09-01-2013 04:00 PM - edited 03-21-2019 07:43 AM
Hi,
Handsets are a mix of 7971GE, 7975G and 7937G, PBX is a UC520-32U-8FXO-K9, switch is a WS-C4506 with gig PoE blades.
I wiped our UC520 and installed software pack 8.6.2 fresh, then re-configured to meet our spec.
I can not get CUE to send an email to the SMTP server, I want to have it forward voicemail messages to email via SMTP (don't want to use the IMAP interface).
I have tried
(a) sending test messages using the CLI (test voicemail notification email address my.address@mydomain.com), the response was "Could not connect to SMTP host: smtp.mydomain.com, port: 25" after waiting about 60-90 seconds
(b) sending test messages using the CUE WebUI (CUE -> System -> SMTP Settings -> Test SMTP Settings), the response was "Test Result: Could not connect to SMTP host: smtp.mydomain.com, port: 25" after waiting about 60-90 seconds
(c) logged into the CUE CLI (ISE 0/0) I can ping the SMTP server by DNS and IP, DNS resolves to the correct IP (10.90.0.1), that IP is on the same subnet as the UC520 with no firewalls in between (other than the UC's own).
(d) similar to CUE, from CME/IOS I can ping the SMTP server by DNS & IP
(e) I can also telnet from CME/IOS to the SMTP server on port 25, connect properly and send a test message to myself. Similarly I can using this command:
"telnet smtp.mydomain.com 25 /source-interface integrated-Service-Engine 0/0"
(f) I have tried 3 SMTP servers (GroupWise, Barracuda Anti-SPAM and FreeSMTP). The logging shows no attempt to connect to the TCP port, no connections rejected etc...
(g) I have monitored the firewalls to see if it's routing incorrectly, no traffic appears on the firewalls from the PBX.
(h) the SMTP server can ping all the IP addresses of the PBX (10.90.0.4, 10.90.1.254, 10.90.3.1, 10.90.3.2, 172.16.90.4)
(i) there is no SMTP relaying involved, the destination email address is hosted by the server itself
(j) I have tried using SMTP auth credentials, and without (they are not required by the server).
Please help, the only thing I can think of is the local firewall on the UC520 is blocking CUE sending SMTP but then it's not blocking my telnet connection and I have "fiddled" with the access-lists to allow any and it still doesn't work. Any ideas are welcome, would really like to get voicemail messages via email again.
I have posted a full config (CME/IOS & CUE) here (https://supportforums.cisco.com/message/4029850). I considered copying it to this thread as well but I figured it would just clutter up the thread.
Thanks,
MC
09-01-2013 04:41 PM
Just tried a trace per discussion: https://supportforums.cisco.com/message/4027277
MyPBX#service-module integrated-Service-Engine 0/0 session clear
[confirm]y [OK]
MyPBX#service-module integrated-Service-Engine 0/0 session
Trying 10.90.3.2, 2002 ... Open
Cisco Configuration Assistant. Version: 3.2 (3). Sun Sep 01 02:22:07 NZST 2013
User Access Verification
Username: admin
Password:
MyPBX#
MyPBX# no trace all
MyPBX# clear trace
MyPBX# trace voicemail msgnotif all
MyPBX# trace configapi smtp debug
MyPBX# trace entitymanager NotifDevice all
MyPBX# trace smtp all
MyPBX# show trace buffer tail
Press
MyPBX#
MyPBX# show trace buffer tail
Press
4240 09/02 11:32:13.281 capi smtp 0 SmtpServer: getSysdb(): Attribute: address
2341 09/02 11:32:13.282 capi smtp 0 SmtpSysdbNode: get(): address
4240 09/02 11:32:13.283 capi smtp 0 SmtpServer: getSysdb(): Attribute: port
2333 09/02 11:32:13.284 capi smtp 0 SmtpSysdbNode: get(): port
4240 09/02 11:32:13.285 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid
2339 09/02 11:32:13.286 capi smtp 0 SmtpSysdbNode: get(): userid
4240 09/02 11:32:13.286 capi smtp 0 SmtpServer: getSysdb(): Attribute: password
2338 09/02 11:32:13.287 capi smtp 0 SmtpSysdbNode: get(): password
4240 09/02 11:32:13.287 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode
2341 09/02 11:32:13.289 capi smtp 0 SmtpSysdbNode: get(): securityMode
2304 09/02 11:32:18.428 VMSS mnot 0 EmailSender: sendEmailNotification: checkSendPreConditions passed
2304 09/02 11:32:18.428 capi smtp 0 SmtpServer: getSysdb(): Attribute: address
2333 09/02 11:32:18.430 capi smtp 0 SmtpSysdbNode: get(): address
2304 09/02 11:32:18.430 capi smtp 0 SmtpServer: getSysdb(): Attribute: port
2338 09/02 11:32:18.431 capi smtp 0 SmtpSysdbNode: get(): port
2304 09/02 11:32:18.431 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid
2339 09/02 11:32:18.433 capi smtp 0 SmtpSysdbNode: get(): userid
2304 09/02 11:32:18.433 capi smtp 0 SmtpServer: getSysdb(): Attribute: password
2341 09/02 11:32:18.434 capi smtp 0 SmtpSysdbNode: get(): password
2304 09/02 11:32:18.435 capi smtp 0 SmtpServer: getSysdb(): Attribute: authRequired
2333 09/02 11:32:18.436 capi smtp 0 SmtpSysdbNode: get(): authRequired
2304 09/02 11:32:18.436 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode
2338 09/02 11:32:18.438 capi smtp 0 SmtpSysdbNode: get(): securityMode
2304 09/02 11:32:18.438 VMSS mnot 0 EmailSender: Begin processing email job, UID=0
2304 09/02 11:32:18.438 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode
2339 09/02 11:32:18.439 capi smtp 0 SmtpSysdbNode: get(): securityMode
2304 09/02 11:32:18.440 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode
2341 09/02 11:32:18.441 capi smtp 0 SmtpSysdbNode: get(): securityMode
2304 09/02 11:34:18.477 VMSS mnot 0 DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth false
DEBUG SMTP: trying to connect to host "smtp.mydomain.com", port 25, isSSL false
Send failed, UID=0
2304 09/02 11:34:18.490 VMSS mnot 0 EmailSender: Error sending emailjavax.mail.MessagingException: Could not connect to SMTP host: smtp.mydomain.com, port: 25;
nested exception is:
java.net.SocketTimeoutException: connect timed out
8794 09/02 11:34:18.558 capi smtp 0 SmtpServer: getSysdb(): Attribute: address
2341 09/02 11:34:18.559 capi smtp 0 SmtpSysdbNode: get(): address
8794 09/02 11:34:18.559 capi smtp 0 SmtpServer: getSysdb(): Attribute: port
2333 09/02 11:34:18.561 capi smtp 0 SmtpSysdbNode: get(): port
8794 09/02 11:34:18.561 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid
2338 09/02 11:34:18.562 capi smtp 0 SmtpSysdbNode: get(): userid
8794 09/02 11:34:18.562 capi smtp 0 SmtpServer: getSysdb(): Attribute: password
2339 09/02 11:34:18.563 capi smtp 0 SmtpSysdbNode: get(): password
8794 09/02 11:34:18.564 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode
2341 09/02 11:34:18.565 capi smtp 0 SmtpSysdbNode: get(): securityMode
MyPBX# no trace all
MyPBX# clear trace
MyPBX#
09-03-2013 11:32 AM
Hello MC,
This issue is usually related to the network configuration. CUE should route the SMTP request to its gateway 10.90.3.2, which is an IP on the UC, which then should route over to Vlan1 and to your SMTP server. The traffic shouldn't be blocked internally, which appears to not be the case since you can telnet from CUE on port 25.
Is there a firewall enabled on the SMTP server? Are there any incoming networks you have to define on the mail server before it will accept mail from the CUE network?
I would not worry about authentication at this point, we would get a different error if it was an authentication issue.
Thanks,
-john
09-03-2013 12:12 PM
Hi John,
The server hosting SMTP is NetWare, it has no host based firewalls of any type. There is nothing between the UC500 and the SMTP service to block access as long as the UC500 uses the internal ports (not the DMZ port). If it were using the DMZ port then I should have seen its attempts on the DMZ firewall anyway.
The SMTP server allows connection from any network, it does not restrict based on IP. Note I also tried two other SMTP servers just to be sure.
Do the access-lists I have allow the traffic required? I don't know Cisco ACLs well enough to be sure.
As far as I know there is no telnet command within CUE, so the telnet testing I have done is from CME/IOS. And I just noticed something: if I use the command "telnet smtp.mydomain.com 25" then the SMTP server shows a connection from 10.90.0.4 as expected (that is CME/IOS's IP address).
But if I issue the command "telnet smtp.mydomain.com 25 /source-interface integrated-Service-Engine 0/0" then the SMTP server still sees the connection from 10.90.0.4.... Not from 10.90.3.1 as expected.
So the telnet source interface command does not seem to work... Maybe it is a connectivity issue from 10.90.3.1 to 10.90.0.1 (SMTP) but ping is working so it would have to be specific to TCP.
MC
09-08-2013 04:35 AM
Bump
09-17-2013 02:41 PM
Hello Mike,
What is the default gateway on the SMTP server? Can you ping 10.90.3.1 from the SMTP server? Is there any asymmetric routing involved i.e. request from the CUE goes directly to the SMTP server, but the response goes to another firewall (default gateway) and then reaches CUE? In that case, the firewall could potentially block the responses as it did not see the original requests.
Hope this helps.
Nagaraja
09-18-2013 03:39 PM
Hi Nagaraja,
What is the default gateway on the SMTP server?
SMTP server is 10.90.0.1/24 -> DG: 10.90.0.254
CME/IOS is 10.90.0.4/24 -> DG: 10.90.0.254
CUE is 10.90.3.1/30 -> DG: 10.90.3.2
Is there any asymmetric routing involved i.e. request from the CUE goes directly to the SMTP server, but the response goes to another firewall (default gateway) and then reaches CUE?
Traffic from CUE to the SMTP server would go 10.90.3.1 -> 10.90.3.2 -> 10.90.0.4 -> 10.90.0.1.
And traffic from SMTP server to CUE goes 10.90.0.1 -> 10.90.0.254 -> 10.90.0.4 -> 10.90.3.2 -> 10.90.3.1
There are no firewalls in either path, only routers, except for IOS's IP-based ACLs.
Can you ping 10.90.3.1 from the SMTP server?
Yes, I can ping from CUE & CME/IOS to SMTP server and vice versa, so I don't expect it is a routing issue. I can also ping each host in the route from the SMTP server and CUE i.e. 10.90.3.1, 10.90.3.2, 10.90.0.4, 10.90.0.1, 10.90.0.254
However the telnet testing appears inconclusive (refer to my post above) as the tool does not appear to send the traffic from the ISE.
Cheers,
MC
09-18-2013 03:47 PM
Is it possible for you to add a static route on your SMTP server and route all 10.90.3.0 traffic to 10.90.0.4?
09-18-2013 03:53 PM
Nagaraja,
UPDATE: LOL sorry had not seen your post before I tested this out, Yes a static route on the SMTP server worked.
I just tried adding a static route to the SMTP server to route traffic to 10.90.3.0/30 via 10.90.0.4 and the CLI voicemail test notification worked!
So this must be the IOS firewall, I don't understand how IOS's firewall works so can you help?
access-list 1 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.90.0.4
access-list 1 permit 10.90.0.0 0.0.0.255
access-list 1 permit 10.90.1.0 0.0.0.255
access-list 1 permit 10.90.3.0 0.0.0.3
access-list 2 remark SIP trunk provider (peer)
access-list 2 permit 27.111.14.66
access-list 2 deny any
access-list 101 remark Interface Integrated-Service-Engine0/0
access-list 101 permit icmp any any
access-list 101 permit igmp any any
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 102 remark Interface Loopback0
access-list 102 permit icmp any any
access-list 102 permit igmp any any
access-list 102 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 104 remark Interface Vlan1
access-list 104 permit icmp any any
access-list 104 permit igmp any any
access-list 104 permit ip any any
access-list 104 permit tcp any any
access-list 104 permit udp any any
access-list 105 remark Interface Vlan100
access-list 105 permit icmp any any
access-list 105 permit igmp any any
access-list 105 permit ip any any
access-list 105 permit tcp any any
access-list 105 permit udp any any
access-list 106 remark Interface FastEthernet0/0
access-list 106 permit icmp any any
access-list 106 permit udp host 27.111.14.66 eq 5060 any
access-list 106 permit udp host 27.111.14.66 any eq 5060
access-list 106 permit udp any any range 16384 32767
access-list 106 deny ip any any log
I can post a full config if that's useful?
MC
Message was edited by: Mike Clements
09-18-2013 03:58 PM
Hello Mike,
What kind of device is 10.90.0.254? Is it a firewall or a router? This is a common feature in any stateful firewall. Stateful firewalls allow traffic only when they see the complete transaction, i.e. for TCP traffic, they need to see SYN-SYNACK-ACK to send the traffic through (although in some firewalls you can bypass stateful inspection for specific traffic, it is not advisable). In this case, since 10.90.0.254 was not seeing the original request from the CUE but was seeing the response from the SMTP server, it was dropping the responses.
Hope this helps.
Nagaraja
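The path reasoning in this exchange, as an added example that is not part of any post: a Python model of the routing tables described in the thread that lists which intermediate hops see only one direction of a CUE-to-SMTP session, before and after the static route on the SMTP server. The node label GW254 (for 10.90.0.254) and that router's route to 10.90.3.0/30 via 10.90.0.4 are assumptions inferred from the return path stated above.

```python
import copy
import ipaddress

# Constructed model of the hosts named in the thread. Addresses and default
# gateways are the posters' values; the label GW254 (for 10.90.0.254) and its
# route to 10.90.3.0/30 are assumptions inferred from the stated return path.
NODES = {
    "CUE":   {"ips": ["10.90.3.1"],
              "routes": [("10.90.3.0/30", None), ("0.0.0.0/0", "10.90.3.2")]},
    "UC520": {"ips": ["10.90.0.4", "10.90.3.2"],
              "routes": [("10.90.0.0/24", None), ("10.90.3.0/30", None),
                         ("0.0.0.0/0", "10.90.0.254")]},
    "SMTP":  {"ips": ["10.90.0.1"],
              "routes": [("10.90.0.0/24", None), ("0.0.0.0/0", "10.90.0.254")]},
    "GW254": {"ips": ["10.90.0.254"],
              "routes": [("10.90.0.0/24", None), ("10.90.3.0/30", "10.90.0.4")]},
}

def owner(nodes, ip):
    """Return the name of the node that owns interface address ip."""
    return next(name for name, n in nodes.items() if ip in n["ips"])

def next_hop(node, dst):
    """Longest-prefix match; a connected route delivers straight to dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in node["routes"]
               if addr in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1] or dst

def path(nodes, src, dst_ip, max_hops=8):
    """Walk hop by hop from node src to the node owning dst_ip."""
    hops = [src]
    while dst_ip not in nodes[hops[-1]]["ips"]:
        if len(hops) > max_hops:
            raise RuntimeError("routing loop")
        hops.append(owner(nodes, next_hop(nodes[hops[-1]], dst_ip)))
    return hops

def one_way_hops(nodes, client, client_ip, server, server_ip):
    """Intermediate hops that see only one direction of the conversation."""
    fwd = path(nodes, client, server_ip)
    ret = path(nodes, server, client_ip)
    return fwd, ret, sorted(set(fwd[1:-1]) ^ set(ret[1:-1]))

def with_static_route(nodes, host, network, gateway):
    """Copy of the model with one extra static route on host."""
    patched = copy.deepcopy(nodes)
    patched[host]["routes"].append((network, gateway))
    return patched
```

With the thread's values, `one_way_hops(NODES, "CUE", "10.90.3.1", "SMTP", "10.90.0.1")` reports GW254 as the only hop that sees just the return direction, and the list is empty once `with_static_route` adds 10.90.3.0/30 via 10.90.0.4 on SMTP.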
09-18-2013 04:07 PM
Hi Nagaraja
It is both a firewall and a router but in this configuration it is only acting as a router, there is no firewall enabled. The traffic is coming in on the same interface/VLAN/IP that it is leaving i.e. 10.90.0.254. The router 10.90.0.254 has static routes for all the local subnets.
Since ping (ICMP) is working properly when initiated from either the SMTP server or CUE I imagine it is only affecting TCP.
Can you advise what ACLs I should have on the UC500 to allow traffic in with this network configuration? I have tried permitting any ICMP, IGMP, IP, TCP and UDP but obviously that is not enough.
Does the UC500 have some application level inspection, something above layer 3?
MC
09-18-2013 04:09 PM
Is 10.90.0.254 an IOS Router?
09-18-2013 04:11 PM
No JunOS
MC
09-18-2013 04:14 PM
You may want to check that device to see what is blocking this interaction. All we did now is we bypassed 10.90.0.254 for CUE-SMTP interaction.
09-18-2013 04:19 PM
But we also made it so that 10.90.0.4 was receiving the TCP transaction from 10.90.0.1 directly rather than via 10.90.0.254 i.e. The UC500 is seeing a different hop for the TCP transaction.
The reason I ask if you can tell me what firewall rules I should have on the UC500 is I don't understand the firewall implementation on the UC500 properly so I might be missing something there. However the JunOS device I do know fairly well and can say there is definitely no traffic manipulation or firewalling on there, just routing traffic. It has no ACLs of any kind.
MC