Connect loses the mail connection to the outer world
  •  
MGyHardSoft

A strange thing has been happening for a month or two. After a while Connect cannot be contacted from the external network for SMTP, Outlook or Web Client (HTTPS). What is really strange: if I VPN in to the local network, Web Client works perfectly from there.

1. I tried to restart the internal services of Connect. Does not help.
2. I tried to restart Connect service itself. Does not help.
3. What helps is to reboot the whole machine. "Fortunately" I can connect to the local network via (Kerio Control) VPN, and Web Admin works from there, so I can perform the reboot.

The fact that Connect heals by rebooting the machine indicates that there are no external factors in the problem (e.g. no firewall or DNS issue). I tried to find anything in the logs, even in the operating system's logs, without success. The machine is healthy, RAM usage is around 40 %, processor usage is around 5 %.

What is even more strange: I have two almost identical configurations which do the same:
- Kerio Control firewall 9.0.0 Virtual Appliance (VA)
- Kerio Connect 9.0.1 (394) running on Debian GNU/Linux 7.9 (Kerio VA), x86_64, with the latest operating system patches
- VMware ESXi 5.5U3 with the latest patch
- HP DL360p Gen8 server

The differences:
Server 1 uses VMware drivers, and the Connect runs as guest version 8, the other server uses HP drivers and the Connect runs as guest version 4. Server 1 had Connect 9 RC1 installed at some time, Server 2 was upgraded always to official versions, one-by-one.

Two days ago I patched both ESXi-s and after the reboot I had to restart Server 2 again, then this morning again. Server 1 seems to work since then but the whole phenomenon is random, so it does not mean anything.

Both servers are running for years now with the latest HP patches. Two months ago everything was normal and unfortunately the errors cannot be connected to any specific change.

Have you got anything similar, or does anyone have a solution? What I thought is to make a backup, install fresh Connect and make a restore to that server, however, it is a lot of work and nothing assures that it will help.

Rgrds - Gyula
  •  
PastaPaul

MGyHardSoft wrote on Tue, 19 January 2016 10:56
After a while Connect cannot be contacted from the external network for SMTP, Outlook or Web Client (HTTPS). What is really strange: if I VPN in to the local network, Web Client works perfectly from there.


If it's working on the VPN (and I assume then for systems on the LAN), then it's more likely related to DNS or something with Kerio Control.

To check if it's a DNS issue on the client, when the problem happens try to access the Kerio Connect webmail from the client browser using the IP address rather than the DNS name.


Paul
  •  
MGyHardSoft

PastaPaul wrote on Tue, 19 January 2016 06:20
If it's working on the VPN (and I assume then for systems on the LAN), then it's more likely related to DNS or something with Kerio Control.

But how can it be repaired with rebooting Control, which should have no effect on Control or DNS?

PastaPaul wrote on Tue, 19 January 2016 06:20
To check if it's a DNS issue on the client, when the problem happens try to access the Kerio Connect webmail from the client browser using the IP address rather than the DNS name.

Unfortunately it is not feasible as the whole site is behind a single IP and the reverse proxy should know the name from the request to dispatch it to the right server. The reverse proxy in Control sends the incoming requests to the IP addresses of the servers.

[Updated on: Tue, 19 January 2016 10:02]


Rgrds - Gyula
  •  
UnifiedTechs-Brian

Have you tried restarting just the Control service instead of rebooting the whole machine? You have not ruled out an OS issue yet. You don't mention what OS it is installed on.

(Not saying it is not Connect causing the issue but this will confirm your belief)

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
Brian Carmichael (Kerio)

To confirm, restarting Kerio Control fixes the issue, correct? Based on your first reply I understood that rebooting the Kerio Connect system temporarily resolved the issue.
Regardless, I would investigate two things:
- Default gateway on Kerio Connect system. Make sure there is only one default route. Feel free to include the output of the routing table on your Kerio Connect system.
- Maximum connection limit in Kerio Control. Make sure you are running Kerio Control 9 as there were some improvements to the connection limit feature. Make sure the connection limits are set to the default values as described in this KB article http://kb.kerio.com/product/kerio-control/security/configuring-connection-limits-1756.html

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
MGyHardSoft

UnifiedTechs-Brian wrote on Tue, 19 January 2016 19:08
Have you tried restarting just the Control service instead of rebooting the whole machine? You have not ruled out an OS issue yet. You don't mention what OS it is installed on.

(Not saying it is not Connect causing the issue but this will confirm your belief)

Hi Brian, as I wrote in Point 1. and 2. I tried to restart first the internal Control services (SMTP, HTTPS, etc.), then the Kerio Control service (/etc/init.d/... restart) itself, but none of them helped, only the reboot of the whole Linux server.
The operating system (as is also written) is "Debian GNU/Linux 7.9 (Kerio VA), x86_64, with the latest operating system patches". "Kerio VA" means the official Kerio Virtual Appliance, it was installed from the OVF link of Kerio homepage, and I regularly run "apt-get update" and "apt-get upgrade" (maybe these cause the problem?).

Rgrds - Gyula
  •  
UnifiedTechs-Brian

Sorry my brain must have been elsewhere when I was typing as you do state all of that in your original post, it happens.

I'll bow out as my Linux skills are not anywhere near my windows experience.

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
MGyHardSoft

UnifiedTechs-Brian wrote on Tue, 19 January 2016 22:37
Sorry my brain must have been elsewhere when I was typing as you do state all of that in your original post, it happens.

I'll bow out as my Linux skills are not anywhere near my windows experience.

Anyway, thanks, Brian, that you tried to help!

Rgrds - Gyula
  •  
MGyHardSoft

Brian Carmichael (Kerio) wrote on Tue, 19 January 2016 19:21
To confirm, restarting Kerio Control fixes the issue, correct? Based on your first reply I understood that rebooting the Kerio Connect system temporarily resolved the issue.
Regardless, I would investigate two things:
- Default gateway on Kerio Connect system. Make sure there is only one default route. Feel free to include the output of the routing table on your Kerio Connect system.
- Maximum connection limit in Kerio Control. Make sure you are running Kerio Control 9 as there were some improvements to the connection limit feature. Make sure the connection limits are set to the default values as described in this KB article http://kb.kerio.com/product/kerio-control/security/configuring-connection-limits-1756.html

Hello Mr. Carmichael! :)
Restarting/rebooting Kerio Control does not help.

- ad route: both Connect servers have two routes:
Destination Gateway Genmask Flags Metric Ref Use Iface
default (Kerio Control) 0.0.0.0 UG 0 0 0 eth0
192.168.n.0 * 255.255.255.0 U 0 0 0 eth0
or in another format:
default via (Kerio Control) dev eth0
192.168.n.0/24 dev eth0 proto kernel scope link src 192.168.n.m

Maybe I am asking some stupid thing, but are the inbound connections affected by the routes?

- ad connection limit: I have just verified the logs of Control and the last connection overload happened a month ago:
[22/Dec/2015 15:50:17] CONNLIMIT(DST_PER_SRC) connlimit="100" dsthost=...
I did run Control 9.0.0 until this evening, now it is 9.0.1. They are the official Virtual Appliances, except for Server 1 the virtual machine is upgraded to version 8.

[Updated on: Wed, 20 January 2016 01:06]


Rgrds - Gyula
  •  
PastaPaul

MGyHardSoft wrote on Tue, 19 January 2016 17:58

But how can it be repaired with rebooting Control, which should have no effect on Control or DNS?


Agreed, unless the restart is forcing it to refresh something in the DNS? Can you confirm that users on the LAN always have access even when users on the outside network don't.

MGyHardSoft wrote on Tue, 19 January 2016 17:58

Unfortunately it is not feasible as the whole site is behind a single IP and the reverse proxy should know the name from the request to dispatch it to the right server. The reverse proxy in Control sends the incoming requests to the IP addresses of the servers.


I'm not overly familiar with reverse proxy. My system uses a single IP and through Kerio Control I use NAT to reach the desired destination server. We already use port 443 for a webpage, so (after some good advice from Kerio) I setup a map to Kerio Connect using port 4043. To access the webmail we use https://xxx.xxx.xxx:4043/webmail




  •  
MGyHardSoft

PastaPaul wrote on Wed, 20 January 2016 00:10
Agreed, unless the restart is forcing it to refresh something in the DNS? Can you confirm that users on the LAN always have access even when users on the outside network don't.

Thanks, it is really a possibility! Next time I try to restart only networking instead of rebooting the server. (There is only one problem: Server2 is a customer's one so it is not very polite to experiment with that...)

PastaPaul wrote on Wed, 20 January 2016 00:10
I'm not overly familiar with reverse proxy. My system uses a single IP and through Kerio Control I use NAT to reach the desired destination server. We already use port 443 for a webpage, so (after some good advice from Kerio) I setup a map to Kerio Connect using port 4043. To access the webmail we use https://xxx.xxx.xxx:4043/webmail

Reverse proxy is The Second Best Thing after the free beer. I operate a couple of webservers so I already use it, it was rather simple to include Connect, too.

Rgrds - Gyula
  •  
Brian Carmichael (Kerio)

I think you are mixing Kerio Control and Kerio Connect. If I understand, restarting the entire server for Kerio Connect fixes the issue (not restarting Kerio Control). In this case, the issue is probably related to some type of local networking issue.
Possible networking issues that match the symptoms you describe:
- IPv6 is inadvertently being favored somehow (and doesn't work).
- Your networking equipment is forgetting the port associated with your Kerio Connect system due to inactivity and it only gets refreshed when you reboot (because the Kerio Connect system sends an ARP update).

Note that the reverse proxy only supports HTTP(S) so while remote access doesn't work, it would be interesting to know if it affects other protocols like SMTP or IMAP.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
MGyHardSoft

Brian Carmichael (Kerio) wrote on Wed, 20 January 2016 01:00
I think you are mixing Kerio Control and Kerio Connect. If I understand, restarting the entire server for Kerio Connect fixes the issue (not restarting Kerio Control). In this case, the issue is probably related to some type of local networking issue.
Possible networking issues that match the symptoms you describe:
- IPv6 is inadvertently being favored somehow (and doesn't work).
- Your networking equipment is forgetting the port associated with your Kerio Connect system due to inactivity and it only gets refreshed when you reboot (because the Kerio Connect system sends an ARP update).

Note that the reverse proxy only supports HTTP(S) so while remote access doesn't work, it would be interesting to know if it affects other protocols like SMTP or IMAP.

I wish I could write that I just wanted to test your watchfulness, but unfortunately not. Yes, my sentence referred to Connect, not to Control (I edited it to avoid confusion later).
Actually I tried also to restart Control and then reboot the whole firewall, but that really did not help.
Thank you for your advice, the next thing I will do is to switch off IPv6, it is not used anyway (yet).
My networking equipment is the VMware ESXi 5.5 switches. The whole thing including the firewall, the mail server, the webservers and others (e.g. MailStore Server) run on a single ESXi host and the machines are connected through the ESXi virtual switches. Connect itself has no direct connection to any of the network cards of the physical server.
Unfortunately in the error state the incoming SMTP is also blocked.

[Updated on: Wed, 20 January 2016 01:56]


Rgrds - Gyula
  •  
MGyHardSoft

It can also be interesting: Connect 1 uses static IP, Connect 2 uses DHCP. I doubt that restarting the networking on the first server will cause any effect, but we will see...

[Updated on: Wed, 20 January 2016 01:55]


Rgrds - Gyula
  •  
Brian Carmichael (Kerio)

I doubt the DHCP configuration makes any difference. When the problem happens, perform some tests from the Kerio Connect operating system to see if it can ping past the firewall or resolve hostnames.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
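
The checks suggested in this thread (a single default route, listeners on the SMTP and HTTPS ports, reachability and name resolution past the firewall, the gateway's ARP entry), gathered into one script to run on the Kerio Connect host while the outage is in progress. This is an added example, not code from any poster or from Kerio; the function names are hypothetical and the two arguments to `triage` are values you supply.

```shell
#!/bin/sh
# Added example (not from the thread): evidence to collect on the Kerio Connect
# host while external access is down. Function names are hypothetical.

# Count default routes in `ip route` output on stdin; the thread expects exactly 1.
count_default_routes() {
    awk '$1 == "default" { n++ } END { print n + 0 }'
}

# Given `ss -ltn` (or `netstat -ltn`) output on stdin and a space-separated port
# list in $1, print the ports that have no listening socket at all.
missing_listeners() {
    awk -v want="$1" '
        { n = split($4, a, ":"); seen[a[n]] = 1 }   # field 4 is local addr:port
        END {
            m = split(want, p, " ")
            for (i = 1; i <= m; i++)
                if (!(p[i] in seen)) out = out (out == "" ? "" : " ") p[i]
            print out
        }'
}

# Report whether a host answers two pings within 2 seconds each.
reach() {
    if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo "$1: reachable"
    else echo "$1: NO REPLY"; fi
}

# triage <ip-beyond-firewall> <hostname-to-resolve>; both arguments are
# supplied by the operator.
triage() {
    gw=$(ip route | awk '$1 == "default" { print $3; exit }')
    echo "default routes: $(ip route | count_default_routes) (expected 1)"
    echo "ports without listener: $(ss -ltn | missing_listeners '25 443')"
    reach "$gw"                       # the firewall itself
    reach "$1"                        # something past the firewall
    getent hosts "$2" || echo "$2: DNS resolution FAILED"
    ip neigh show to "$gw"            # neighbour (ARP) entry state for the gateway
}

# Only touch the network when called with arguments, e.g.:
#   sh triage.sh 203.0.113.10 mail.example.com   (placeholder values)
if [ "$#" -ge 2 ]; then triage "$1" "$2"; fi
```

Saving the output from a healthy period and from an outage makes the two states directly comparable.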