Issue with Cisco Asa 5540 firewall and Exchange Mail Flow

Posted on 2014-03-31
Medium Priority
Last Modified: 2014-09-22
ASA 5540 version 7.0(7) in front of Exchange 2003 Enterprise with the latest service pack, and a GFI antispam box. The queue builds up almost on a daily basis, and we have to reload the firewall in order to get the email flowing; it works for a day, then it happens again.
No changes have happened since this started; we have relay taken care of already a long time ago and we are good in that aspect. Also, "no fixup protocol smtp 25" was applied via command line on the firewall.

When I try to connect to our MX record's IP address from outside, I get "Could not open connection to the host, on port 25". If I do an SMTP test on mxtoolbox I get "
Connecting to 173.161.x.y

I'm the only administrator in the company; I have not made any changes for the past 6 months, not even patching the Exchange server, and everything was working fine until 4-5 days ago.

We confirmed in a previous question that it is a firewall issue, not Exchange. Please see question ID28389705.
Question by:Shando1971

Assisted Solution

by:Hassan Besher
Hassan Besher earned 200 total points
ID: 39968064
Try upgrading the software on the Cisco ASA:

To download the ASA software, you must have a valid SMARTnet agreement. Log onto the Cisco Web site; you can find the download here: http://www.cisco.com/cgi-bin/tablebuild.pl/asa

Enter your login information, and click OK. The Web page will list the software downloads. This Web site offers all versions of the ASA software, the Adaptive Security Device Manager (ASDM) GUI for the ASA, and even translators to enable your SSL VPN messages to appear in other languages.

Once you've downloaded the necessary software, follow these steps:

1. Back up your current configuration file using TFTP. Alternatively, you can just paste it into Notepad and save it on your hard drive. Just make sure you have a copy somewhere in case something goes wrong.

2. Determine which version of ASA software you have now. Here's an example:

ASA5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
ASA5510# dir
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
255426560 bytes total (244064256 bytes free)


3. You can use TFTP to move the image to the ASA. Here's an example:

ASA5510# copy tftp disk0
Address or name of remote host []?
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin
Accessing tftp://!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin... !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

3a. Or, all of you GUI lovers out there can use the ASDM GUI to do the transfer

4. Rename your old version to make sure you boot off the new version. Here's an example:

ASA5510# rename asa706-k8.bin asa706-k8.old

5. You can choose to upgrade your version of ASDM using the same method. Version 8.x of the ASA software can run version 6.x of the ASDM. In fact, if you reboot your ASA without upgrading the ASDM, you may not be able to use ASDM after it reboots. You'll find this out when using the show version command, as shown below:

Cisco Adaptive Security Appliance Software Version 8.0(2)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
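To show how steps 2 and 4 of the procedure above can be checked before a reload, here is an added Python example; it is not code from this answer, from Cisco, or from any tool the thread mentions. It parses "show version" and "dir" output (the samples in the block are constructed, modelled on the transcript above) and reports which images on flash are newer than the running one and which old images still need renaming. It assumes the asaMmP / asdmMmP filename convention visible in the transcript (asa706-k8.bin is 7.0(6), asa802-k8.bin is 8.0(2)) and treats only *.bin files as boot candidates.

```python
import re

# Constructed sample output, modelled on the "sh ver" transcript in the answer above.
SHOW_VER_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
"""

# Constructed "dir" output: flash after the new image was copied (step 3)
# but before the old image was renamed (step 4).
DIR_SAMPLE = """\
Directory of disk0:/
5 -rw- 5474304 00:05:00 Jan 01 2003 asa706-k8.bin
675 -rw- 5823980 16:34:26 Nov 07 2006 asdm506.bin
12 -rw- 14524416 10:12:00 Mar 31 2014 asa802-k8.bin
255426560 bytes total (229539840 bytes free)
"""

SOFTWARE_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")
ASDM_RE = re.compile(r"Device Manager Version (\d+)\.(\d+)\((\d+)\)")
# Assumption: image names follow the asaMmP / asdmMmP convention seen in the transcript
# (asa706-k8.bin -> 7.0(6), asdm506.bin -> 5.0(6)); only *.bin files count as boot
# candidates, so a file renamed to .old (step 4) drops out of the comparison.
IMAGE_RE = re.compile(r"\b(asa|asdm)(\d)(\d)(\d)(?:-k\d+)?\.bin\b")


def parse_version(text, pattern=SOFTWARE_RE):
    """Return (major, minor, patch) for the first match of pattern in show-version output."""
    m = pattern.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def list_images(dir_text):
    """Map 'asa' / 'asdm' to the [(version, filename), ...] found in dir output, in file order."""
    images = {"asa": [], "asdm": []}
    for line in dir_text.splitlines():
        m = IMAGE_RE.search(line)
        if m:
            version = tuple(int(d) for d in m.group(2, 3, 4))
            images[m.group(1)].append((version, m.group(0)))
    return images


def format_version(version):
    """Render a version tuple the way show version prints it, e.g. 8.0(2)."""
    return "%d.%d(%d)" % version


def boot_check(show_ver_text, dir_text):
    """Compare the running ASA image with the images on flash.

    newest_asa is the highest-versioned image on flash, newer_available says whether it
    is newer than the running image, and rename_before_reload lists every other ASA
    image, so none of them is picked up instead of the new one after the reload (step 4).
    """
    running = parse_version(show_ver_text, SOFTWARE_RE)
    running_asdm = parse_version(show_ver_text, ASDM_RE)
    images = list_images(dir_text)
    report = {
        "running": running,
        "running_asdm": running_asdm,
        "newest_asa": None,
        "newer_available": False,
        "rename_before_reload": [],
        "asdm_images": [name for _, name in images["asdm"]],
    }
    if not images["asa"]:
        return report
    newest_version, newest_name = max(images["asa"])
    report["newest_asa"] = newest_name
    report["newer_available"] = running is not None and newest_version > running
    if report["newer_available"]:
        report["rename_before_reload"] = [
            name for version, name in images["asa"] if name != newest_name
        ]
    return report


if __name__ == "__main__":
    r = boot_check(SHOW_VER_SAMPLE, DIR_SAMPLE)
    print("running %s, newest on flash %s, newer available: %s"
          % (format_version(r["running"]), r["newest_asa"], r["newer_available"]))
    for name in r["rename_before_reload"]:
        print("rename %s before reloading" % name)
```

Paste the real "sh ver" and "dir" output in place of the constructed samples; an empty rename_before_reload with newer_available set means the old image has already been moved aside, and a newest_asa that equals the running version means the copy in step 3 did not land on flash.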

Author Comment

ID: 39970290
If I had support I would have contacted them and not posted it here :)
LVL 15

Expert Comment

ID: 39994629
Where is the queue backing up?  How are things configured?

Is it:
 GFI-Anti-Spam -> Firewall -> Exchange server?

Author Comment

ID: 39994641
On the GFI box.
The GFI and Exchange server are behind the firewall.
LVL 15

Expert Comment

ID: 39994661
So how is it queuing on GFI if both the GFI and Exchange are behind the firewall?
Do you have the link to the other EE Question you referenced?

Author Comment

ID: 39994691
question ID28389705

I really don't understand why inbound emails get queued on the GFI box with the outbound!

But this is what is happening: both outbound and inbound get stuck, but once we restart the firewall all email flows with no problem.
LVL 15

Assisted Solution

jrhelgeson earned 1200 total points
ID: 39995015
Seriously, I don't know why it's so hard to provide a link to the question.

I looked in your question history, found your question:


and it appears that this issue has stretched back to June of last year?

LVL 15

Expert Comment

ID: 39995021
Let me see if I understand: When you state 'it stops mail flow', it sounds like the outbound queue fills up, and inbound mail flow stops.

Rebooting the firewall fixes the problem, both inbound & outbound works.

How old is your firewall?

Can you provide a "SHOW VERSION" and "SHOW FLASH" on the device?  

You've already disabled the no fixup for SMTP, correct?


Author Comment

ID: 39995078
Actually, the inbound email for some reason makes it to the GFI queue and sits there.
Here is the info for the flash and the ver.

Author Comment

ID: 39995080
I did disable the no fixup but couldn't verify it, as I get the error listed in the question ID I provided.
LVL 15

Expert Comment

ID: 39995210
If you would please post what you had put in your previous questions into this question. I'm no longer going to play detective to fix your problems.

What is the error you get?

Author Comment

ID: 39995235
Here is the error:
"Could not open connection to the host, on port 25"
This is when I try to connect from outside the network.
LVL 20

Assisted Solution

by:Iain MacMillan
Iain MacMillan earned 600 total points
ID: 39998443
If I may step in......SMARTnet is the one thing you need to keep active on your firewall, otherwise you do not get any updates to the software (your software is very much out of date). Given Exch03 is no longer supported, you really should be planning an Exch10 upgrade (you can't go direct to 13).

Current ASA versions are 7.1.5 for the ASDM and 9.0.3 for the ASA itself. Obviously you can't use the latest Java 7 update 51 or you cannot connect via ASDM.

Something has changed somewhere; has GFI been updated?
Or any other security software/AV package??
Check logs on the GFI server, it may indicate why it's not communicating with the FW (DNS or IP address checks done).

If the emails are getting stuck, then the issue is with the GFI server and the firewall -- can you allow the Exch server to link directly to the firewall (change mail flow) to see if everything works then?
LVL 15

Expert Comment

ID: 39998933
This is a problem with the firewall that has existed for over a year.  I would recommend updating the firmware on the firewall as a start.  It seems pretty clear you're dealing with old, flaky hardware.

I'm afraid I cannot take troubleshooting any further without violating terms of service here on Experts Exchange (downloading firmware from non-standard sources, etc).  So I am at a loss as to what to tell you to do other than either get SmartNet on the device, or replace the firewall.  I'm not sure which would be the cheaper option.

Author Comment

ID: 39998959
Thank you very much for your help experts, and sorry for any aggravation I may have caused by not putting the link of the previous posted question, for some reason I thought I'm only allowed to put the question's id not a link to it!
I'll renew the smart net contract or replace the firewall.
LVL 20

Expert Comment

by:Iain MacMillan
ID: 40008608
No worries, renewing the contract will likely be cheaper (you may need to get a RAM upgrade if the unit doesn't already have at least 1GB; the FW main page will tell you what you have -- total memory and total flash, top left on the main ASDM page).

Costs will vary from country to country, but since it's lapsed you might initially be more expensive now, and next year it will be cheaper just renewing. For example in the UK, my ASA 5500 series device incurs about £500 per year for 24x7x4 (4 hour fix) for SMARTnet.

Accepted Solution

Shando1971 earned 0 total points
ID: 40328355
It turns out to be the Comcast DNS!!
After I switched to Google DNS on our domain controller, the problem is fixed and it has been fixed up until the date of this comment. I really appreciate all your help.

Author Closing Comment

ID: 40336144
Found DNS events on the Exchange server; changed the DNS from Comcast to Google on the domain controller.
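The thread spent weeks on the firewall when the fault was in name resolution. As an added example (not code from the thread, from Experts Exchange, or from any vendor named in it), here is a Python triage helper that separates the three places a symptom like "Could not open connection to the host, on port 25" can come from: name resolution, the TCP connection through the firewall, or the SMTP greeting. The resolver and connector are injectable, so the offline run below uses constructed stubs (a resolver that never answers, a resolver that answers from a tiny constructed zone with an RFC 5737 documentation address, and a connector that only greets on port 25); the defaults use the OS resolver and a real TCP connect. The host name, the zone, the address and the stub behaviour are all assumptions.

```python
import socket


def resolve_with_os(name):
    """Default resolver: the OS resolver, A record only (an MX lookup needs a DNS library)."""
    return socket.gethostbyname(name)


def connect_tcp(addr, port, timeout=5.0):
    """Default connector: open a TCP connection and return the peer's first line (the SMTP banner)."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()


def triage(host, resolver=resolve_with_os, connector=connect_tcp, port=25):
    """Report the first stage at which mail delivery to host would fail.

    stage is one of: 'dns' (lookup failed), 'tcp' (no connection on the port),
    'banner' (connected but no 220 greeting) or 'ok'.
    """
    try:
        addr = resolver(host)
    except OSError as exc:          # socket.gaierror is an OSError
        return {"stage": "dns", "host": host, "detail": str(exc)}
    try:
        banner = connector(addr, port)
    except OSError as exc:          # refused, timed out, unreachable ...
        return {"stage": "tcp", "host": host, "addr": addr, "detail": str(exc)}
    if not banner.startswith("220"):
        return {"stage": "banner", "host": host, "addr": addr, "detail": banner}
    return {"stage": "ok", "host": host, "addr": addr, "detail": banner}


def compare_resolvers(host, resolvers, connector=connect_tcp, port=25):
    """Run triage once per named resolver and return {label: stage}."""
    return {label: triage(host, r, connector, port)["stage"] for label, r in resolvers.items()}


# ---- constructed offline scenario (assumptions, not data from the thread) ----
CONSTRUCTED_ZONE = {"mail.example.com": "192.0.2.25"}   # RFC 5737 documentation address


def broken_resolver(name):
    """Stands in for a resolver that stops answering, as the thread's ISP DNS did."""
    raise socket.gaierror("constructed: resolver gave no answer for %s" % name)


def working_resolver(name):
    """Stands in for a resolver that answers from the constructed zone."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    raise socket.gaierror("constructed: NXDOMAIN for %s" % name)


def stub_smtp_connector(addr, port):
    """Stands in for the mail host: greets on port 25 of the constructed address, refuses otherwise."""
    if addr == CONSTRUCTED_ZONE["mail.example.com"] and port == 25:
        return "220 mail.example.com ESMTP ready"
    raise ConnectionRefusedError(
        "constructed: Could not open connection to the host, on port %d" % port)


if __name__ == "__main__":
    stages = compare_resolvers("mail.example.com",
                               {"isp": broken_resolver, "alternate": working_resolver},
                               stub_smtp_connector)
    print(stages)   # {'isp': 'dns', 'alternate': 'ok'}
```

Running the same host through more than one resolver is the check that would have separated this thread's DNS problem from the firewall everyone suspected: if only one resolver fails, the stage is "dns" and the firewall is not at fault; if every resolver answers but the connect fails, the stage is "tcp" and the path through the firewall is the place to look. With the defaults in place of the stubs, the helper makes a real connection, so run it from the side of the firewall whose view you want to test.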
