Fix:
If you have an ISA Firewall, the fix is here: http://support.microsoft.com/?kbid=905013
However, that's not much help if you have a Cisco ASA. If that's the case, do the following:
********** Scenario 1: If you have Active Sync running through the outside Interface **********
1. Allow the https Traffic in
access-list inbound extended permit tcp any interface outside eq https
access-group inbound in interface outside
static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255
Note: Assumes 192.168.1.1 is the IP address of the Exchange Server.
If your mail server has a static public address, you will not need port forwarding (as in the example above). In that case you would have:
access-list inbound extended permit tcp any host 123.123.123.123 eq https
access-group inbound in interface outside
Note: Assumes the Exchange server's public IP address is 123.123.123.123
2. Create a class map and apply it to that access list
class-map https
match access-list inbound
3. Create a policy map, add the class map you created above, and set your timeout (here it's set to 9 minutes)
policy-map https_timeout
class https
set connection timeout tcp 0:09:00 reset
4. Apply the policy map to the interface using a service-policy command
service-policy https_timeout interface outside
Note: You can only have one global policy, but you can also have one policy applied to an interface
********** Scenario 2: If you have Active Sync coming through its own PIX/ASA interface **********
Note: In this example the interface is called MAIL
1. Allow the https Traffic in
access-list Outside_2_MAIL extended permit tcp any interface MAIL eq https
access-group Outside_2_MAIL in interface MAIL
static (inside,MAIL) tcp interface https 192.168.1.1 https netmask 255.255.255.255
Note: Assumes 192.168.1.1 is the IP address of the Exchange Server.
If your mail server has a static public address, you will not need port forwarding (as in the example above). In that case you would have:
access-list Outside_2_MAIL extended permit tcp any host 123.123.123.123 eq https
access-group Outside_2_MAIL in interface MAIL
Note: Assumes the Exchange server's public IP address is 123.123.123.123
2. Create a class map and apply it to that access list
class-map https
match access-list Outside_2_MAIL
3. Create a policy map, add the class map you created above, and set your timeout (here it's set to 9 minutes)
policy-map https_timeout
class https
set connection timeout tcp 0:09:00 reset
4. Apply the policy map to the interface using a service-policy command
service-policy https_timeout interface MAIL
Note: You can only have one global policy, but you can also have one policy applied to an interface
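Steps 1 to 4 only work if the names line up: the class map must match an access list that exists, and the service policy should sit on the interface that access list is bound to. The Python check below is an added example, not part of the original post; the function name and both sample configs are constructed here, and an interface mismatch is flagged as a likely copy/paste mistake rather than something the ASA itself rejects.

```python
def check_timeout_chain(config):
    """Return problems in the ACL -> class-map -> policy-map -> service-policy chain."""
    acls, acl_iface, class_acl, pmaps, services = set(), {}, {}, {}, []
    ctx = (None, None)  # (block type, block name) the parser is currently inside
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 1:
            acls.add(t[1])
        elif t[0] == "access-group" and len(t) == 5 and t[3] == "interface":
            acl_iface[t[1]] = t[4]
        elif t[0] in ("class-map", "policy-map") and len(t) > 1:
            ctx = (t[0], t[-1])
            if t[0] == "policy-map":
                pmaps[t[-1]] = []
        elif t[:2] == ["match", "access-list"] and len(t) == 3 and ctx[0] == "class-map":
            class_acl[ctx[1]] = t[2]
        elif t[0] == "class" and len(t) == 2 and ctx[0] == "policy-map":
            pmaps[ctx[1]].append(t[1])
        elif t[0] == "service-policy" and len(t) == 4 and t[2] == "interface":
            services.append((t[1], t[3]))
    problems = []
    for pmap, iface in services:
        if pmap not in pmaps:
            problems.append(f"service-policy uses undefined policy-map {pmap}")
            continue
        for cls in pmaps[pmap]:
            acl = class_acl.get(cls)
            if acl not in acls:
                problems.append(f"class {cls} matches undefined access-list {acl}")
            elif acl_iface.get(acl) != iface:
                problems.append(f"access-list {acl} is not bound to interface {iface}")
    return problems

# Constructed samples: GOOD follows the dedicated-interface steps above, BAD mixes names.
GOOD = """access-list Outside_2_MAIL extended permit tcp any interface MAIL eq https
access-group Outside_2_MAIL in interface MAIL
class-map https
 match access-list Outside_2_MAIL
policy-map https_timeout
 class https
  set connection timeout tcp 0:09:00 reset
service-policy https_timeout interface MAIL"""
BAD = GOOD.replace("access-list Outside_2_MAIL extended", "access-list inbound extended")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_timeout_chain(cfg) or "chain is consistent")
```

Run it against a saved copy of the relevant config lines before pasting them into the firewall; an empty result means the timeout policy will actually see the ActiveSync traffic.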