ASA 8.0.4 and NTLM

Unanswered Question
Jun 1st, 2009


We've installed an ASA and were having issues between Outlook users on the Internet and our Exchange server behind the firewall. Outlook Web Access works and HTTPS is open from the Internet, but when users try to set their "out of office" or look at "free busy" I see TCPReset-O in the logs on the session. From what I understand, the Outlook client is using RPC over HTTPS for this connection to the server. Has anyone seen this before with Outlook and Exchange through an ASA?


plumbis Tue, 06/02/2009 - 20:48

If this is DCERPC there is limited support on the firewall platforms for this protocol. I'd suggest getting captures on the outside interface to try and figure out who is sending the reset packets and why.

cisco24x7 Wed, 06/03/2009 - 02:28

I am not familiar with this, but one of my colleagues worked on an ASA SSL VPN project and NTLM v2 authentication. He spent about four weeks working with Cisco developers on this issue. Despite what Cisco stated in the documentation, NTLM v2 authentication does NOT work with Cisco ASA. Because of this requirement, we decided to go with F5 Firepass SSL VPN.

Plumbis, there should be a Cisco TAC case on this issue.

mike-greene Wed, 06/03/2009 - 04:25


I do have a TAC case open but we have not been able to get it working yet. Packet captures show the client is sending the reset to the server, so I'm not sure if the ASA is altering the NTLM traffic or not. I've read a few posts referring to Web and SSL VPN issues with NTLM, but we're just coming over the Internet hitting our Exchange system without a VPN.

If we get this working I'll post the fix, but I think TAC is leaning towards an application issue because the ASA is not dropping the traffic. This works fine on the LAN not going through the ASA, so something is happening here.


