Can't telnet to outgoing port 25 on ESA C000V

35kod (Level 1)

Hi there,

We are setting up the above appliance to replace a C170. At the moment it's going ok until we try to confirm the outgoing interface is accepting connections. We can telnet xx.xx.xx.xx 25 on the incoming mail port (data1) but not on the outgoing (data2) which has a private listener.

We connect and are instantly disconnected:

Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
554 host.domain.com
Connection closed by foreign host.

NETSTAT on ESA:

tcp4 0 0 xx.xx.xx.xx.25 *.* LISTEN

So I believe it's set up correctly.

We also added the IP address of that interface to the RELAYLIST, and doing that allowed us to telnet to it from the ESA itself (as a test).

We also tried to send an email from the box over telnet on the working interface and that email never delivered even though it was a success message from the command line.

We're behind a firewall and have allowed connections to both ports/IP addresses (we get the telnet session up briefly, so this is not an issue, but just a note).

Any help or guidance would be great and thanks in advance.


14 Replies

dmccabej (Cisco Employee)

Hello,

Firstly, just a heads up that the C000V is not supported in production nor meant to be used for any production/live email traffic. If this is in production, you'll want to move up to a C100V at minimum, or more preferably a C300V/C600V.

For your question, it sounds like you configured the Listener, but, did not configure the Sender Group(s) to allow traffic from whatever IP address you're connecting from. Secondary Private IF/Listener would be rejecting connections by default. 

Are you able to view the mail logs on the ESA while you telnet? You can do something like 'tail mail_logs' from the CLI and then try the telnet connection. It may give you some more detail on why it's being rejected.

Thanks!

-Dennis M.

Hi Denis,

Thanks for the reply. I will check the mail logs first thing in the morning and check the settings you suggested.

Regarding the version, thanks for pointing that out. I don’t control the account, so I have to request the licences. It’s not a massive issue, but if I could get an evaluation licence myself it would save some bother and time.

If not, is it possible to copy the current licence to a new version deploy? Also, our old version was a C170, so we had to manually set up the ESA as the config file wasn’t accepted because of version issues (we presume). So I can probably just export and import the config when I deploy the production version, is this correct?

Thanks again 

The same license that was used for the C000V (should be an .XML file) can be used on an unlimited number of additional virtual machines. So, you would just spin up a new virtual ESA and then apply the same license. 

For migrating from an older x70 device, you can follow the steps in the article here: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214616-migrating-a-configuration-from-an-older.html

When following the steps, just stop after the "Join Your vESA to Your ESA Cluster" section. Clustering devices together is the easiest way to copy any configuration over. You could also export and import the config, but sometimes you can run into issues on different models, different AsyncOS versions, clustered vs. non-clustered, or some other gotchas.

Thanks!

-Dennis M.

Morning Denis,

I have downloaded the C300V and will get it installed soon. I will also request the XML licence file, so hopefully I will have that ready soon. I added the full network we use, xx.xx.xx.xx/8, to the sender group of the interface that is terminating the telnet connection and tried to telnet while tailing the logs. I got the following:

Tue Mar 15 08:30:58 2022 Info:New SMTP ICID 53 interface External_relay (xx.xx.xx.xx) address xx.xx.xx.xx reverse dns host unknown verified no
Tue Mar 15 08:30:58 2022 Info: ICID 53 REJECT SG None match ALL SBRS not enabled country not enabled
Tue Mar 15 08:30:58 2022 Info: ICID 53 close

Tue Mar 15 08:31:16 2022 Warning: System limit reached: connection limit for IP xx.xx.xx.xx on listener OutBoundMail ICID 65: max: 10
Tue Mar 15 08:31:16 2022 Info: ICID 65 Receiving Failed: Connection limit exceeded
Tue Mar 15 08:31:16 2022 Info: ICID 65 close

I believe this is because our DNS is still pointing to the C170 so this issue should resolve when we point our DNS to the new C300V I'm guessing? 

Lastly, I'll take a look at the link you provided but I think we're too far apart in the versions for the "upload configuration" to work as we tried it already and it looks like there's different options in the XML between versions.

Thanks again

Hello,

It looks like you may be adding the connecting IP address in the wrong place as it's not matching the correct Sender Group and Mail Flow Policy. Are you selecting the correct Listener when making these changes?

From the GUI:

  1. Mail Policies --> HAT Overview
  2. From the Listener: drop-down, select the secondary Private listener you configured that you are trying to connect to (looks like OutBoundMail)
  3. Click on the Sender Group (e.g. RELAYLIST) that you wish to add these IP addresses to
  4. Click Add Sender --> Add your IP range in the Sender field (CIDR format is fine)
  5. Click on Submit and then Commit Changes --> Commit Changes

After confirming you've done the above then you can retry the telnet connection.

Thanks!

-Dennis M.

35kod (Level 1)

Hi Denis,

I did that already and it still doesn't work. What I did find was that if I put an entry in the HAT table for 0.0.0.0/0 it works fine and I can send an email from the terminal over telnet.

Another test I did was to add the inbound interface to the HAT table, ssh to the ESA and telnet to the outgoing port, which worked, and if I removed that entry it failed. So these tests lead me to believe that the HAT table is working and the entry is on the correct listener.

Now, if I add my own IP or network to the HAT table the telnet connection is still immediately terminated. So for some reason my specific HAT entry is failing and I can't see why.

Regards

If 0.0.0.0/0 is working, then it sounds like the IP address you're entering is incorrect. You would want to enter the IP address of the connecting (client) machine. So, if you're trying to telnet from your laptop/PC to the ESA, then you would enter the IP address of your laptop/PC. 

You can review and confirm the connecting IP address in the mail logs. It will be what I highlighted below.

Tue Mar 15 08:30:58 2022 Info:New SMTP ICID 53 interface External_relay (xx.xx.xx.xx) address xx.xx.xx.xx reverse dns host unknown verified no
Tue Mar 15 08:30:58 2022 Info: ICID 53 REJECT SG None match ALL SBRS not enabled country not enabled
Tue Mar 15 08:30:58 2022 Info: ICID 53 close

Tue Mar 15 08:31:16 2022 Warning: System limit reached: connection limit for IP xx.xx.xx.xx on listener OutBoundMail ICID 65: max: 10
Tue Mar 15 08:31:16 2022 Info: ICID 65 Receiving Failed: Connection limit exceeded
Tue Mar 15 08:31:16 2022 Info: ICID 65 close
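To make Dennis's check repeatable, here is an added Python example (not from the thread, and not Cisco's own tooling) that parses mail_logs lines in the format quoted above, records the peer address the ESA logged per ICID, and flags the three things this thread turned on: the logged peer differing from the host you telnetted from, the peer being the interface subnet's broadcast address, and no Sender Group entry covering the logged peer. The log lines, addresses, subnet and HAT entries are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mail_logs lines in the format quoted in the thread (all addresses made up).
SAMPLE_LOG = """\
Tue Mar 15 08:30:58 2022 Info: New SMTP ICID 53 interface External_relay (192.0.2.10) address 192.0.2.255 reverse dns host unknown verified no
Tue Mar 15 08:30:58 2022 Info: ICID 53 REJECT SG None match ALL SBRS not enabled country not enabled
Tue Mar 15 08:30:58 2022 Info: ICID 53 close
Tue Mar 15 08:31:16 2022 Warning: System limit reached: connection limit for IP 192.0.2.255 on listener OutBoundMail ICID 65: max: 10
Tue Mar 15 08:31:16 2022 Info: ICID 65 Receiving Failed: Connection limit exceeded
Tue Mar 15 08:40:01 2022 Info: New SMTP ICID 70 interface External_relay (192.0.2.10) address 198.51.100.7 reverse dns host unknown verified no
Tue Mar 15 08:40:01 2022 Info: ICID 70 ACCEPT SG RELAYLIST match 198.51.100.0/24 SBRS not enabled country not enabled
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface (\S+) \((\S+)\) address (\S+)")
VERDICT = re.compile(r"ICID (\d+) (ACCEPT|REJECT) SG (\S+) match (\S+)")
LIMIT = re.compile(r"connection limit for IP (\S+) on listener (\S+) ICID (\d+)")


def parse_mail_logs(text):
    """Summarise each ICID: the interface that took the connection, the peer address the
    ESA saw, and the HAT verdict (ACCEPT/REJECT), or LIMIT when the per-IP cap tripped."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        if m := NEW_ICID.search(line):
            icid, iface, iface_ip, client = m.groups()
            conns[icid].update(interface=iface, interface_ip=iface_ip, client=client)
        elif m := VERDICT.search(line):
            icid, verdict, sg, match = m.groups()
            conns[icid].update(verdict=verdict, sender_group=sg, match=match)
        elif m := LIMIT.search(line):
            client, listener, icid = m.groups()
            conns[icid].update(client=client, listener=listener, verdict="LIMIT")
    return dict(conns)


def diagnose(conn, expected_client, hat_entries, interface_subnet):
    """Flag why a HAT entry may not match: the ESA saw a different peer than the host you
    telnetted from (NAT/proxy in the path), the peer is the interface subnet's broadcast
    address, or no Sender Group entry covers the peer the ESA actually logged."""
    seen = ipaddress.ip_address(conn["client"])
    findings = []
    if seen != ipaddress.ip_address(expected_client):
        findings.append("address_mismatch")
    if seen == ipaddress.ip_network(interface_subnet, strict=False).broadcast_address:
        findings.append("broadcast_address")
    if not any(seen in ipaddress.ip_network(e, strict=False) for e in hat_entries):
        findings.append("no_hat_match")
    return findings
```

Run it against the output of `tail mail_logs` with your own client address, the Sender Group's CIDR entries and the data2 subnet; an "address_mismatch" finding means the Sender Group entry is being compared against a different address than the one you expect.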

Hi Denis,

Yep, I completely agree with you, and I have entered the IP address of my machine on its own, in the form of IP/mask (/32), and the entire /23 range, and none get me in.

That address that you have highlighted comes back as the last/broadcast address of the subnet that we are using for the two interfaces!!

Regards

Hello,

That may be something you need to check further on the networking side, but, at least now you'll be able to test and confirm within the logs which IP address the ESA is seeing during the connection. You could perhaps try to telnet from different clients/servers/network devices/etc to see if maybe that helps you narrow things down. Or if you plan on using Exchange or another SMTP MTA for this connection, then you can telnet from there. 

Thanks!

-Dennis M.

Hi Denis,

OK, I'll try to figure out what's missing. The problem I'm having is that when I telnet to the other (working) interface it's the exact same log, but the connection is persisted.

Regards

Oh actually, here is what I have noticed now that I was logging in from elsewhere.

On the interface that doesn't work it says:

SBRS not enabled country not enabled

On the interface that does work it says:

SBRS None country Ireland

The connection is working on the other Interface/Listener because it is configured properly. Also, SBRS does not come into play on Private Listeners nor for private IP spaces, hence why you see that message and why perhaps the other Listener is accepting the connection. For Private Listeners, you must enter the IP addresses/hosts into the Sender Groups manually. If you have a support contract then it may be easiest just to open up a TAC case so that we can help you take a closer look. It really sounds like a simple misconfiguration on the Sender Group. Though, it's a bit hard to confirm without all the details.

Hi Denis,

Issue resolved. As we both thought, the HAT table was fine. The ESA is behind a firewall, and the rules we had added had enabled NAT by default, hence the reason the connecting client's IP address was wrong. Disabled the NAT option and the HAT table came into effect.

Thanks for your time and patience Dennis.

Regards

That's great to hear! Good catch and thanks for letting us know! 

Thanks!

-Dennis M.