Event ID 3033

KB ID 0000130 

Problem

You receive an Event ID 3033 error, with the following description,

‘The average of the most recent <?> heartbeat intervals used by clients is less than or equal to <?>. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”

Solution

If you have an ISA Firewall the fix is Here http://support.microsoft.com/?kbid=905013

However thats not much help if you have a Cisco ASA, if that’s the case do the following,

If you have Active Sync already running through the outside Interface, skip to step 2

1. Allow the https Traffic in;

Newer than version 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp http http
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# access-list inbound permit tcp any object OBJ-Exchange-Server eq http
Petes-ASA(config)# access-group inbound in interface outside 
8.3 and Older Commands

Petes-ASA# configure terminal
Petes-ASA(config)#
access-list inbound extended permit tcp any interface outside eq https
Petes-ASA(config)#access-group inbound in interface outside
Petes-ASA(config)#static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255

Note: Above assumes 192.168.1.1 is the inside IP address of the Exchange Server.

If your Mail server has a Static Public address you will not need to do port forwarding (Like the example above) in that case you would have;

Newer than version 8.3 Commands

Petes-ASA# configure terminal
PetesASA(config)# access-list inbound permit tcp any host 192.168.1.1
PetesASA(config)# access-group inbound in interface outside
PetesASA(config)# object network OBJ-Exchange-Server
PetesASA(config-network-object)# host 192.168.1.1
PetesASA(config-network-object)# nat (inside,outside) static 123.123.123.123
PetesASA(config-network-object)# exit
8.3 and Older Commands 
Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any host 123.123.123.123 eq https
Petes-ASA(config)#access-group inbound in interface outside

Note: Above assumes the Exchange servers public IP address is 123.123.123, and 192.168.1.1 is the private IP address.

2. Create Class Map and apply bind it to an access-list.

Note: For versions older than 8.3 use the public IP address in the ACL.

Petes-ASA# configure terminal
Petes-ASA(config)# access-list ACL-HTTPS-INSPECT permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# class-map CM-HTTPS-INSPECT
Petes-ASA(config-cmap)# match access-list ACL-HTTPS-INSPECT
Petes-ASA(config-cmap)# exit

3. Create a Policy Map and add the class map you created above and set your timeout, (here it’s set to 9 minutes).

Petes-ASA(config)# policy-map PM-HTTPS-TIMEOUT
Petes-ASA(config-pmap)# class CM-HTTPS-INSPECT
Petes-ASA(config-pmap-c)# set connection timeout tcp 0:09:00 reset
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

4. Apply Policy map to the Interface using a Service-Policy command.

Petes-ASA(config)# service-policy PM-HTTPS-TIMEOUT interface outside

Note: You can only have one Global Policy, but you can also have one policy applied to an interface

Related Articles, References, Credits, or External Links

Original Article Written 10/11/09

Author: Migrated

Share This Post On