Cisco Firewall :: ASA5510 - Giving Error 421 SMTP And Connection Lost
Oct 10, 2011
I've got some problem with my Mail Server since I've migrated to an ASA5510. Actually the server is in a DMZ with a private IP (10.x.x.2) and it is translated to a public IP (194.x.x.65). Some users received in their mailbox a system administrator error message: "Object : Impossible to deliver : test. Your message could not be deliver to one or more of its recipients: 421 SMTP connection went away!" When they try to resend it some time later, the message is sent without problem.
We have an ASA5510 with the IPS ASA-SSM-10 module installed. All is working well except event notification. When sending a test email from the SSM IPS, we get the error "could not connect to SMTP host". The Exchange SMTP host does allow traffic from the IPS and ASA. I can ping to the SMTP host by IP and name. What am I missing here?
Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 126.96.36.199 12345 188.8.131.52 25.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
[code]...
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to do some successful testing to prove otherwise.
I've got some problem with my Mail Server since I've migrated to an ASA5510. Actually the server is in a DMZ with a private IP (10.x.x.2) and it is translated to a public IP (194.x.x.65). I use these configuration :
I am currently on the Time Warner Cable 10 Mbps package, and am using their wireless DOCSIS3 modem/router. It is connected in my bedroom to the main computer. That computer stays connected. However, throughout the rest of the house (we have a two-story townhome) it will drop completely or give limited connection... constantly. Sometimes I can have my laptop next to me and it will go out or give limited connection. The connection speed never drops, it just goes completely to no connection. Not for sure what is going on, if it's on my end or Time Warner. It has been doing this for quite some time; the cable company comes out and changes the modem, but that's it, a couple of days later it goes back to doing it again.
I had been working on our client servers through Cisco VPN using an internet datacard. But for the past 3 weeks, after logging into Cisco VPN using my username/password, when I try to connect to any of the servers, it is giving a connection timed out error.
Whereas, my team members across other locations are able to connect to the servers using my VPN username/password.
I thought there might be some issue with my laptop or internet datacard. I got my laptop formatted, even tried out with fresh new laptops & new internet datacards, but the issue remains the same.
I have tried using vpn_5.0.06.0160-k9 & vpnclient-5.0.05.0290-k9 to connect but the issue did not get resolved.
I have 2 datacenters running the same equipment (two Nexus 5596 with FEX). I just took a look at the log just to see if everything is OK and I saw that I have the same error message (a lot of times) at both locations:
%SYSMGR-FEX100-5-HEARTBEAT_LOSS: Service "satctrl" heartbeat loss 2 ,max 7
I thought it was a problem with my peerlink-keepalive connection but I see the word FEX... so I'm not sure...
Note that at both locations, my Nexus are connected back to back through the management port using transceivers. So it's a copper cable from the first nexus, going into a transceiver, going to another transceiver in fiber and then back to copper to the other nexus.
I have a L2L IPSEC tunnel between a failover pair of two ASA5510's and a single ASA5505. Over time they will lose connectivity through the tunnel. The tunnel itself stays up, but cannot pass any traffic. When looking at the tunnel I always see this on the set of 5510's (marked in bold @ IPSEC ID 3)?
I have an E1200 and am having timeout and packet loss issues. The internet connection is fine for 30 seconds to five minutes and then everything times out for 15-20 seconds. Although it’s only a minor inconvenience to web browsing, it makes playing games and watching videos a nightmare. “Lost connection to server error.” and the like…
I upgraded to a new router, the E1200 I am currently using, from my Tenda 10/100 N. The problems were the same that I am experiencing currently and the reason I bought it in the first place. When I directly connect to the cable modem, I have no issues and everything is fine. I have run a trace route and the second hop (the router to the modem) is the choke point. I have cloned the MAC address. I have updated the firmware and hard reset.
I have throttled my MTU to automatic, 1500, and 1472. None making any difference. I have disabled NAT and all that does is kill my internet connection. I have disabled all firewalls, router and Windows, no change. I replaced the physical wire from the router to the modem. I have disconnected all devices except one computer, and no difference. I ran a DNS trace and I have… non routable local internet address 192.168.1.1 DNS-cac-lb-01.rr.com and DNS-cac-lb-02.rr.com. I am using Windows 7 and my ISP is Time Warner So-Cal.
Up to today I used Verizon 4G to a Windows Vista box running Internet Connection Sharing to get my home lab connected to the Internet. All was working well.
Today I had Hughesnet come and install their service and I can no longer get access to the Internet from my PC network. My VPN to my office for my IP phone comes up and works just fine. At the router I do have Internet access, which then leads me to believe that my problem is NAT related.
My router is a 2851.
When I enter PING 184.108.40.206 I get !!!!! but when I enter PING 220.127.116.11 SOURCE 192.168.69.3 I get .....
I'm trying to connect two routers, a Cisco DPC3825 (r1) and a DIR-655 (r2), and at the end getting the error. I have disabled the SPI firewall on r1 and connected an ethernet cable LAN to LAN between the two. I don't want to confuse with whatever mess I have done previously. Tell me step by step what I should do to connect these two routers. PS: in addition, the gateway IP of r1 is 192.168.0.1 with subnet mask of 255.255.254.0 and the gateway IP of r2 is 192.168.0.2 with subnet mask of 255.255.255.0. r1 has an IP range of 192.168.0.10 to 192.168.0.128 while r2 has a range of 192.168.0.100 to 192.168.0.199.
After a successful installation of NCS 1.2 into a VMware environment and running the setup, I have the following error while trying to start or to have a status for NCS (ncs start or ncs status): sh: /opt/CSCOlumos/bin/wcsadmin.sh No such file or directory
I have a WiFi printer connected to a CWAPP Cisco AP AP1250. I am using WPA2-PSK to connect to this AP. I find that the printer connects to the AP at times and at times it does not. I got an error message from the Capture an error on the backend controller of the network: "Authentication Request received invalid RSN IE Mismatch WP2 algorithm"
The problem is that one of the clients loses the connection to the network from time to time. The error in the WLC log is:
*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70
I have an 1841 that was working fine - I could SSH to it with my Radius login and console into it with local credentials ("Fred"). I added another user ("Mike") with priv 15 so the end user could log in locally via console if needed. After that, we can both log in via console, but when we try to enter privileged mode we get "% Error in Authentication", before even entering the password. I can still log in via Radius SSH with no problems and access privilege mode via SSH. What am I missing so we can have two different users be able to log in locally with different credentials and access privileged mode, and keep my SSH Radius working?
We're seeing "OutDiscard" error on a LAN switch connected to newly migrated Cisco IP phones. All the other error counters are clean except for the OutDiscard. (please see attached "show int count err" output.) [URL].
According to the link above, the common cause of such discards can be to free up buffer space. (Am I seeing a switch buffer issue?) How to identify/resolve the cause of the OutDiscard. The switch is a 3750-E running c3750e-universalk9-mz.122-44.SE6.bin
I was using my internet on my Acer Windows 7 operating system wireless just fine on Monday. I tried to use it on Tuesday and could not connect to the internet wireless any longer. I get an error message next to my network stating "The settings saved on this computer do not match the requirements of the network". I have never encountered this kind of problem before. I proceeded to call Comcast, who did all kinds of trivial beginner troubleshooting such as restart the router, restart the modem, turn on and off the computer.
Just bought my first wireless router. When I insert the CD and start setup, after a few seconds I get Error 301: internal error. I have rebooted and still no luck. I've tried going to 192.168.1.1; I got in one time but didn't understand half the stuff. Now I can't go back into that page.
I have a Cisco ASA 5520 that was working properly. I tried to create a VPN IPSEC to test but when I finished the wizard I lost the connection between the inside interface and outside. I use another interface for DMZ and another for the printers network but these adapters are working properly. I have reviewed the NATs and the ACLs but I don't see the problem?
I have deleted the VPN IPSEC but it's still not working and I have the network down.
I have a monitoring rule that checks the number of connections on the firewall using the following command: show conn count
My results are always between 3,000 and 9,000. A while back, I had an issue where all 130,000 connections were being used up. I configured a service policy to limit the number of connections between any two end points.
I'm monitoring the error logs and I'm noticing that my connection limit rule is being triggered on a regular basis. I receive the following message: Per-client connection limit exceeded 20000/20000 for output packet from x.x.x.x to x.x.x.x on interface outside
I'm confused as to the difference between the connections limited by my rule and the connections shown by "show conn count". Why do I never see any connections higher than 9,000 using "show conn count" yet I am seeing alerts stating that the firewall has reached 20000 connections? My firewall is an ASA5510 running.
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs where we have set 3-High for all logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
Trying to connect two systems together but it was giving an error to contact the network administrator. One system is a laptop with wireless and the other is a desktop connected through cable but running Windows XP. Samson
I bought a Belkin N150 recently. I tried to configure it with my ISP. They are surprised how I don't have a DHCP option in the wifi configuration and asked me to upgrade my firmware. When I tried to upgrade, I downloaded the firmware from [URL] and tried to upgrade. It is showing a file format error.
Running ASDM V6.3 connecting to a couple of ASA5580's V8.2. After initial configuration everything seemed to work great; however, as of a few days ago I can no longer view statistical information. I can attach to the devices without a problem, view and edit all configuration information, but the dashboard applets do not pull or display any statistical info. Resource, Interface, and Traffic status all time out with the error "Lost Connetion to Firewall". The syslog info is not displayed; rather, the error "Syslog Lost Connection" is. My first thought was a Java issue on the client. I have ripped out and reinstalled, even back-revisioned, to no avail. I'm to the point where a dump of the management workstation is the next step. I'd like to avoid that extreme if possible.
Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the external ports Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured out that the provider switch is only supporting 100 Mbps, which is a bottleneck for us. The provider will be upgrading their switches to a 1 Gb switch.
We will have to swap the switch connections now from the 100 Mbps to the 1 Gb switch. What commands should we familiarize ourselves with? Though this will be done in our maintenance window, all the translations/connections will be dropped in our production environment, so we are kind of scared.
The unit is configured as internet gateway. 4 NAT ports are active. When firewall disabled all works fine. When firewall enabled I do get connection lost at random interval. In firewall only 4 rules added to the default 3 rules. The added rules are:
1/ permit 192.168.1.22 port 25 to any
2/ permit 192.168.1.27 port 25 to any
3/ permit 192.168.1.10 port 25 to any
4/ deny any port 25 to any
I do get at random times connection lost when navigating with Windows Explorer on a PC with IP 192.168.1.x to a share on a PC with IP 172.25.152.74. The same happens when copying files. Sometimes it works, later it fails or retries are needed. When the firewall is switched off all runs fine.
Ping from 192.168.1.x to 172.25.152.74 always gives a <1ms response.
Is there an RV082 performance problem or do I have a configuration problem?
I have ASA 5510s with 8.2.4 and 8.0.x OS and all seem to have a common problem of idle TCP connections not timing out. The host to host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts as well as host specific timeouts using MPF but it doesn't work at all! The problem is when TCP connections are sitting idle in the conn table for days and when the connection limit of 50,000 conns is reached the firewall starts behaving unpredictably, dropping packets or unresponsive! I need the unused idle connections to time out, which is NOT happening either by changing global values or MPF.
Actually all service from site to site is permitted, without restriction. I want to insert an ASA to block some internet traffic on the main site. I try to configure my ASA5510. No problem for outgoing connections or to permit a single service on the main site. But impossible to give access to all services/connections from all remote sites to the main site. [code]
I changed my old firewall for an ASA5510; since that change my internet connection is slower. Some websites take longer to display. I would like to know if there are some specific configurations about TCP connection or DNS to set up?
I just configured the ISP DNS:
dns server-group DefaultDNS
 name-server 18.104.22.168
 name-server 22.214.171.124
I installed a new ASA using version 8.2.2 and ASDM version 6.2.5 in contexts mode. When I enable logging for ASDM as debugging I cannot use the real time log viewer because I have an error "Syslog connection Lost. Try restarting the syslog connection". I tried to reconnect using the icon at the bottom but nothing changes.