Solved

Cisco ACL interfering with SMTP

Posted on 2013-11-07
Last Modified: 2013-11-26
I cannot post the configs of the router in question; I apologize for that. We are having an issue where, when we apply an ACL to an interface, it begins blocking traffic for what seems like no reason. The ACL only has one line: permit ip any any. When it is applied in the inbound direction on an outside interface, weird things begin to happen. An open RDP session to a server on the other side of the router is dropped, but the SSH connection to the router stays up. A MailMarshal server we have goes through all the normal SMTP messages with the distant-end MTA, but fails when the email payload is actually attempted to pass. When the ACL is removed, everything flows as normal again. I'm sorry for the vagueness of this question; attached is a rudimentary diagram.
ACL-Problem.pptx
Question by: psychokraft
6 Comments

Assisted Solution by: giltjr (earned 500 total points)
ID: 39631609
What is the router model number and what IOS is it running?

Could you try adding the following to your ACL and see what gets logged?

deny ip any any log

Author Comment by: psychokraft
ID: 39631830
Off the top of my head it's a 7206. I will have to get back to you with the IOS. I can add this detail: there are 4 routers serving domains that are nearly identical save for IP addressing. Two of the routers experience this issue, while two of them do not. Except for the IP addressing, the configs are virtually identical. When we look at the log with the permit ip any any, we see the traffic that is getting dropped being permitted by the ACL.

Assisted Solution by: giltjr (earned 500 total points)
ID: 39632385
If you have 4 routers with the same basic config and two are having issues, I would look at the version of IOS and make sure they are all running the same exact level of IOS.

I would also make sure that the ACL in question is applied to an interface on the same exact model of line card.

If everything is the same, I would open a TAC case with Cisco.

Author Comment by: psychokraft
ID: 39638846
I apologize for the delay. As of today I cannot access the devices due to the holiday, but I will attend to this question. I want to make sure it was resolved before I accept an answer so that this issue can be properly documented for anyone experiencing this in the future.

Accepted Solution by: psychokraft (earned 0 total points)
ID: 39667974
My colleague at the remote site worked on this extensively and found the problem. The fact that the permit ip any any log (I forgot to mention the log) created a log entry for every packet meant that control plane traffic must have been generated at a high rate. A CoPP policy map was configured with a low value. When my colleague removed either the CoPP or the log statement, traffic began to flow again. I would not have thought of this, and it seems counterintuitive, but that is what fixed it.

Author Closing Comment by: psychokraft
ID: 39677117
This solution points to traffic logged by the router as a source of control plane traffic. Future problems such as this should prompt an examination of the log statements at the end of ACL entries and of any configured control plane policing or protection.
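The check the accepted solution and the closing comment point at (logged ACL entries on an interface, combined with a CoPP policy that polices the resulting punts), as an added example that is not from the thread and not the poster's configuration: a small Python audit that walks a Cisco IOS running-config, finds every `log` / `log-input` entry reachable through an `ip access-group` binding, pairs it with the `control-plane` service policy and its lowest `police` rate, and prints the ACE with the log keyword removed as the fix. The config it runs on is constructed for the example (the thread could not publish the real one) and only mirrors the shape described: a logged permit-all on the outside interface and a low CoPP police rate. The parser handles named ACLs, interfaces, policy-maps and the control-plane section only; anything else is ignored.

```python
"""Audit a Cisco IOS running-config for the combination this thread ended on:
an interface ACL whose entries carry `log` / `log-input`, plus a control-plane
policing (CoPP) service policy.  Logged ACL hits are punted to the route
processor to produce the syslog message, so CoPP polices them; with a low
police rate, transit traffic that the ACL itself permits gets dropped."""
import re

# Constructed sample config (the thread could not publish the real one); it
# mirrors the failure mode: a logged permit-all ACE on the outside interface
# and a CoPP policy-map with a low police rate.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE-IN
 permit ip any any log
!
ip access-list extended INSIDE-IN
 permit ip any any
!
policy-map COPP
 class class-default
  police 8000 1500 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/2
 ip address 198.51.100.1 255.255.255.0
 ip access-group INSIDE-IN in
!
control-plane
 service-policy input COPP
"""

LOG_RE = re.compile(r"\blog(?:-input)?\b")

# Top-level commands that open a section we care about: section kind -> regex.
SECTION_RE = {
    "acl": re.compile(r"ip access-list (?:standard|extended) (\S+)"),
    "intf": re.compile(r"interface (\S+)"),
    "pmap": re.compile(r"policy-map (\S+)"),
    "cp": re.compile(r"(control-plane)$"),
}


def strip_log(ace: str) -> str:
    """Return the ACE with its log / log-input keyword removed (the fix)."""
    return " ".join(LOG_RE.sub("", ace).split())


def parse_config(text: str) -> dict:
    """Tiny IOS config walker: a top-level line opens a section, indented lines
    belong to it.  Collects only what the audit needs."""
    cfg = {"acls": {}, "bindings": [], "policies": {}, "copp": None}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():                      # new top-level command
            section = None
            for kind, rx in SECTION_RE.items():
                if m := rx.match(line):
                    section = (kind, m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        cmd = line.strip()
        if kind == "acl" and cmd.split()[0] in ("permit", "deny"):
            cfg["acls"].setdefault(name, []).append(cmd)
        elif kind == "intf" and (m := re.match(r"ip access-group (\S+) (in|out)", cmd)):
            cfg["bindings"].append((name, m.group(1), m.group(2)))
        elif kind == "pmap" and (m := re.match(r"police (?:cir )?(\d+)", cmd)):
            rate = int(m.group(1))                     # keep the lowest rate in the map
            cfg["policies"][name] = min(rate, cfg["policies"].get(name, rate))
        elif kind == "cp" and (m := re.match(r"service-policy input (\S+)", cmd)):
            cfg["copp"] = m.group(1)
    return cfg


def audit(text: str) -> list:
    """One finding per logged ACE reachable through an interface ACL binding,
    with the CoPP policy (if any) that will police the resulting punts."""
    cfg = parse_config(text)
    rate = cfg["policies"].get(cfg["copp"])
    return [
        {"interface": intf, "direction": direction, "acl": acl, "ace": ace,
         "copp": cfg["copp"], "police_bps": rate, "fix": strip_log(ace)}
        for intf, acl, direction in cfg["bindings"]
        for ace in cfg["acls"].get(acl, [])
        if LOG_RE.search(ace)
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['interface']} {f['direction']} ACL {f['acl']}: '{f['ace']}' is logged; "
              f"CoPP {f['copp']} polices punts at {f['police_bps']} bps -> use '{f['fix']}'")
```

Run it against `show running-config` output saved to a file instead of SAMPLE_CONFIG and it reports only the bindings that matter: INSIDE-IN has no log keyword and produces nothing, OUTSIDE-IN does. The police rate is reported rather than judged against a threshold, because what counts as "too low" depends on how much legitimate control-plane traffic the box carries; the point of the thread is that a per-packet `log` on a permit-all entry turns every transit packet into control-plane traffic, which no sensible CoPP rate will accommodate.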