
CUE can not contact SMTP

Mike Clements
Level 1

Hi,

Handsets are a mix of 7971GE, 7975G and 7937G, PBX is a UC520-32U-8FXO-K9, switch is a WS-C4506 with gig PoE blades.

I wiped our UC520 and installed software pack 8.6.2 fresh, then re-configured to meet our spec.

I can not get CUE to send an email to the SMTP server, I want to have it forward voicemail messages to email via SMTP (don't want to use the IMAP interface).

I have tried

(a) sending test messages using the CLI (test voicemail notification email address my.address@mydomain.com), the response was "Could not connect to SMTP host: smtp.mydomain.com, port: 25" after waiting about 60-90 seconds

(b) sending test messages using the CUE WebUI (CUE -> System -> SMTP Settings -> Test SMTP Settings), the response was "Test Result: Could not connect to SMTP host: smtp.mydomain.com, port: 25" after waiting about 60-90 seconds

(c) logged into the CUE CLI (ISE 0/0) I can ping the SMTP server by DNS and IP, DNS resolves to the correct IP (10.90.0.1), that IP is on the same subnet as the UC520 with no firewalls in between (other than the UC's own).

(d) similar to CUE, from CME/IOS I can ping the SMTP server by DNS & IP

(e) I can also telnet from CME/IOS to the SMTP server on port 25, connect properly and send a test message to myself.  Similarly I can using this command:

"telnet smtp.mydomain.com 25 /source-interface integrated-Service-Engine 0/0"

(f) I have tried 3 SMTP servers (GroupWise, Barracuda Anti-SPAM and FreeSMTP).  The logging shows no attempt to connect to the TCP port, no connections rejected etc...

(g) I have monitored the firewalls to see if it's routing incorrectly, no traffic appears on the firewalls from the PBX.

(h) the SMTP server can ping all the IP addresses of the PBX (10.90.0.4, 10.90.1.254, 10.90.3.1, 10.90.3.2, 172.16.90.4)

(i) there is no SMTP relaying involved, the destination email address is hosted by the server itself

(j) I have tried using SMTP auth credentials, and without (they are not required by the server).

Please help, the only thing I can think of is the local firewall on the UC520 is blocking CUE sending SMTP but then it's not blocking my telnet connection and I have "fiddled" with the access-lists to allow any and it still doesn't work.  Any ideas are welcome, would really like to get voicemail messages via email again.

I have posted a full config (CME/IOS & CUE) here (https://supportforums.cisco.com/message/4029850).  I considered copying it to this thread as well but I figured it would just clutter up the thread.

Thanks,

MC

16 Replies 16

Mike Clements
Level 1

Just tried a trace per discussion: https://supportforums.cisco.com/message/4027277

MyPBX#service-module integrated-Service-Engine 0/0 session clear

[confirm]y [OK]

MyPBX#service-module integrated-Service-Engine 0/0 session

Trying 10.90.3.2, 2002 ... Open

Cisco Configuration Assistant. Version: 3.2 (3). Sun Sep 01 02:22:07 NZST 2013

User Access Verification

Username: admin

Password:

MyPBX#

MyPBX# no trace all

MyPBX# clear trace

MyPBX# trace voicemail msgnotif all

MyPBX# trace configapi smtp debug

MyPBX# trace entitymanager NotifDevice all

MyPBX# trace smtp all

MyPBX# show trace buffer tail

Press to exit...

MyPBX#

MyPBX# show trace buffer tail

Press to exit...

4240 09/02 11:32:13.281 capi smtp 0 SmtpServer: getSysdb(): Attribute: address

2341 09/02 11:32:13.282 capi smtp 0 SmtpSysdbNode: get(): address

4240 09/02 11:32:13.283 capi smtp 0 SmtpServer: getSysdb(): Attribute: port

2333 09/02 11:32:13.284 capi smtp 0 SmtpSysdbNode: get(): port

4240 09/02 11:32:13.285 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid

2339 09/02 11:32:13.286 capi smtp 0 SmtpSysdbNode: get(): userid

4240 09/02 11:32:13.286 capi smtp 0 SmtpServer: getSysdb(): Attribute: password

2338 09/02 11:32:13.287 capi smtp 0 SmtpSysdbNode: get(): password

4240 09/02 11:32:13.287 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode

2341 09/02 11:32:13.289 capi smtp 0 SmtpSysdbNode: get(): securityMode

2304 09/02 11:32:18.428 VMSS mnot 0 EmailSender: sendEmailNotification: checkSendPreConditions passed

2304 09/02 11:32:18.428 capi smtp 0 SmtpServer: getSysdb(): Attribute: address

2333 09/02 11:32:18.430 capi smtp 0 SmtpSysdbNode: get(): address

2304 09/02 11:32:18.430 capi smtp 0 SmtpServer: getSysdb(): Attribute: port

2338 09/02 11:32:18.431 capi smtp 0 SmtpSysdbNode: get(): port

2304 09/02 11:32:18.431 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid

2339 09/02 11:32:18.433 capi smtp 0 SmtpSysdbNode: get(): userid

2304 09/02 11:32:18.433 capi smtp 0 SmtpServer: getSysdb(): Attribute: password

2341 09/02 11:32:18.434 capi smtp 0 SmtpSysdbNode: get(): password

2304 09/02 11:32:18.435 capi smtp 0 SmtpServer: getSysdb(): Attribute: authRequired

2333 09/02 11:32:18.436 capi smtp 0 SmtpSysdbNode: get(): authRequired

2304 09/02 11:32:18.436 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode

2338 09/02 11:32:18.438 capi smtp 0 SmtpSysdbNode: get(): securityMode

2304 09/02 11:32:18.438 VMSS mnot 0 EmailSender: Begin processing email job, UID=0

2304 09/02 11:32:18.438 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode

2339 09/02 11:32:18.439 capi smtp 0 SmtpSysdbNode: get(): securityMode

2304 09/02 11:32:18.440 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode

2341 09/02 11:32:18.441 capi smtp 0 SmtpSysdbNode: get(): securityMode

2304 09/02 11:34:18.477 VMSS mnot 0 DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]

DEBUG SMTP: useEhlo true, useAuth false

DEBUG SMTP: trying to connect to host "smtp.mydomain.com", port 25, isSSL false

Send failed, UID=0

2304 09/02 11:34:18.490 VMSS mnot 0 EmailSender: Error sending emailjavax.mail.MessagingException: Could not connect to SMTP host: smtp.mydomain.com, port: 25;

  nested exception is:

        java.net.SocketTimeoutException: connect timed out

8794 09/02 11:34:18.558 capi smtp 0 SmtpServer: getSysdb(): Attribute: address

2341 09/02 11:34:18.559 capi smtp 0 SmtpSysdbNode: get(): address

8794 09/02 11:34:18.559 capi smtp 0 SmtpServer: getSysdb(): Attribute: port

2333 09/02 11:34:18.561 capi smtp 0 SmtpSysdbNode: get(): port

8794 09/02 11:34:18.561 capi smtp 0 SmtpServer: getSysdb(): Attribute: userid

2338 09/02 11:34:18.562 capi smtp 0 SmtpSysdbNode: get(): userid

8794 09/02 11:34:18.562 capi smtp 0 SmtpServer: getSysdb(): Attribute: password

2339 09/02 11:34:18.563 capi smtp 0 SmtpSysdbNode: get(): password

8794 09/02 11:34:18.564 capi smtp 0 SmtpServer: getSysdb(): Attribute: securityMode

2341 09/02 11:34:18.565 capi smtp 0 SmtpSysdbNode: get(): securityMode

MyPBX# no trace all

MyPBX# clear trace

MyPBX#

Hello MC,

This issue is usually related to the network configuration. CUE should route the SMTP request to its gateway 10.90.3.2, which is an IP on the UC, which then should route over to Vlan1 and to your SMTP server. The traffic shouldn't be blocked internally, which appears to not be the case since you can telnet from CUE on port 25.

Is there a firewall enabled on the SMTP server? Are there any incoming networks you have to define on the mail server before it will accept mail from the CUE network?

I would not worry about authentication at this point, we would get a different error if it was an authentication issue.

Thanks,

-john

Hi John,

The server hosting SMTP is NetWare, it has no host based firewalls of any type.  There is nothing between the UC500 and the SMTP service to block access as long as the UC500 uses the internal ports (not the DMZ port).  If it were using the DMZ port then I should have seen its attempts on the DMZ firewall anyway.


The SMTP server allows connection from any network, it does not restrict based on IP.  Note I also tried two other SMTP servers just to be sure.

Do the access-lists I have allow the traffic required?  I don't know Cisco ACLs well enough to be sure.

As far as I know there is no telnet command within CUE, so the telnet testing I have done is from CME/IOS.  And I just noticed something: if I use the command "telnet smtp.mydomain.com 25" then the SMTP server shows a connection from 10.90.0.4 as expected (that is CME/IOS's IP address).

But if I issue the command "telnet smtp.mydomain.com 25 /source-interface integrated-Service-Engine 0/0" then the SMTP server still sees the connection from 10.90.0.4.... Not from 10.90.3.1 as expected.

So the telnet source interface command does not seem to work... Maybe it is a connectivity issue from 10.90.3.1 to 10.90.0.1 (SMTP) but ping is working so it would have to be specific to TCP.

MC

Bump

Hello Mike,

What is the default gateway on the SMTP server? Can you ping 10.90.3.1 from the SMTP server? Is there any asymmetric routing involved i.e. request from the CUE goes directly to the SMTP server, but the response goes to another firewall (default gateway) and then reaches CUE? In that case, the firewall could potentially block the responses as it did not see the original requests.

Hope this helps.

Nagaraja

Hi Nagaraja,

What is the default gateway on the SMTP server?

SMTP server is 10.90.0.1/24 -> DG: 10.90.0.254

CME/IOS is 10.90.0.4/24 -> DG: 10.90.0.254

CUE is 10.90.3.1/30 -> DG: 10.90.3.2

Is there any asymmetric routing involved i.e. request from the CUE goes directly to the SMTP server, but the response goes to another firewall (default gateway) and then reaches CUE?

Traffic from CUE to the SMTP server would go 10.90.3.1 -> 10.90.3.2 -> 10.90.0.4 -> 10.90.0.1.

And traffic from SMTP server to CUE goes 10.90.0.1 -> 10.90.0.254 -> 10.90.0.4 -> 10.90.3.2 -> 10.90.3.1

There are no firewalls in either path, only routers except for IOS's IP based ACLs

Can you ping 10.90.3.1 from the SMTP server?

Yes, I can ping from CUE & CME/IOS to SMTP server and vice versa, so I don't expect it is a routing issue.  I can also ping each host in the route from the SMTP server and CUE i.e. 10.90.3.1, 10.90.3.2, 10.90.0.4, 10.90.0.1, 10.90.0.254

However the telnet testing appears inconclusive (refer my post above) as the tool does not appear to send the traffic from the ISE.

Cheers,

MC

Is it possible for you to add a static route on your SMTP server and route all 10.90.3.0 traffic to 10.90.0.4?

Nagaraja,

UPDATE: LOL sorry had not seen your post before I tested this out,  Yes a static route on the SMTP server worked.

I just tried adding a static route to the SMTP server to route traffic to 10.90.3.0/30 via 10.90.0.4 and the CLI voicemail test notification worked!

So this must be the IOS firewall, I don't understand how IOS's firewall works so can you help?

access-list 1 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL

access-list 1 remark SDM_ACL Category=1

access-list 1 permit 10.90.0.4

access-list 1 permit 10.90.0.0 0.0.0.255

access-list 1 permit 10.90.1.0 0.0.0.255

access-list 1 permit 10.90.3.0 0.0.0.3

access-list 2 remark SIP trunk provider (peer)

access-list 2 permit 27.111.14.66

access-list 2 deny   any

access-list 101 remark Interface Integrated-Service-Engine0/0

access-list 101 permit icmp any any

access-list 101 permit igmp any any

access-list 101 permit ip any any

access-list 101 permit tcp any any

access-list 101 permit udp any any

access-list 102 remark Interface Loopback0

access-list 102 permit icmp any any

access-list 102 permit igmp any any

access-list 102 permit ip any any

access-list 102 permit tcp any any

access-list 102 permit udp any any

access-list 104 remark Interface Vlan1

access-list 104 permit icmp any any

access-list 104 permit igmp any any

access-list 104 permit ip any any

access-list 104 permit tcp any any

access-list 104 permit udp any any

access-list 105 remark Interface Vlan100

access-list 105 permit icmp any any

access-list 105 permit igmp any any

access-list 105 permit ip any any

access-list 105 permit tcp any any

access-list 105 permit udp any any

access-list 106 remark Interface FastEthernet0/0

access-list 106 permit icmp any any

access-list 106 permit udp host 27.111.14.66 eq 5060 any

access-list 106 permit udp host 27.111.14.66 any eq 5060

access-list 106 permit udp any any range 16384 32767

access-list 106 deny   ip any any log

I can post a full config if that's useful?

MC

Message was edited by: Mike Clements

Hello Mike,

What kind of device is 10.90.0.254? Is it a firewall or a router? This is a common feature in any stateful firewall. The stateful firewalls allow traffic only when they see the complete transaction i.e. for TCP traffic, they need to see SYN-SYNACK-ACK to send the traffic through (although in some firewalls you can bypass stateful inspection for specific traffic but not advisable). In this case, since the 10.90.0.254 was not seeing the original request from the CUE but was seeing the response from the SMTP server, it was dropping the responses.

Hope this helps.

Nagaraja
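
The routing asymmetry discussed above, modelled as an added example that is not part of the original thread: it follows the posted addresses and gateways hop by hop in each direction and reports which device forwards only one direction of the CUE-to-SMTP flow, before and after the static route on the SMTP server. The name GW254, the UC520's default route and GW254's route to 10.90.3.0/30 are assumptions taken from the paths Mike describes.

```python
import ipaddress

def build_topology(static_route_on_smtp=False):
    """Constructed model of the hosts in the thread. Each node lists its
    interface IPs and (prefix, next_hop) routes; next_hop None = connected."""
    nodes = {
        "CUE":   {"ips": ["10.90.3.1"],
                  "routes": [("10.90.3.0/30", None), ("0.0.0.0/0", "10.90.3.2")]},
        "UC520": {"ips": ["10.90.3.2", "10.90.0.4"],
                  "routes": [("10.90.3.0/30", None), ("10.90.0.0/24", None),
                             ("0.0.0.0/0", "10.90.0.254")]},
        "SMTP":  {"ips": ["10.90.0.1"],
                  "routes": [("10.90.0.0/24", None), ("0.0.0.0/0", "10.90.0.254")]},
        # Assumed label for the 10.90.0.254 router and its route to the CUE subnet.
        "GW254": {"ips": ["10.90.0.254"],
                  "routes": [("10.90.0.0/24", None), ("10.90.3.0/30", "10.90.0.4")]},
    }
    if static_route_on_smtp:  # the change that made the test notification work
        nodes["SMTP"]["routes"].append(("10.90.3.0/30", "10.90.0.4"))
    return nodes

def owner(nodes, ip):
    """Name of the device that holds this interface address."""
    return next(name for name, n in nodes.items() if ip in n["ips"])

def path(nodes, src_ip, dst_ip, max_hops=16):
    """Follow longest-prefix-match routing hop by hop; return device names."""
    dst = ipaddress.ip_address(dst_ip)
    name, hops = owner(nodes, src_ip), []
    for _ in range(max_hops):
        hops.append(name)
        if dst_ip in nodes[name]["ips"]:
            return hops
        matches = [(ipaddress.ip_network(p), nh) for p, nh in nodes[name]["routes"]
                   if dst in ipaddress.ip_network(p)]
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        name = owner(nodes, next_hop or dst_ip)
    raise RuntimeError("routing loop")

def one_way_transit(nodes, a, b):
    """Transit devices that forward only one direction of an a<->b flow."""
    fwd, rev = set(path(nodes, a, b)[1:-1]), set(path(nodes, b, a)[1:-1])
    return sorted(fwd ^ rev)

if __name__ == "__main__":
    for fixed in (False, True):
        t = build_topology(static_route_on_smtp=fixed)
        print("static route:", fixed, path(t, "10.90.3.1", "10.90.0.1"),
              path(t, "10.90.0.1", "10.90.3.1"), one_way_transit(t, "10.90.3.1", "10.90.0.1"))
```

A device listed by `one_way_transit` receives the server's SYN-ACK without ever having forwarded the matching SYN, which is the condition a stateful device checks for.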

Hi Nagaraja

It is both a firewall and a router but in this configuration it is only acting as a router, there is no firewall enabled.  The traffic is coming in on the same interface/VLAN/IP that it is leaving i.e. 10.90.0.254.  The router 10.90.0.254 has static routes for all the local subnets.

Since ping (ICMP) is working properly when initiated from either the SMTP server or CUE I imagine it is only affecting TCP.

Can you advise what ACLs I should have on the UC500 to allow traffic in with this network configuration?  I have tried permitting any ICMP, IGMP, IP, TCP and UDP but obviously that is not enough.

Does the UC500 have some application level inspection, something above layer 3?

MC

Is 10.90.0.254 an IOS Router?

No JunOS

MC

You may want to check that device to see what is blocking this interaction. All we did now is we bypassed 10.90.0.254 for CUE-SMTP interaction.

But we also made it so that 10.90.0.4 was receiving the TCP transaction from 10.90.0.1 directly rather than via 10.90.0.254 i.e. The UC500 is seeing a different hop for the TCP transaction.

The reason I ask if you can tell me what firewall rules I should have on the UC500 is I don't understand the firewall implementation on the UC500 properly so I might be missing something there.  However the JunOS device I do know fairly well and can say there is definitely no traffic manipulation or firewalling on there, just routing traffic.  It has no ACLs of any kind.

MC
