We have a setup with an MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We now have the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG in between), but not reliably through the internet.
There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.
We opened a case with Microsoft and they told us that not all TCP SYN packets sent by the TMG are received by the Exchange server.
Thus I sniffed on the ASA with a packet capture and indeed, a lot of SYN packets were on the interface to the TMG, but no longer on the interface to the internal router.
I don't find anything really helpful in the ASA log and am at a loss.
This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?
Here is the show asp drop:
ASA01-Internet# sh asp drop
Invalid TCP Length (invalid-tcp-hdr-length) 1
Reverse-path verify failed (rpf-violated) 319
Flow is denied by configured rule (acl-drop) 477077
First TCP packet not SYN (tcp-not-syn) 10212
TCP data send after FIN (tcp-data-past-fin) 41
TCP failed 3 way handshake (tcp-3whs-failed) 824
TCP RST/FIN out of order (tcp-rstfin-ooo) 1419
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6
TCP SYNACK on established conn (tcp-synack-ooo) 1
TCP packet SEQ past window (tcp-seq-past-win) 821
TCP invalid ACK (tcp-invalid-ack) 331
TCP Out-of-Order packet buffer full (tcp-buffer-full) 393
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1538
TCP RST/SYN in window (tcp-rst-syn-in-win) 4228
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 500
TCP packet failed PAWS test (tcp-paws-fail) 23039
Early security checks failed (security-failed) 13
DNS Inspect id not matched (inspect-dns-id-not-matched) 148
FP L2 rule drop (l2_acl) 4674
Dropped pending packets in a closed socket (np-socket-closed) 26
Last clearing: 16:43:13 CEST Feb 29 2012 by xxxxxxxxxxxx
Flow is denied by access rule (acl-drop) 56
NAT failed (nat-failed) 342
Inspection failure (inspect-fail) 6552
Last clearing: 16:43:13 CEST Feb 29 2012 by xxxxxxxxxxx
I hope somebody can help me debug this better.
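One way to narrow down which drop reason matches the missing SYNs is to take a `show asp drop` snapshot before and after a test connection and compare the counters. The following is an added example, not part of the original post: the function names are hypothetical, the "before" lines are copied from the output above, and the "after" values are constructed for illustration and say nothing about the actual cause.

```python
import re

# One counter line looks like: "TCP packet failed PAWS test (tcp-paws-fail) 23039"
COUNTER_RE = re.compile(r"^\s*.+?\s+\((?P<name>[a-z0-9_-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {(section, name): count}.

    Each 'Last clearing' line closes a section, so a name that occurs in
    both sections (acl-drop in the post) is kept as two separate counters.
    """
    counters, section = {}, 0
    for line in text.splitlines():
        if line.strip().startswith("Last clearing"):
            section += 1
            continue
        m = COUNTER_RE.match(line)
        if m:  # prompt lines and blank lines are skipped
            counters[(section, m["name"])] = int(m["count"])
    return counters

def delta(before, after):
    """Counters that increased between two snapshots, largest increase first."""
    changes = [(key, count - before.get(key, 0)) for key, count in after.items()]
    return sorted((c for c in changes if c[1] > 0), key=lambda c: c[1], reverse=True)

# Subset of the output shown in the post.
BEFORE = """ASA01-Internet# sh asp drop
Flow is denied by configured rule (acl-drop) 477077
First TCP packet not SYN (tcp-not-syn) 10212
TCP packet failed PAWS test (tcp-paws-fail) 23039
Last clearing: 16:43:13 CEST Feb 29 2012 by xxxxxxxxxxxx
Flow is denied by access rule (acl-drop) 56
NAT failed (nat-failed) 342
Last clearing: 16:43:13 CEST Feb 29 2012 by xxxxxxxxxxx
"""

# Constructed second snapshot: the counter values here are made up.
AFTER = BEFORE.replace("477077", "477090").replace("23039", "23101").replace("342", "345")

if __name__ == "__main__":
    for (section, name), diff in delta(parse_asp_drop(BEFORE), parse_asp_drop(AFTER)):
        print(f"section {section}  {name:<16} +{diff}")
```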