Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4571
Views
0
Helpful
2
Replies

SYN Timeout on ASA 5510 - acl\nat issue?

dsturgeon
Level 1
Level 1

‎07-25-2007 06:09 AM - edited ‎03-05-2019 05:28 PM

Setting up an asa and I am not able to get the mail to flow. I have the following:

mail filter - dmz (natted to public address xx.xx.xx.167)

exch server - inside (nat to public address xx.xx.xx.168)

Mail obviously is supposed to flow from exch -> filter -> outside world and then the reverse as well. The mail makes it from exch to the filter, but then does not go any further, and the filter is not able to establish a connection with any external mail servers. Here is a log snippet:

22:07:33|302014|65.61.1.47|filter|Teardown TCP connection 180106 for outside:65.61.1.47/25 to dmz:filter/3901 duration 0:00:30 bytes 0 SYN Timeout

22:07:27|302014|65.61.1.47|filter|Teardown TCP connection 180105 for outside:65.61.1.47/25 to dmz:filter/3874 duration 0:00:30 bytes 0 SYN Timeout

22:07:03|302013|65.61.1.47|filter|Built outbound TCP connection 180106 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3901 (xx.xx.xx.167/3901)

22:07:03|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3901) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

22:06:57|302013|65.61.1.47|filter|Built outbound TCP connection 180105 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3874 (xx.xx.xx.167/3874)

22:06:57|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3874) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

I do not see any syslog entries regarding dropped/denied packets related to these connections. If you need more config info or other info, let me know.

Labels:
0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎07-31-2007 11:49 AM

I think the connection dies on a "SYN timeout". This means the Pix never sees the reply from the server. When you moved your server, you have to change its default gateway. It should point to the Pix's DMZ address.

0 Helpful

dsturgeon
Level 1
Level 1
In response to amritpatek

‎08-01-2007 05:01 AM

I didn't move the server or change its address or networkconfig, I moved the asa in in place of my existing firewall to test it. The defgate is the asa's dmz address.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card