Issue with Cisco Asa 5540 firewall and Exchange Mail Flow

ASA 5540 version 7.0(7) in front of Exchange 2003 Enterprise with the latest service pack and a GFI antispam box. The queue builds up almost on a daily basis, and we have to reload the firewall in order to get the email flowing; it works for a day, then it happens again.
No changes have happened since this started. We took care of relaying a long time ago and we are good in that aspect. Also, "no fixup protocol smtp 25" was applied via the command line on the firewall.

When I try to connect to our MX record's IP address from outside, I get "Could not open connection to the host, on port 25". If I do an SMTP test on MXToolbox I get:
Connecting to 173.161.x.y

I'm the only administrator in the company. I have not made any changes for the past 6 months, not even patching the Exchange server, and everything was working fine until 4-5 days ago.

We confirmed in a previous question that it is a firewall issue, not Exchange. Please see question ID28389705.
Shando1971 (Author) commented:
It turns out to be the Comcast DNS!!
After I switched to Google DNS on our domain controller, the problem is fixed, and it has stayed fixed up until the date of this comment. I really appreciate all your help.
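The symptom in the question ("Could not open connection to the host, on port 25") and the accepted answer (the real fault was DNS) are two different stages of the same test. The added example below, which is not from the thread, walks an outside MX check through name lookup, TCP connect and SMTP greeting separately, so a DNS failure is never mistaken for a firewall failure. The MX host, greeting and loopback listener are constructed stand-ins so it runs offline.

```python
import socket
import threading

def check_smtp_path(host, port=25, timeout=5.0):
    """Walk the three stages an outside MX test goes through and report the first
    one that fails: 'dns' (name lookup), 'tcp' (connect through the firewall),
    'banner' (connected, but no SMTP 220 greeting), or 'ok'."""
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"name resolution for {host} failed: {exc}"
    ip = addrs[0][4][0]
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        # This is the "Could not open connection to the host, on port 25" case.
        return "tcp", f"connect to {ip}:{port} failed: {exc}"
    try:
        with sock:
            banner = sock.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:
        return "banner", f"connected to {ip}:{port} but no greeting: {exc}"
    if not banner.startswith("220"):
        return "banner", f"connected to {ip}:{port} but greeting was {banner!r}"
    return "ok", banner

def fake_mx_server(greeting=b"220 mx.example.test ESMTP ready\r\n"):
    """Constructed stand-in for the MX host, listening on loopback so the check
    runs offline. Accepts one connection, sends the greeting (nothing when
    greeting is None) and closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting is not None:
                conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(check_smtp_path("127.0.0.1", fake_mx_server()))
```

Run against the real MX name, a "dns" result points at the resolver on the domain controller, while "tcp" points at the path through the firewall.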
Hassan Besher commented:
Try upgrading the software on the Cisco ASA:

To download the ASA software, you must have a valid SMARTnet agreement. Log onto the Cisco Web site; you can find the download here:

Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages.

Once you've downloaded the necessary software, follow these steps:

1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.

2. Determine which version of ASA software you have now. Here's an example:

ASA5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)

ASA5510# dir
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)


3. You can use TFTP to move the image to the ASA. Here's an example:

ASA5510# copy tftp disk0
Address or name of remote host []?
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin
Accessing tftp://!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer.

4. Rename your old version to make sure you boot off the new version. Here's an example:

ASA5510# rename asa706-k8.bin asa706-k8.old

5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:

Cisco Adaptive Security Appliance Software Version 8.0(2)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
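Steps 2 through 5 above amount to a pre-flight check: read the current versions and flash contents, make sure the new image fits, rename the old image, and stage a matching ASDM. The added example below (not from the post or from Cisco) parses the `sh ver` and `dir` output formats quoted in step 2 and produces that checklist. The sample output is copied from the post; the image size comes from the copy in step 3; treating every ASA 8.x-or-later target as needing ASDM 6.x or later generalises the 8.x/6.x pairing stated in step 5 and is an assumption.

```python
import re

# Line formats are those of the 'sh ver' and 'dir' output quoted in step 2.
SW_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)")
ASDM_RE = re.compile(r"Device Manager Version (\d+)\.(\d+)\((\d+)\)")
FILE_RE = re.compile(r"^\s*\d+\s+-rw-\s+(\d+)\s+\S+\s+\w+\s+\d+\s+\d+\s+(\S+)\s*$")
FREE_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")

# Sample output copied from the post, so the check runs without a device.
SAMPLE_SHOW_VER = ("Cisco Adaptive Security Appliance Software Version 7.0(6)\n"
                   "Device Manager Version 5.0(6)\n")
SAMPLE_DIR = ("Directory of disk0:/\n"
              "5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin\n"
              "675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin\n"
              "255426560 bytes total (244064256 bytes free)\n")

def parse_show_version(text):
    """Return (asa_version, asdm_version) as int tuples, or None where absent."""
    sw, asdm = SW_RE.search(text), ASDM_RE.search(text)
    return (tuple(map(int, sw.groups())) if sw else None,
            tuple(map(int, asdm.groups())) if asdm else None)

def parse_dir(text):
    """Return ({filename: size_bytes}, free_bytes) from 'dir' output."""
    files, free = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
        elif FREE_RE.search(line):
            free = int(FREE_RE.search(line).group(2))
    return files, free

def upgrade_preflight(show_ver, dir_out, new_image, new_size, new_major):
    """Checks before 'copy tftp disk0': blockers to fix first, reminders for after."""
    _, asdm = parse_show_version(show_ver)
    files, free = parse_dir(dir_out)
    blockers, reminders = [], []
    if free is None:
        blockers.append("could not read free flash from 'dir'")
    elif new_size > free:
        blockers.append(f"{new_image} needs {new_size} bytes but only {free} are free")
    # Step 5: ASA 8.x runs ASDM 6.x; an older ASDM is unusable after the reboot
    # (assumption: the same holds for later ASA majors).
    if new_major >= 8 and asdm is not None and asdm[0] < 6:
        blockers.append(f"ASDM {asdm[0]}.{asdm[1]}({asdm[2]}) is too old for ASA {new_major}.x; stage a 6.x asdm*.bin as well")
    # Step 4: rename the old image so the box cannot boot it by mistake.
    for old in sorted(f for f in files if f.startswith("asa") and f.endswith(".bin") and f != new_image):
        reminders.append(f"rename {old} {old[:-4]}.old")
    return {"blockers": blockers, "reminders": reminders}
```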
Shando1971 (Author) commented:
If I had support I would have contacted them and not posted it here :)
Where is the queue backing up?  How are things configured?

Is it:
GFI Anti-Spam -> Firewall -> Exchange server?
Shando1971 (Author) commented:
On the GFI box.
The GFI and Exchange server are behind the firewall.
So how is it queuing on GFI if both the GFI and Exchange are behind the firewall?
Do you have the link to the other EE Question you referenced?
Shando1971 (Author) commented:
question ID28389705

I really don't understand why inbound emails get queued on the GFI box with the outbound!

But this is what is happening: both outbound and inbound get stuck, but once we restart the firewall, all email flows with no problem.
jrhelgeson commented:
Seriously, I don't know why it's so hard to provide a link to the question.

I looked in your question history, found your question:

and it appears that this issue has stretched back to June of last year?
Let me see if I understand: When you state 'it stops mail flow', it sounds like the outbound queue fills up, and inbound mail flow stops.

Rebooting the firewall fixes the problem, both inbound & outbound works.

How old is your firewall?

Can you provide a "SHOW VERSION" and "SHOW FLASH" on the device?  

You've already disabled the no fixup for SMTP, correct?

Shando1971 (Author) commented:
Actually, the inbound email for some reason makes it to the GFI queue and sits there.
Here is the info for the flash and the ver.
Shando1971 (Author) commented:
I did disable the no fixup but couldn't verify it, as I get the error listed in the question ID I provided.
If you would please post what you had put in your previous questions into this question. I'm no longer going to play detective to fix your problems.

What is the error you get?
Shando1971 (Author) commented:
Here is the error:
"Could not open connection to the host, on port 25"
This is when I try to connect from outside the network.
Iain MacMillan (IT Manager) commented:
If I may step in... SMARTnet is the one thing you need to keep active on your firewall; otherwise you do not get any updates to the software (your software is very much out of date). Given Exch03 is no longer supported, you really should be planning an Exch10 upgrade (you can't go direct to 13).

Current ASA versions are 7.1.5 for the ASDM and 9.0.3 for the ASA itself. Obviously you can't use the latest Java 7 Update 51, or you cannot connect via ASDM.

Something has changed somewhere; has GFI been updated?
Or any other security software/AV package?
Check the logs on the GFI server; they may indicate why it's not communicating with the FW (DNS or IP address checks done).

If the emails are getting stuck, then the issue is with the GFI server and the firewall. Can you allow the Exch server to link directly to the firewall (change mail flow) to see if everything works then?
This is a problem with the firewall that has existed for over a year.  I would recommend updating the firmware on the firewall as a start.  It seems pretty clear you're dealing with old, flaky hardware.

I'm afraid I cannot take troubleshooting any further without violating terms of service here on Experts Exchange (downloading firmware from non-standard sources, etc).  So I am at a loss as to what to tell you to do other than either get SmartNet on the device, or replace the firewall.  I'm not sure which would be the cheaper option.
Shando1971 (Author) commented:
Thank you very much for your help, experts, and sorry for any aggravation I may have caused by not putting the link to the previously posted question; for some reason I thought I'm only allowed to put the question's ID, not a link to it!
I'll renew the SMARTnet contract or replace the firewall.
Iain MacMillan (IT Manager) commented:
No worries; renewing the contract will likely be cheaper. You may need to get a RAM upgrade if the unit doesn't already have at least 1GB (the FW main page will tell you what you have: total memory and total flash, top left on the main ASDM page).

Costs will vary from country to country, but since it's lapsed it might initially be more expensive now, and next year it will be cheaper just renewing. For example, in the UK my ASA 5500 series device incurs about £500 per year for 24x7x4 (4-hour fix) SMARTnet.
Shando1971 (Author) commented:
Found DNS events on the Exchange server; changed the DNS from Comcast to Google on the domain controller.
