Iron port slow connection through firewall interface, data blanked out

Hi All
Installing a new pair of IronPort C170 appliances behind an ASA 5520 and currently getting a blanked-out response when connecting via telnet on port 25 to the outside interface. Testing this internally there are no issues and the hostname is shown, but from the outside, the response is very slow and some information is masked as xxxxxxx.
Going through the ASA, esmtp stateful packet inspection is removed and the IPS has already been ruled out.
Has anyone come across this issue before? Please could you shine some light on this.
Many thanks

Hello James,
When some of the information is masked, this means you still have SMTP fixup enabled on the ASA. I am not an expert on these devices, but here is an article on this topic that may be useful:
Article #1816: Why do we see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS? Link: http://tools.cisco.com/squish/E68cB
Hope that helps.
Andreas
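
The symptoms described in this thread can be checked from a captured SMTP session. The following is an added example, not part of the original posts: it parses the server side of a transcript and flags a masked banner, masked EHLO keywords, a missing STARTTLS offer and the "command not recognized" reply. Both transcripts are constructed, and treating a run of `*` as masking is an assumption; the thread itself only reports `x`/`X` runs.

```python
import re

# A run of 4+ 'X' (optionally followed by one letter, as in the XXXXXXXA the
# article title quotes) or 4+ '*' where a hostname or keyword should be.
# The '*' form is an assumption; the thread only reports 'x'/'X' masking.
MASK_RE = re.compile(r"(?:X{4,}[A-Z]?|\*{4,})", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed transcripts (server replies only), not captured from real hosts.
OUTSIDE_SAMPLE = """220 ************************************
250-mail.example.test
250-8BITMIME
250-SIZE 10485760
250 XXXXXXXA
500 #5.5.1 command not recognized
"""
INSIDE_SAMPLE = """220 mail.example.test ESMTP
250-mail.example.test
250-8BITMIME
250-SIZE 10485760
250 STARTTLS
220 Go ahead with TLS
"""

def parse_replies(transcript):
    """Group reply lines into (code, [text, ...]); 'NNN-' continues, 'NNN ' ends."""
    replies, lines = [], []
    for raw in transcript.splitlines():
        m = REPLY_RE.match(raw.rstrip("\r"))
        if not m:
            continue  # not a server reply line
        code, sep, text = m.groups()
        lines.append(text)
        if sep == " ":
            replies.append((int(code), lines))
            lines = []
    return replies

def inspection_findings(transcript):
    """Return a list of short finding tags; an empty list means nothing suspicious."""
    replies = parse_replies(transcript)
    if not replies:
        return ["no-smtp-replies"]
    findings = []
    banner_code, banner = replies[0]
    if banner_code == 220 and MASK_RE.search(banner[0]):
        findings.append("banner-masked")
    # First 250 reply after the banner is taken to be the EHLO response;
    # its first line is the greeting, the rest are extension keywords.
    ehlo = next((text for code, text in replies[1:] if code == 250), [])
    keywords = [t.split()[0].upper() for t in ehlo[1:] if t.strip()]
    for kw in keywords:
        if MASK_RE.fullmatch(kw):
            findings.append("ehlo-keyword-masked:" + kw)
    if ehlo and "STARTTLS" not in keywords:
        findings.append("starttls-not-offered")
    if any(code == 500 and "not recognized" in " ".join(text).lower()
           for code, text in replies):
        findings.append("command-not-recognized")
    return findings

if __name__ == "__main__":
    print("outside:", inspection_findings(OUTSIDE_SAMPLE))
    print("inside: ", inspection_findings(INSIDE_SAMPLE))
```

Running the same check from inside and outside the firewall separates a mail-server problem from something rewriting the session in transit.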

Similar Messages

  • Client connecting through firewall

    Hi
    We have two clustered servers. Our client is connecting through firewall NAT. When I connect to the first server the response is very slow and at the same time clustering is not working. If I stop the second server the response is fast.
    The same configuration is working fine when my client is local.
    Can you explain the reason for this problem?
    Presently I am using WebLogic 6.1 version.
    Thank you
              

    OK I spoke too soon. The user looked like it was working but it was working because it matched another IAS policy further down the list. It seems as though the PIX refuses to use ms-chap of any sort. If I include the authentication type in the VPN policy conditions as ms-chap, it skips the VPN policy I am using to authenticate this. If I remove it, then it gives an invalid authentication type as if whatever the PIX is sending the IAS server does not understand as ms-chap.
    It seems like the PIX authentication is totally wrong for use with IAS. What else do I need to add to this configuration to get it to work with ms-chap of any kind? I really don't get it.

  • Why is my iphone 4s slow connecting through wifi

    Hi, I've just got my new iPhone 4S, all set up OK, but when I want to go on the internet through wifi, it is painfully slow.
    Connecting through 3G is fine, but wifi is a no go. The phone does recognise my network, just doesn't connect to the internet. Any help would be great.
    Many thanks

    You're welcome.
    You tried every thing listed/provided including resetting your router and checking/changing the channels along with everything included with this link?
    http://support.apple.com/kb/HT4199
    Have you reset network settings on the iPhone?
    Have you tried connecting the iPhone to any other wireless network? Any problem there?

  • We traded our home internet service for a Sprint Hot Spot.  The hot spot does not have an ethernet port to connect through.  Can we connect our time capsule to the wireless hot spot?

    Hello, we switched our home internet service from an ethernet modem to a wireless hot spot. 
    Do you know if there is a way to connect our time capsule to the hot spot? 
    Everything I read only suggests connecting through an ethernet cable.  I'm hoping there is a way to do this.
    Any help would be appreciated!
    Thanks!!!

    No, you can't join a wireless hotspot with a Time Capsule directly via its 'join' option (tried and failed - well, to be exact, it kinda works but the Time Capsule's ethernet ports no longer work).
    What you can do is buy an AirPort Express and use its 'join' option to connect to the iPhone's hotspot. Then you connect the AirPort Express via ethernet to the Time Capsule (in bridge mode).
    You can then connect your computers to the Time Capsule via ethernet or use its wireless function to set up a wireless network (with a different name to that of the hotspot) that your wifi stuff can connect to.
    Thingi

  • Slow Connection Through Base Station

    I have a Virgin 10MB cable connection and it's normally bang on 10MB as measured using speedtest.net
    If I connect through my Airport Extreme Base Station I get between 1MB and 2MB.
    This never used to happen, started about 2-3 weeks ago. Can't see anything in the Airport config that would really change this and certainly haven't made any config changes myself.
    This is for a wired connection - not tested wireless.
    Any help appreciated

    I have the same problem. I am using Virgin Media's 20Mb/s cable service with their cable modem.
    Connecting the modem directly to my Macbook, I get 18Mb/s at the ZDNet speedtest.
    Connecting a TimeCapsule (which is similar to an Airport Extreme) between the Macbook and the cable modem (wired, not wireless) the speed drops to 0.5Mb/s
    Previously, I was using an ADSL connection and the TimeCapsule worked fine.
    I have no solution but I would be very interested in resolving this issue.
    Thanks
    Andrew

  • Slow connection through a Linksys WET11

    Hi There! I have a WET11 connected to a slot loading iMac. It has been configured and picks up the Netgear WPN824 router, which is on the floor below.
    The iMac can connect to the internet but it is incredibly slow; slower than dial-up. How can I improve the speed through the WET11? Many thanks for your input. jd


  • Making connection through firewall

    Hi,
    I'm using Oracle Database server 8i (Enterprise Edition 8.1.7.0.0) and it's working fine. Now the students want to work at home and I have to route port 1521 to the internet but... Whenever I try to make a connection to the server I get a time-out. And no, with the option CONNECTION_TIMEOUT_LISTENER = 0 configured at the server, it isn't working....
    For the routing, I'm using debian 3.0 with iptables (all other routing and configurations of the firewall are working)
    Can someone help me with the problem?
    Greets,
    Bart


  • Getting error when attempting to connect through infiniband interface

    Hello,
    I launched Coherence with -Dtangosol.coherence.localhost=<infiniband address> on two machines. I get a message saying that one machine connected to the other, but no partitions are transferred. Instead I get a runtime exception on my main thread. The code works fine; I tried with the ethernet address and the code ran.
    I also tried the multicast test on these two machines through their respective infiniband interfaces and I got messages being transferred.
    Any thoughts on something I might have missed?

    Hi Armando,
    Can you please post the Coherence as well as multicast test logs from both nodes as an attachment to this thread.
    thanks,
    mark

  • Ip connectivity through firewall segments

    Hi,
    We have an ASA that attaches to 6500-Core. The rough network diagram is attached here.
    IP Segments B & C have SVIs on the core, whereas Segment A is on the ASA (Segment A is new & needs to be created).
    The leg connecting ASA to Core is on security level 100 with name as Internal , the other leg of ASA connecting upwards to routers are on security level 0 with name as External.
    If we need to add Segment A on ASA, can we assign it a security level of 50 ? The requirement is:
    1. Segment A needs to talk to Segment B , but it shouldn't be talking to Segment C (includes ping response also)
    How can we achieve this? Appreciate all help.

    Hi,
    The use of "security-level" alone as a means to control which traffic is allowed is not advisable unless your network is a very simple home/small office network. Judging by your information you have a setup that won't really work well with this kind of simple setting.
    The problem with "security-level" is that it makes no distinction between the networks behind an interface. So if a source interface's "security-level" is higher than the destination interface's "security-level" then all networks behind the source interface can access any network behind the destination interface. This makes it impossible to control the traffic on a per-network basis.
    I would suggest that you use an interface ACL to control the traffic on your interfaces. At least this new one that you are creating.
    You would have to create an ACL that first blocks traffic from Segment A to Segment C and then allows all other traffic from Segment A (which would mean Internet access and connections to Segment B would be allowed)
    At its simplest the interface ACL would look like this
    access-list SEGMENT-A-IN remark Deny traffic to Segment C
    access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
    access-list SEGMENT-A-IN remark Allow all other traffic
    access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
    access-group SEGMENT-A-IN in interface
    This would not block the ICMP Echo reply from Segment A to Segment C. You would either have to block ICMP Echo from Segment C to Segment A or you would perhaps need to disable ICMP Inspection if you have it enabled and then the above ACL would also block ICMP Echo Reply.
    Hope this helps
    - Jouni
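
The rule ordering in the ACL above matters because an interface ACL is evaluated top-down with first match winning and an implicit deny at the end. The following is an added example, not part of Jouni's post: it parses the four `access-list` lines from the reply and evaluates sample flows. The Segment B address (10.70.10.0/24) and the host addresses are constructed, and the model covers only the stateless ACL lookup, not ICMP inspection or return traffic.

```python
import ipaddress

# ACL lines as posted in the reply above.
ACL_TEXT = """\
access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
"""

def take_network(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tokens.pop(0))

def parse_acl(text):
    """Return ordered rules as (action, protocol, src_net, dst_net); remarks skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        rest = tokens[2:]
        if rest[0] == "extended":  # optional keyword
            rest.pop(0)
        action, proto = rest.pop(0), rest.pop(0)
        src = take_network(rest)
        dst = take_network(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, src, dst, proto="ip"):
    """First matching rule wins; returns (action, rule_index) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rule_proto, src_net, dst_net) in enumerate(rules):
        if rule_proto in ("ip", proto) and s in src_net and d in dst_net:
            return action, i
    return "deny", None  # implicit deny at the end of every ACL

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed flows: Segment A host to Segment C, then to assumed Segment B.
    print(evaluate(RULES, "10.80.10.5", "10.60.10.9"))   # A -> C
    print(evaluate(RULES, "10.80.10.5", "10.70.10.9"))   # A -> B (assumed subnet)
    # Same rules in the wrong order: the broad permit shadows the deny.
    print(evaluate(list(reversed(RULES)), "10.80.10.5", "10.60.10.9"))
```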

  • Connecting through firewall

    I am connecting remotely to a computer with full access to our company firewall.  The router (WRT54G v6) is causing the IP address to change on the wired computer and rendering it blocked by the company firewall.
    Is there a way to retain the original IP address settings on the wired computer and still hookup wirelessly from mine?

    When you assign your wired computer a static LAN IP address, you will need to do this in the computer itself, not in the router.  Also, be sure to follow the Linksys rules regarding the proper method of assigning a static LAN IP address.
    For more information on this topic, please see my previous post at:
     http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=10070&query.id=...

  • Sockets connection through firewall

    Is there any way to make a connection between a socket outside the FireWall and a server socket inside?

    Usually a firewall is transparent to software making socket connections, so it would really depend on the firewall configuration, if it will let the communication happen.

  • Slow connection through Oracle ODBC

    Hello,
    I have problems with connecting to ORACLE from IIS (Win2000) using Oracle's ODBC driver.
    I am using Oracle 8.1.7 SE. I tried to change connection pooling timeout of the ODBC driver, but still connections time out after a minute or so and it takes 6-8 seconds to load a simple web page that reads only ~ 1 kb of information from ORACLE. The time to establish a connection to MS (Access ,SQL server) is less than a second. How can I establish connections to ORACLE faster?
    Please help,
    thanks,
    Gyorgy

    Justin,
    thanks for your quick replies.
    Using Oracle ODBC 32Bit Test:
    the connection seems instantaneous. I tried to enable connection pooling for the Oracle ODBC driver with a wait in the pool for 600s. Maybe this will keep it live and I can instantiate a fake connection every 10 minutes? I do not know what else I could try ...
    Gyorgy
    Quote, originally posted by Justin Cave:
    Can you try connecting via ODBCTest or via the 'Test Connection' button in the DSN creation dialog box, to see how long that takes? Your tnspings are certainly reasonable.
    I'm curious as to whether you see a difference between connecting via a DSN or through a DSN-less connection string.
    Justin

  • Connecting through firewall (weird problem)

    Hello,
    I'm having a very weird problem with JMX on a Linux server. I'm aware of the fact that the out-of-the-box JMX agent doesn't work with firewalls and I'm using a custom agent or rather I'm trying to. The problem is that JConsole/Custom Client fails to connect to the agent with a NoSuchObjectException.
    The Server side code looks as follows
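    import java.lang.management.ManagementFactory;
    import java.rmi.registry.LocateRegistry;
    import javax.management.MBeanServer;
    import javax.management.remote.JMXConnectorServer;
    import javax.management.remote.JMXConnectorServerFactory;
    import javax.management.remote.JMXServiceURL;
    public class TestServer {
        public static void main(String[] args) throws Exception {
            System.setProperty("java.rmi.server.randomIDs", "true");
            // RMI registry on 15003; the URL below exports the connector's RMI server object on 15002
            LocateRegistry.createRegistry(15003);
            MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
            JMXServiceURL serviceUrl = new JMXServiceURL(
                "service:jmx:rmi://localhost:15002/jndi/rmi://localhost:15003/jmxrmi");
            JMXConnectorServer connectorServer = JMXConnectorServerFactory
                .newJMXConnectorServer(serviceUrl, null, mbs);
            connectorServer.start();
            Thread.sleep(Integer.MAX_VALUE);
        }
    }
    The Client side code looks as follows
    import javax.management.remote.JMXConnector;
    import javax.management.remote.JMXConnectorFactory;
    import javax.management.remote.JMXServiceURL;
    public class TestClient {
        public static void main(String[] args) throws Exception {
            // The JNDI lookup in this URL goes to port 15002 on the remote host
            JMXServiceURL u = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://ec2-67-202-2-113.z-2.compute-1.amazonaws.com:15002/jmxrmi");
            JMXConnector c = JMXConnectorFactory.connect(u);
        }
    }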
    The Exception I'm getting is
    Exception in thread "main" java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.NoSuchObjectException: no such object in table]
         at javax.management.remote.rmi.RMIConnector.connect(Unknown Source)
         at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
         at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
         at foo.bar.TestClient.main(TestClient.java:12)
    The Java version on the Server is
    java version "1.6.0_02"
    Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
    Java HotSpot(TM) Client VM (build 1.6.0_02-b05, mixed mode, sharing)

    You were right. There was one more thing though which I figured out with Wireshark/Ethereal. The machines in Amazon's EC2 Network are running behind a NAT or something and I had to specify the external address with -Djava.rmi.server.hostname=BlaBlub.

  • Slow connection in one server if accessing through Cisco ACE

    Hi,
    Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server 3 application via the Cisco ACE, it experiences a slow connection, but with direct access, without the Cisco ACE, it's fast. The connection of this PC through cisco ace and direct access have no issue.
    What do I need to do in my configuration? Below is my configuration:
    logging enable
    logging timestamp
    logging trap 7
    logging buffered 7
    logging monitor 7
    logging host 167.81.126.5 udp/514
    logging host 137.55.152.147 udp/514
    resource-class SG_01
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 10.00 maximum equal-to-min
    boot system image:c4710ace-mz.A3_2_0.bin
    login timeout 30
    peer hostname singapore-ace2
    hostname singapore-ace1
    interface gigabitEthernet 1/1
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 14
      no shutdown
    interface port-channel 14
      description ISOLAN-ACE-TRUNK
      ft-port vlan 99
      switchport trunk native vlan 1
      switchport trunk allowed vlan 12,14,112
      no shutdown
    clock timezone SGT 8 0
    ntp server 137.55.152.1
    context Admin
      member SG_01
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 9 extended permit icmp any any
    ip domain-name ysn.psg.philips.com
    probe http singapore_01
      description This probe used to monitor application url-app-script
      interval 5
      passdetect interval 5
      request method get url /insiteserverstatus/insiteserverstatus.aspx
      expect status 200 200
      open 1
    probe http singapore_02
      description This probe used to monitor IIS-login-page
      interval 5
      passdetect interval 5
      request method get url /InSiteLumiledsApplication/
      expect status 200 200
      open 1
    probe icmp uplink
      description This probe used in conjunction with ft track host
      interval 2
      faildetect 2
      passdetect interval 3
    parameter-map type connection PARAM_L4STICKY-IP
      exceed-mss allow
    rserver host sggysnysn1ms013
      ip address 137.55.152.135
      inservice
    rserver host sggysnysn1ms014
      ip address 137.55.152.136
      inservice
    rserver host sggysnysn1ms018
      ip address 137.55.152.145
      inservice
    serverfarm host PLI9058
      probe singapore_01
      probe singapore_02
      rserver sggysnysn1ms013
        inservice
      rserver sggysnysn1ms014
        inservice
      rserver sggysnysn1ms018
        inservice
    sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
      timeout 720
      replicate sticky
      serverfarm PLI9058
    class-map type management match-any HTTPS-ALLOW_CLASS
    class-map match-all L4STICKY-IP_141:ANY_CLASS
      2 match virtual-address 137.55.152.141 any
    class-map type http loadbalance match-any NO_MS018
      50 match source-address 137.55.155.31 255.255.254.0
    class-map type management match-any SSH-ALLOW_CLASS
      2 match protocol ssh source-address 167.81.124.0 255.255.255.192
      3 match protocol ssh source-address 167.81.126.0 255.255.255.192
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
      class class-default
        sticky-serverfarm SG_GROUP_01
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match PLI9058-VIPs_POLICY
      class L4STICKY-IP_141:ANY_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
        loadbalance vip icmp-reply
        connection advanced-options PARAM_L4STICKY-IP
    interface vlan 12
      description Client-side vlan
      bridge-group 1
      no normalization
      mac-sticky enable
      access-group input ALL
      access-group output ALL
      service-policy input PLI9058-VIPs_POLICY
      no shutdown
    interface vlan 14
      ip address 137.55.152.236 255.255.255.248
      peer ip address 137.55.152.237 255.255.255.248
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 112
      description Server-side vlan
      bridge-group 1
      no normalization
      access-group input ALL
      access-group output ALL
      nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
      no shutdown
    interface bvi 1
      ip address 137.55.152.189 255.255.255.192
      alias 137.55.152.188 255.255.255.192
      peer ip address 137.55.152.190 255.255.255.192
      description Bridge-Group 1 Virtual Interface
      no shutdown
    ft interface vlan 99
      ip address 192.168.1.1 255.255.255.252
      peer ip address 192.168.1.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 99
    ft group 1
      peer 1
      priority 150
      peer priority 50
      associate-context Admin
      inservice
    ft track host test1
      track-host 137.55.152.234
      peer track-host 137.55.152.235
      peer probe uplink priority 50
      probe uplink priority 50
    ip route 0.0.0.0 0.0.0.0 137.55.152.233

    Hi Earsdale,
    All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
    I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
    Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
    If you need help with this troubleshooting, you can always open a TAC service request.
    Regards
    Daniel

  • RMI Connection Refused through Firewall

    Hi,
    I am having problems making an RMI connection through a firewall. On the server outside the firewall I have my servlet application running in an OC4J container and inside the firewall I have an EJB listening on port 6666. I have setup the firewall to allow connections through on port 6666. If I telnet from the machine outside the firewall on port 6666 I am able to make a connection to the EJB. So I know the firewall has been setup to handle the connection.
    I run the servlet application and when it tries to make the connection it gives an error:
    javax.naming.NamingException: Lookup error: java.net.ConnectException: Connection refused; nested exception is:
    java.net.ConnectException: Connection refused
    When I do a snoop on the external machine to see what data is trying to be sent to the internal machine there is no data. When doing the telnet test there was data.
    I have the same servlet application deployed on a machine internally and it is able to make a connection to the EJB. The only problem is either the configuration of the application server on the external machine or the firewall configuration.
    Anyone able to help me see what I am missing?
    Thanks
    Shawn Clark

    Not sure what you mean by having an 'EJB listening' on port 6666. Do you mean actually having a socket listening within the EJB code? If so, then that is a suspicious EJB activity.
    If not, then I guess you mean the ORMI listening port of the OC4J application. This is normally set on port 23791 to allow the RMI communication to flow.
    -lp
