
smtp problem on PIX506e


epronto

IS-IT--Management
Mar 9, 2005
15
CA
Hi there,
I have a strange problem. Here it goes:
Exchange 2003 is behind PIX, static NAT is configured on PIX, no fixup protocol smtp. Sometimes (doesn't seem to be any pattern but approx. once a week) we stop receiving e-mails. My first check is to telnet smtp from the internet and of course it's unsuccessful. show xlate indicates everything is in place and monitoring the logs with the syslog server shows that translation takes place. My solution is to run clear xlate and I start immediately getting e-mails and telnetting also works.
My thought is that because I have a second smtp static translation to a different server it somehow affects my main smtp.
Any idea would be much appreciated.
 
It could be possible xlate entries are not releasing when they should, or you have one or more machines generating an enormous amount of translations. When the problem happens again, do a "show xlate debug" and try to determine if there are any xlates which should have expired but didn't do so.
Try to determine the amount of xlates at the time the problem reappears with the "show xlate count" command. Of course it could be something else, but if a clear xlate solves the issue it points in that direction.
 
Thanks,
however I set it up one Saturday when nobody was in the office and on Sunday I noticed we didn't receive e-mails.
So I guess it couldn't be an excessive amount of xlates, though I didn't check it then.
In practice, are there any limitations on the amount of translations the PIX506e can support? (I didn't find any while reading on this firewall.)
 
Well, the documents say the PIX 506E can handle 25000 concurrent connections, but I'm not sure if in practice this number is accurate.
 
As per the logs the PIX is usually at 250-300 translations. This doesn't seem too high.
I noticed though that when I telnet to my secondary smtp server right after telnetting to the primary, smtp is either slow or can't connect at all. Doesn't it seem bizarre? Maybe PIX can't support two smtp static translations, or has a bug, or what else?
 
Why don't you post a sample of your config?

Computer/Network Technician
CCNA
 
User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ********
pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password McbyqAroI5d2OaN/ encrypted
passwd Y8Ku4HI1dpTUN159 encrypted
hostname pixfirewall
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.y.38.50 eq smtp
access-list acl_out permit gre any host x.y.38.52
access-list acl_out permit tcp any host x.y.38.52 eq pptp
access-list acl_out permit tcp any host x.y.38.51 eq smtp
access-list acl_out permit tcp any host x.y.38.50 eq imap4
access-list acl_out permit udp any host x.y.38.50 eq 143
access-list acl_out permit tcp any host x.y.38.51 eq pop3
access-list acl_out permit tcp any host x.y.38.50 eq ftp
access-list acl_out permit tcp any host x.y.38.51 eq www
access-list acl_out permit tcp any host x.y.38.50 eq www
access-list acl_out permit tcp any host x.y.38.51 eq https
access-list acl_out permit udp any host x.y.38.51 eq 443
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.1.1
no logging message 106011
mtu outside 1500
mtu inside 1500
ip address outside x.y.38.55 255.255.255.240
ip address inside 192.168.1.253 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.y.38.58-x.y.38.61 netmask 255.255.255.240
global (outside) 1 x.y.38.62 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.y.38.50 smtp 192.168.1.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp x.y.38.52 1723 192.168.1.17 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.52 pptp 192.168.1.17 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.51 smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.50 imap4 192.168.1.11 imap4 netmask 255.255.255.255 0 0
static (inside,outside) udp x.y.38.50 143 192.168.1.11 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.51 pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.50 ftp 192.168.1.16 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.51 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.50 255.255.255.255 0 0
static (inside,outside) tcp x.y.38.51 https 192.168.1.16 https netmask 255.255.255.255 0 0
static (inside,outside) udp x.y.38.51 443 192.168.1.16 443 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.y.38.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.254.0 inside
snmp-server host inside 192.168.1.157
no snmp-server location
no snmp-server contact
snmp-server community pixfirewall
snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.254.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:08ae0e9f1fc230633928db2f1aa66360
: end
pixfirewall#
 
Post a "show conn count", "show xlate count" and "show xlate debug".
 
Here it goes, and by the way, thanks for your time.
User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ********
pixfirewall# sh conn count
113 in use, 3049 most used
pixfirewall# sh xlate count
108 in use, 426 most used
pixfirewall# sh xlate debug
94 in use, 426 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
TCP PAT from inside:192.168.1.9/25 to outside:x.y.38.50/25 flags sr idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2425 to outside:x.y.38.62/59687 flags r idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1074 to outside:x.y.38.62/19239 flags r idle 21:13:37 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1068 to outside:x.y.38.62/19234 flags r idle 21:13:38 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2424 to outside:x.y.38.62/59683 flags r idle 0:00:33 timeout 0:00:30
TCP PAT from inside:192.168.2.11/1478 to outside:x.y.38.62/64801 flags r idle 24:16:06 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2428 to outside:x.y.38.62/59694 flags r idle 0:00:09 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2429 to outside:x.y.38.62/59695 flags r idle 0:00:09 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2426 to outside:x.y.38.62/59692 flags r idle 0:00:16 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1860 to outside:x.y.38.62/59693 flags r idle 0:00:15 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1857 to outside:x.y.38.62/59690 flags r idle 0:00:17 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1858 to outside:x.y.38.62/59691 flags r idle 0:00:17 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1856 to outside:x.y.38.62/59688 flags r idle 0:00:23 timeout 0:00:30
TCP PAT from inside:192.168.1.9/3008 to outside:x.y.38.62/59689 flags r idle 0:00:07 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2430 to outside:x.y.38.62/59696 flags r idle 0:00:09 timeout 0:00:30
TCP PAT from inside:192.168.2.176/3725 to outside:x.y.38.62/59142 flags r idle 0:08:33 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3854 to outside:x.y.38.62/59655 flags r idle 0:00:52 timeout 0:00:30
TCP PAT from inside:192.168.2.179/1093 to outside:x.y.38.62/59652 flags r idle 0:01:03 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3850 to outside:x.y.38.62/59650 flags r idle 0:01:04 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3851 to outside:x.y.38.62/59651 flags r idle 0:01:04 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1845 to outside:x.y.38.62/59649 flags r idle 0:01:04 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3864 to outside:x.y.38.62/59662 flags r idle 0:00:58 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3862 to outside:x.y.38.62/59660 flags r idle 0:00:58 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3863 to outside:x.y.38.62/59661 flags r idle 0:00:58 timeout 0:00:30
TCP PAT from inside:192.168.2.24/1254 to outside:x.y.38.62/50957 flags r idle 1:54:46 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3855 to outside:x.y.38.62/59656 flags r idle 0:01:00 timeout 0:00:30
TCP PAT from inside:192.168.2.168/2074 to outside:x.y.38.62/59671 flags r idle 0:00:54 timeout 0:00:30
TCP PAT from inside:192.168.2.24/1256 to outside:x.y.38.62/50963 flags r idle 1:54:36 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3866 to outside:x.y.38.62/59664 flags r idle 0:00:57 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3867 to outside:x.y.38.62/59665 flags r idle 0:00:57 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2421 to outside:x.y.38.62/59676 flags r idle 0:00:43 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1057 to outside:x.y.38.62/19228 flags r idle 21:13:51 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2422 to outside:x.y.38.62/59677 flags r idle 0:00:43 timeout 0:00:30
TCP PAT from inside:192.168.2.15/4956 to outside:x.y.38.62/40221 flags r idle 4:03:16 timeout 0:00:30
TCP PAT from inside:192.168.2.168/2077 to outside:x.y.38.62/59674 flags r idle 0:00:53 timeout 0:00:30
TCP PAT from inside:192.168.2.168/2078 to outside:x.y.38.62/59675 flags r idle 0:00:53 timeout 0:00:30
TCP PAT from inside:192.168.2.168/2076 to outside:x.y.38.62/59673 flags r idle 0:00:54 timeout 0:00:30
TCP PAT from inside:192.168.2.16/4286 to outside:x.y.38.62/57703 flags r idle 0:32:38 timeout 0:00:30
TCP PAT from inside:192.168.2.159/1068 to outside:x.y.38.62/41333 flags r idle 3:45:39 timeout 0:00:30
TCP PAT from inside:192.168.2.192/1129 to outside:x.y.38.62/40309 flags r idle 4:02:16 timeout 0:00:30
TCP PAT from inside:192.168.2.172/2611 to outside:x.y.38.62/55731 flags r idle 0:57:03 timeout 0:00:30
TCP PAT from inside:192.168.2.18/1063 to outside:x.y.38.62/42881 flags r idle 3:29:25 timeout 0:00:30
TCP PAT from inside:192.168.2.192/1148 to outside:x.y.38.62/40330 flags r idle 4:02:07 timeout 0:00:30
TCP PAT from inside:192.168.2.192/1147 to outside:x.y.38.62/40329 flags r idle 4:02:07 timeout 0:00:30
TCP PAT from inside:192.168.2.194/2223 to outside:x.y.38.62/48535 flags r idle 2:23:10 timeout 0:00:30
TCP PAT from inside:192.168.2.16/4105 to outside:x.y.38.62/49563 flags r idle 2:14:49 timeout 0:00:30
TCP PAT from inside:192.168.2.162/1526 to outside:x.y.38.62/59288 flags r idle 0:06:08 timeout 0:00:30
UDP PAT from inside:192.168.2.176/6350 to outside:x.y.38.62/1507 flags r idle 16:27:44 timeout 0:00:30
TCP PAT from inside:192.168.2.20/3779 to outside:x.y.38.62/44019 flags r idle 3:08:24 timeout 0:00:30
TCP PAT from inside:192.168.2.115/1100 to outside:x.y.38.62/40956 flags r idle 3:47:42 timeout 0:00:30
TCP PAT from inside:192.168.1.16/443 to outside:x.y.38.51/443 flags sr idle 0:01:37 timeout 0:00:30
NAT from inside:192.168.2.197 to outside:x.y.38.60 flags - idle 0:04:13 timeout 0:05:00
NAT from inside:192.168.1.1 to outside:x.y.38.59 flags - idle 0:01:34 timeout 0:05:00
NAT from inside:192.168.2.199 to outside:x.y.38.61 flags - idle 0:03:44 timeout 0:05:00
TCP PAT from inside:192.168.1.17/1723 to outside:x.y.38.52/1723 flags sr idle 7:02:09 timeout 0:00:30
GRE PAT from inside:192.168.1.17/50151 to outside:x.y.38.52/46 flags r idle 7:02:06 timeout 0:00:30
GRE PAT from inside:192.168.1.17/1723 to outside:x.y.38.52/45 flags r idle 7:02:06 timeout 0:00:30
TCP PAT from inside:192.168.2.116/1075 to outside:x.y.38.62/20020 flags r idle 21:00:20 timeout 0:00:30
TCP PAT from inside:192.168.2.162/4179 to outside:x.y.38.62/51262 flags r idle 1:50:44 timeout 0:00:30
TCP PAT from inside:192.168.2.178/1089 to outside:x.y.38.62/40037 flags r idle 4:09:20 timeout 0:00:30
TCP PAT from inside:192.168.2.139/1178 to outside:x.y.38.62/46176 flags r idle 2:44:46 timeout 0:00:30
TCP PAT from inside:192.168.2.172/2372 to outside:x.y.38.62/45687 flags r idle 2:50:07 timeout 0:00:30
TCP PAT from inside:192.168.2.172/2367 to outside:x.y.38.62/45680 flags r idle 2:50:10 timeout 0:00:30
TCP PAT from inside:192.168.2.172/2374 to outside:x.y.38.62/45691 flags r idle 2:50:07 timeout 0:00:30
NAT from inside:192.168.1.22 to outside:x.y.38.58 flags - idle 0:00:56 timeout 0:05:00
TCP PAT from inside:192.168.2.168/1080 to outside:x.y.38.62/39518 flags r idle 4:36:41 timeout 0:00:30
TCP PAT from inside:192.168.2.167/1531 to outside:x.y.38.62/59559 flags r idle 0:02:12 timeout 0:00:30
TCP PAT from inside:192.168.2.167/1105 to outside:x.y.38.62/51368 flags r idle 1:49:14 timeout 0:00:30
TCP PAT from inside:192.168.2.167/1534 to outside:x.y.38.62/59572 flags r idle 0:02:10 timeout 0:00:30
TCP PAT from inside:192.168.2.176/3718 to outside:x.y.38.62/59059 flags r idle 0:09:48 timeout 0:00:30
TCP PAT from inside:192.168.2.126/1040 to outside:x.y.38.62/59524 flags r idle 0:02:50 timeout 0:00:30
TCP PAT from inside:192.168.2.155/4419 to outside:x.y.38.62/1686 flags r idle 24:01:09 timeout 0:00:30
TCP PAT from inside:192.168.2.101/2860 to outside:x.y.38.62/52370 flags r idle 1:36:42 timeout 0:00:30
TCP PAT from inside:192.168.2.176/3417 to outside:x.y.38.62/42642 flags r idle 3:32:02 timeout 0:00:30
TCP PAT from inside:192.168.2.179/1086 to outside:x.y.38.62/59548 flags r idle 0:02:24 timeout 0:00:30
TCP PAT from inside:192.168.2.122/1082 to outside:x.y.38.62/44262 flags r idle 3:05:32 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3828 to outside:x.y.38.62/59630 flags r idle 0:01:36 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3829 to outside:x.y.38.62/59631 flags r idle 0:01:35 timeout 0:00:30
UDP PAT from inside:192.168.2.172/123 to outside:x.y.38.62/237 flags r idle 2:45:54 timeout 0:00:30
TCP PAT from inside:192.168.2.120/1118 to outside:x.y.38.62/43754 flags r idle 3:13:33 timeout 0:00:30
TCP PAT from inside:192.168.2.2/3490 to outside:x.y.38.62/4855 flags r idle 23:31:19 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3830 to outside:x.y.38.62/59632 flags r idle 0:01:34 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3843 to outside:x.y.38.62/59644 flags r idle 0:01:18 timeout 0:00:30
TCP PAT from inside:192.168.2.120/1882 to outside:x.y.38.62/59132 flags r idle 0:08:54 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3845 to outside:x.y.38.62/59645 flags r idle 0:01:17 timeout 0:00:30
TCP PAT from inside:192.168.2.163/3838 to outside:x.y.38.62/59641 flags r idle 0:01:18 timeout 0:00:30
TCP PAT from inside:192.168.2.109/3417 to outside:x.y.38.62/59590 flags r idle 0:02:01 timeout 0:00:30
TCP PAT from inside:192.168.2.109/3415 to outside:x.y.38.62/59589 flags r idle 0:02:01 timeout 0:00:30
TCP PAT from inside:192.168.2.172/2614 to outside:x.y.38.62/56015 flags r idle 0:54:22 timeout 0:00:30
TCP PAT from inside:192.168.2.176/3628 to outside:x.y.38.62/53468 flags r idle 1:22:11 timeout 0:00:30
pixfirewall#

 
I am not 100% sure if this is the reason but there are some xlate entries which have been idle for quite some time:

TCP PAT from inside:192.168.2.158/1074 to outside:x.y.38.62/19239 flags r idle 21:13:37 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1068 to outside:x.y.38.62/19234 flags r idle 21:13:38 timeout 0:00:30
TCP PAT from inside:192.168.2.11/1478 to outside:x.y.38.62/64801 flags r idle 24:16:06 timeout 0:00:30

Xlate entries should have timed out long ago:

timeout xlate 0:05:00

but since you have the connection timeout greater than the xlate timeout some xlates remain:

timeout conn 1:00:00

The xlate timeout should be greater than the connection (half-closed, udp, etc.) timeout, so you should modify these values to meet this criteria. I am suspecting that at problem times there are so many xlate entries which didn't expire, causing you the problem. Hence, a clear xlate solves the problem. Take into account that this is my suspicion, since there is no data at the time of the problem prior to a clear xlate command.
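As an added example (not code from any poster in this thread), a small Python parser for the "show xlate debug" format quoted above. It does by script what the reply above does by eye, listing dynamic entries whose idle time already exceeds their own timeout, and it also counts translations per inside host, which the first reply suggested checking for a machine generating an enormous amount of translations. The sample lines are copied from the output posted in this thread (x.y addresses are the poster's placeholders).

```python
import re
from collections import Counter

# Sample lines taken from the "show xlate debug" output posted in this thread.
SAMPLE = """\
TCP PAT from inside:192.168.1.9/25 to outside:x.y.38.50/25 flags sr idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1074 to outside:x.y.38.62/19239 flags r idle 21:13:37 timeout 0:00:30
TCP PAT from inside:192.168.2.158/1068 to outside:x.y.38.62/19234 flags r idle 21:13:38 timeout 0:00:30
TCP PAT from inside:192.168.2.11/1478 to outside:x.y.38.62/64801 flags r idle 24:16:06 timeout 0:00:30
TCP PAT from inside:192.168.2.33/2425 to outside:x.y.38.62/59687 flags r idle 0:00:30 timeout 0:00:30
NAT from inside:192.168.2.197 to outside:x.y.38.60 flags - idle 0:04:13 timeout 0:05:00
UDP PAT from inside:192.168.2.172/123 to outside:x.y.38.62/237 flags r idle 2:45:54 timeout 0:00:30
"""

# One xlate line: optional protocol, PAT or NAT, inside/outside addr[/port], flags, idle, timeout.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|GRE)\s+)?(?P<kind>PAT|NAT) from "
    r"(?P<in_if>\w+):(?P<in_addr>[^\s/]+)(?:/(?P<in_port>\d+))? to "
    r"(?P<out_if>\w+):(?P<out_addr>[^\s/]+)(?:/(?P<out_port>\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)$"
)

def hms_to_seconds(text):
    """Convert the PIX h:mm:ss idle/timeout notation to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_xlates(output):
    """Return one dict per xlate line; header lines ("Flags: ...", counts) are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["idle_s"] = hms_to_seconds(d["idle"])
            d["timeout_s"] = hms_to_seconds(d["timeout"])
            entries.append(d)
    return entries

def stale_xlates(entries):
    """Dynamic (non-static, no 's' flag) xlates idle longer than their own timeout."""
    return [e for e in entries if "s" not in e["flags"] and e["idle_s"] > e["timeout_s"]]

def xlates_per_host(entries):
    """Translations per inside host, to spot one machine burning through PAT ports."""
    return Counter(e["in_addr"] for e in entries)

if __name__ == "__main__":
    xl = parse_xlates(SAMPLE)
    for e in stale_xlates(xl):
        print(f"stale: {e['in_addr']}/{e['in_port']} idle {e['idle']} > timeout {e['timeout']}")
    print(xlates_per_host(xl).most_common(3))
```

Paste the full "show xlate debug" output into SAMPLE (or read it from a file) to run it against a real capture; entries idle for hours against a 30-second timeout are the ones the reply above points at.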
 
I've just read about it at Cisco and they say the timeout default value for xlate is three hours (I had 5 minutes).
It's bizarre because I never changed that setting.
I changed that back to three hours. Let's hope this was the case. I'll know if the problem's gone within a week.
Thanks for your time and expertise.
 
I have almost the same issue. We have four VPN sites; none of the VPN sites can access the Exchange 2000 server using Outlook. We can telnet to the Exchange box from these subnets and ping. But for some reason Outlook on all clients will not work. I checked the show xlate debug and the default timer is correct at 3 hours. I know that Outlook uses RPC to connect to the Exchange server for connection. I did a show timeout and the rpc protocol is set to 10 minutes. We also have disabled the mail guard feature on all PIXes. Thanks for any help.
 
Check the MTU and look for fragmentation. We had the same issue, and as I recall reducing the MTU at one or both sites fixed it.
 
First off, thanks for the reply lgarner and NetworkGhost. What should the MTU be reduced to?
 
I'm not sure if these are the current settings for the MTU on the inside?

show mtu

mtu outside 1500

mtu inside 1500

Shouldn't that be bumped up more?
 
OK, so I seem to have a session problem too. I did a clear xlate and all Outlook clients on VPN can access Exchange. But I still don't know where the problem is coming from. Any ideas?
 
Sure this helps.
I didn't see your config, but it's known you have to disable Mailguard if you use Exchange. Here is the command:
no fixup protocol smtp 25
Good luck
 