
New Member

SYN Timeout on ASA 5510 - acl\nat issue?

Setting up an ASA and I am not able to get the mail to flow. I have the following:

mail filter - dmz (natted to public address xx.xx.xx.167)

exch server - inside (nat to public address xx.xx.xx.168)

Mail obviously is supposed to flow from exch -> filter -> outside world and then the reverse as well. The mail makes it from exch to the filter, but then does not go any further, and the filter is not able to establish a connection with any external mail servers. Here is a log snippet:

22:07:33|302014|65.61.1.47|filter|Teardown TCP connection 180106 for outside:65.61.1.47/25 to dmz:filter/3901 duration 0:00:30 bytes 0 SYN Timeout

22:07:27|302014|65.61.1.47|filter|Teardown TCP connection 180105 for outside:65.61.1.47/25 to dmz:filter/3874 duration 0:00:30 bytes 0 SYN Timeout

22:07:03|302013|65.61.1.47|filter|Built outbound TCP connection 180106 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3901 (xx.xx.xx.167/3901)

22:07:03|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3901) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

22:06:57|302013|65.61.1.47|filter|Built outbound TCP connection 180105 for outside:65.61.1.47/25 (65.61.1.47/25) to dmz:filter/3874 (xx.xx.xx.167/3874)

22:06:57|106100|filter|65.61.1.47|access-list dmz_access_in permitted tcp dmz/filter(3874) -> outside/65.61.1.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]

I do not see any syslog entries regarding dropped/denied packets related to these connections. If you need more config info or other info, let me know.
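To make the pattern in the snippet above mechanical, here is an added Python example (not from the thread or from Cisco) that pairs the 302013 "Built" and 302014 "Teardown" records by connection id and flags flows torn down as "SYN Timeout" with zero bytes. The sample lines and addresses it embeds are constructed placeholders in the same pipe-delimited shape as the log above.

```python
import re

# Constructed sample (placeholder addresses) in the thread's shape: timestamp|message-id|src|dst|text.
SAMPLE_LOG = """\
22:06:57|106100|filter|203.0.113.47|access-list dmz_access_in permitted tcp dmz/filter(3874) -> outside/203.0.113.47(25) hit-cnt 1 first hit [0x66e89e63, 0x0]
22:06:57|302013|203.0.113.47|filter|Built outbound TCP connection 180105 for outside:203.0.113.47/25 (203.0.113.47/25) to dmz:filter/3874 (198.51.100.167/3874)
22:07:03|302013|203.0.113.47|filter|Built outbound TCP connection 180106 for outside:203.0.113.47/25 (203.0.113.47/25) to dmz:filter/3901 (198.51.100.167/3901)
22:07:27|302014|203.0.113.47|filter|Teardown TCP connection 180105 for outside:203.0.113.47/25 to dmz:filter/3874 duration 0:00:30 bytes 0 SYN Timeout
22:07:33|302014|203.0.113.47|filter|Teardown TCP connection 180106 for outside:203.0.113.47/25 to dmz:filter/3901 duration 0:00:30 bytes 0 SYN Timeout
22:08:10|302013|203.0.113.47|filter|Built outbound TCP connection 180107 for outside:203.0.113.47/25 (203.0.113.47/25) to dmz:filter/3950 (198.51.100.167/3950)
22:08:12|302014|203.0.113.47|filter|Teardown TCP connection 180107 for outside:203.0.113.47/25 to dmz:filter/3950 duration 0:00:02 bytes 4210 TCP FINs
"""
# 302013: Built ... connection N for IF:PEER/PORT (..) to IF:HOST/PORT (MAPPED/PORT)
BUILT = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<a>[^/\s]+)/(?P<a_port>\d+) \(\S+\) to "
    r"(?P<if_b>\w+):(?P<b>[^/\s]+)/(?P<b_port>\d+) \((?P<mapped>[^/\s]+)/\d+\)"
)
# 302014: Teardown ... connection N for ... duration H:MM:SS bytes B REASON
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for .+ duration "
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def correlate(log_text):
    """Pair each 302013 Built record with its 302014 Teardown by connection id."""
    flows = {}
    for line in log_text.splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        ts, msg_id, _, _, text = fields
        if msg_id == "302013" and (m := BUILT.match(text)):
            flows[m["conn"]] = {
                "peer": f"{m['if_a']}:{m['a']}/{m['a_port']}",       # remote MTA
                "real_host": f"{m['if_b']}:{m['b']}/{m['b_port']}",  # e.g. dmz:filter/3874
                "mapped_addr": m["mapped"],                          # NATted public IP
            }
        elif msg_id == "302014" and (m := TEARDOWN.match(text)):
            f = flows.setdefault(m["conn"], {})
            f["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            f["bytes"] = int(m["bytes"])
            f["reason"] = m["reason"].strip()
    return flows

def syn_timeouts(log_text):
    """Flows torn down as 'SYN Timeout' with zero bytes: the ASA built the entry and
    forwarded the SYN (so the ACL allowed it) but never saw a SYN/ACK come back."""
    return {cid: f for cid, f in correlate(log_text).items()
            if f.get("reason") == "SYN Timeout" and f.get("bytes") == 0}
```

A run of these against every remote peer from one mapped address, with no matching deny messages, points at the return path for that mapped address rather than at the access-list.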

2 REPLIES
Silver

Re: SYN Timeout on ASA 5510 - acl\nat issue?

I think the connection dies on a "SYN timeout". This means the Pix never sees the reply from the server. When you moved your server, you have to change its default gateway. It should point to the Pix's DMZ address.

New Member

Re: SYN Timeout on ASA 5510 - acl\nat issue?

I didn't move the server or change its address or network config, I moved the ASA in in place of my existing firewall to test it. The default gateway is the ASA's DMZ address.
