CISCO IRONPORT C170 - Incoming connection (ICID 999999) lost, message aborted:Receiving aborted

Srinivasan Suriyaprakasan · ‎01-16-2017

Message tracking logs shows "Incoming connection (ICID 999999) lost, message aborted : Receiving aborted". I would like to track those messages encounters such problem either by email alert or scheduled report to IT Administrator.

Is there any option in CISCO IRONPORT C170 to configure one of the option mentioned.

Thank you

Sri

Libin Varghese · ‎01-18-2017

Hi Srinivasan,

Please refer to the below articles to begin troubleshooting the error.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118295-technote-esa-00.html

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117801-problem-esa-00.html

As the connection closes abruptly I cannot see a way to set up specific alerts for that.

However, I would recommend setting up injection debug logs (Under System Administration -> Log Subscriptions) and packet captures (Under Help and Support -> Packet Capture) for the sending server to try and determine who is closing the connection improperly.

Thanks!

Libin V

Srinivasan Suriyaprakasan · ‎01-18-2017

Hi Libin,

Thank you for your response.

When the system log captures connection closes abruptly information, the same info, I need to monitor those emails. If there is no way to get specific alert, I can redirect the logs to syslog server and get the alerts which I try to avoid for other reasons.

I will try the options you mentioned.

Have a great day

Sri

Libin Varghese · ‎01-18-2017

Hi Sri,

Yes, that would be a possible option. You can push a copy of mail_logs to a syslog server and monitor or generate alerts for each time the term "Receiving aborted" is observed. However, this would not be configurable as an alert on the ESA itself.

What configuration options are available on the syslog server would depend on the server itself.

Thanks

Libin V

afsal.jalal · ‎01-17-2018

The issue can be resolved (bandaided) for the time being. When there is oversaturation during peak hours, the receiving of emails with attachments goto timeout. If you adjust the Total Time Limit for All Inbound Connections to 1 hour. This will allow to receive the emails. The over utilization is mostly caused by the web filter appliance (if you have any) being down or the users utilizing the Net.

This time limit can be set in the GUI under Network -> Listeners -> Edit Global Settings. The parameter you're looking for is most likely the 'Total Time Limit for All Inbound Connections' which is set to 15 minutes by default. However, the posted mail flow is most likely based on a network bandwidth issue where the sending mail server is not able to transmit the data in the session fast enough - or - the message is extremely large in size and cannot be transmitted within 15 minutes.

Even when raising the connection time limit to a higher value seems to be a good idea at the first glance, it is not. Please consider that overly long pending connections will decrease the available pool of 'Maximum Concurrent Connections' configured and you may end up with a decreased performance when increasing the connection time limit without prior analysis why the sending mail server requires too much time to deliver the message in. When the number of concurrent connections is reached, no additional incoming connection will be accepted by the appliance.

In case your 'Timeout for Unsuccessful Inbound Connections' is also configured to 15 minutes (it is 5 minutes by default), then I'd suggest to investigate if Path MTU Discovery (RFC1191) is blocked between the sender and your appliance, as this might also be a valid reason why the sender runs into a timeout as the ICMP response is blocked.

Hope this helps.