to me with the ASA every time.

From the command line, in global config, enter these commands:
policy-map global_policy
class inspection_default
no inspect esmtp
!
Then save the changes.

A link to read up on the functionality of "inspect esmtp"
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425

Though it is common to simply turn off esmtp inspection, I have read of some creating a custom esmtp policy map instead to handle the differences of opinion between Microsoft and Cisco in interpreting RFC compliance. For example: https://supportforums.cisco.com/thread/228851.pdf
Router_Monkey, I have been thinking it is some sort of inspection filter the whole time too, but have you experienced this without traffic routing through the router?
No. I have personally experienced this only when traffic is passing through the firewall. But because that particular issue is a known issue with the ASA, I always tackle the esmtp inspection first, then troubleshoot from there. I recommend you do the same. Consider it "process of elimination". Just because something *shouldn't* be an issue doesn't mean it isn't.
I tried inputting those commands and got this (below). Am I typing it wrong?
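As an added example (not from the thread, and not a config posted by Router_Monkey or taken from Cisco's documentation), here is the default esmtp inspection the post above recommends removing, shown beside the alternative it mentions: keeping inspection but binding a custom esmtp policy map. The map name exchange_esmtp_map and the parameters chosen inside it are assumptions; check the `policy-map type inspect esmtp` options available on your ASA release before applying it.

```cisco
! --- As shipped: the global policy inspects ESMTP with Cisco's default map.
! This is the setting the thread says interferes with Exchange traffic that
! crosses the firewall, because the default map masks/alters EHLO replies.
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
!
! --- Option A (what the post above does): drop esmtp inspection entirely.
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! --- Option B (assumed example): keep inspection, but with a custom map
! that leaves TLS negotiation and the server banner alone.
policy-map type inspect esmtp exchange_esmtp_map
 parameters
  allow-tls action log
  no mask-banner
!
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp exchange_esmtp_map
!
! Either option is followed by "write memory" to save, and
! "show service-policy inspect esmtp" confirms which map (if any) is active.
```

Whichever option is chosen, it only affects SMTP sessions that actually pass through the ASA; as the thread notes, it does not explain Outlook-to-Exchange drops between hosts on the same LAN segment.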

Result of the command: "policy-map global_policy"

The command has been sent to the device

Result of the command: "class inspection_default"

The command has been sent to the device

Result of the command: "no inspect esmtp"

no inspect esmtp
     ^
ERROR: % Invalid input detected at '^' marker.
Never mind my last, I just had a typo; I got the commands to run. Do you think this is causing my Exchange problems? I seem to be able to send and receive emails fine; it's somehow interfering with my users' connection from Outlook to Exchange that seems to be the problem, but it's worth a try.
In theory, no, esmtp inspection *shouldn't* be interfering with local LAN Outlook-to-Exchange connectivity. But since you stated that putting in a different device stopped the problem, and the esmtp inspection is a known issue with ASAs, that is where you should start, in my opinion.
It didn't seem to affect the problem.
ASKER CERTIFIED SOLUTION
Router_Monkey