Connection problem with Symantec DLP

Steflstefan
Level 1

We changed from Forcepoint to Cisco ESA.


The scenario for outgoing messages:
Internal ESA -> Symantec DLP -> External ESA

Symantec acts like a proxy. If you start a telnet to the Symantec IP on port 25, you will receive the SMTP greeting from the external ESA, and you are speaking "directly" with the external ESA through the Symantec.

After 40 messages, the internal ESA receives "451 4.4.2 Error: Connection lost to forwarding agent." when it tries to send a message. Monitor / Delivery Status shows Destination Domain and Latest Host Status = Down for a long time.

When you then connect with telnet as described before, you'll receive "451 4.4.2 Error: Connection lost to forwarding agent." again and again until you send a QUIT.


If the scenario is:
Internal ESA -> External ESA, mail flow goes up and I can send many messages in a short time.


Formerly, with the Forcepoint appliances, we didn't have this problem.


Does anyone have an idea what has happened? What does "forwarding agent" mean?

Thanks in advance for any hints.
Greets, Stefan



Libin Varghese
Cisco Employee

Based on the details provided, it would appear the Symantec DLP system is throttling connections from the ESA.


I would recommend checking on the Symantec DLP to see if there is a hard limit configured for the number of messages within an hour, number of messages over a single connection, etc. set to 40.


This does not appear to be configuration on the ESA itself since ESA to ESA traffic is working without the same errors.


I did find a couple of articles online which may be useful to you:

https://support.symantec.com/en_US/article.HOWTO15644.html

https://support.symantec.com/en_US/article.TECH93068.html


Regards,

Libin Varghese

Hello Libin,

one of your links has routed me to a good intention for this strange behavior.
The reason was TLS. Because Symantec DLP acts like a "proxy server" between the ESA -> ESA connection, the TLS wasn't handled properly.
Our solution now:
on the internal ESA, set up a destination control to the DLP IP with TLS off
on the DLP, disable TLS by removing STARTTLS from RequestProcessor.AllowExtensions in the Advanced Server Settings of each Network Prevent for Email server's settings

on the external ESA, set up a HAT for the DLP hosts with a mail flow policy and set TLS off in the mail flow policy


It seems that failed TLS connections to the "target" ESA (external ESA) will not be closed properly if the TLS connection fails. This results in a mass of open inbound connections.

Actually, we try to use TLS on all connections, but in this case we have no chance to use it.
However, it works now.

Regards Stefan
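
As an added example (not code from this thread, from Cisco, or from Symantec), the Python script below is a defender-side check that covers both the symptom in the question (the relay answering 451 4.4.2 "Connection lost to forwarding agent") and the fix in this reply (STARTTLS no longer offered through the DLP). The pure functions parse SMTP replies and report whether STARTTLS is advertised and how many 451 4.4.2 replies a session produced, so they can be run offline on captured transcripts; probe_relay does the same live against a relay you name, using the standard library's smtplib. All host names, the HELO name and the sample transcripts are constructed.

```python
"""SMTP relay diagnostic: STARTTLS advertisement and 451 4.4.2 detection.

Added example, not code from the original thread, Cisco or Symantec.
Host names and transcripts are constructed for illustration.
"""
import re
import smtplib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Matches one SMTP reply line: 3-digit code, '-' (more lines follow) or ' '
# (last line), optional RFC 3463 enhanced status code, then free text.
REPLY_RE = re.compile(
    r"^(?P<code>\d{3})(?P<sep>[ -])"
    r"(?:(?P<esc>\d\.\d{1,3}\.\d{1,3})(?=\s|$))?\s*(?P<text>.*)$"
)


@dataclass
class Reply:
    code: int
    enhanced: Optional[str]   # enhanced status code of the first line, if any
    lines: List[str]          # text of each line, without code/ESC prefix


def parse_reply(raw: str) -> Reply:
    """Parse a possibly multi-line SMTP reply (RFC 5321 section 4.2.1)."""
    code, enhanced, lines = None, None, []
    for line in raw.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        if code is None:
            code, enhanced = int(m.group("code")), m.group("esc")
        elif int(m.group("code")) != code:
            raise ValueError("inconsistent reply codes in multi-line reply")
        lines.append(m.group("text"))
        if m.group("sep") == " ":      # 'CODE ' marks the final line
            break
    if code is None:
        raise ValueError("empty reply")
    return Reply(code, enhanced, lines)


def advertised_extensions(ehlo: Reply) -> Set[str]:
    """EHLO keywords; the first line is the server's identification, not an extension."""
    return {l.split()[0].upper() for l in ehlo.lines[1:] if l.strip()}


def is_forwarding_agent_error(reply: Reply) -> bool:
    """The transient failure from the thread: 451 with enhanced code 4.4.2."""
    return reply.code == 451 and reply.enhanced == "4.4.2"


def diagnose(ehlo_raw: str, later_replies: List[str]) -> Dict[str, object]:
    """Offline check over a captured session: EHLO reply plus the replies that followed."""
    exts = advertised_extensions(parse_reply(ehlo_raw))
    errors = sum(1 for r in later_replies if is_forwarding_agent_error(parse_reply(r)))
    tls = "STARTTLS" in exts
    if tls and errors:
        note = ("relay still offers STARTTLS and returns 451 4.4.2; the thread's fix removes "
                "STARTTLS from RequestProcessor.AllowExtensions on the DLP and disables TLS "
                "toward/from the DLP on both ESAs")
    elif errors:
        note = "451 4.4.2 seen without STARTTLS; look beyond TLS (e.g. connection limits on the DLP)"
    else:
        note = "no forwarding-agent errors in this session"
    return {"starttls_advertised": tls, "forwarding_agent_errors": errors, "note": note}


def probe_relay(host: str, port: int = 25, timeout: float = 10.0,
                helo_name: str = "probe.example.invalid") -> Dict[str, object]:
    """Live check (not exercised offline): connect, EHLO, attempt STARTTLS if offered.

    A proxy that passes the banner through, as the thread describes for the DLP,
    shows the downstream MTA's greeting here, so the banner tells you who you are
    really negotiating TLS with. helo_name is a constructed placeholder.
    """
    result: Dict[str, object] = {"host": host, "banner": None, "starttls_advertised": False,
                                 "starttls_ok": None, "error": None}
    s = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = s.connect(host, port)            # returns the 220 greeting
        result["banner"] = f"{code} {banner.decode(errors='replace')}"
        s.ehlo(helo_name)
        result["starttls_advertised"] = s.has_extn("starttls")
        if result["starttls_advertised"]:
            try:
                s.starttls()                             # negotiation failure surfaces here
                result["starttls_ok"] = True
            except (smtplib.SMTPException, OSError) as exc:
                result["starttls_ok"] = False
                result["error"] = str(exc)
        s.quit()
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    finally:
        s.close()
    return result


if __name__ == "__main__":
    # Constructed transcript: relay offers STARTTLS, then fails at end of DATA.
    EHLO = "250-relay.example.invalid\n250-SIZE 10485760\n250-STARTTLS\n250 ENHANCEDSTATUSCODES\n"
    print(diagnose(EHLO, ["250 2.1.0 Ok", "250 2.1.5 Ok",
                          "451 4.4.2 Error: Connection lost to forwarding agent."]))
```

Run the offline part as shown under `__main__`; call `probe_relay("<dlp-host>")` from the internal ESA's network to confirm that, after the change to RequestProcessor.AllowExtensions, `starttls_advertised` is False and the banner is the external ESA's.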

Stefan,


Thank you for sharing the solution.


Regards,

Libin Varghese