Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2148
Views
0
Helpful
2
Replies

High blocks for ironport traffic.

manmeetshergill
Level 1
Level 1

‎03-31-2012 12:51 PM

Hi All,

I have a iron port email security gateway placed behind a firewall.

Recently i had some latency issue on my firewall because of high traffic going through it, on further investigation i found a large number of drops from iron port going to global ip addresses .The cause for drops was "tcp out of state ack" .

I guess this is happening probably because of slow response from iron port. i have checked the latency in the network and cpu utilization is also normal.

I need to understand how iron port is handling tcp connections and what are the other possibilities for slow response?

Will the mail que effect the iron port response time at lower layers ?

Labels:
0 Helpful
2 Replies 2

Andreas Mueller
Level 4
Level 4

‎04-04-2012 04:03 AM

Hello,

in general a busy/full mail queue won't be a reason for delayed responces on TCP level, there is also a protection mechanism in place (resource conservation) that kicks in when the system runs out of resources due high traffic. Of course, on higher levels than TCP delays may occur because i.e. the appliance is waiting for a response from Senderbase, DNS, or LDAP. But back to your problem, those errors often indicate problems on routing, quoting a submission from another forum here:

"The most common cause of the problem? Asymmetric routing or using  firewall pairs and not sharing TCP state information between them.

When you have asymmetric routing the data might be going via the path  sender -> router 1 -> router 2 -> receiver in one way but the  return path is receiver -> firewall -> router 1 -> sender. In  this scenario the firewall is not seeing the TCP session establish  properly as its missing all the traffic from the sender to the receiver  so it will always drop it as "out of state".  "

Are you using a Checkpoint firewall BTW? Because it seems most of these errors reported relate to stateful inspection.

Regards,

Andreas

0 Helpful

manmeetshergill
Level 1
Level 1
In response to Andreas Mueller

‎04-04-2012 06:46 AM

Hi Andreas,

Thanks for your reply. Yes i am using cpt cluster in unicast load sharing mode between. Can you suggest me a solution to reduce these number of drops ? As this is utilising a lot of firewall resource.

Regards

Manmeet

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents