GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Connect looses the mail connection to the outer world (Connect looses the mail connection to the outer world)
Connect looses the mail connection to the outer world [message #127240] Tue, 19 January 2016 00:56 Go to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
There is a strange thing happens since a month or two. After a while Connect cannot be contacted to from the external network for SMTP, Outlook or Web Client (HTTPS). What is really strange: if I VPN in to the local network, Web Client works perfectly from there.

1. I tried to restart the internal services of Connect. Does not help.
2. I tried to restart Connect service itself. Does not help.
3. What helps is to reboot the whole machine. "Fortunately" I can connect to the local network via (Kerio Control) VPN, and Web Admin works from there, so I can perform the reboot.

The fact that Connect heals by rebooting the machine indicates that there is no external factors in the problem (e.g. no firewall or DNS issue). I tried to find anything in the logs, even in the operating system's logs, without success. The machine is healthy, RAM usage is around 40 %, processor usage is around 5 %.

What is even more strange: I have two almost identical configuration which do the same:
- Kerio Control firewall 9.0.0 Virtual Appliance (VA)
- Kerio Connect 9.0.1 (394) running on Debian GNU/Linux 7.9 (Kerio VA), x86_64, with the latest operating system patches
- VMware ESXi 5.5U3 with the latest patch
- HP DL360p Gen8 server

The differences:
Server 1 uses VMware drivers, and the Connect runs as guest version 8, the other server uses HP drivers and the Connect runs as guest version 4. Server 1 had Connect 9 RC1 installed at some time, Server 2 was upgraded always to official versions, one-by-one.

Two days ago I have patched both ESXi-s and after the reboot I had to restart Server 2 again, then this morning again. Server 1 seem to work since then but the whole phenomenon is random, so it does not mean anything.

Both servers are running for years now with the latest HP patches. Two months ago everything was normal and unfortunately the errors cannot be connected to any specific change.

Have you got anything similar, or does anyone have a solution? What I thought is to make a backup, install fresh Connect and make a restore to that server, however, it is a lot of work and nothing assures that it will help.


Rgrds - Gyula
Re: Connect looses the mail connection to the outer world [message #127243 is a reply to message #127240] Tue, 19 January 2016 06:20 Go to previous messageGo to next message
PastaPaul is currently offline  PastaPaul
Messages: 11
Registered: March 2015
Location: Melbourne Australia
MGyHardSoft wrote on Tue, 19 January 2016 10:56
After a while Connect cannot be contacted to from the external network for SMTP, Outlook or Web Client (HTTPS). What is really strange: if I VPN in to the local network, Web Client works perfectly from there.


If it's working on the VPN (and I assume then for systems on the LAN), then it's more likely related to DNS or something with Kerio Control.

To check if it's a DNS issue on the client, when the problem happens try to access the Kerio Connect webmail from the client browser using the IP address rather than the DNS name.


Paul
Re: Connect looses the mail connection to the outer world [message #127245 is a reply to message #127243] Tue, 19 January 2016 07:58 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
PastaPaul wrote on Tue, 19 January 2016 06:20
If it's working on the VPN (and I assume then for systems on the LAN), then it's more likely related to DNS or something with Kerio Control.

But how can it be repaired with rebooting Control, which should have no effect on Control or DNS?

PastaPaul wrote on Tue, 19 January 2016 06:20
To check if it's a DNS issue on the client, when the problem happens try to access the Kerio Connect webmail from the client browser using the IP address rather than the DNS name.

Unfortunately it is not feasible as the whole site is behind a single IP and the reverse proxy should know the name from the request to dispatch it to the right server. The reverse proxy in Control sends the incoming requests to the IP addresses of the servers.


Rgrds - Gyula

[Updated on: Tue, 19 January 2016 10:02]

Report message to a moderator

Re: Connect looses the mail connection to the outer world [message #127263 is a reply to message #127245] Tue, 19 January 2016 19:08 Go to previous messageGo to next message
UnifiedTechs-Brian is currently offline  UnifiedTechs-Brian
Messages: 159
Registered: March 2011
Location: Vero Beach, FL
Have you tried restarting just the Control service instead of rebooting the whole machine? You have not ruled out an OS issue yet. You don't mention what OS it is installed on.

(Not saying it is not Connect causing the issue but this will confirm your belief)


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
Re: Connect looses the mail connection to the outer world [message #127265 is a reply to message #127263] Tue, 19 January 2016 19:21 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
To confirm, restarting Kerio Control fixes the issue, correct? Based on your first reply I understood that rebooting the Kerio Connect system temporarily resolved the issue.
Regardless, I would investigate two things:
- Default gateway on Kerio Connect system. Make sure there is only one default route. Feel free to include the output of the routing table on your Kerio Connect system.
- Maximum connection limit in Kerio Control. Make sure you are running Kerio Control 9 as there were some improvements to the connection limit feature. Make sure the connection limits are set to the default values as described in this KB article http://kb.kerio.com/product/kerio-control/security/configuri ng-connection-limits-1756.html


Brian Carmichael
Instructional Content Architect
Re: Connect looses the mail connection to the outer world [message #127274 is a reply to message #127263] Tue, 19 January 2016 22:29 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
UnifiedTechs-Brian wrote on Tue, 19 January 2016 19:08
Have you tried restarting just the Control service instead of rebooting the whole machine? You have not ruled out an OS issue yet. You don't mention what OS it is installed on.

(Not saying it is not Connect causing the issue but this will confirm your belief)

Hi Brian, as I wrote in Point 1. and 2. I tried to restart first the internal Control services (SMTP, HTTPS, etc.), then the Kerio Control service (/etc/init.d/... restart) itself, but none of them helped, only the reboot of the whole Linux server.
The operating system (as it also written) is "Debian GNU/Linux 7.9 (Kerio VA), x86_64, with the latest operating system patches". "Kerio VA" means the official Kerio Virtual Appliance, it was installed from the OVF link of Kerio homepage, and I regularly run "apt-get update" and "apt-get upgrade" (maybe these cause the problem?).


Rgrds - Gyula
Re: Connect looses the mail connection to the outer world [message #127275 is a reply to message #127274] Tue, 19 January 2016 22:37 Go to previous messageGo to next message
UnifiedTechs-Brian is currently offline  UnifiedTechs-Brian
Messages: 159
Registered: March 2011
Location: Vero Beach, FL
Sorry my brain must have been elsewhere when I was typing as you do state all of that in your original post, it happens.

I'll bow out as my Linux skills are not anywhere near my windows experience.


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
Re: Connect looses the mail connection to the outer world [message #127276 is a reply to message #127275] Tue, 19 January 2016 22:59 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
UnifiedTechs-Brian wrote on Tue, 19 January 2016 22:37
Sorry my brain must have been elsewhere when I was typing as you do state all of that in your original post, it happens.

I'll bow out as my Linux skills are not anywhere near my windows experience.

Anyway, thanks, Brian, that you tried to help!


Rgrds - Gyula
Re: Connect looses the mail connection to the outer world [message #127277 is a reply to message #127265] Wed, 20 January 2016 00:03 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
Brian Carmichael (Kerio) wrote on Tue, 19 January 2016 19:21
To confirm, restarting Kerio Control fixes the issue, correct? Based on your first reply I understood that rebooting the Kerio Connect system temporarily resolved the issue.
Regardless, I would investigate two things:
- Default gateway on Kerio Connect system. Make sure there is only one default route. Feel free to include the output of the routing table on your Kerio Connect system.
- Maximum connection limit in Kerio Control. Make sure you are running Kerio Control 9 as there were some improvements to the connection limit feature. Make sure the connection limits are set to the default values as described in this KB article http://kb.kerio.com/product/kerio-control/security/configuri ng-connection-limits-1756.html

Hello Mr. Carmichael! Smile
Restarting/rebooting Kerio Control does not help.

- ad route: both Connect servers have two routes:
Destination Gateway Genmask Flags Metric Ref Use Iface
default (Kerio Control) 0.0.0.0 UG 0 0 0 eth0
192.168.n.0 * 255.255.255.0 U 0 0 0 eth0
or in another format:
default via (Kerio Control) dev eth0
192.168.n.0/24 dev eth0 proto kernel scope link src 192.168.n.m

Maybe I am asking some stupid thing, but are the inbound connections affected by the routes?

- ad connection limit: I have just verified the logs of Control and the last connection overload happened a month ago:
[22/Dec/2015 15:50:17] CONNLIMIT(DST_PER_SRC) connlimit="100" dsthost=...
I did run Control 9.0.0 until this evening, now it is 9.0.1. They are the official Virtual Appliances, except for Server 1 the virtual machine is upgraded to version 8.


Rgrds - Gyula

[Updated on: Wed, 20 January 2016 01:06]

Report message to a moderator

Re: Connect looses the mail connection to the outer world [message #127278 is a reply to message #127245] Wed, 20 January 2016 00:10 Go to previous messageGo to next message
PastaPaul is currently offline  PastaPaul
Messages: 11
Registered: March 2015
Location: Melbourne Australia
MGyHardSoft wrote on Tue, 19 January 2016 17:58

But how can it be repaired with rebooting Control, which should have no effect on Control or DNS?


Agreed, unless the restart is forcing it to refresh something in the DNS? Can you confirm that users on the LAN always have access even when users on the outside network don't.

=MGyHardSoft wrote on Tue, 19 January 2016 17:58

Unfortunately it is not feasible as the whole site is behind a single IP and the reverse proxy should know the name from the request to dispatch it to the right server. The reverse proxy in Control sends the incoming requests to the IP addresses of the servers.


I'm not overly familiar with reverse proxy. My system uses a single IP and through Kerio Control I use NAT to reach the desired destination server. We already use port 443 for a webpage, so (after some good advice from Kerio) I setup a map to Kerio Connect using port 4043. To access the webmail we use https://xxx.xxx.xxx:4043/webmail




Re: Connect looses the mail connection to the outer world [message #127279 is a reply to message #127278] Wed, 20 January 2016 00:27 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
PastaPaul wrote on Wed, 20 January 2016 00:10
Agreed, unless the restart is forcing it to refresh something in the DNS? Can you confirm that users on the LAN always have access even when users on the outside network don't.

Thanks, it is really a possibility! Next time I try to restart only networking instead of rebooting the server. (There is only one problem: Server2 is a customer's one so it is not very polite to experiment with that...)

PastaPaul wrote on Wed, 20 January 2016 00:10
I'm not overly familiar with reverse proxy. My system uses a single IP and through Kerio Control I use NAT to reach the desired destination server. We already use port 443 for a webpage, so (after some good advice from Kerio) I setup a map to Kerio Connect using port 4043. To access the webmail we use https://xxx.xxx.xxx:4043/webmail

Reverse proxy is The Second Best Thing after the free beer. I operate a couple of webservers so I already use it, it was rather simple to include Connect, too.


Rgrds - Gyula
Re: Connect looses the mail connection to the outer world [message #127280 is a reply to message #127279] Wed, 20 January 2016 01:00 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
I think you are mixing Kerio Control and Kerio Connect. If I understand, restarting the entire server for Kerio Connect fixes the issue (not restarting Kerio Control). In this case, the issue is probably related to some type of local networking issue.
Possible networking issues that match the symptoms you describe:
- IPv6 is inadvertently being favored somehow (and doesn't work).
- Your networking equipment is forgetting the port associated with your Kerio Connect system due to inactivity and it only gets refreshed when you reboot (because the Kerio Connect system sends an ARP update).

Note that the reverse proxy only supports HTTP(S) so while remote access doesn't work, it would be interesting to know if it affects other protocols like SMTP or IMAP.


Brian Carmichael
Instructional Content Architect
Re: Connect looses the mail connection to the outer world [message #127282 is a reply to message #127280] Wed, 20 January 2016 01:19 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
Brian Carmichael (Kerio) wrote on Wed, 20 January 2016 01:00
I think you are mixing Kerio Control and Kerio Connect. If I understand, restarting the entire server for Kerio Connect fixes the issue (not restarting Kerio Control). In this case, the issue is probably related to some type of local networking issue.
Possible networking issues that match the symptoms you describe:
- IPv6 is inadvertently being favored somehow (and doesn't work).
- Your networking equipment is forgetting the port associated with your Kerio Connect system due to inactivity and it only gets refreshed when you reboot (because the Kerio Connect system sends an ARP update).

Note that the reverse proxy only supports HTTP(S) so while remote access doesn't work, it would be interesting to know if it affects other protocols like SMTP or IMAP.

I wish I could write that I just wanted to test your watchfulness, but unfortunately not. Yes, my sentence was referred to Connect, not to Control (I edited it to avoid confusion later).
Actually I tried also to restart Control and then reboot the whole firewall, but that really did not help.
Thank you for your advices, the next thing I will do is to switch off IPv6, it is not used anyway (yet).
My networking equipment is the VMware ESXi 5.5 switches. The whole thing including the firewall, the mail server, the webservers and others (e.g. MailStore Server) run on a single ESXi host and the machines are connected through the ESXi virtual switches. Connect itself has no direct connection to any of the network cards of the physical server.
Unfortunately in the error state the incoming SMTP is also blocked.


Rgrds - Gyula

[Updated on: Wed, 20 January 2016 01:56]

Report message to a moderator

Re: Connect looses the mail connection to the outer world [message #127283 is a reply to message #127282] Wed, 20 January 2016 01:39 Go to previous messageGo to next message
MGyHardSoft is currently offline  MGyHardSoft
Messages: 31
Registered: July 2013
Location: Budapest
It can also be interesting: Connect 1 uses static IP, Connect 2 uses DHCP. I doubt that restarting the networking on the first server will cause any effect, but we will see...

Rgrds - Gyula

[Updated on: Wed, 20 January 2016 01:55]

Report message to a moderator

Re: Connect looses the mail connection to the outer world [message #127328 is a reply to message #127283] Wed, 20 January 2016 22:53 Go to previous messageGo to previous message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
I doubt the DHCP configuration makes any difference. When the problem happens, perform some tests from the Kerio Connect operating system to see if it can ping past the firewall or resolve hostnames.


Brian Carmichael
Instructional Content Architect
Previous Topic: multiple email domain migration to one domain
Next Topic: Search in attachments
Goto Forum:
  


Current Time: Fri Sep 29 12:56:25 CEST 2023

Total time taken to generate the page: 0.07151 seconds