KB ID 0000130
Problem
You receive an Event ID 3033 error, with the following description:
‘The average of the most recent <?> heartbeat intervals used by clients is less than or equal to <?>. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”’
Solution
If you have an ISA Firewall, the fix is here: http://support.microsoft.com/?kbid=905013
However, that's not much help if you have a Cisco ASA. If that’s the case, do the following.
If you already have ActiveSync running through the outside interface, skip to step 2.
1. Allow the HTTPS traffic in:
[box]
Newer than version 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# access-list inbound permit tcp any object OBJ-Exchange-Server eq https
Petes-ASA(config)# access-group inbound in interface outside

8.3 and Older Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq https
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255
[/box]
Note: The above assumes 192.168.1.1 is the inside IP address of the Exchange server.
If your mail server has a static public address, you will not need to do port forwarding (as in the example above). In that case you would have:
[box]
Newer than version 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.123
Petes-ASA(config-network-object)# exit

8.3 and Older Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any host 123.123.123.123 eq https
Petes-ASA(config)# access-group inbound in interface outside
[/box]
Note: The above assumes the Exchange server's public IP address is 123.123.123.123, and 192.168.1.1 is the private IP address.
2. Create a class map and bind it to an access-list.
Note: For versions older than 8.3 use the public IP address in the ACL.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# access-list ACL-HTTPS-INSPECT permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# class-map CM-HTTPS-INSPECT
Petes-ASA(config-cmap)# match access-list ACL-HTTPS-INSPECT
Petes-ASA(config-cmap)# exit
[/box]
3. Create a policy map, add the class map you created above, and set your timeout (here it’s set to 9 minutes).
[box]
Petes-ASA(config)# policy-map PM-HTTPS-TIMEOUT
Petes-ASA(config-pmap)# class CM-HTTPS-INSPECT
Petes-ASA(config-pmap-c)# set connection timeout tcp 0:09:00 reset
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
[/box]
4. Apply the policy map to the interface using a service-policy command.
[box]
Petes-ASA(config)# service-policy PM-HTTPS-TIMEOUT interface outside
[/box]
Note: You can only have one global policy, but you can also have one policy applied to each interface.
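To check the result of steps 2 to 4 from a saved running-config, the added example below (not part of the original article) follows the chain service-policy, policy-map, class-map, access-list and returns the timeout that actually applies to HTTPS for the Exchange server. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: running-config lines equivalent to steps 2-4 of this article.
SAMPLE_CONFIG = """\
access-list ACL-HTTPS-INSPECT extended permit tcp any host 192.168.1.1 eq https
class-map CM-HTTPS-INSPECT
 match access-list ACL-HTTPS-INSPECT
policy-map PM-HTTPS-TIMEOUT
 class CM-HTTPS-INSPECT
  set connection timeout tcp 0:09:00 reset
service-policy PM-HTTPS-TIMEOUT interface outside
"""

def parse_blocks(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def applied_timeout(config, interface, host):
    """Return the timeout (seconds) applied to HTTPS for host on interface, else None."""
    blocks = parse_blocks(config)
    for top in blocks:
        sp = re.fullmatch(r"service-policy (\S+) interface (\S+)", top)
        if not sp or sp.group(2) != interface:
            continue
        class_name = None
        for sub in blocks.get("policy-map " + sp.group(1), []):
            if sub.startswith("class "):
                class_name = sub.split()[1]
                continue
            # The article uses the "tcp" keyword; newer releases show it as "idle".
            t = re.match(r"set connection timeout (?:tcp|idle) (\d+):(\d+):(\d+)", sub)
            if not (t and class_name):
                continue
            acls = [c.split()[2] for c in blocks.get("class-map " + class_name, [])
                    if c.startswith("match access-list ")]
            wanted = re.compile(r"access-list (\S+) .*permit tcp .*host %s eq (https|443)$"
                                % re.escape(host))
            if any(w and w.group(1) in acls for w in map(wanted.match, blocks)):
                hours, mins, secs = map(int, t.groups())
                return hours * 3600 + mins * 60 + secs
    return None

if __name__ == "__main__":
    print(applied_timeout(SAMPLE_CONFIG, "outside", "192.168.1.1"))
```

A return value of None means one link in the chain is missing, most often the service-policy line or an ACL that names a different address than the one the ASA matches on.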
Related Articles, References, Credits, or External Links
Original Article Written 10/11/09