Cisco Firewall :: 5510 Exchange Active Sync Stops Working
May 8, 2012
I know that I've run into this before but I can't remember the fix. I have a 5510. The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working. It is tied to the external DNS name of the OWA server (we'll say webmail.abc.com). So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface. What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)
I find are steps to turn on SSH access. I have quite a few customers with ASA5510's installed. SSH is set up and working fine on every one. After a period of time, you are no longer able to SSH into the firewall. Using Putty, it just sits there on a blank screen without giving a "denied access" message or a login prompt. Rebooting the firewall will solve the issue and SSH access works again. Today, I had a customer with and active/standby configuration where I had to reboot both of them to be able to log in. Most of my customers are on 8.2.software as most don't want to reconfigure for the new NAT, etc.
I'm sure others have seen this before since it appears to be occuring on almost every ASA that I have access to. Is there any fix to eliminate this or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
We have a ASA 5510 which was running 8.0.2, we recently upgraded it to 8.2.5 and since the upgrade remote users for exchange 2007 are not able to download any large email attachments(over or close to 1MB). This is only happening to Outlook anywhere users or OWA users who are connecting to the exchange server using https(443) externally. If the same users connects internally they do not face any issue. When i check the logs on ASA i am gettings lots of RESET-O and RESET-I entries. Looks like the connection between the client and the server gets reset.
We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]
Our ASA 5510 has been in place for nearly two years, we never have any issue what so ever with it. All along the ASA has been using the default policy. Lately, we beeen getting email deferred in our Barracuda Spam firewall. Google quickly reveals that ESMTP does not play nice with Barracuda witch i disabled eventhough we haven't had any issue with it before. However, the issue remains, we still getting email deferred in the barracuda.
While doing more troubleshooting on the ASA, I constated when issue the command show local-host + IP of the Barracuda, there is an IP address in outside of the interface that can get up to 96 UDP port 53 connections with the Barracuda, this connection never get lower than 20! However, when checking the default setup for the Barracuda, i have the values below:
Incoming SMTP Timeout: 20 Message per SMTP Session : 8 Maximum SMTP Error SMTP Session: 2 Maximum Connection per Client 30m:40
My question is if that ASA show up to 96 DNS session with an outside host to my barracuda, won't that push the barracuda to play email deferred timeout ? Should I change the barracuda default setting? Or should i change the connections limits for the Barracuda in the ASA?
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
I recently setup a site to site vpn between a asa 5510 and router 1921. It was working great all night and this morning. When traffic stopped rolling through for a few hours the tunnel shutdown. I checked the router using cisco configuration and tells me the tunnel is up. When I check the asa it does not show up in the active tunnels. Any know what would cuase it to drop? and if so what can I do to avoid it.
i've an Cisco ASA 5510 with Security Appliance Software Version 8.0(2), in this ASA i've many L2L tunnels to this ASA, anda sometims new tunnels can't connect, the older tunnels still ok and working, yesterday this situation occured again and i've tried to clear all ipsec tunnels and try to reconnect again no one cames up again. At the time of this situation memory usage was about 78% and CPU is was around 5%. I've made a reload without changes and the situation returns to the normality.
At the time of the fail i've collect the outpu from debug crypto isakmp 255, the outpu was in the annexed file.
I have to be missing something small in my config. If I upgrade my ASA 5510 which I am routing and Na Ting off of, from 8.4.1 to 8.4.2.8, SIP stops. All phones go dead.
If I roll back to 8.4.1, SIP comes up.,... Go back to 8.4(2)8 and SIP goes down.....
This is without making any config changes. I have looked at it so long, I must be overlooking something simple.
If the 5510's support active/active ha. There is conflicting info. on the datasheet stating otherwise.
[URL]. As business needs grow, customers can install a Security Plus license, upgrading two of the Cisco ASA 5510 Adaptive Security Appliance interfaces to Gigabit Ethernet and enabling integration into switched network environments through VLAN support. This upgrade license maximizes business continuity by enabling Active/Active and Active/Standby high-availability services.
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
I am adding a failover asa to an a firewall that is already in production. They are both 5510's, they both have the same abount of ram, have the same code versions. Will there be any downtime while adding the secondary in?
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I can not reach the Internet from the LAN. It seems that no nat translations are taking place.
-I can successfully ping the LAN from the PIX. -I can successfully ping the Internet from the PIX. -I can successfully ping the PIX inside_lan interface from the router -I can not ping the outside interface from the router -I can not ping the Internet from the router
I introduced the LAN side VLAN first and everything still worked. However, once i introduced the VLAN between the router and PIX, things have broken down. [code]
What I am attempting to do is setup snmpv3 on two failover 5510's .The problem I am running into, the snmp management software rejects one of the devices as it sees it as having a duplicate engine ID since the two devices share the same config. Would like to know how this would work in an active/active setup being able to poll both devices.
understanding clear about new Cisco ASA 5515-x, 5525-x.I know that this device supports IPS which is included to this appliance without any additional modules.But can this box support IPS and content-filering (Cisco ASA CX or so..) in the same time.
The problem also in next. Can two ASA 5510 with diffrent modules (in one AIP-SSM and in other CSC-SSM) be in active/active failover design?
I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in. [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
I am managing a firewall setup with some ASA 5510's.One of the rules I have in the ACL list is to allow or deny (By disabling the rule) access to certain subnets.
I have a 3rd party vendor that from time to time need access to specific servers in the infrastructure, but I want to keep a certain level of control when they can access them and especially when they can not.
I know it works fine, I have done several tests to verify when they can connect and when they can not. But, now comes the tricky part, if they are already connected (Remote desktop) to the system, and I disable the rule, they are STILL!!! connected. It seems the firewall does not terminate the active session / cconnection when I disable the rule allowing them access..
I just added a new 5510 failover unit to an existing 5510 and when connecting my new outside interface on an Active/Standby firewall pair, i get errors messages (red x) on each port scan (monitor & syslog) although the error message indicate all ports are good...additionally the firewalls flip between active and standby non stop. I remove the new standby unit outside interface from a shared switch and everything clears up.
Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows: HTTP[TCP/80~80]->10.0.0.6HTTPS[TCP/443~443]->10.0.0.6IMAP[TCP/143~143]->10.0.0.5IMAP SSL[TCP/993~993]->10.0.0.5SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.
I have a asa 5510 vpn client groups configured and connected to the internal network DHCP server stops giving network service dhcp and the network goes down.
My VPN Cisco client connects to the ASA 5510 and everything looks good but when i try send traffic(RDP) severs connects and the logs shows a sync timeout. [code]
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
