Issue with Cisco Asa 5540 firewall and Exchange Mail Flow

Posted on 2014-03-31
Medium Priority
Last Modified: 2014-09-22
ASA 5540 version 7.0(7) in front of Exchange 2003 Enterprise with the latest service pack, and a GFI anti-spam box. The queue builds up almost on a daily basis, and we have to reload the firewall in order to get the email flowing; it works for a day, then it happens again.
No changes have happened since this started; we took care of relay a long time ago and we are good in that aspect. Also, "no fixup protocol smtp 25" was applied via the command line on the firewall.

When I try to connect to our MX record's IP address from outside, I get "Could not open connection to the host, on port 25". If I do an SMTP test on MXToolbox I get "
Connecting to 173.161.x.y

I'm the only administrator in the company. I have not made any changes for the past 6 months, not even patching the Exchange server, and everything was working fine until 4-5 days ago.

We confirmed in a previous question that it is a firewall issue, not Exchange. Please see question ID28389705.
Question by:Shando1971
Assisted Solution

by:Hassan Besher
Hassan Besher earned 200 total points
ID: 39968064
Try upgrading the software on the Cisco ASA:

To download the ASA software, you must have a valid SMARTnet agreement. Log onto the Cisco Web site; you can find the download here: http://www.cisco.com/cgi-bin/tablebuild.pl/asa

Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages.

Once you've downloaded the necessary software, follow these steps:

1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.

2. Determine which version of ASA software you have now. Here's an example:

ASA5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)

ASA5510# dir
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)


3. You can use TFTP to move the image to the ASA. Here's an example:

ASA5510# copy tftp disk0
Address or name of remote host []?
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin
Accessing tftp://!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer.

4. Rename your old version to make sure you boot off the new version. Here's an example:

ASA5510# rename asa706-k8.bin asa706-k8.old

5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:

Cisco Adaptive Security Appliance Software Version 8.0(2)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.

Author Comment

ID: 39970290
If I had support I would have contacted them and not posted it here :)

Expert Comment

ID: 39994629
Where is the queue backing up?  How are things configured?

Is it:
 GFI-Anti-Spam -> Firewall -> Exchange server?

Author Comment

ID: 39994641
On the GFI box.
The GFI and Exchange server are behind the firewall.

Expert Comment

ID: 39994661
So how is it queuing on GFI if both the GFI and Exchange are behind the firewall?
Do you have the link to the other EE Question you referenced?

Author Comment

ID: 39994691
question ID28389705

I really don't understand why inbound emails get queued on the GFI box with the outbound!

But this is what is happening: both outbound and inbound get stuck, but once we restart the firewall all email flows with no problem.

Assisted Solution

jrhelgeson earned 1200 total points
ID: 39995015
Seriously, I don't know why it's so hard to provide a link to the question.

I looked in your question history, found your question:


and it appears that this issue has stretched back to June of last year?


Expert Comment

ID: 39995021
Let me see if I understand: When you state 'it stops mail flow', it sounds like the outbound queue fills up, and inbound mail flow stops.

Rebooting the firewall fixes the problem, both inbound & outbound works.

How old is your firewall?

Can you provide a "SHOW VERSION" and "SHOW FLASH" on the device?  

You've already disabled the no fixup for SMTP, correct?


Author Comment

ID: 39995078
Actually, the inbound email for some reason makes it to the GFI queue and sits there.
Here is the info for the flash and the ver.

Author Comment

ID: 39995080
I did disable the no fixup but couldn't verify it, as I get the error listed in the question ID I provided.

Expert Comment

ID: 39995210
If you would please post what you had put in your previous questions into this question. I'm no longer going to play detective to fix your problems.

What is the error you get?

Author Comment

ID: 39995235
Here is the error:
"Could not open connection to the host, on port 25"
This is when I try to connect from outside the network.

Assisted Solution

by:Iain MacMillan
Iain MacMillan earned 600 total points
ID: 39998443
If I may step in... SMARTnet is the one thing you need to keep active on your firewall, otherwise you do not get any updates to the software (your software is very much out of date). Given Exch03 is no longer supported, you really should be planning an Exch10 upgrade (you can't go direct to 13).

Current ASA versions are 7.1.5 for the ASDM and 9.0.3 for the ASA itself. Obviously you can't use the latest Java 7 update 51 or you cannot connect via ASDM.

Something has changed somewhere; has GFI been updated?
Or any other security software/AV package?
Check the logs on the GFI server; they may indicate why it's not communicating with the FW (DNS or IP address checks done).

If the emails are getting stuck, then the issue is with the GFI server and the firewall -- can you allow the Exch server to link directly to the firewall (change mail flow) to see if everything works then?

Expert Comment

ID: 39998933
This is a problem with the firewall that has existed for over a year.  I would recommend updating the firmware on the firewall as a start.  It seems pretty clear you're dealing with old, flaky hardware.

I'm afraid I cannot take troubleshooting any further without violating terms of service here on Experts Exchange (downloading firmware from non-standard sources, etc).  So I am at a loss as to what to tell you to do other than either get SmartNet on the device, or replace the firewall.  I'm not sure which would be the cheaper option.

Author Comment

ID: 39998959
Thank you very much for your help, experts, and sorry for any aggravation I may have caused by not putting the link to the previously posted question; for some reason I thought I was only allowed to put the question's ID, not a link to it!
I'll renew the SMARTnet contract or replace the firewall.

Expert Comment

by:Iain MacMillan
ID: 40008608
No worries, renewing the contract will likely be cheaper (you may need to get a RAM upgrade if the unit doesn't already have at least 1GB; the FW main page will tell you what you have -- total memory and total flash, top left on the main ASDM page).

Costs will vary from country to country, but since it's lapsed it might initially be more expensive now, and next year it will be cheaper just renewing. For example, in the UK my ASA 5500 series device incurs about £500 per year for 24x7x4 (4 hour fix) SMARTnet.

Accepted Solution

Shando1971 earned 0 total points
ID: 40328355
It turns out to be the Comcast DNS!!
After I switched to Google DNS on our domain controller, the problem is fixed and it has stayed fixed up until the date of this comment. I really appreciate all your help.

Author Closing Comment

ID: 40336144
Found DNS events on the Exchange server; changed the DNS from Comcast to Google on the domain controller.
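The thread spent months on the firewall while the root cause was name resolution. A small diagnostic that reports which layer of the mail path fails first (resolver, TCP to port 25, or neither) would have separated those two cases on day one. This is an added example, not code from any post; the hostname is a placeholder and the `resolve`/`connect` hooks exist so the logic can also be exercised with fakes.

```python
import socket
from typing import Callable, List, Tuple

# Hooks so the same logic can run against real DNS/TCP or against fakes.
Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int, float], None]


def resolve_a(host: str) -> List[str]:
    """Real resolver: OS lookup (on a domain member, the DNS the DC hands out)."""
    infos = socket.getaddrinfo(host, 25, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip: str, port: int, timeout: float) -> None:
    """Real connector: bare TCP handshake to the port, no SMTP banner read."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def classify_smtp_path(host: str, port: int = 25, timeout: float = 5.0,
                       resolve: Resolver = resolve_a,
                       connect: Connector = tcp_connect) -> Tuple[str, str]:
    """Report which layer of the mail path fails first.

    Returns (layer, detail) with layer one of:
      'dns'     - the name does not resolve: a resolver problem (this thread's cause)
      'network' - it resolves but TCP to the port fails: firewall/ACL/route/inspect
      'ok'      - TCP handshake completed: look at the MTA or anti-spam box instead
    """
    try:
        ips = resolve(host)
    except OSError as exc:          # socket.gaierror is an OSError subclass
        return "dns", f"{host}: {exc}"
    if not ips:
        return "dns", f"{host}: resolver returned no addresses"
    failures = []
    for ip in ips:
        try:
            connect(ip, port, timeout)
            return "ok", f"{ip}:{port} accepted the TCP handshake"
        except OSError as exc:      # refused, timed out, unreachable, ...
            failures.append(f"{ip}:{port} -> {exc}")
    return "network", "; ".join(failures)


if __name__ == "__main__":
    # Placeholder name; use the MX host published for your own domain.
    print(classify_smtp_path("mx.example.com"))
```

Run it from outside the perimeter to test the inbound path and from the Exchange or GFI host to test outbound; a 'dns' result on the inside host points at the resolver the domain controller is using, not at the firewall.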
