Solved

Cisco ACL interfering with SMTP

Posted on 2013-11-07
6
260 Views
Last Modified: 2013-11-26
I cannot post configs of the router in question, I apologize for that. We are having an issue that when we apply an ACL to an interface it begins blocking traffic for what seems like no reason. The ACL only has one line permit ip any any. When it is applied in the inbound direction on an outside interface weird things begin to happen. An open RDP session to a server on the other side of the router is dropped, but the SSH connection to the router stays up. A mail marshall server we have goes through all normal smtp messages with the distant end MTA, but fails when the email payload is actually attempted to pass. When the ACL is removed, everything flows as normal again. I'm sorry for the vagueness of this question, attached is  a rudimentary diagram.
ACL-Problem.pptx
0
Comment
Question by:psychokraft
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 39631609
What is the router model number and what IOS is it running?

Could you try adding the following to your ACL and see what gets logged?

deny any log
0
 
LVL 2

Author Comment

by:psychokraft
ID: 39631830
Off the top of my head its a 7206. I will have to get back to you with the IOS. I can add this detail: there are 4 routers serving domains that are nearly identical save for ip addressing. 2 of the routers experience this issue, while two of them do not. Except for the ip addressing the configs are virtually identical. When we look at the log with the permit ip any any we see the traffic that is getting dropped being permitted by the ACL.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 39632385
If you have 4 routers with the same basic config and two are having issues, I would look at the version of IOS and make sure they are all running the same exact level of IOS.

I would also make sure that the ACL in question is applied to an interface on the same exact model of line card.

If everything is the same, I would open a TAC with Cisco.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:psychokraft
ID: 39638846
I apologize for the delay. As of today I cannot access the devices due to the holiday but I will attend to this question. I want to make sure it was resolved before I accept an answer so that thsi issue can be properly documented for anyone experiencing this in the future.
0
 
LVL 2

Accepted Solution

by:
psychokraft earned 0 total points
ID: 39667974
My colleague at the remote site worked on this extensively and found the problem. The fact that the permit ip any any log (I forgot to mention the log) created a log for every packet meant that control plane traffic must have been being created at a large rate. A configured CoPP policy map was configured with a low value. When my colleague either removed the CoPP or the log statement, traffic began to flow again. I would not have though of this and it seems counterintuitive but that is what fixed it.
0
 
LVL 2

Author Closing Comment

by:psychokraft
ID: 39677117
This solution points to logged traffic by the router as a source of control plane traffic. Future problems that may be encountered such as this should lead to an examination of the log statements at the end of ACL entries and any configured control plane policing or protection.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Article by: Dermot
The life of crime is over for 22 year-old Christian Ian Salvador, a student from Isabela State University in the Philippines.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question