Port 25 Delay

Port 25 Delay

[Matt Hemingway]

Okay.  I'm gonna try to keep this short.  I'm not gonna go into too much detail...yet.

Problem: It takes 5 minutes for any machine (any OS) on one subnet, which we'll call Subnet1, to connect to mail.server.com:25.  From the same subnet, Subnet1, and again, from any machine, connecting to a website that is hosted on mail.server.com:80 it works fine.

We have another subnet, which we'll call Subnet2, where connecting to mail.server.com:25 works fine.  The difference between the 2 subnets is a firewall, which is also the gateway for both subnets.  The rules governing the 2 subnets are basically the same, except that Subnet2 has tighter restrictions.  Connected to the firewall is a router, which traffic coming from both subnets, going and coming from the internet must travel.

What I do know is:

It's not a routing problem.
It's not ident or port 113.
It's not OS specific.
We're not being blocked.
user@mail.server.com can e-mail us with no problems.

I've run ethereal on a machine in Subnet1 and a machine in Subnet2. The packets going to and from both machines to mail.server.com are (almost) identical.

We've rebooted the firewall and router....still no luck.

Any and all suggestions would be greatly appreciated.  If you want some more info, lemme know.

Thanks and godspeed!

-Matt

p.s. the winner gets a hug and possibly, if I get drunk enough, a kiss.

-- 
================
Matt Hemingway
PCNAlert
www.pcnalert.com
626-585-2788
================

Re: Port 25 Delay

[Jon Fullmer]

What specifically are you using as a firewall?  A Cisco router? A PIX
firewall? A Foundry layer 3 switch?

 - Jon

on 7/16/03 6:55 PM, Matt Hemingway at matt.hemingway@pcnalert.com wrote:

> Okay.  I'm gonna try to keep this short.  I'm not gonna go into too much
> detail...yet.
> 
> Problem: It takes 5 minutes for any machine (any OS) on one subnet, which
> we'll call Subnet1, to connect to mail.server.com:25.  From the same subnet,
> Subnet1, and again, from any machine, connecting to a website that is hosted
> on mail.server.com:80 it works fine.
> 
> We have another subnet, which we'll call Subnet2, where connecting to
> mail.server.com:25 works fine.  The difference between the 2 subnets is a
> firewall, which is also the gateway for both subnets.  The rules governing the
> 2 subnets are basically the same, except that Subnet2 has tighter
> restrictions.  Connected to the firewall is a router, which traffic coming
> from both subnets, going and coming from the internet must travel.
> 
> What I do know is:
> 
> It's not a routing problem.
> It's not ident or port 113.
> It's not OS specific.
> We're not being blocked.
> user@mail.server.com can e-mail us with no problems.
> 
> I've run ethereal on a machine in Subnet1 and a machine in Subnet2. The
> packets going to and from both machines to mail.server.com are (almost)
> identical.
> 
> We've rebooted the firewall and router....still no luck.
> 
> Any and all suggestions would be greatly appreciated.  If you want some more
> info, lemme know.
> 
> Thanks and godspeed!
> 
> -Matt
> 
> p.s. the winner gets a hug and possibly, if I get drunk enough, a kiss.

Re: Port 25 Delay

[Jamie Harris]

> It's not ident or port 113.

And you're 100% sure on this yeah?  You want to ensure that your server is
reporting the port closed not silently dropping the packet (or the
firewall silently dropping the packet) as you'll get exactly the behaviour
you are describing - a very long wait while connections are retried to
ident on the assumption that earlier packets were lost.

> Any and all suggestions would be greatly appreciated.  If you want some
> more info, lemme know.

How are your reverse name lookups behaving?  Can you reverse lookup the
hosts on both subnets.

cheers

Jamie...

-- 
**  This message was transmitted on 100% recycled electrons **

Re: Port 25 Delay

[Matt Hemingway]

Yeah, the problem is the with reverse lookups.  It's a long, twisted scary story, but it should be resolved today.

Thanks for the reply's all!

-Matt

On Thu, 17 Jul 2003 09:08:05 +0100 (BST)
"Jamie Harris" <jamie@jharris.homeip.net> wrote:

> > It's not ident or port 113.
> 
> And you're 100% sure on this yeah?  You want to ensure that your server is
> reporting the port closed not silently dropping the packet (or the
> firewall silently dropping the packet) as you'll get exactly the behaviour
> you are describing - a very long wait while connections are retried to
> ident on the assumption that earlier packets were lost.
> 
> > Any and all suggestions would be greatly appreciated.  If you want some
> > more info, lemme know.
> 
> How are your reverse name lookups behaving?  Can you reverse lookup the
> hosts on both subnets.
> 
> cheers
> 
> Jamie...
> 
> -- 
> **  This message was transmitted on 100% recycled electrons **
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


-- 
================
Matt Hemingway
PCNAlert
www.pcnalert.com
626-585-2788
================