Solved

Cisco ACL interfering with SMTP

Posted on 2013-11-07
6
259 Views
Last Modified: 2013-11-26
I cannot post configs of the router in question, I apologize for that. We are having an issue that when we apply an ACL to an interface it begins blocking traffic for what seems like no reason. The ACL only has one line permit ip any any. When it is applied in the inbound direction on an outside interface weird things begin to happen. An open RDP session to a server on the other side of the router is dropped, but the SSH connection to the router stays up. A mail marshall server we have goes through all normal SMTP messages with the distant end MTA, but fails when the email payload is actually attempted to pass. When the ACL is removed, everything flows as normal again. I'm sorry for the vagueness of this question, attached is a rudimentary diagram.
ACL-Problem.pptx
0
Comment
Question by:psychokraft
6 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 39631609
What is the router model number and what IOS is it running?

Could you try adding the following to your ACL and see what gets logged?

deny ip any any log
0
 
LVL 2

Author Comment

by:psychokraft
ID: 39631830
Off the top of my head it's a 7206. I will have to get back to you with the IOS. I can add this detail: there are 4 routers serving domains that are nearly identical save for ip addressing. 2 of the routers experience this issue, while two of them do not. Except for the ip addressing the configs are virtually identical. When we look at the log with the permit ip any any we see the traffic that is getting dropped being permitted by the ACL.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 39632385
If you have 4 routers with the same basic config and two are having issues, I would look at the version of IOS and make sure they are all running the same exact level of IOS.

I would also make sure that the ACL in question is applied to an interface on the same exact model of line card.

If everything is the same, I would open a TAC with Cisco.
0
 
LVL 2

Author Comment

by:psychokraft
ID: 39638846
I apologize for the delay. As of today I cannot access the devices due to the holiday but I will attend to this question. I want to make sure it was resolved before I accept an answer so that this issue can be properly documented for anyone experiencing this in the future.
0
 
LVL 2

Accepted Solution

by:psychokraft
psychokraft earned 0 total points
ID: 39667974
My colleague at the remote site worked on this extensively and found the problem. The fact that the permit ip any any log (I forgot to mention the log) created a log for every packet meant that control plane traffic must have been being created at a large rate. A configured CoPP policy map was configured with a low value. When my colleague either removed the CoPP or the log statement, traffic began to flow again. I would not have thought of this and it seems counterintuitive but that is what fixed it.
0
 
LVL 2

Author Closing Comment

by:psychokraft
ID: 39677117
This solution points to logged traffic by the router as a source of control plane traffic. Future problems that may be encountered such as this should lead to an examination of the log statements at the end of ACL entries and any configured control plane policing or protection.
0
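To make the interaction the accepted solution describes concrete, here is an added illustration that is not the thread's configuration (the ACL, interface and policy-map names and the 8000 bps police rate are assumptions): the problematic shape beside the corrected one.

```cisco
! Constructed example, not the router config from this thread. OUTSIDE-IN,
! GigabitEthernet0/0, CoPP-POLICY and the 8000 bps rate are assumed values.
!
! --- Problematic shape ---
! A packet that matches an ACE carrying "log" is punted to the route processor
! so the log message can be generated. On a permit-any line that means transit
! traffic on the interface becomes control-plane traffic.
ip access-list extended OUTSIDE-IN
 permit ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! CoPP polices everything that reaches the CPU. With a low class-default rate the
! punted transit packets are the ones dropped: long RDP sessions and the SMTP
! DATA phase stall, while the router's own small SSH session stays within the rate.
policy-map CoPP-POLICY
 class class-default
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP-POLICY
!
! --- Corrected shape ---
! Keep the broad permit in the fast path (no "log"); CoPP now only sees traffic
! that is genuinely destined for the router.
ip access-list extended OUTSIDE-IN
 no permit ip any any log
 permit ip any any
!
! Where "log" is still wanted on narrow entries, bound how often a logged match
! is punted and how often messages are emitted, so a burst cannot starve CoPP.
ip access-list logging interval 1000
ip access-list log-update threshold 1000
logging rate-limit 10
```

When troubleshooting the same symptom, `show policy-map control-plane` shows whether class-default exceed drops climb while the ACL is applied.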