
Incoming connection lost and delay in mail delivery by 10 mins, needs to check why?

bsrinu001
Level 1

Hi Team, 

Requesting to check why incoming connection is lost and mail is delayed by 10 mins in delivery!

Attached log for reference:

zurmgwcdc003.amer.zurich.corp - 23 Mar 2017 10:56 (GMT -05:00)
Copyright © 2003-2015 Cisco Systems, Inc. All rights reserved. 1
CONTENT SECURITY MANAGEMENT APPLIANCE
zurmgwcdc003.amer.zurich.corp
Message Details
Envelope and Header Summary
Received Time: 22 Mar 2017 10:10:44 (GMT -05:00)
MID: 405127569
Message Size: 17.39 (KB)
Subject: Your one-time passcode to view the message
Envelope Sender: MicrosoftOffice365@messaging.microsoft.com
Envelope Recipients: doug.watt@farmersinsurance.com
Message ID Header: <59a31fa0-f2a5-4796-b720-492a229e0bc1@CY4PR15MB1157.namprd15.prod.outlook.com>
Cisco IronPort Host: resmail01 (10.149.65.15)
SMTP Auth User ID: N/A
Attachments N/A
Sending Host Summary
Reverse DNS Hostname: mail-sn1nam02on0055.outbound.protection.outlook.com (verified)
IP Address: 104.47.36.55
SBRS Score: unable to retrieve
Processing Details
MAIL POLICY "AttachmentScanningFarmersDomains" MATCHED THESE RECIPIENTS: doug.watt@farmersinsurance.com
22 Mar 2017 10:10:43 (GMT -05:00) Protocol SMTP interface public (IP 10.149.64.12) on incoming connection (ICID 960126699) from sender IP
104.47.36.55. Reverse DNS host mail-sn1nam02on0055.outbound.protection.outlook.com verified yes.
22 Mar 2017 10:10:43 (GMT -05:00) (ICID 960126699) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS unable to retrieve
22 Mar 2017 10:10:44 (GMT -05:00) Incoming connection (ICID 960126699) successfully accepted TLS protocol TLSv1.2 cipher AES256-SHA256.
22 Mar 2017 10:10:44 (GMT -05:00) Start message 405127569 on incoming connection (ICID 960126699).
22 Mar 2017 10:10:44 (GMT -05:00) Message 405127569 enqueued on incoming connection (ICID 960126699) from
MicrosoftOffice365@messaging.microsoft.com.
22 Mar 2017 10:10:44 (GMT -05:00) Message 405127569 on incoming connection (ICID 960126699) added recipient (doug.watt@farmersinsurance.com).
22 Mar 2017 10:10:44 (GMT -05:00) Message 405127569 contains message ID header
'<59a31fa0-f2a5-4796-b720-492a229e0bc1@CY4PR15MB1157.namprd15.prod.outlook.com>'.
22 Mar 2017 10:10:44 (GMT -05:00) Message 405127569 original subject on injection: Your one-time passcode to view the message
22 Mar 2017 10:10:45 (GMT -05:00) Message 405127569 (17808 bytes) from MicrosoftOffice365@messaging.microsoft.com ready.
22 Mar 2017 10:10:45 (GMT -05:00) Incoming connection (ICID 960126699) lost.
22 Mar 2017 10:21:21 (GMT -05:00) SMTP delivery connection (DCID 78012394) opened from Cisco IronPort interface 10.149.65.15 to IP address
10.149.37.120 on port 25.
22 Mar 2017 10:21:21 (GMT -05:00) Message 405127569 matched per-recipient policy AttachmentScanningFarmersDomains for inbound mail policies.
22 Mar 2017 10:21:22 (GMT -05:00) Message 405127569 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
22 Mar 2017 10:21:22 (GMT -05:00) Message 405127569 scanned by Anti-Spam engine: CASE. Final verdict: Negative
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 scanned by Anti-Virus engine. Final verdict: Negative
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 scanned by Outbreak Filters. Verdict: Negative
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 queued for delivery.
22 Mar 2017 10:21:25 (GMT -05:00) (DCID 78012394) Delivery started for message 405127569 to doug.watt@farmersinsurance.com.
22 Mar 2017 10:21:25 (GMT -05:00) (DCID 78012394) Delivery details: Message 405127569 sent to doug.watt@farmersinsurance.com [('from', 'Microsoft
Office 365 Message Encryption\\r\\n\\t<MicrosoftOffice365@messaging.microsoft.com>')]
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 to doug.watt@farmersinsurance.com received remote SMTP response 'Message accepted for
delivery'.

1 Reply 1

Libin Varghese
Cisco Employee

Hi,

In relation to mail processing on the Cisco Email Security Appliance (ESA), some clients disconnect after they get shown the EHLO size limit. Those clients do not send a QUIT, but end the connection perfectly normally at the TCP level. In this instance, the ESA will log ICID lost.

 

This typically happens when either the ESA loses the connection, or the sending client prematurely ends the connection without sending us the entire message. This would mean that the remote host connected but did not send any data.

 

If you know the sending domain, host name, or IP address, you can take a closer look at this occurrence by enabling Injection Debug logs. This will give you more detailed information during the SMTP conversation. Debug logging can be turned on from the CLI by using logconfig > new, or from the GUI by enabling a new Log Subscription.
 

You could also set up a packet capture on the appliance for the sender IP to capture details of how the connection is processed.

Thank You!

Libin Varghese
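
Added example, not part of the original thread and not Cisco tooling: a small parser for message-tracking lines in the format shown in the question. It orders the events by timestamp and reports every pause longer than a threshold, which shows between which two events the 10-minute delay sits. The sample lines are copied from the log above; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Event prefix in the tracking export: "22 Mar 2017 10:10:45 (GMT -05:00) <text>"
LINE_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT ([+-])(\d{2}):(\d{2})\) (.*)$"
)

# Lines copied from the log in the question; one is left wrapped as exported.
SAMPLE = """\
22 Mar 2017 10:10:44 (GMT -05:00) Start message 405127569 on incoming connection (ICID 960126699).
22 Mar 2017 10:10:45 (GMT -05:00) Message 405127569 (17808 bytes) from MicrosoftOffice365@messaging.microsoft.com ready.
22 Mar 2017 10:10:45 (GMT -05:00) Incoming connection (ICID 960126699) lost.
22 Mar 2017 10:21:21 (GMT -05:00) SMTP delivery connection (DCID 78012394) opened from Cisco IronPort interface 10.149.65.15 to IP address
10.149.37.120 on port 25.
22 Mar 2017 10:21:22 (GMT -05:00) Message 405127569 scanned by Anti-Spam engine: CASE. Final verdict: Negative
22 Mar 2017 10:21:25 (GMT -05:00) Message 405127569 queued for delivery.
"""

def parse_events(text):
    """Return [(aware_datetime, event_text)] sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            # Wrapped continuation: glue it to the previous event's text.
            if events and line.strip():
                events[-1][1] += " " + line.strip()
            continue
        stamp, sign, hh, mm, msg = m.groups()
        offset = timedelta(hours=int(hh), minutes=int(mm))
        tz = timezone(-offset if sign == "-" else offset)
        ts = datetime.strptime(stamp, "%d %b %Y %H:%M:%S").replace(tzinfo=tz)
        events.append([ts, msg])
    return sorted((tuple(e) for e in events), key=lambda e: e[0])

def gaps_over(events, min_seconds=60):
    """List (seconds, event_before, event_after) for every pause >= min_seconds."""
    out = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        delta = int((t1 - t0).total_seconds())
        if delta >= min_seconds:
            out.append((delta, before, after))
    return out

if __name__ == "__main__":
    for secs, before, after in gaps_over(parse_events(SAMPLE)):
        print(f"{secs}s idle between:\n  {before}\n  {after}")
```
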