
ASA ---> Barracuda --> Exchange emails deferred

Hi all,

I am hoping that someone here has experienced this issue and can shed some light for me! With that being said, let's get to the bottom of this. Our ASA 5510 has been in place for nearly two years, and we have never had any issue whatsoever with it. All along the ASA has been using the default policy. Lately, we have been getting email deferred in our Barracuda Spam Firewall. Google quickly reveals that ESMTP does not play nice with Barracuda, which I disabled even though we haven't had any issue with it before. However, the issue remains; we are still getting email deferred in the Barracuda.

While doing more troubleshooting on the ASA, I noticed that when I issue the command show local-host + IP of the Barracuda, there is an IP address on the outside interface that can get up to 96 UDP port 53 connections with the Barracuda; this connection count never gets lower than 20! However, when checking the default setup for the Barracuda, I have the values below:

Incoming SMTP Timeout: 20

Message per SMTP Session : 8

Maximum SMTP Error SMTP Session: 2

Maximum Connection per Client 30m:40

My question is: if the ASA shows up to 96 DNS sessions with an outside host to my Barracuda, won't that push the Barracuda into email deferred timeouts? Should I change the Barracuda default settings? Or should I change the connection limits for the Barracuda in the ASA?

Any comments or suggestions will be more than appreciated,

Thanks a lot,

Ernest

3 Replies

clark.d
Level 1

Is the email deferred going out or coming in? The Barracuda will make outbound DNS connections if it is the smart host for your Exchange server.

Sent from Cisco Technical Support iPad App

In fact, yes, the Barracuda is doing DNS for Exchange, and the Barracuda had the wrong DNS server! The IP with too many outbound DNS queries is a typo of our legitimate DNS server. And last, the Barracuda connection sessions were fewer than the open connection sessions seen in the firewall.

I now have the DNS IP for the proper DNS server and have also increased the connection limit. It has been more than 12 hours, and I haven't seen any 'deferred' email yet! This connection limit may be the fix, I hope, but I am still monitoring.

Thanks for the assistance,

Ernest

Hi all,

It seems that the connection limits weren't the root of the issue, as I am still getting emails deferred/timeout. But at least now I only have the error for incoming connections, no more outbound! This morning when analysing the log of the ASA, I found a connection to the Barracuda that only lasted one second (start time 08:29:17 and close time 08:29:18). The FW denied the connection as per below; my question here is what does "no connection" from the server mean, did the server refuse the connection?

Dec 02 2011 08:29:18 106015 Server 25 77.X.X.X 3686 Deny TCP (no connection) from Server/25 to 77.X.X.X/3686 flags RST  on interface inside

Dec 02 2011 08:29:18 302014 77.X.X.X 3686 Server 25 Teardown TCP connection 223100284 for Outside:77.X.X.X/3686 to inside:Server/25 duration 0:00:01 bytes 581 TCP FINs

Dec 02 2011 08:29:17 302013 77.X.X.X 3686 Server 25 Built inbound TCP connection 223100284 for Outside:77.X.X.X/3686 (77.X.X.X/3686) to inside:Server/25 (208.x.x.x/25)

Thanks,

Ernest
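
An added example, not part of the thread: the ASA logs 106015 when a non-SYN TCP packet arrives with no matching entry in its connection table, so a useful check is whether each 106015 follows a 302014 teardown of the same flow. The sample lines are constructed in the layout quoted above with documentation-range addresses, and the function name and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the ASDM log-viewer layout quoted in the post
# (documentation-range addresses; the last line is a flow with no teardown).
SAMPLE = """\
Dec 02 2011 08:29:18 106015 Server 25 203.0.113.7 3686 Deny TCP (no connection) from Server/25 to 203.0.113.7/3686 flags RST  on interface inside
Dec 02 2011 08:29:18 302014 203.0.113.7 3686 Server 25 Teardown TCP connection 223100284 for Outside:203.0.113.7/3686 to inside:Server/25 duration 0:00:01 bytes 581 TCP FINs
Dec 02 2011 08:29:17 302013 203.0.113.7 3686 Server 25 Built inbound TCP connection 223100284 for Outside:203.0.113.7/3686 (203.0.113.7/3686) to inside:Server/25 (198.51.100.25/25)
Dec 02 2011 08:31:02 106015 Server 25 203.0.113.9 4410 Deny TCP (no connection) from Server/25 to 203.0.113.9/4410 flags ACK  on interface inside
"""

TS = "%b %d %Y %H:%M:%S"
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \w+:([^/\s]+)/(\d+) "
                      r"to \w+:([^/\s]+)/(\d+) duration \S+ bytes \d+ (.+)")
DENY = re.compile(r"Deny TCP \(no connection\) from ([^/\s]+)/(\d+) "
                  r"to ([^/\s]+)/(\d+) flags (.+?)\s+on interface \S+")

def flow(a, ap, b, bp):
    # Direction-independent key: the deny is logged from the opposite side.
    return frozenset({(a, ap), (b, bp)})

def explain_106015(log_text, window=timedelta(seconds=5)):
    """Pair each 106015 with a teardown of the same flow up to `window` earlier."""
    teardowns, denies = {}, []
    for line in log_text.splitlines():
        if len(line) < 21:
            continue
        when = datetime.strptime(line[:20], TS)
        if (m := TEARDOWN.search(line)):
            cid, a, ap, b, bp, reason = m.groups()
            teardowns.setdefault(flow(a, ap, b, bp), []).append((when, cid, reason.strip()))
        elif (m := DENY.search(line)):
            a, ap, b, bp, flags = m.groups()
            denies.append((when, flow(a, ap, b, bp), flags))
    results = []
    for when, key, flags in sorted(denies, key=lambda d: d[0]):
        # Timestamps have one-second resolution, so "same second" counts as after.
        hit = next(((cid, why) for t, cid, why in teardowns.get(key, [])
                    if timedelta(0) <= when - t <= window), (None, None))
        results.append({"time": when, "flags": flags,
                        "conn": hit[0], "teardown_reason": hit[1]})
    return results

if __name__ == "__main__":
    for r in explain_106015(SAMPLE):
        note = (f"late packet after teardown of {r['conn']} ({r['teardown_reason']})"
                if r["conn"] else "no teardown seen for this flow in the log")
        print(r["time"], r["flags"], "->", note)
```

A 106015 that pairs with a "TCP FINs" teardown is a packet that arrived after both sides had already closed the session; one with no pairing is the case to look at further.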
