11-28-2011 06:52 AM - edited 03-11-2019 02:56 PM
Hi All. I have a problem where users on the inside of my network cannot receive emails when they use Outlook and Windows Live to external mail servers. If email is unencrypted (e.g. Hotmail) there are no issues. If, however, email is encrypted (Gmail on port 465 or Outlook over SSL) then the users can receive but cannot send emails. I have already disabled inspect esmtp and I have removed any outbound access-list. I want to see if there is anything else that could be blocking the traffic. How can I do that?
My firewall config is attached.
Marlon
11-28-2011 08:06 AM
Hi,
You can use packet-tracer or capture packets on the ASA to see what the problem is.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
http://www.brianyeager.org/?p=504
Regards.
Alain
11-28-2011 09:38 AM
Hi,
I believe that ASP drop captures will work for you here.
capture asp type asp-drop all headers-only (With the headers-only the ASA won't capture the payload of the packet so the capture buffer won't fill so fast).
After that if you do "show cap asp | inc" and then the IP address that you are tracking here you will be able to see if there are packets dropped by the ASA (if any).
11-28-2011 10:37 AM
Thanks for your help guys. I have tried both methods and I still can't see what is blocking it. Do you have any idea what can cause this behavior in the firewall even after the inspect esmtp has been removed?
11-28-2011 02:12 PM
Hi,
If the ASA is not dropping the packets and the ESMTP inspection is disabled, what makes you believe that this is firewall related?
We need to confirm that though. Could you share the packet captures (in pcap format) of one outbound failing connection on both incoming and outgoing interfaces of the firewall?
I have had some cases related to this and they all were problems related to the endpoints. Generally when an e-mail fails you receive an e-mail back with an error code. Are you receiving any of those by any chance? Maybe that could help.
11-28-2011 07:15 PM
Hi Jose. I had bypassed the firewall and the users worked fine. When they go back to their hotels they have no problems with emails. I even put a switch between the firewall and the outside/internet router and the email worked!
The only error you get is that there is a timeout connecting to the server.
I will send the capture data when I get back to the office. Thanks for your assistance.
11-29-2011 06:03 AM
Hi,
When you do that kind of test there could be a lot of things that you could be bypassing as well. I am afraid to say that that is not a conclusive test, as I have seen in many other cases.
I will be waiting for the captures here.
11-29-2011 09:13 AM
11-30-2011 07:49 AM
Hi All. I found a workaround for the problem. I took Jose's advice and looked at it from the endpoint and found that Windows 7 handles TCP windowing differently than previous OSes. I still think there is an issue somewhere but I am not sure where else to look so I will work with this for now.
See note below. Thanks for your help guys.
Disable the auto tuning
Check the state or current setting of TCP Auto-Tuning
1. Open elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp show global
The system will display the following text on screen, where you can check on the Auto-Tuning setting:
Querying active state…
TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State : enabled
Chimney Offload State : enabled
Receive Window Auto-Tuning Level : normal
Add-On Congestion Control Provider : none
ECN Capability : disabled
RFC 1323 Timestamps : disabled
Disable TCP Auto-Tuning
1. Open elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=disabled
Enable TCP Auto-Tuning
1. Open elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=normal
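
The following is an added example, not posted by anyone in this thread. It compares the TCP window-scale option in the handshake as seen in captures taken on the inside and outside interfaces, which is one way to tell whether a device in the path alters TCP windowing. The tcpdump-style line format, the capture contents, and all addresses are constructed assumptions.

```python
import re

# Constructed sample captures in tcpdump-style text, one per firewall interface.
# Addresses, ports and option values are made up; they are not from the thread.
INSIDE = """\
   1: 10:37:01.100000 192.168.1.10.49200 > 203.0.113.25.465: S 100:100(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:37:01.150000 203.0.113.25.465 > 192.168.1.10.49200: S 900:900(0) ack 101 win 5720 <mss 1380,nop,nop,sackOK>
   3: 10:37:01.150500 192.168.1.10.49200 > 203.0.113.25.465: . ack 901 win 256
"""
OUTSIDE = """\
   1: 10:37:01.100200 198.51.100.2.49200 > 203.0.113.25.465: S 100:100(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 10:37:01.149800 203.0.113.25.465 > 198.51.100.2.49200: S 900:900(0) ack 101 win 5720 <mss 1380,nop,wscale 7,nop,nop,sackOK>
"""

# src_ip.src_port > dst_ip.dst_port: FLAGS ... <tcp options>
LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+) .*?<([^>]*)>"
)

def syn_options(capture_text, server_port):
    """Return the wscale value (or None) of the first SYN and SYN-ACK
    exchanged with server_port. Only SYN-flagged packets carry the option."""
    seen = {}
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m or "S" not in m.group(5):
            continue
        src_port, dst_port, opts = int(m.group(2)), int(m.group(4)), m.group(6)
        if dst_port == server_port:
            kind = "SYN"        # client -> server
        elif src_port == server_port:
            kind = "SYN-ACK"    # server -> client
        else:
            continue
        ws = re.search(r"wscale (\d+)", opts)
        seen.setdefault(kind, int(ws.group(1)) if ws else None)
    return seen

def compare(inside_text, outside_text, server_port=465):
    """List (packet, inside_wscale, outside_wscale) where the two sides differ."""
    a = syn_options(inside_text, server_port)
    b = syn_options(outside_text, server_port)
    return [(k, a.get(k), b.get(k)) for k in ("SYN", "SYN-ACK") if a.get(k) != b.get(k)]

if __name__ == "__main__":
    for kind, inside, outside in compare(INSIDE, OUTSIDE):
        print(f"{kind}: wscale inside={inside} outside={outside} (changed in transit)")
```

A non-empty result means the two endpoints negotiated different views of window scaling, so the device between the capture points is where to look next.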