SYN Timeout on ASA 5510 - acl\nat issue?

Unanswered Question
Jul 25th, 2007

Setting up an ASA and I am not able to get the mail to flow. I have the following:

mail filter - dmz (natted to public address xx.xx.xx.167)

exch server - inside (nat to public address xx.xx.xx.168)

Mail obviously is supposed to flow from exch -> filter -> outside world and then the reverse as well. The mail makes it from exch to the filter, but then does not go any further, and the filter is not able to establish a connection with any external mail servers. Here is a log snippet:

22:07:33|302014|65.61.1.47|filter|Teardown TCP connection 180106 for outside:65.61.1.47/25 to dmz:filter/3901 duration 0:00:30 bytes 0 SYN Timeout

22:07:27|302014|65.61.1.47|filter|Teardown TCP connection 180105 for outside:65.61.1.47/25 to dmz:filter/3874 duration 0:00:30 bytes 0 SYN Timeout

22:07:03|302013|65.61.1.47|filter|Built outbound TCP connection 180106 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3901 (xx.xx.xx.167/3901)

22:07:03|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3901) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

22:06:57|302013|65.61.1.47|filter|Built outbound TCP connection 180105 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3874 (xx.xx.xx.167/3874)

22:06:57|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3874) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

I do not see any syslog entries regarding dropped/denied packets related to these connections. If you need more config info or other info, let me know.

amritpatek Tue, 07/31/2007 - 11:49

I think the connection dies on a "SYN timeout". This means the Pix never sees the reply from the server. When you moved your server, you have to change its default gateway. It should point to the Pix's DMZ address.

dsturgeon Wed, 08/01/2007 - 05:01

I didn't move the server or change its address or network config, I moved the ASA in, in place of my existing firewall, to test it. The defgate is the ASA's DMZ address.
