IPS Blocking out Outlook connectivity of VPN Users.
Cisco IPS 4240, v5.1(3)S255
VPN users of our client's organization are complaining that the Outlook connectivity to Exchange through VPN is getting frequently timed out. Even if they do connect, the connection simply hangs in the middle of transferring mail. This problem is visible only with VPN Users. Local LAN users are not facing any such issues.
When the IPS is put in the bypass mode, the VPN users have no performance issues. To mitigate this issue, we even tried filtering out all the blocking actions other than logging packets on all signatures between the IPs allocated for VPN users, and the Exchange Server IPs. Still the same problem persists.
This is causing immense difficulties since there are a number of Roaming users in the client's organization, and the issue has reached crisis proportions. Urgent help is required. Thanks in advance.
Re: IPS Blocking out Outlook connectivity of VPN Users.
I believe you are running into a bug where TCP streams were being timed out after 36 seconds of inactivity (vice the 3600 that was supposed to be in effect). I suggest installing the 5.1(4) service pack and the S263 signature update to bring your binaries up to the latest versions.
For diagnostic purposes, you could try tuning signature 1301 to turn on produce alert and setting the tcp-idle-timeout value to a much larger number, say 360000 due to the /100 factor.
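As an added example (not from the thread or from Cisco), a small Python triage script that checks the hypothesis above: it converts a tcp-idle-timeout setting using the /100 factor the reply mentions, then scans a constructed per-packet flow log and flags any flow whose longest idle gap exceeds the effective timeout. The log format, addresses and ports are assumptions made up for the example.

```python
"""Flag TCP flows whose longest idle gap exceeds the sensor's stream idle timeout."""
from collections import defaultdict


def idle_timeout_seconds(tcp_idle_timeout_setting: int) -> float:
    """Convert the sensor setting to seconds (hundredths of a second per the thread).

    360000 -> 3600.0 s, the value the reply says should have been in effect."""
    return tcp_idle_timeout_setting / 100


def parse_flow_log(lines):
    """Parse constructed records of the form '<epoch_ts> <src:port> <dst:port>'
    into {(src, dst): [timestamps]}; blank lines and '#' comments are skipped."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(float(ts))
    return flows


def flows_exceeding_idle(flows, timeout_s):
    """Return {flow: longest_gap_s} for every flow with an inter-packet gap
    larger than timeout_s; such a flow would have been dropped from the
    sensor's stream table under the 36 s bug, yet survives under 3600 s."""
    flagged = {}
    for key, stamps in flows.items():
        stamps = sorted(stamps)
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if gaps and max(gaps) > timeout_s:
            flagged[key] = max(gaps)
    return flagged


# Constructed sample: a VPN client talking to the Exchange server pauses 45 s
# mid-session (typical of a mail transfer stall), a LAN client never idles
# longer than 10 s. Addresses are placeholders, not from the thread.
SAMPLE_LOG = """
# ts        src                 dst
1000.0  10.10.0.5:1234      192.168.1.10:135
1005.0  10.10.0.5:1234      192.168.1.10:135
1050.0  10.10.0.5:1234      192.168.1.10:135
1052.0  10.10.0.5:1234      192.168.1.10:135
1000.0  192.168.1.50:2222   192.168.1.10:135
1010.0  192.168.1.50:2222   192.168.1.10:135
1020.0  192.168.1.50:2222   192.168.1.10:135
"""

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG.splitlines())
    for setting in (3600, 360000):  # buggy effective value vs. intended value
        print(setting, flows_exceeding_idle(flows, idle_timeout_seconds(setting)))
```

Run it against a real capture exported in the same three-column form; flows that appear only under the shorter timeout are the ones worth correlating with signature 1301 alerts once produce-alert is enabled.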