Slow/dropped SMTP connections inbound from internet through PIX
Was wondering if any of you have seen a problem similar to this one. Not sure how long it's been going on. We found it while logging some email traffic, and noticed that a great deal of traffic is from the second and third servers listed in the MX record. This means that the sending SMTP server failed against the first (internal) server, gave up, and sent it to the second/third listed server...
Here's the topology:
| PIX |
We use the static/conduit commands to configure the translation and permit inbound access (where x=internet address and y=private address):
When on the internal net, I can telnet to the internal address, port 25 and things work A-OK. But when I am out on the internet, I telnet to port 25 and it is so slow that it can't even complete the banner, and times out the connection. I tried from the internal net to telnet out to the external address, and the same delay happens there, too.
The fact that I can telnet to the port internally seems to rule out the server. The logs and monitoring on the SMTP server itself show that there are plenty of available connections, and it is not overworked in any way.
I think this is an issue with the PIX. However, there are no outbound traffic problems, and the internet link itself is not overworked. It is just this one function against this one server. It just happens that this is the main inbound company email gateway. Not a good one to have the problem on!
I was originally telling the email people that it is their problem. When they showed me this, I feel certain that it is my problem to fix...
Help fellow PIX firewall brethren! BTW, this is a PIX-520 with version 6.1(1).
Re: Slow/dropped SMTP connections inbound from internet through
Actually, the session is established, however, it is very slow. Most of the time, after the session is established, it stops responding (can't even complete the HELO, for example), then the connection eventually times out.
I have tried this with a Win2000 PC. At this point, I hadn't thought of trying it with a Unix box. Not sure why it would make any difference.
It seems that if any of the items you listed were missing, then it wouldn't work at all. In my case, it works, but painfully slowly.
To reiterate, in a significant percentage of cases, the sending server gives up on this connection, and sends to the second or third server in the MX record (which are all external). Those servers, in turn, begin trying to send to the first server (which is the internal one inside the PIX).
Again, keep in mind that mail is flowing well enough to keep users from complaining. At this point, it is an efficiency issue that only the email people are calling me about. I've got to get it solved, but the house isn't burning down or anything.
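A way to put numbers on the inside-versus-outside telnet comparison described in the thread, as an added example that is not from the original posts: it times the 220 banner and the HELO reply separately and reports the stage at which a stalled session stopped, so the two vantage points can be compared directly. The fake listener, its banner delay and the host name probe.example are constructed for the demo, not from the thread.

```python
import socket
import threading
import time

def smtp_probe(host, port, timeout=10.0):
    """Connect to an SMTP listener and time each stage of the greeting.

    Returns a dict with 'banner_s' and 'helo_s' (seconds, or None when that
    stage never completed) and 'stage' naming where the exchange stopped:
    'connect', 'banner', 'helo' or 'ok'."""
    result = {"banner_s": None, "helo_s": None, "stage": "connect"}
    try:
        start = time.monotonic()
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            result["stage"] = "banner"      # the poster saw the banner stall
            if not f.readline().startswith(b"220"):
                return result
            result["banner_s"] = time.monotonic() - start
            result["stage"] = "helo"        # ...and sessions dying at HELO
            t = time.monotonic()
            s.sendall(b"HELO probe.example\r\n")  # constructed client name
            if not f.readline().startswith(b"250"):
                return result
            result["helo_s"] = time.monotonic() - t
            s.sendall(b"QUIT\r\n")
            result["stage"] = "ok"
    except (socket.timeout, OSError):
        pass  # a read timeout leaves 'stage' at the point that stalled
    return result

def fake_smtp_server(banner_delay=0.0):
    """Constructed stand-in for the mail server: a loopback listener that
    sleeps banner_delay seconds before its greeting. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                time.sleep(banner_delay)
                conn.sendall(b"220 mail.example ESMTP\r\n")
                f = conn.makefile("rb")
                for line in f:
                    if line.upper().startswith(b"HELO"):
                        conn.sendall(b"250 mail.example\r\n")
                    elif line.upper().startswith(b"QUIT"):
                        break
        except OSError:
            pass  # the probe gave up before we answered, as a real MTA would
    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run smtp_probe against the mail server's private address from inside and its static address from outside; a healthy path reports stage "ok" with sub-second timings, while the thread's symptom shows up as stage "banner" or "helo" with the later timing left at None.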