h323 inspection and MS Outlook problems

N3t W0rK3r
Level 3

Hello,

An odd problem suddenly appeared last week that affected remote clients using Outlook to connect back to our corporate Exchange 2003 server.  All these clients were behind Cisco routers that were running either the CBAC or zone-based IOS firewall. 

The problem was that upon launching the Outlook client on the remote PC, the client would not be able to connect to the Exchange server. Using Wireshark I was able to see that there was some kind of problem with the tcp/1720 session that's created during the Outlook launch process... this session just wouldn't progress much past the three-way handshake... it was as if the server was no longer hearing the client.

After doing some research I learned that this port is used by h323 call setup, and since the problem was only affecting remote clients, we looked closer at their site routers. On a hunch, I decided to remove the ip inspect name FIREWALL h323 line from the config for one site as a test. This was found to resolve the problem on this router and the others where the CBAC IOS firewall is used. On the other routers where the ZBF is employed, I simply removed the match protocol h323 line from the appropriate class-map.

What's really puzzling me is that we cannot figure out why this has suddenly come up! The routers' configs haven't changed and neither have the Outlook clients or Exchange server. What's even more weird is that the problem didn't actually occur at all sites at the same time... it affected some sites on one day, and then the next day it spread to other sites, etc.

I believe we've band-aided it for now, but it would be nice to know exactly what happened and why.  Any insight or suggestions you can provide would be really helpful.

Thanks for reading this and have a great day!

John

1 Accepted Solution

Maykol Rojas
Cisco Employee

Hi John,

There are known bugs in regard to the ASA codes and the TCP proxy that the Inspection uses. I see that you are using CBAC and Zone based on IOS. Have you tried to find common bugs on the version you are running?

If not, open a TAC case, I would like to check this deeply.

Mike


2 Replies

Thanks for your response Mike. To add to this, we just deployed a new ASA5540 8.4(4)1 on our WAN edge and found we had to, once again, disable h323 inspection in order for remote Outlook clients to connect to our Exchange server. So this is now happening on multiple platforms, and various firewalls.

I am still troubleshooting other issues that have arisen when we installed the new ASA, so once things stabilize, I will open a TAC case on this issue as you suggested.

Thanks again.

John
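
An added example, not part of the original thread or any poster's code: a Python script that scans saved device configurations for the H.323 inspection lines discussed above (CBAC `ip inspect name ... h323`, ZBF `match protocol h323` inside an inspect class-map, and ASA `inspect h323`), so every site where the workaround still needs applying or reverting can be listed. The device names, class-map names and sample configs are constructed, and the ASA `inspect h323 h225` / `inspect h323 ras` lines are the usual ASA form, assumed here rather than quoted from the thread.

```python
import re

# Constructed sample configs (assumption: not taken from the thread).
SAMPLES = {
    "site-a-cbac": "ip inspect name FIREWALL tcp\nip inspect name FIREWALL h323\n",
    "site-b-zbf": ("class-map type inspect match-any CM-OUT\n match protocol tcp\n"
                   " match protocol h323\n"
                   "class-map type inspect match-any CM-WEB\n match protocol http\n"),
    "edge-asa": ("policy-map global_policy\n class inspection_default\n"
                 "  inspect h323 h225\n  inspect h323 ras\n  inspect ftp\n"),
    "site-c-clean": "ip inspect name FIREWALL tcp\n",
}

CBAC = re.compile(r"^ip inspect name (\S+) h323\b")   # IOS CBAC rule
ZBF_MATCH = re.compile(r"^\s+match protocol h323\b")  # IOS ZBF, inside a class-map
ASA = re.compile(r"^\s+inspect h323\b")               # ASA policy-map class

def find_h323_inspection(config):
    """Return (line_no, kind, context) for each line enabling H.323 inspection."""
    hits, current_cmap = [], None
    for no, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():
            # A new top-level command ends any class-map block we were in.
            is_cmap = line.startswith("class-map type inspect ")
            current_cmap = line.split()[-1] if is_cmap else None
        if (m := CBAC.match(line)):
            hits.append((no, "cbac", m.group(1)))      # context: inspect rule name
        elif current_cmap and ZBF_MATCH.match(line):
            hits.append((no, "zbf", current_cmap))     # context: class-map name
        elif ASA.match(line):
            hits.append((no, "asa", line.strip()))     # context: the inspect line
    return hits

def audit(configs):
    """Map each device name to its H.323 inspection hits (empty list if none)."""
    return {name: find_h323_inspection(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, hits or "no h323 inspection")
```
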
