Solved

Issue with Cisco ASA 5540 firewall and Exchange Mail Flow

Posted on 2014-03-31
467 Views
Last Modified: 2014-09-22
ASA 5540 version 7.0(7) in front of Exchange 2003 Enterprise with the latest service pack, and a GFI antispam box. The queue builds up almost on a daily basis, and we have to reload the firewall in order to get the email flowing; it works for a day, then it happens again.
No changes have happened since this started. We took care of relay a long time ago and we are good in that aspect. Also, "no fixup protocol smtp 25" was applied via the command line on the firewall.

When I try to connect to our MX record's IP address from outside, I get "Could not open connection to the host, on port 25". If I do an SMTP test on MXToolbox I get:
Connecting to 173.161.x.y

I'm the only administrator in the company. I have not made any changes for the past 6 months, not even patching the Exchange server, and everything was working fine until 4-5 days ago.

We confirmed in a previous question that it is a firewall issue, not Exchange. Please see question ID 28389705.
Question by:Shando1971
19 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 50 total points
ID: 39968064
Try upgrading the software on the Cisco ASA:

To download the ASA software, you must have a valid SMARTnet agreement. Log onto the Cisco Web site; you can find the download here: http://www.cisco.com/cgi-bin/tablebuild.pl/asa

Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages.

Once you've downloaded the necessary software, follow these steps:

1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.

2. Determine which version of ASA software you have now. Here's an example:

ASA5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
ASA5510# dir
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)
ASA5510#

3. You can use TFTP to move the image to the ASA. Here's an example:

ASA5510# copy tftp disk0
Address or name of remote host []? 10.253.15.77
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin
Accessing tftp://10.253.15.77/asa802-k8.bin...!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer.

4. Rename your old version to make sure you boot off the new version. Here's an example:

ASA5510# rename asa706-k8.bin asa706-k8.old

5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:

Cisco Adaptive Security Appliance Software Version 8.0(2)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
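
A pre-flight check for the upgrade steps above, as an added example (it is not from the comment's author or from Cisco): it parses the output of "show version" and "dir" from steps 2 and 3, confirms that the image about to be copied is newer than the running release and that it fits in the free flash, and lists the reasons not to proceed otherwise. The sample output is constructed from the transcript above with the poster's 7.0(7) release substituted, not captured from the poster's device; the image-name to version mapping (asa802-k8.bin = 8.0(2)) follows the three-digit file names used in the comment and the 14524416-byte size is the one the copy output reports.

```python
"""Pre-flight for the ASA image upgrade above: read 'show version' and 'dir'
output and confirm the new image is newer than the running one and that flash
has room for it before running 'copy tftp disk0'."""
import re

# Constructed sample output, modelled on the transcript in the comment above
# but using the poster's 7.0(7) release; not captured from the poster's device.
SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 7.0(7)
Device Manager Version 5.0(7)"""

DIR_OUTPUT = """Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa707-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm507.bin
255426560 bytes total (244064256 bytes free)"""


def parse_running_version(show_version):
    """'Software Version 7.0(7)' -> (7, 0, 7)."""
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)", show_version)
    if not m:
        raise ValueError("no ASA software version line found")
    return tuple(int(x) for x in m.groups())


def image_version(filename):
    """'asa802-k8.bin' -> (8, 0, 2) for the three-digit image names used in the
    thread; None for anything else (ASDM images, unknown naming)."""
    m = re.match(r"asa(\d)(\d)(\d)-k8\.bin$", filename)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_dir(dir_output):
    """Return ({filename: size_in_bytes}, bytes_free) from 'dir' output."""
    files = {m.group(2): int(m.group(1))
             for m in re.finditer(r"^\s*\d+\s+-rw-\s+(\d+)\s.*?\s(\S+)$",
                                  dir_output, re.M)}
    free = int(re.search(r"\((\d+) bytes free\)", dir_output).group(1))
    return files, free


def preflight(show_version, dir_output, new_image, new_image_size):
    """Collect the reasons not to proceed; 'ok' is True only if there are none."""
    running = parse_running_version(show_version)
    target = image_version(new_image)
    files, free = parse_dir(dir_output)
    problems = []
    if target is None:
        problems.append("cannot read a version from image name %s" % new_image)
    elif target <= running:
        problems.append("%s is not newer than running %d.%d(%d)"
                        % ((new_image,) + running))
    if free < new_image_size:
        problems.append("flash has %d bytes free, image needs %d"
                        % (free, new_image_size))
    return {"running": running, "target": target, "images": files,
            "free": free, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # 14524416 bytes is the asa802-k8.bin size reported in the comment's copy output.
    print(preflight(SHOW_VERSION, DIR_OUTPUT, "asa802-k8.bin", 14524416))
```

Paste your own "show version" and "dir" output in place of the constructed strings; if "ok" is false, fix the listed problem (free space, wrong image) before touching the box, since a failed copy or a boot from the wrong image is exactly what a lapsed SMARTnet contract will not help you recover from.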

Author Comment

by:Shando1971
ID: 39970290
If I had support I would have contacted them and not posted it here :)
LVL 15

Expert Comment

by:jrhelgeson
ID: 39994629
Where is the queue backing up?  How are things configured?

Is it:
 GFI-Anti-Spam -> Firewall -> Exchange server?

Author Comment

by:Shando1971
ID: 39994641
On the GFI box.
The GFI and Exchange server are behind the firewall.
LVL 15

Expert Comment

by:jrhelgeson
ID: 39994661
So how is it queuing on GFI if both the GFI and Exchange are behind the firewall?
Do you have the link to the other EE Question you referenced?

Author Comment

by:Shando1971
ID: 39994691
Question ID 28389705.

I really don't understand why inbound emails get queued on the GFI box along with the outbound!

But this is what is happening: both outbound and inbound get stuck, but once we restart the firewall all email flows with no problem.
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 300 total points
ID: 39995015
Seriously, I don't know why it's so hard to provide a link to the question.

I looked in your question history, found your question:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28389705.html

and it appears that this issue has stretched back to June of last year?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28161766.html
LVL 15

Expert Comment

by:jrhelgeson
ID: 39995021
Let me see if I understand: When you state 'it stops mail flow', it sounds like the outbound queue fills up, and inbound mail flow stops.

Rebooting the firewall fixes the problem, both inbound & outbound works.

How old is your firewall?

Can you provide a "SHOW VERSION" and "SHOW FLASH" on the device?  

You've already disabled the no fixup for SMTP, correct?

Joel

Author Comment

by:Shando1971
ID: 39995078
Actually, the inbound email for some reason makes it to the GFI queue and sits there in the queue.
Here is the info for the flash and the ver.
New-Text-Document.txt

Author Comment

by:Shando1971
ID: 39995080
I did disable the no fixup, but couldn't verify it as I get the error listed in the question ID I provided.
LVL 15

Expert Comment

by:jrhelgeson
ID: 39995210
If you would please post what you had put in your previous questions into this question. I'm no longer going to play detective to fix your problems.

What is the error you get?

Author Comment

by:Shando1971
ID: 39995235
Here is the error:
"Could not open connection to the host, on port 25"
This is when I try to connect from outside the network.
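
The connection test the poster was attempting, as an added example that is not part of the original thread (example code, not anything the participants posted). It connects to a host on TCP/25, reads the greeting and reports one of: the name did not resolve (a resolver problem), the connect was refused or timed out (the "Could not open connection to the host, on port 25" case, which points at the firewall, ACL or NAT rather than Exchange), a normal 220 banner, or a banner rewritten to asterisks. The last is what ASA SMTP/ESMTP inspection does to a server greeting, so a readable banner from outside is the way to confirm that "no fixup protocol smtp 25" from the question actually took effect. The host names, greetings, local fake listener and the file name probe.py are constructed for the demonstration.

```python
"""Probe TCP/25 from outside and say what is in the path: the check the
poster could not complete ("Could not open connection to the host, on port
25") and the way to confirm that 'no fixup protocol smtp 25' took effect."""
import socket
import threading


def classify_banner(banner):
    """ok / masked / bad-banner for the first line the server sent."""
    if not banner.startswith("220"):
        return "bad-banner"
    body = banner[3:].strip()
    # ASA SMTP/ESMTP inspection rewrites the greeting so that everything after
    # the 220 reply code is asterisks; a banner of only '*' means the fixup is
    # still applied to this traffic.
    if body and set(body) <= {"*"}:
        return "masked"
    return "ok"


def probe_smtp(host, port=25, timeout=5.0):
    """Return (status, detail); status is dns | no-connect | ok | masked | bad-banner."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as e:          # name did not resolve: resolver, not firewall
        return "dns", str(e)
    except OSError as e:                  # refused / timed out: ACL, NAT or dead box
        return "no-connect", str(e)
    with s:
        try:
            banner = s.recv(512).decode("ascii", "replace").strip()
            s.sendall(b"QUIT\r\n")
        except OSError as e:
            return "bad-banner", str(e)
    return classify_banner(banner), banner


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in for a mail server: serves one connection, sends a
    fixed greeting, waits for QUIT, so the probe can be exercised offline."""

    def __init__(self, greeting):
        super().__init__(daemon=True)
        self.greeting = greeting
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(self.greeting)
            try:
                conn.recv(64)             # wait for the client's QUIT, then hang up
            except OSError:
                pass
        self.sock.close()


def demo():
    """Probe three constructed targets; returns {name: status}."""
    results = {}
    greetings = {
        "clean": b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n",
        "masked": b"220 **************************************************\r\n",
    }
    for name, greeting in greetings.items():
        srv = FakeSmtpServer(greeting)
        srv.start()
        results[name] = probe_smtp("127.0.0.1", srv.port)[0]
        srv.join(timeout=5.0)
    # A loopback port with no listener: the refused connect the poster saw from outside.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    port = spare.getsockname()[1]
    spare.close()
    results["closed"] = probe_smtp("127.0.0.1", port, timeout=2.0)[0]
    return results


if __name__ == "__main__":
    import sys
    print(probe_smtp(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it as `python probe.py <mx-ip>` from a host outside the network, since the complaint is about inbound mail; "no-connect" from outside while the same probe from the inside LAN returns "ok" isolates the firewall, and "masked" means the inspection is still active regardless of what the running config claims.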
LVL 20

Assisted Solution

by:Iain MacMillan
Iain MacMillan earned 150 total points
ID: 39998443
If I may step in... SMARTnet is the one thing you need to keep active on your firewall; otherwise you do not get any updates to the software (your software is very much out of date). Given Exch03 is no longer supported, you really should be planning an Exch10 upgrade (you can't go direct to 13).

Current ASA versions are 7.1.5 for the ASDM and 9.0.3 for the ASA itself. Obviously you can't use the latest Java 7 update 51, or you cannot connect via ASDM.

Something has changed somewhere; has GFI been updated?
Or any other security software/AV package?
Check the logs on the GFI server; they may indicate why it's not communicating with the FW (DNS or IP address checks done).

If the emails are getting stuck, then the issue is with the GFI server and the firewall. Can you allow the Exch server to link directly to the firewall (change mail flow) to see if everything works then?
LVL 15

Expert Comment

by:jrhelgeson
ID: 39998933
This is a problem with the firewall that has existed for over a year.  I would recommend updating the firmware on the firewall as a start.  It seems pretty clear you're dealing with old, flaky hardware.

I'm afraid I cannot take troubleshooting any further without violating terms of service here on Experts Exchange (downloading firmware from non-standard sources, etc).  So I am at a loss as to what to tell you to do other than either get SmartNet on the device, or replace the firewall.  I'm not sure which would be the cheaper option.

Author Comment

by:Shando1971
ID: 39998959
Thank you very much for your help, experts, and sorry for any aggravation I may have caused by not putting in the link to the previously posted question; for some reason I thought I was only allowed to put the question's ID, not a link to it!
I'll renew the SMARTnet contract or replace the firewall.
LVL 20

Expert Comment

by:Iain MacMillan
ID: 40008608
No worries. Renewing the contract will likely be cheaper (you may need to get a RAM upgrade if the unit doesn't already have at least 1GB; the FW main page will tell you what you have: total memory and total flash, top left on the main ASDM page).

Costs will vary from country to country, but since it's lapsed it might initially be more expensive now, and next year it will be cheaper just renewing. For example, in the UK my ASA 5500 series device incurs about £500 per year for 24x7x4 (4 hour fix) SMARTnet.

Accepted Solution

by:Shando1971
Shando1971 earned 0 total points
ID: 40328355
Hi,
it turns out to be the Comcast DNS!!
After I switched to Google DNS on our domain controller, the problem was fixed and it has stayed fixed up until the date of this comment. I really appreciate all your help.

Author Closing Comment

by:Shando1971
ID: 40336144
Found DNS events on the Exchange server; changed the DNS from Comcast to Google on the domain controller.
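
A resolver comparison that would have surfaced the cause the poster eventually found, as an added example (not from any of the thread's participants): it sends the same MX query over UDP to two recursive resolvers, typically the one the domain controller and Exchange are pointed at and a second one such as Google Public DNS at 8.8.8.8, and reports when the first returns SERVFAIL or times out while the second answers, or when the two disagree on the MX set. The ISP resolver address is a command-line argument because the thread does not give it; the DNS client is hand-rolled on the standard library so nothing has to be installed on the mail host, and the response builder exists only to exercise the parser offline with constructed data. The file name mxcompare.py and the example.com records are assumptions.

```python
"""Ask two recursive resolvers for the same MX record and compare: the check
that would have shown the poster's ISP resolver failing while another resolver
answered. Standard library only, so it runs on the mail host itself."""
import random
import socket
import struct

QTYPE_MX, QCLASS_IN = 15, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_mx_query(name, qid):
    """Header with RD=1, one question, QTYPE=MX, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_MX, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_mx_response(msg, expect_qid):
    """Return (rcode, sorted [(preference, host), ...]) from a raw reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expect_qid:
        raise ValueError("reply ID does not match the query")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack(">H", msg[off:off + 2])[0]
            answers.append((pref, read_name(msg, off + 2)[0]))
        off += rdlen
    return flags & 0xF, sorted(answers)


def query_mx(resolver_ip, name, timeout=3.0):
    """One UDP MX query; returns (rcode, answers), or ('TIMEOUT', []) on silence."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(name, qid), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_mx_response(data, qid)


def compare(rcode_a, mx_a, rcode_b, mx_b):
    """Verdict on resolver A (the one the mail host uses) against resolver B."""
    if rcode_a != 0 and rcode_b == 0:
        return "resolver A failing (%s) while B answers" % RCODES.get(rcode_a, rcode_a)
    if rcode_a == 0 and rcode_b == 0 and mx_a != mx_b:
        return "resolvers disagree on the MX set"
    return "consistent"


def build_mx_response(query, answers, rcode=0):
    """Constructed reply for offline use: echoes the question, then one MX RR per
    (pref, host) with the owner name as a pointer (0xC00C) to the question."""
    qid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b""
    for pref, host in answers:
        rdata = struct.pack(">H", pref) + encode_name(host)
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_MX, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: mxcompare.py <domain> <resolver-A-ip> <resolver-B-ip>")
    (ra, mxa), (rb, mxb) = query_mx(sys.argv[2], sys.argv[1]), query_mx(sys.argv[3], sys.argv[1])
    print(sys.argv[2], RCODES.get(ra, ra), mxa)
    print(sys.argv[3], RCODES.get(rb, rb), mxb)
    print(compare(ra, mxa, rb, mxb))
```

Run it from the Exchange or GFI host as `python mxcompare.py <destination-domain> <isp-resolver-ip> 8.8.8.8` for a few domains whose mail is stuck in the queue; "resolver A failing (SERVFAIL) while B answers" or a TIMEOUT on A is the DNS failure the poster read out of the Exchange event log, and it explains why outbound delivery stalls even though the firewall is passing traffic.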
