IronPort slow connection through firewall interface, data blanked out
Hi All
Installing a new pair of IronPort C170 appliances behind an ASA 5520 and currently getting a blanked-out response when connecting via telnet on port 25 to the outside interface. Testing this internally there are no issues and the hostname is shown, but from the outside the response is very slow and some information is masked as xxxxxxx.
Going through the ASA, ESMTP stateful packet inspection has been removed and the IPS has already been ruled out.
Has anyone come across this issue before? Please could you shine some light on this.
Many thanks
Hello James,
When some of the information is masked, this means you still have SMTP fixup enabled on the ASA. I am not an expert on these devices, but here is an article on this topic that may be useful:
Article #1816: Why do we see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS? Link: http://tools.cisco.com/squish/E68cB
Hope that helps.
Andreas
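The check Andreas describes can be scripted: connect on port 25 from the outside, time the banner, send EHLO and look for the rewritten text. The following is an added example written for this page (not code from the thread, Cisco or IronPort). It assumes the inspection rewrites banner and EHLO text as runs of "X" or "*" (the OP's xxxxxxx and the article's XXXXXXXA); the EHLO name and the sample replies are constructed.

```python
"""Probe an SMTP listener and report signs of ASA/PIX ESMTP inspection ("SMTP fixup").

Added example for this page; the masking pattern and sample replies are assumptions.
"""
import io
import re
import socket
import time

# Assumed fixup signature: banner/EHLO text overwritten with runs of X or *.
MASK_RE = re.compile(r"[X*]{5,}", re.IGNORECASE)
EHLO_NAME = "probe.example.invalid"  # hypothetical client name sent in EHLO

# Constructed sample replies (not captured from the OP's appliances).
SAMPLE_EHLO_CLEAN = "250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE_EHLO_FIXUP = "250 XXXXXXXA\r\n"


def is_masked(line: str) -> bool:
    """True if the text after the 3-digit reply code looks rewritten by the firewall."""
    return bool(MASK_RE.search(line[4:]))


def analyze_reply(lines: list[str]) -> dict:
    """Summarise one (possibly multi-line) SMTP reply: code, masking, advertised extensions."""
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else None
    extensions = [ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()]
    return {"code": code, "masked": any(is_masked(ln) for ln in lines), "extensions": extensions}


def _read_reply(f) -> list[str]:
    """Read one SMTP reply: continuation lines carry '-' at index 3, the last line a space."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        ln = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(ln)
        if len(ln) < 4 or ln[3] != "-":
            break
    return lines


def parse_reply_text(text: str) -> list[str]:
    """Parse a reply held in a string (used for the constructed samples)."""
    return _read_reply(io.BytesIO(text.encode("ascii")))


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, time the banner, send EHLO, and report what a fixup would have altered."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _read_reply(f)
        banner_delay = time.monotonic() - t0
        s.sendall(f"EHLO {EHLO_NAME}\r\n".encode("ascii"))
        ehlo = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    b, e = analyze_reply(banner), analyze_reply(ehlo)
    return {
        "banner_seconds": round(banner_delay, 2),   # the OP's "very slow" symptom
        "banner_masked": b["masked"],
        "ehlo_masked": e["masked"],
        "starttls_advertised": "STARTTLS" in e["extensions"],
        "fixup_suspected": b["masked"] or e["masked"],
    }


if __name__ == "__main__":
    import sys
    print(probe_smtp(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it from inside and from outside the ASA against the same appliance: a clean result inside and a masked one outside (with STARTTLS no longer advertised) points at the inspection rather than at the IronPort itself.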
Similar Messages
-
Client connecting through firewall
Hi
We have two clustered servers. Our client is connecting through a firewall NAT. When I connect to the first server the response is very slow and at the same time clustering is not working. If I stop the second server the response is fast.
The same configuration is working fine when my client is local.
Can you explain the reason for this problem?
Presently I am using WebLogic 6.1.
Thank you
OK I spoke too soon. The user looked like it was working but it was working because it matched another IAS policy further down the list. It seems as though the PIX refuses to use ms-chap of any sort. If I include the authentication type in the VPN policy conditions as ms-chap, it skips the VPN policy I am using to authenticate this. If I remove it, then it gives an invalid authentication type as if whatever the PIX is sending the IAS server does not understand as ms-chap.
It seems like the PIX authentication is totally wrong for use with IAS. What else do I need to add to this configuration to get it to work with ms-chap of any kind? I really don't get it. -
Why is my iphone 4s slow connecting through wifi
hi, i've just got my new iphone 4s, all set up ok but when i want to go on the internet through wifi, it is painfully slow.
connecting through 3g is fine, but wifi is a no go. the phone does recognise my network, just doesn't connect to the internet. any help would be great.
many thanx
You're welcome.
You tried every thing listed/provided including resetting your router and checking/changing the channels along with everything included with this link?
http://support.apple.com/kb/HT4199
Have you reset network settings on the iPhone?
Have you tried connecting the iPhone to any other wireless network? Any problem there? -
Hello, we switched our home internet service from an ethernet modem to a wireless hot spot.
Do you know if there is a way to connect our time capsule to the hot spot?
Everything I read only suggests connecting through an ethernet cable. I'm hoping there is a way to do this.
Any help would be appreciated!
Thanks!!!
No, you can't join a wireless hotspot with a Time Capsule directly via its 'join' option (tried and failed; well, to be exact it kinda works but the Time Capsule's ethernet ports no longer work).
What you can do is buy an AirPort Express and use its 'join' option to connect to the iPhone's hotspot. Then you connect the AirPort Express via ethernet to the Time Capsule (in bridge mode).
You can then connect your computers to the Time Capsule via ethernet or use its wireless function to set up a wireless network (with a different name to that of the hotspot) that your wifi stuff can connect to.
Thingi -
Slow Connection Through Base Station
I have a Virgin 10MB cable connection and it's normally bang on 10MB as measured using speedtest.net.
If I connect through my Airport Extreme Base Station I get between 1MB and 2MB.
This never used to happen; it started about 2-3 weeks ago. I can't see anything in the Airport config that would really change this and certainly haven't made any config changes myself.
This is for a wired connection - not tested wireless.
Any help appreciated
I have the same problem. I am using Virgin Media's 20Mb/s cable service with their cable modem.
Connecting the modem directly to my Macbook, I get 18Mb/s at the ZDNet speedtest.
Connecting a TimeCapsule (which is similar to an Airport Extreme) between the Macbook and the cable modem (wired, not wireless) the speed drops to 0.5Mb/s
Previously, I was using an ADSL connection and the TimeCapsule worked fine.
I have no solution but I would be very interested in resolving this issue.
Thanks
Andrew -
Slow connection through a Linksys WET11
Hi There! I have a WET11 connected to a slot loading iMac. It has been configured and picks up the Netgear WPN824 router, which is on the floor below.
The iMac can connect to the internet but it is incredibly slow; slower than dial-up. How can I improve the speed through the WET11? Many thanks for your input. jd -
Making connection through firewall
Hi,
I'm using Oracle Database server 8i (Enterprise Edition 8.1.7.0.0) and it's working fine. Now the students want to work at home and I have to route port 1521 to the internet but... Whenever I try to make a connection to the server I get a time-out. And no, with the option CONNECTION_TIMEOUT_LISTENER = 0 configured at the server, it isn't working....
For the routing, I'm using debian 3.0 with iptables (all other routing and configurations of the firewall are working)
Can someone help me with the problem?
Greets,
Bart
Not sure what you mean by having an 'EJB listening' on port 6666. Do you mean actually having a socket listening within the EJB code? If so then that is suspicious EJB activity.
If not then I guess you mean the ORMI listening port of the OC4J application. This is normally set to port 23791 to allow the RMI communication to flow.
-lp -
Getting error when attempting to connect through infiniband interface
Hello,
I launched Coherence with -Dtangosol.coherence.localhost=<infiniband address> on two machines. I get a message saying that one machine connected to the other, but no partitions are transferred. Instead I get a runtime exception on my main thread. The code works fine; I tried with the ethernet address and the code ran.
I also tried the multicast test on these two machines through their respective infiniband interfaces and I got messages being transferred.
Any thoughts on something I might have missed?
Hi Armando,
Can you please post the Coherence as well as multicast test logs from both nodes as an attachment to this thread.
thanks,
mark -
Ip connectivity through firewall segments
Hi,
We have an ASA that attaches to 6500-Core. The rough network diagram is attached here.
IP Segments B and C have SVIs on the core, whereas Segment A is on the ASA (Segment A is new and needs to be created).
The leg connecting the ASA to the Core is on security level 100 with the name Internal; the other leg of the ASA connecting upwards to the routers is on security level 0 with the name External.
If we need to add Segment A on the ASA, can we assign it a security level of 50? The requirement is:
1. Segment A needs to talk to Segment B, but it shouldn't be talking to Segment C (includes ping response also)
How can we achieve this? Appreciate all help.
Hi,
The use of "security-level" alone as a means to control which traffic is allowed is not advisable unless your network is a very simple home/small office network. Judging by your information you have a setup that won't really work well with this kind of simple setting.
The problem with "security-level" is that it makes no distinction between the networks behind an interface. So if a source interface's "security-level" is higher than the destination interface's "security-level", then all networks behind the source interface can access any network behind the destination interface. This makes it impossible to control the traffic on a per-network basis.
I would suggest that you use an interface ACL to control the traffic on your interfaces, at least on this new one that you are creating.
You would have to create an ACL that first blocks traffic from Segment A to Segment C and then allows all other traffic from Segment A (which would mean Internet access and connections to Segment B would be allowed).
At its simplest the interface ACL would look like this
access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
access-group SEGMENT-A-IN in interface
This would not block the ICMP Echo reply from Segment A to Segment C. You would either have to block ICMP Echo from Segment C to Segment A or you would perhaps need to disable ICMP Inspection if you have it enabled and then the above ACL would also block ICMP Echo Reply.
Hope this helps
- Jouni
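Before applying an interface ACL like the one above it is worth checking, entry by entry, what it will and will not allow, including Jouni's point about the ICMP echo reply. The following is an added example written for this page (not Cisco's code and not Jouni's): a small first-match evaluator for ASA-style extended ACLs, run over the SEGMENT-A-IN list from the thread. The Segment B range (10.70.10.0/24) and the Internet host (203.0.113.9) used in the checks are constructed placeholders, since the thread only gives addresses for Segments A and C.

```python
"""First-match evaluator for ASA-style extended ACLs (added example for this page)."""
import ipaddress
from dataclasses import dataclass

# Jouni's ACL from the thread: 10.80.10.0/24 is Segment A, 10.60.10.0/24 is Segment C.
SEGMENT_A_ACL = """
access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
"""


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens, i):
    """Parse 'any' or '<address> <netmask>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} in configured order; remark lines are skipped."""
    acls = {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        entries = acls.setdefault(t[1], [])
        if t[2] == "remark":
            continue
        src, i = _network(t, 4)
        dst, _ = _network(t, i)
        entries.append(Ace(t[2], t[3], src, dst))
    return acls


def evaluate(aces, proto, src_ip, dst_ip):
    """The first matching ACE decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def echo_reply_passes(aces, icmp_inspection, replier_ip, requester_ip):
    """Model the echo-reply caveat for a reply leaving Segment A (replier) towards
    the host that pinged it.  Without ICMP inspection the reply is just another
    packet entering the interface and must pass the ACL.  With inspection it is
    matched to the connection the echo request created, so the ACL is not
    consulted (this assumes the request itself was allowed in on Segment C's
    interface, which the thread does not show)."""
    if icmp_inspection:
        return True
    return evaluate(aces, "icmp", replier_ip, requester_ip) == "permit"


if __name__ == "__main__":
    aces = parse_acl(SEGMENT_A_ACL)["SEGMENT-A-IN"]
    print("A -> C tcp:", evaluate(aces, "tcp", "10.80.10.5", "10.60.10.7"))
    print("A -> B tcp:", evaluate(aces, "tcp", "10.80.10.5", "10.70.10.7"))
    print("echo reply A -> C, no inspection:", echo_reply_passes(aces, False, "10.80.10.5", "10.60.10.7"))
    print("echo reply A -> C, inspection on:", echo_reply_passes(aces, True, "10.80.10.5", "10.60.10.7"))
```

The evaluator only models addresses and the protocol keyword (no ports or object-groups), which is all this ACL uses; the last two checks show why the ACL alone blocks Segment C's pings of Segment A only when ICMP inspection is off.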
-
I am connecting remotely to a computer with full access to our company firewall. The router (WRT54G v6) is causing the IP address to change on the wired computer and rendering it blocked by the company firewall.
Is there a way to retain the original IP address settings on the wired computer and still hook up wirelessly from mine?
When you assign your wired computer a static LAN IP address, you will need to do this in the computer itself, not in the router. Also, be sure to follow the Linksys rules regarding the proper method of assigning a static LAN IP address.
For more information on this topic, please see my previous post at:
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=10070&query.id=... -
Sockets connection through firewall
Is there any way to make a connection between a socket outside the FireWall and a server socket inside?
Usually a firewall is transparent to software making socket connections, so it would really depend on the firewall configuration whether it will let the communication happen.
-
Slow connection through Oracle ODBC
Hello,
I have problems connecting to ORACLE from IIS (Win2000) using Oracle's ODBC driver.
I am using Oracle 8.1.7 SE. I tried to change the connection pooling timeout of the ODBC driver, but still connections time out after a minute or so and it takes 6-8 seconds to load a simple web page that reads only ~1 kB of information from ORACLE. The time to establish a connection to MS (Access, SQL Server) is less than a second. How can I establish connections to ORACLE faster?
Please help,
thanks,
Gyorgy
Justin,
thanks for your quick replies.
Using Oracle ODBC 32Bit Test:
the connection seems instantaneous. I tried to enable connection pooling for the Oracle ODBC driver with a wait in the pool of 600s. Maybe this will keep it alive and I can instantiate a fake connection every 10 minutes? I do not know what else I could try ...
Gyorgy
Quote, originally posted by Justin Cave:
> Can you try connecting via ODBCTest or via the 'Test Connection' button in the DSN creation dialog box, to see how long that takes? Your tnspings are certainly reasonable.
> I'm curious as to whether you see a difference between connecting via a DSN or through a DSN-less connection string.
> Justin
-
Connecting through firewall (weird problem)
Hello,
I'm having a very weird problem with JMX on a Linux server. I'm aware of the fact that the out-of-the-box JMX agent doesn't work with firewalls and I'm using a custom agent or rather I'm trying to. The problem is that JConsole/Custom Client fails to connect to the agent with a NoSuchObjectException.
The Server side code looks as follows
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
public class TestServer {
    public static void main(String[] args) throws Exception {
        System.setProperty("java.rmi.server.randomIDs", "true");
        // RMI registry on a fixed port so the firewall can be opened for it
        LocateRegistry.createRegistry(15003);
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        // Fixed connector port (15002) plus the registry lookup (15003)
        JMXServiceURL serviceUrl = new JMXServiceURL(
            "service:jmx:rmi://localhost:15002/jndi/rmi://localhost:15003/jmxrmi");
        JMXConnectorServer connectorServer = JMXConnectorServerFactory
            .newJMXConnectorServer(serviceUrl, null, mbs);
        connectorServer.start();
        Thread.sleep(Integer.MAX_VALUE); // keep the agent running
    }
}
The Client side code looks as follows
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
public class TestClient {
    public static void main(String[] args) throws Exception {
        JMXServiceURL u = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://ec2-67-202-2-113.z-2.compute-1.amazonaws.com:15002/jmxrmi");
        JMXConnector c = JMXConnectorFactory.connect(u); // fails here with the exception below
    }
}
The Exception I'm getting is
Exception in thread "main" java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.NoSuchObjectException: no such object in table]
at javax.management.remote.rmi.RMIConnector.connect(Unknown Source)
at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
at foo.bar.TestClient.main(TestClient.java:12)
The Java version on the Server is
java version "1.6.0_02"
Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
Java HotSpot(TM) Client VM (build 1.6.0_02-b05, mixed mode, sharing)
You were right. There was one more thing though which I figured out with Wireshark/Ethereal. The machines in Amazon's EC2 Network are running behind a NAT or something and I had to specify the external address with -Djava.rmi.server.hostname=BlaBlub.
-
Slow connection in one server if accessing through Cisco ACE
Hi,
Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When a PC accesses the server3 application via the Cisco ACE it experiences a slow connection, but direct access without the Cisco ACE is fast. The connection of this PC through the Cisco ACE and by direct access has no issue.
What do I need to do in my configuration? Below is my configuration:
logging enable
logging timestamp
logging trap 7
logging buffered 7
logging monitor 7
logging host 167.81.126.5 udp/514
logging host 137.55.152.147 udp/514
resource-class SG_01
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum equal-to-min
boot system image:c4710ace-mz.A3_2_0.bin
login timeout 30
peer hostname singapore-ace2
hostname singapore-ace1
interface gigabitEthernet 1/1
channel-group 14
no shutdown
interface gigabitEthernet 1/2
channel-group 14
no shutdown
interface gigabitEthernet 1/3
channel-group 14
no shutdown
interface gigabitEthernet 1/4
channel-group 14
no shutdown
interface port-channel 14
description ISOLAN-ACE-TRUNK
ft-port vlan 99
switchport trunk native vlan 1
switchport trunk allowed vlan 12,14,112
no shutdown
clock timezone SGT 8 0
ntp server 137.55.152.1
context Admin
member SG_01
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
ip domain-name ysn.psg.philips.com
probe http singapore_01
description This probe used to monitor application url-app-script
interval 5
passdetect interval 5
request method get url /insiteserverstatus/insiteserverstatus.aspx
expect status 200 200
open 1
probe http singapore_02
description This probe used to monitor IIS-login-page
interval 5
passdetect interval 5
request method get url /InSiteLumiledsApplication/
expect status 200 200
open 1
probe icmp uplink
description This probe used in conjunction with ft track host
interval 2
faildetect 2
passdetect interval 3
parameter-map type connection PARAM_L4STICKY-IP
exceed-mss allow
rserver host sggysnysn1ms013
ip address 137.55.152.135
inservice
rserver host sggysnysn1ms014
ip address 137.55.152.136
inservice
rserver host sggysnysn1ms018
ip address 137.55.152.145
inservice
serverfarm host PLI9058
probe singapore_01
probe singapore_02
rserver sggysnysn1ms013
inservice
rserver sggysnysn1ms014
inservice
rserver sggysnysn1ms018
inservice
sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
timeout 720
replicate sticky
serverfarm PLI9058
class-map type management match-any HTTPS-ALLOW_CLASS
class-map match-all L4STICKY-IP_141:ANY_CLASS
2 match virtual-address 137.55.152.141 any
class-map type http loadbalance match-any NO_MS018
50 match source-address 137.55.155.31 255.255.254.0
class-map type management match-any SSH-ALLOW_CLASS
2 match protocol ssh source-address 167.81.124.0 255.255.255.192
3 match protocol ssh source-address 167.81.126.0 255.255.255.192
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
class class-default
sticky-serverfarm SG_GROUP_01
insert-http X-Forwarded-For header-value "%is"
policy-map multi-match PLI9058-VIPs_POLICY
class L4STICKY-IP_141:ANY_CLASS
loadbalance vip inservice
loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
loadbalance vip icmp-reply
connection advanced-options PARAM_L4STICKY-IP
interface vlan 12
description Client-side vlan
bridge-group 1
no normalization
mac-sticky enable
access-group input ALL
access-group output ALL
service-policy input PLI9058-VIPs_POLICY
no shutdown
interface vlan 14
ip address 137.55.152.236 255.255.255.248
peer ip address 137.55.152.237 255.255.255.248
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 112
description Server-side vlan
bridge-group 1
no normalization
access-group input ALL
access-group output ALL
nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
no shutdown
interface bvi 1
ip address 137.55.152.189 255.255.255.192
alias 137.55.152.188 255.255.255.192
peer ip address 137.55.152.190 255.255.255.192
description Bridge-Group 1 Virtual Interface
no shutdown
ft interface vlan 99
ip address 192.168.1.1 255.255.255.252
peer ip address 192.168.1.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 100
heartbeat count 10
ft-interface vlan 99
ft group 1
peer 1
priority 150
peer priority 50
associate-context Admin
inservice
ft track host test1
track-host 137.55.152.234
peer track-host 137.55.152.235
peer probe uplink priority 50
probe uplink priority 50
ip route 0.0.0.0 0.0.0.0 137.55.152.233
Hi Earsdale,
All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
If you need help with this troubleshooting, you can always open a TAC service request.
Regards
Daniel -
RMI Connection Refused through Firewall
Hi,
I am having problems making an RMI connection through a firewall. On the server outside the firewall I have my servlet application running in an OC4J container and inside the firewall I have an EJB listening on port 6666. I have setup the firewall to allow connections through on port 6666. If I telnet from the machine outside the firewall on port 6666 I am able to make a connection to the EJB. So I know the firewall has been setup to handle the connection.
I run the servlet application and when it tries to make the connection it gives an error:
javax.naming.NamingException: Lookup error: java.net.ConnectException: Connection refused; nested exception is:
java.net.ConnectException: Connection refused
When I do a snoop on the external machine to see what data is trying to be sent to the internal machine there is no data. When doing the telnet test there was data.
I have the same servlet application deployed on a machine internally and it is able to make a connection to the EJB. The only problem is either the configuration of the application server on the external machine or the firewall configuration.
Anyone able to help me see what I am missing?
Thanks
Shawn Clark
Not sure what you mean by having an 'EJB listening' on port 6666. Do you mean actually having a socket listening within the EJB code? If so then that is suspicious EJB activity.
If not then I guess you mean the ORMI listening port of the OC4J application. This is normally set to port 23791 to allow the RMI communication to flow.
-lp