I have a client for whom we recently replaced a PIX 520 with a Netscreen25. Now, this has to be noted before I continue: there was NO previous issue with the PIX and IMAP connectivity WHATSOEVER.
They are experiencing an issue with the Netscreen, and the only service that is having a problem is IMAP connectivity. What is happening is that about 30 minutes or so in, users will attempt a connection to their mailbox, and there is a chance that about half of the users get the error message "Error attempting connection. Connection with the server was reset." The user mailboxes are being hosted by a third-party ISP. We have confirmed that the ISP is NOT the cause of the issue.
There is no special configuration on the Netscreen at all.
I have come up with a solution to the problem, but so far Netscreen hasn't answered the $64,000 question: WHY?!?! The resolution: Create a DIP, and then configure NAT on the service along with assigning it to the DIP pool.
Now, the TRUSTED interface is globally NAT'ing traffic to the UNTRUSTED interface, and we are not doing this on a per-service-basis.
Has anyone out there run into a problem like this? Does anyone have ANY explanation as to why using a DIP fixes this? We are at the point of telling the customer we are going to replace it with a PIX 515e (which is the right solution to begin with), but the SE recommended the Netscreen.
Oh yeah, we have escalated the TAC call to Level 3, and they are all morons there. They asked for a debug on the fw, we sent it to them, but they are still unable to answer our question.
Sorry for the long-winded post, and for the sense of hostility, but you have to understand that we are getting VERY little help from Netscreen, and our client is getting very impatient.
Thanks.
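For readers who want to see what the poster's workaround looks like in practice, here is an added ScreenOS-style configuration fragment. It is not from the original post or from the poster's firewall; the interface names (ethernet1 trust, ethernet3 untrust), the DIP pool id 5, the address 203.0.113.10 and the policy id 10 are all assumed placeholders. The first line reflects the "global" interface-mode NAT the poster describes (trust-side traffic translated to the untrust interface address); the last two lines show the DIP pool plus a per-service policy that sources IMAP from that pool instead, which is the change the poster reports as the fix.

```text
# Added example, not from the original post. Interface names, DIP id,
# address and policy id are assumptions.

# Interface-mode NAT on the trust interface: all outbound traffic is
# translated to the untrust interface's own IP (the poster's starting state).
set interface ethernet1 nat

# Dynamic IP (DIP) pool 5 on the untrust interface, a single assumed address.
set interface ethernet3 dip 5 203.0.113.10 203.0.113.10

# Policy-based NAT for IMAP only: source-translate through DIP pool 5
# rather than the untrust interface IP (the poster's workaround).
set policy id 10 from trust to untrust any any IMAP nat src dip-id 5 permit
```

Only IMAP is moved onto the DIP pool; every other service keeps using the interface-mode translation, which matches the poster's description that the fix was applied on a per-service basis rather than globally.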