Solved

Cisco ACL interfering with SMTP

Posted on 2013-11-07
Last Modified: 2013-11-26
I cannot post configs of the router in question, I apologize for that. We are having an issue that when we apply an ACL to an interface it begins blocking traffic for what seems like no reason. The ACL only has one line: permit ip any any. When it is applied in the inbound direction on an outside interface, weird things begin to happen. An open RDP session to a server on the other side of the router is dropped, but the SSH connection to the router stays up. A mail marshall server we have goes through all normal SMTP messages with the distant end MTA, but fails when the email payload is actually attempted to pass. When the ACL is removed, everything flows as normal again. I'm sorry for the vagueness of this question; attached is a rudimentary diagram.
ACL-Problem.pptx
Question by:psychokraft
6 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
What is the router model number and what IOS is it running?

Could you try adding the following to your ACL and see what gets logged?

deny ip any any log
0
 
LVL 2

Author Comment

by:psychokraft
Off the top of my head it's a 7206. I will have to get back to you with the IOS. I can add this detail: there are 4 routers serving domains that are nearly identical save for IP addressing. 2 of the routers experience this issue, while two of them do not. Except for the IP addressing the configs are virtually identical. When we look at the log with the permit ip any any we see the traffic that is getting dropped being permitted by the ACL.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
If you have 4 routers with the same basic config and two are having issues, I would look at the version of IOS and make sure they are all running the same exact level of IOS.

I would also make sure that the ACL in question is applied to an interface on the same exact model of line card.

If everything is the same, I would open a TAC with Cisco.
0
 
LVL 2

Author Comment

by:psychokraft
I apologize for the delay. As of today I cannot access the devices due to the holiday, but I will attend to this question. I want to make sure it was resolved before I accept an answer so that this issue can be properly documented for anyone experiencing this in the future.
0
 
LVL 2

Accepted Solution

by:psychokraft
psychokraft earned 0 total points
My colleague at the remote site worked on this extensively and found the problem. The fact that the permit ip any any log (I forgot to mention the log) created a log for every packet meant that control plane traffic must have been generated at a large rate. A CoPP policy map was configured with a low value. When my colleague either removed the CoPP or the log statement, traffic began to flow again. I would not have thought of this and it seems counterintuitive, but that is what fixed it.
0
 
LVL 2

Author Closing Comment

by:psychokraft
This solution points to logged traffic by the router as a source of control plane traffic. Future problems that may be encountered such as this should lead to an examination of the log statements at the end of ACL entries and any configured control plane policing or protection.
0
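The mechanism in the accepted solution, written out as an added IOS configuration example (not configuration from this thread or from the poster's routers; the ACL, class-map and policy names, the police rate, the interface and the threshold value are all assumed):

```cisco
! Problematic state (assumed names and values): every packet matching an
! ACL entry that carries "log" is punted to the route processor so a syslog
! message can be generated. With "permit ip any any log" that is ALL transit
! traffic, and the CoPP policer below drops whatever exceeds its rate, so
! high-volume flows (an SMTP body, an RDP session) fail while low-rate SSH
! to the router survives.
ip access-list extended OUTSIDE-IN
 permit ip any any log
!
policy-map COPP
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in

! Corrected state: the permit entry no longer logs, so matching packets stay
! in the forwarding path and never touch the CoPP policer. Where logging on
! an ACL entry is genuinely needed, the log-update threshold (assumed value)
! batches matches per message instead of punting every packet.
ip access-list log-update threshold 1000
ip access-list extended OUTSIDE-IN
 no permit ip any any log
 permit ip any any
!
! Checks (assumed names): per-entry match counters are maintained without
! "log", and the control-plane policy counters show whether the policer is
! discarding punted traffic.
show access-lists OUTSIDE-IN
show policy-map control-plane input
```

A non-zero "exceeded" or drop count in the second show command while transit traffic is failing is the signature of the condition the poster described.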
