I am trying to configure DHCP Server on a Cisco 2960-x Switch to achieve port-based address allocation. I would like the ip address assigned to any device connected to that port to be the same every time.
I have used the following guide to achieve this:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1320905
The commands used are explained in detail here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book.pdf
I have also tried various iterations of the following command to find something that works:
address ip-address client-id string [ascii]
What I am not sure about is the string after Client ID. Does it have to match your interface name? If not, how does the DHCP server know which interface to relate the assigned IP address to?
Here's my running-config:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname otg
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$43Kk$SyzqQc5biarBjD2TD9Hw0/
enable password otgswitch
!
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c2960x-24ts-l
no ip dhcp use vrf connected
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
!
ip dhcp pool mypool
network 192.168.200.0 255.255.255.0
reserved-only
address 192.168.200.20 client-id "GigabitEthernet1/0/2" ascii
address 192.168.200.25 client-id "GigaEth1/0/1" ascii
address 192.168.200.30 client-id "GE1/0/4" ascii
address 192.168.200.35 client-id 188b.4528.d482
address 192.168.200.45 client-id "188b.4528.d482" ascii
!
I then enabled DHCP debug messages and here is what I receive:
Jan 4 02:55:49.112: DHCPD: Reload workspace interface Vlan1 tableid 0.
Jan 4 02:55:49.112: DHCPD: tableid for 192.168.200.245 on Vlan1 is 0
Jan 4 02:55:49.112: DHCPD: client's VPN is .
Jan 4 02:55:49.112: DHCPD: using subscriber-id as client-id
Jan 4 02:55:49.112: DHCPD: using received relay info.
Jan 4 02:55:49.112: DHCPD: DHCPDISCOVER received from client 0047.6931.2f30.2f on interface Vlan1.
Jan 4 02:55:49.112: DHCPD: using received relay info.
Please advise on what I might be doing wrong. Would appreciate your help.
I was facing a problem due to loss of information in the DHCP binding table. In short, the automatically generated subscriber ID would not match my reservations. Here are some examples:
port#  interface  received SID (hex)     expected SID (hex)
2      Gi1/0/2    0047-6931-2f30-2f      0047-6931-2f30-2f32
13     Gi1/0/13   0047-6931-2f30-2f31    0047-6931-2f30-2f31-33
24     Gi1/0/24   0047-6931-2f30-2f32    0047-6931-2f30-2f32-34
I was hitting an IOS bug present in some 15.0 releases. I updated my IOS to 15.2 and the problem was solved!
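The hex ids in the debug line and table above decode to a 0x00 byte followed by the ASCII short interface name, which is the form a reservation has to match. This added example (not part of the original posts; the function names are illustrative) encodes and decodes those ids and shows that the truncated id received on Gi1/0/24 is identical to the one expected for Gi1/0/2.

```python
# Added example (not from the thread): client-ids derived from interface names.
# Assumption taken from the hex values on this page: the id is a 0x00 byte
# followed by the ASCII short interface name (for example "Gi1/0/2").


def expected_client_id(short_ifname: str) -> str:
    """Return the id in the dotted form IOS prints in its DHCPD debug lines."""
    hexstr = (b"\x00" + short_ifname.encode("ascii")).hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_client_id(printed: str) -> str:
    """Turn '0047.6931.2f30.2f32' or '0047-6931-2f30-2f32' back into text."""
    raw = bytes.fromhex(printed.replace(".", "").replace("-", ""))
    if not raw.startswith(b"\x00"):
        raise ValueError("not an interface-name client-id: " + printed)
    return raw[1:].decode("ascii")


def classify(short_ifname: str, received: str) -> str:
    """Compare what the server derived with what the port should produce."""
    got = decode_client_id(received)
    if got == short_ifname:
        return "match"
    if short_ifname.startswith(got):
        return "truncated"
    return "mismatch"


def matching_reservation(received: str, reserved_ifnames: list):
    """Return the port whose expected id equals the received id, or None."""
    got = decode_client_id(received)
    for ifname in reserved_ifnames:
        if ifname == got:
            return ifname
    return None


# Values copied from the table in the answer above.
RECEIVED = {
    "Gi1/0/2": "0047-6931-2f30-2f",
    "Gi1/0/13": "0047-6931-2f30-2f31",
    "Gi1/0/24": "0047-6931-2f30-2f32",
}

if __name__ == "__main__":
    for ifname, received in RECEIVED.items():
        hit = matching_reservation(received, list(RECEIVED))
        print(ifname, expected_client_id(ifname), classify(ifname, received), hit)
```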
I'm a novice setting up a server for the first time to implement WebRTC
Linux is using Centos7 and has set up KMS and Coturn.
However, there is one problem.
The client and server are not connected on the screen, so I checked the logs of kms
docker logs --follow kms
0:00:01.206579656 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:90:ServerMethods: Using above 80% of system limits will throw NOT_ENOUGH_RESOURCES exception
0:00:01.206607827 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:109:ServerMethods: System limits: unlimited threads, 32768 files
0:00:01.206902099 1 0x56191aac5010 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:00:01.207158442 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:144:ServerMethods: RPC Request Cache is ENABLED
0:00:01.207351433 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:187:initWebSocket: WebSocket server (ws://) listening on address '::', port 8888
0:00:01.207411744 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:88:WebSocketTransport: Secure WebSocket server (wss://) not enabled
0:00:01.208078290 1 0x56191aac5010 INFO KurentoMediaServer main.cpp:259:main: Kurento Media Server started
0:02:29.095818552 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:164:generateDefaultCertificates: Unable to load the RSA certificate from file. Using the default certificate.
0:02:29.284074137 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:174:generateDefaultCertificates: Unable to load the ECDSA certificate from file. Using the default certificate.
0:02:29.290405426 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint0> Removing not supported codec 'AMR/8000'
0:02:29.515589312 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint0> Media 'video' has REMB
0:02:29.515721223 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> Creating REMB for session ID 0 (kmswebrtcendpoint0-sess0) and remote video SSRC 3653849939
0:02:29.515746113 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1089:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> REMB: Set RTCP min interval to 500 ms
0:02:29.519063004 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:823:kms_webrtc_session_set_stun_server_info:<kmswebrtcsession0> STUN server not configured! NAT traversal requires STUN or TURN
0:02:29.519107324 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:843:kms_webrtc_session_set_relay_info:<kmswebrtcsession0> TURN relay server not configured! NAT traversal requires STUN or TURN
0:02:29.522346434 1 0x7f50700054f0 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:02:40.930306053 1 0x7f5050001630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint1> Removing not supported codec 'AMR/8000'
0:02:40.951376487 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint1> Media 'video' has REMB
0:02:40.951898082 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint1> Creating REMB for session ID 0 (kmswebrtcendpoint1-sess0) and remote video SSRC 3442416509
"NAT traversal requires STUN or TURN."
I don't know how to solve this part.
This is because the STUN server results from Trickle ICE were also successful.
If you know what I need to do, I'd appreciate it if you could tell me all the actions.
And please let me know if there is anything else I need to fill out!
STUN and TURN
You don't have to have coturn if you are doing local testing. The warning is saying if you want to go outside of your network (out of your router and to the web) you will need a STUN or TURN server.
Docker
Docker doesn't open the port 8888 by itself. You may need to open that port manually. To do this, add this -p 8888:8888 when creating your container.
Or if you are using the Desktop version you can enter it into Host port under the Optional settings when you first run it.
I've looked through the list of possible solutions, but I don't see this problem, here it is.
I had been using smtp for years for my crontab entry to provide status updates via email. Then it quit this week, and I was unable to fix it. Then I saw that it had become orphaned, and the suggestion was to move to msmtp. So I downloaded and installed it on my Ubuntu 18.10 system.
I'm trying to send email to my myaccount#gmail.com account.
It appears that I'm communicating properly with the gmail smtp server, as the debug below shows. But it always gets a TLS Timeout.
I also don't understand why I have multiple EHLO entries. My system does not have a DNS domain name, so that I'm not sure what to put here; localhost seems to be working OK. Also, my Thunderbird emailer is working correctly with gmail.
Here's the debug output:
echo "Hello there" | msmtp --debug myaccount#gmail.com >/tmp/msmtpOut.txt
ignoring system configuration file /etc/msmtprc: No such file or directory
loaded user configuration file /home/myhome/.msmtprc
falling back to default account
using account default from /home/myhome/.msmtprc
host = smtp.gmail.com
port = 587
proxy host = (not set)
proxy port = 0
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = myaccount
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = /etc/ssl/certs/ca-certificates.crt
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = myaccount#gmail.com
add_missing_from_header = on
dsn_notify = (not set)
dsn_return = (not set)
logfile = (not set)
syslog = (not set)
aliases = (not set)
reading recipients from the command line
<-- 220 smtp.gmail.com ESMTP 4sm116524ywc.22 - gsmtp
--> EHLO localhost
<-- 250-smtp.gmail.com at your service, [71.56.87.81]
<-- 250-SIZE 35882577
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250-ENHANCEDSTATUSCODES
<-- 250-PIPELINING
<-- 250-CHUNKING
<-- 250 SMTPUTF8
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google LLC
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G3
Organization: Google Trust Services
Country: US
Validity:
Activation time: Tue 21 May 2019 04:48:45 PM EDT
Expiration time: Tue 13 Aug 2019 04:32:00 PM EDT
Fingerprints:
SHA256: C7:78:B6:D6:4E:3E:2B:2F:08:6D:A4:84:E6:1D:87:8E:A1:DF:54:D2:AB:79:AC:A6:BB:50:E5:5D:EC:B4:20:4C
SHA1 (deprecated): 39:C5:E5:40:64:37:17:25:17:7F:E8:BA:20:F4:70:F4:FE:22:70:22
--> EHLO localhost
msmtp: cannot read from TLS connection: the operation timed out
msmtp: could not send mail (account default from /home/myhome/.msmtprc)
Build msmtp using --with-tls=openssl to solve the problem.
As regards the EHLO command being sent twice, RFC 3207 states:
The server MUST discard any knowledge
obtained from the client, such as the argument to the EHLO command,
which was not obtained from the TLS negotiation itself. The client
MUST discard any knowledge obtained from the server, such as the list
of SMTP service extensions, which was not obtained from the TLS
negotiation itself. The client SHOULD send an EHLO command as the
first command after a successful TLS negotiation.
So that is the normal behaviour.
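The RFC 3207 rule quoted above can be checked mechanically against a debug transcript. This added example (not from the original answer; `audit_starttls` is an illustrative name and the second transcript is constructed) confirms that msmtp's second EHLO is the required behaviour and flags a client that reuses the capability list it saw before TLS.

```python
# Added example (not from the thread): audit an msmtp --debug style transcript
# against the RFC 3207 rules quoted above. "-->" is client, "<--" is server.


def audit_starttls(lines):
    tls = False            # True once the server accepted STARTTLS
    caps = set()           # extensions learned on the current layer only
    last_cmd = None
    ehlo_reply_lines = 0
    first_after_tls = None
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("--> "):
            last_cmd = line[4:].split()[0].upper()
            ehlo_reply_lines = 0
            if tls and first_after_tls is None:
                first_after_tls = last_cmd
                if last_cmd != "EHLO":
                    findings.append("first command after TLS is %s, not EHLO" % last_cmd)
            if last_cmd == "AUTH":
                if not tls:
                    findings.append("AUTH sent before TLS")
                elif "AUTH" not in caps:
                    findings.append("AUTH relies on pre-TLS capability list")
        elif line.startswith("<-- "):
            code, text = line[4:7], line[8:]
            if last_cmd == "EHLO" and code == "250":
                ehlo_reply_lines += 1
                if ehlo_reply_lines > 1 and text:   # line 1 is the greeting
                    caps.add(text.split()[0].upper())
            elif last_cmd == "STARTTLS" and code == "220":
                tls = True
                caps = set()   # RFC 3207: discard everything learned in clear
    return {"tls": tls, "first_after_tls": first_after_tls,
            "caps": sorted(caps), "findings": findings}


# Client/server lines copied from the msmtp debug output in the question.
PAGE_TRANSCRIPT = """\
<-- 220 smtp.gmail.com ESMTP 4sm116524ywc.22 - gsmtp
--> EHLO localhost
<-- 250-smtp.gmail.com at your service, [71.56.87.81]
<-- 250-SIZE 35882577
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250-ENHANCEDSTATUSCODES
<-- 250-PIPELINING
<-- 250-CHUNKING
<-- 250 SMTPUTF8
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
--> EHLO localhost
""".splitlines()

# Constructed transcript: a client that skips the second EHLO.
BAD_TRANSCRIPT = """\
<-- 220 mail.example.test ESMTP
--> EHLO client.example.test
<-- 250-mail.example.test
<-- 250-STARTTLS
<-- 250 AUTH PLAIN LOGIN
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
--> AUTH PLAIN (redacted)
""".splitlines()

if __name__ == "__main__":
    print(audit_starttls(PAGE_TRANSCRIPT))
    print(audit_starttls(BAD_TRANSCRIPT))
```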
I have configured a freeradius proxy (3.0.16) on Ubuntu (4.15.0-47-generic). It receives the radius accounting packets from another radius server running on Ubuntu and writes those to another radius server running on Fortigate.
Radius Server ---> Proxy Radius Server ---> Fortigate Radius Server
I have configured copy-acct-to-home-server to include the Realm in proxy.conf
proxy.conf ( Realm definition )
home_server myFortigate {
type = acct
ipaddr = <IP address of Fortigate Interface Running Radius>
port = 1813
secret = superSecret
}
home_server_pool myFortigatePool {
type = fail-over
home_server = myFortigate
}
realm myFortigateRealm {
acct_pool = myFortigatePool
nostrip
}
copy-acct-to-home-server entry
preacct {
preprocess
update control {
Proxy-To-Realm := myFortigateRealm
}
suffix
}
After I run the freeradius -X, I also run tcpdump from a new session
tcpdump -ni eth01 port 1812 or port 1813
and get the following log
15:03:40.225570 IP RADIUS_PROXY_IP.56813 > FORTIGATE_INTERFACE_IP.1813: RADIUS, Accounting-Request (4), id: 0x31 length: 371
15:03:40.236155 IP FORTIGATE_INTERFACE_IP.1813 > RADIUS_PROXY_IP.56813: RADIUS, Accounting-Response (5), id: 0x31 length: 27
Which basically shows it is sending the account request to fortigate radius server and receiving the accounting response.
But strangely freeradius -X debug output shows a request time out for the same radius server on Fortigate and it ultimately tags the server as zombie
Starting proxy to home server FORTIGATE_INTERFACE_IP port 1813
(14) Proxying request to home server FORTIGATE_INTERFACE_IP port 1813 timeout 30.000000
Waking up in 0.3 seconds.
(14) Expecting proxy response no later than 29.667200 seconds from now
Waking up in 3.5 seconds.
and Finally it gives up
25) accounting {
(25) [ok] = ok
(25) } # accounting = ok
(25) ERROR: Failed to find live home server: Cancelling proxy
(25) WARNING: No home server selected
(25) Clearing existing &reply: attributes
(25) Found Post-Proxy-Type Fail-Accounting
(25) Post-Proxy-Type sub-section not found. Ignoring.
So the situation is the Radius proxy is sending accounting packets to Fortigate Radius server (could be seen in both freeradius and fortigate logs)
tcpdump shows that Radius proxy is receiving accounting response from the fortigate, but for some reason freeradius process doesn't recognize (or can not read) accounting response. It may be some interoperability issue or I have missed to set some flag. Requesting help from the experts to isolate and rectify the issue.
A customer of ours has a Cisco 1841 router that is connected to another network via an IPSec VPN tunnel. Everything is working good, but occasionally the VPN tunnel will drop and come back up at a later time (sometimes in a few minutes or a few hours).
I have a feeling that the router is configured to drop the tunnel if there's not any network traffic across it after so many minutes, and then re-establishing the tunnel when traffic needs to go out across it.
What I'd like to do is have the router configured so that the tunnel stays up all the time. Documentation that I've seen makes mention of modifying group policies, but the router isn't configured for that, and I'd like to stay away from doing that if at all possible.
A scrubbed copy of their router configuration is below. Any help would be appreciated.
--
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustomerName
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gaBA$wXYb7px.gAAFR05JJ10510
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
!
!
ip domain name CustomerName.us
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-475674154
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-475674154
revocation-check none
rsakeypair TP-self-signed-475674154
!
!
crypto pki certificate chain TP-self-signed-475674154
certificate self-signed 01
quit
username CustomerName privilege 15 secret 5 $1$FpRX$rOCJ52eTZllenQD5sSUvT1
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key fM579D2i92r3j9tydsanFntyeakB6KWvJDoR7n79yxsWXe8p5o3hhh5N23vktv4 address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set red esp-aes 256 esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set red
set pfs group1
match address crypto10
!
!
!
!
interface FastEthernet0/0
description Connected to Cable Modem
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map OUTSIDE_MAP
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 2
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan2
description CustomerName LAN
ip address 10.10.20.1 255.255.255.0
ip helper-address 172.16.3.100
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 184.178.184.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static udp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static tcp 10.10.20.2 5090 184.178.184.16 5090 extendable
ip nat inside source static udp 10.10.20.2 9000 184.178.184.16 9000 extendable
ip nat inside source static udp 10.10.20.2 9001 184.178.184.16 9001 extendable
ip nat inside source static udp 10.10.20.2 9002 184.178.184.16 9002 extendable
ip nat inside source static udp 10.10.20.2 9003 184.178.184.16 9003 extendable
ip nat inside source static udp 10.10.20.2 9004 184.178.184.16 9004 extendable
ip nat inside source static udp 10.10.20.2 9005 184.178.184.16 9005 extendable
!
ip access-list extended crypto10
permit ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!
access-list 101 deny ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output all
line vty 5 15
privilege level 15
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
end
--
I think you can find the answer to your question here.
http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a00806c1d08.html#wp2551278
IPSec SA Idle Timer Global Configuration Example
The following example globally configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:
Router(config)# crypto ipsec security-association idle-time 600
IPSec SA Idle Timer per Crypto Map Configuration Example
The following example configures the IPSec SA idle timer for the crypto map named "test" to drop SAs for inactive peers after 600 seconds:
Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
I'm trying to login to Roundcube only the program won't let me.
I can login to the said account from the shell and mail is setup and working correctly on my server for user 'admin'. It's RC that is the problem. If I check my logs:
/usr/local/www/roundcube/logs/errors
they show:
[21-Sep-2013 17:19:02 +0100]: IMAP Error: Login failed for admin from ip.ip.ip.ip. Could not connect to ip.ip.ip.ip:143:
Connection refused in /usr/local/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 184
(POST /roundcube/?_task=login&_action=login)
which doesn't give me many clues really, just leads me to:
public function connect($host, $user, $pass, $port=143, $use_ssl=null) {}
from
rcube_imap.php
Stuff I've tried, editing:
/usr/local/www/roundcube/config/main.inc.php
with:
// IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null to use
// best server supported one)
//$rcmail_config['imap_auth_type'] = LOGIN;
$rcmail_config['imap_auth_type'] = null;
// Log IMAP conversation to <log_dir>/imap or to syslog
$rcmail_config['imap_debug'] = '/var/log/imap';
With a failed login attempt
/var/log/imap
doesn't even get written to, leaving me no clues. I'm using dovecot and Sendmail on a FreeBSD box with full root access. It's not an incorrect username password combination for sure.
Several Googles on the string 'Roundcube: Connection to storage server failed' are fruitless.
EDIT:
I needed an entry in
/etc/rc.conf
dovecot_enable="YES"
Schoolboy error.
I had the same problem with a letsencrypt certificate and resolved it by disabling peer authentication:
$config['imap_conn_options'] = array(
'ssl' => array('verify_peer' => true, 'verify_peer_name' => false),
'tls' => array('verify_peer' => true, 'verify_peer_name' => false),
);
Afterwards you can set the connection string like this (starttls):
$config['default_host'] = 'tls://your-host.tld';
$config['default_port'] = '143';
$config['smtp_server'] = 'tls://your-host.tld';
$config['smtp_port'] = '25';
Or like this (ssl approach):
$config['default_host'] = 'ssl://your-host.tld';
$config['default_port'] = '993';
$config['smtp_server'] = 'ssl://your-host.tld';
$config['smtp_port'] = '587';
Make sure you use the fully qualified hostname of the certificate in the connection string (like your-host.tld) and not an internal hostname (like localhost).
Hope that helps someone else.
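The hostname advice at the end of the answer above is what peer-name verification tests: the host in the connection string has to appear in the certificate. This added example (not from the original answer; simplified name matching, with constructed certificate names and illustrative function names) lists the Roundcube settings that would fail that check.

```python
# Added example (not from the thread): which Roundcube connection strings
# would pass peer-name verification against a given certificate.
from urllib.parse import urlsplit


def host_from_setting(value: str) -> str:
    """'tls://your-host.tld' or 'ssl://your-host.tld:993' -> 'your-host.tld'."""
    if "://" not in value:
        value = "//" + value          # bare host: let urlsplit see a netloc
    return (urlsplit(value).hostname or "").lower()


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*' that stands for exactly one left-most label.

    Simplified on purpose: no IP addresses, no partial-label wildcards.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def failing_settings(config: dict, cert_names: list) -> dict:
    """Return {setting: host} for every host the certificate does not cover."""
    bad = {}
    for key in ("default_host", "smtp_server"):
        host = host_from_setting(config.get(key, ""))
        if host and not any(name_matches(n, host) for n in cert_names):
            bad[key] = host
    return bad


# Constructed subjectAltName entries for the placeholder host in the answer.
CERT_NAMES = ["your-host.tld", "*.your-host.tld"]

# Internal hostname in the connection string: verification has nothing to match.
INTERNAL = {"default_host": "tls://localhost", "smtp_server": "tls://localhost"}

# Connection strings as written in the answer above.
FQDN = {"default_host": "tls://your-host.tld", "smtp_server": "tls://your-host.tld"}

if __name__ == "__main__":
    print("internal name:", failing_settings(INTERNAL, CERT_NAMES))
    print("certificate name:", failing_settings(FQDN, CERT_NAMES))
```

When the second result is empty, both `verify_peer` and `verify_peer_name` can stay enabled.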
Change the maildir to whatever your system uses.
Change Dovecot mail_location setting to
mail_location = maildir:~/Mail
Change Postfix home_mailbox setting to
home_mailbox = Mail/
Restart services and away you go
Taken from this fedoraforum post
If you run fail2ban, then dovecot might get banned following failed Roundcube login attempts. This has happened to me twice already...
First, check if this is indeed the case:
sudo fail2ban-client status dovecot
If you get an output similar to this:
Status for the jail: dovecot
|- Filter
| |- Currently failed: 1
| |- Total failed: 8
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: X.X.X.X
i.e. the Currently banned number is higher than 0, then fail2ban was a bit overeager and you have to "unban" dovecot.
Run the fail2ban client in interactive mode:
sudo fail2ban-client -i
and at the fail2ban> prompt enter the following:
set dovecot unbanip X.X.X.X
where X.X.X.X is the IP address of your Dovecot server.
Exit from the interactive client and run sudo fail2ban-client status dovecot again. The Currently banned: field now should have a value of 0. What's more important, RoundCube should work again :-)
The issue is in your mail server.
Check your ports in your mail server and reset it (if necessary):
Port 25 (and 587) must be open for SMTP
Port 143 (and 993) must be open for IMAP
Port 110 must be open for POP3
Also open those ports in your firewall settings.
sudo dovecot should solve the problem.
If not restart dovecot
sudo service dovecot restart