Solved

Unable to tracert behind Cisco Pix

Posted on 2013-12-13
Last Modified: 2014-02-08
So I have a client that uses MS Exchange 2010 and the network sits behind a Cisco PIX. This server is unable to email anyone with an MSN account. At first I thought it was a blacklist issue, but confirmed it was not. Then I checked my queue and realized that all messages get stuck when addressed to msn.com. Then I did a telnet to mx1.hotmail.com 25 and was able to connect, but when I tracert 216.32.183.201 I get nothing but timeouts. I went to another mail server also behind a PIX and I have the same issue. Is this just a coincidence? I have multiple mail servers behind ASAs and don't have this issue; is there something on the PIX causing this?
Question by:TJacoberger1

Author Comment

by:TJacoberger1
ID: 39717736
Update: I am able to send email to Hotmail from the second server, so I am no longer convinced it's a PIX issue even though I cannot tracert.

Problem remains however, whenever I try to send an email to MSN Hotmail Live or Outlook, the email sits in my queue and is eventually delayed then fails. I do not have issues with any other domains.


2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:55.074Z,Outbound Email,08D0C64EF869F808,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:18:16.073Z,Outbound Email,08D0C64EF869F808,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:19:16.075Z,Outbound Email,08D0C64EF869F80B,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:19:37.056Z,Outbound Email,08D0C64EF869F80B,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:20:37.098Z,Outbound Email,08D0C64EF869F80E,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:20:58.084Z,Outbound Email,08D0C64EF869F80E,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:21:04.871Z,Outbound Email,08D0C64F99FC7570,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:21:25.880Z,Outbound Email,08D0C64F99FC7570,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:22:25.910Z,Outbound Email,08D0C64F99FC7576,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:22:46.913Z,Outbound Email,08D0C64F99FC7576,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:23:46.909Z,Outbound Email,08D0C64F99FC7579,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:24:07.927Z,Outbound Email,08D0C64F99FC7579,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
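The protocol log pasted above is the Exchange send-connector CSV format, and the quoted last field hides the commas that a naive split would trip over. As an added example (not from the thread), this parser groups the lines by remote endpoint and counts connect failures, Winsock error codes and the seconds from "attempting to connect" to failure, so a destination that is timing out stands out against one that connects. The input is four lines copied from the post plus one constructed successful session to 198.51.100.25 (a documentation address) for contrast.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Field order of an Exchange 2010 send-connector protocol log line.
FIELDS = ("date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context")

# Sample input: four lines from the log posted above plus one constructed,
# successful session to 198.51.100.25 (documentation range) for contrast.
SAMPLE_LOG = """\
2013-12-13T19:15:21.714Z,Outbound Email,08D05B0BC3DEC948,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:15:42.723Z,Outbound Email,08D05B0BC3DEC948,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:16:34.042Z,Outbound Email,08D0C64EF869F803,0,,205.178.189.131:25,*,,attempting to connect
2013-12-13T19:16:55.049Z,Outbound Email,08D0C64EF869F803,1,,205.178.189.131:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.178.189.131:25"
2013-12-13T19:17:00.000Z,Outbound Email,08D0C64EF869F900,0,,198.51.100.25:25,*,,attempting to connect
2013-12-13T19:17:00.120Z,Outbound Email,08D0C64EF869F900,1,,198.51.100.25:25,+,,
"""

def parse_log(text):
    """Yield one dict per non-empty line; csv handles the quoted last field."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            yield dict(zip(FIELDS, row))

def summarize_by_remote(text):
    """Per remote endpoint: successful connects, connect failures, Winsock
    error codes seen, and seconds elapsed from attempt to failure."""
    summary = defaultdict(lambda: {"connected": 0, "failures": 0,
                                   "error_codes": set(), "fail_seconds": []})
    started = {}  # session-id -> time of "attempting to connect"
    for rec in parse_log(text):
        s = summary[rec["remote-endpoint"]]
        sid, ctx = rec["session-id"], rec["context"]
        ts = datetime.strptime(rec["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if ctx == "attempting to connect":
            started[sid] = ts
        elif ctx.startswith("Failed to connect"):
            s["failures"] += 1
            code = re.search(r"Error Code: (\d+)", ctx)
            if code:
                s["error_codes"].add(int(code.group(1)))
            if sid in started:
                s["fail_seconds"].append((ts - started[sid]).total_seconds())
        elif rec["event"] == "+":  # "+" is Exchange's connect event
            s["connected"] += 1
    return dict(summary)
```

Run against a real `SEND*.LOG` file, a destination whose every session ends in 10060 after about 21 seconds is a TCP connect that never got a SYN-ACK, which points at the path or a filter rather than at the remote SMTP service.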
LVL 20

Expert Comment

by:rauenpc
ID: 39717829
Two things. One, it is probably a good idea to run the "no fixup protocol smtp 25" command on your PIXes. Microsoft uses ESMTP, which has a few things about it that don't conform purely to the standard, and the PIX/ASA attempts to "correct" the packets. I have yet to see this correction... well... correct anything. Normally it causes issues. The other great thing about that command is that, depending on code version, it doesn't show up in the configuration. You have to blindly run the command and remember to reapply it to any PIX/ASA that has had its configuration erased. Before running this command, go to mxtoolbox.com and enter your domain. It will come back with a bit of info. From there, run the "SMTP test". In the session transcript window, if you see "200***************************" then you are experiencing the fixup protocol issue. Run the command, and then rerun the SMTP test and you will get a response relative to your server's information. This might not fix your issue, but it certainly shouldn't hurt.

Second, on the traceroute topic, PIX/ASA by default does not allow any type of icmp through the firewall. You will need to permit that traffic inbound on the outside interface, and possibly add "inspect icmp" to the global service policy (or whichever policy is applied to your interfaces). If the rule doesn't exist yet, you shouldn't be able to get a traceroute response from any website.

Author Comment

by:TJacoberger1
ID: 39717857
Ok, so I was able to determine that the issue has nothing to do with the router. It's related to my Exchange server and DNS: when I create a new send connector, include each specific domain, then route it through a smart host, the emails go through. So when I use my DNS MX records to route mail I cannot send to MSN, Outlook Live or Hotmail. Any ideas why?
LVL 20

Expert Comment

by:rauenpc
ID: 39717935
Do you have reverse DNS configured correctly?

Author Comment

by:TJacoberger1
ID: 39718006
On the domain controller?
LVL 20

Expert Comment

by:rauenpc
ID: 39719560
When you send an email, it arrives at a destination server. As part of an integrity/spam check, two things are usually required to pass. One is that the sending domain (your domain.com) has not been blacklisted, and also that the source IP the email was received from resolves to a matching domain. The email server does a reverse DNS lookup for 1.2.3.4 (your public IP) and expects that the response matches your domain.com. If it does not match, your email can be rejected on the basis that it could be a spoofed message. The reverse DNS entry is controlled by whoever truly owns the public IP address. Commonly, this is your ISP, but if you have public DNS servers then you would have control over the entries. To check reverse DNS, run the command "nslookup [your public ip] 8.8.8.8". If it does not have a response of your domain.com then reverse DNS is not set up.
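The check rauenpc describes is what receiving servers call forward-confirmed reverse DNS: the PTR for the sending IP must exist, must resolve back to that same IP, and should sit inside the sending domain. As an added example (not from the thread), the function below applies those three tests; the resolver answers are constructed stand-ins (198.51.100.0/24 is the documentation range, example.com plays "your domain.com"), and the `ptr`/`fwd` parameters are there so a real resolver can be plugged in.

```python
import ipaddress

# Constructed resolver data standing in for the answers a receiving mail
# server would get. 198.51.100.0/24 is the documentation range; example.com
# plays the role of "your domain.com".
CONSTRUCTED_PTR = {
    "198.51.100.25": ["mail.example.com."],                # correct rDNS
    "198.51.100.26": ["198-51-100-26.isp.example.net."],   # generic ISP name
    "198.51.100.27": [],                                   # no PTR at all
    "198.51.100.28": ["mail.example.com."],                # PTR not confirmed
}
CONSTRUCTED_A = {
    "mail.example.com.": ["198.51.100.25"],
    "198-51-100-26.isp.example.net.": ["198.51.100.26"],
}

def reverse_name(ip):
    """The in-addr.arpa name a PTR query for ip is sent to."""
    return ipaddress.ip_address(ip).reverse_pointer

def lookup_ptr(ip):  # stand-in for a real PTR query
    return CONSTRUCTED_PTR.get(ip, [])

def lookup_a(name):  # stand-in for a real A query
    return CONSTRUCTED_A.get(name, [])

def check_sender_rdns(ip, sending_domain, ptr=lookup_ptr, fwd=lookup_a):
    """Return (ok, reason). ok only when a PTR exists, resolves back to the
    same address (forward-confirmed rDNS) and sits inside sending_domain."""
    names = ptr(ip)
    if not names:
        return False, "no PTR record at %s" % reverse_name(ip)
    domain = sending_domain.rstrip(".").lower()
    for name in names:
        host = name.rstrip(".").lower()
        if ip not in fwd(name):
            # A PTR the IP's owner sets is not proof; it must resolve back.
            return False, "PTR %s does not resolve back to %s" % (host, ip)
        if host == domain or host.endswith("." + domain):
            return True, "forward-confirmed rDNS %s matches %s" % (host, domain)
    return False, "PTR names %s do not belong to %s" % (names, domain)
```

The 198.51.100.26 case is the common one when the ISP owns the address: a PTR exists and forward-confirms, but it is a generic ISP name, so large receivers may still treat the source as suspect.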

Accepted Solution

by:TJacoberger1 earned 0 total points
ID: 39830894
I ended up creating a separate send connector on my Exchange server, adding the problem domains and relaying through a smart host. Still unclear why my Exchange server is not able to reach these domains; it must be DNS, but this is a good workaround until I get it figured out.

Author Closing Comment

by:TJacoberger1
ID: 39843920
Resolved by Me.