
Ironport not accepting mails from some domains

tharunraj22
Level 1

Hi,

We have an IronPort ESA C-100 with software version 5.x. We are facing an issue receiving mail from 3 or 4 domains.

I checked the incoming mail for the domain from the GUI. It does not show any count there. But when I check the mail logs, I see entries for these domains. If I drill down further with the ICID number, I get the below error message.

CID 59329250 interface Data 2 (Y.Y.Y.Y) address X.X.X.X reverse dns host somedomain.com verified yes
Fri Nov 23 11:21:46 2012 Info: ICID 59329250 ACCEPT SG WHITELIST match .somedomain.com SBRS 5.3
Fri Nov 23 11:21:48 2012 Info: Status: CPULd 0 DskIO 1 RAMUtil 6 QKUsd 6545 QKFre 8382063 CrtMID 11806590 CrtICID 59329250 CrtDCID 9142855 InjMsg 8924462 InjRcp 10306276 GenBncRcp 43070 RejRcp 453650 DrpMsg 205728 SftBncEvnt 665403 CmpRcp 10075599 HrdBncRcp 90972 DnsHrdBnc 18701 5XXHrdBnc 53914 FltrHrdBnc 0 ExpHrdBnc 18315 OtrHrdBnc 42 DlvRcp 9984552 DelRcp 75 GlbUnsbHt 0 ActvRcp 28 UnatmptRcp 25 AtmptRcp 3 CrtCncIn 18 CrtCncOut 3 DnsReq 135357614 NetReq 29471861 CchHit 135467085 CchMis 25108459 CchEct 45138274 CchExp 7675898 CPUTTm 1101 CPUETm 136372 MaxIO 568 RAMUsd 66989888 MMLen 30 DstInMem 135 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 9 AVLd 0 BMLd 0 CASELd 0 TotalLd 0 LogAvail 45G EuQ 0 EuqRls 0 SwIn 3386 SwOut 2893 SwPgIn 6340 SwPgOut 9196
Fri Nov 23 11:26:46 2012 Info: ICID 59329250 disconnected address X.X.X.X, no messages injected within timeout period
Fri Nov 23 11:26:46 2012 Info: ICID 59329250 close

Could you please tell me why this is happening?

Many Thanks,

Tharun


Enrico Werner
Cisco Employee

Hi Tharun,

The mail log file shows that the connection was closed by the appliance after 5 minutes of NOT receiving any data:

Fri Nov 23 11:21:46 2012 Info: ICID 59329250 ACCEPT

Fri Nov 23 11:26:46 2012 Info: ICID 59329250 disconnected

The message 'no messages injected within timeout period' points to the configured "Timeout for Unsuccessful Inbound Connections" which is set to 5 minutes (recommended). You can verify the same on the GUI under Network - Listeners - Global Settings.

I suggest running an injection debug log for analyzing the SMTP traffic from these three to four senders. Check out this article for more information:

Article #728: How do I analyze mail delivered to the Email Security Appliance (ESA)? Link: http://tools.cisco.com/squish/4c559

Alternatively, run a tcpdump on the command line. Running it from the GUI is not an option for you, as you are running the old version 5.x, where you can start a packet capture only from the CLI:

Article #1191: How to capture data packets on the Email Security Appliance Link: http://tools.cisco.com/squish/d16D2

If possible, check whether the sender is seeing any errors on their end when they send messages to you. Using the injection debug log file and/or packet capture should show you where in the SMTP conversation data stops being received, and whether it is related to the sender itself or to the firewall/network. It's good advice to also review your firewall logs in this matter.

There are a couple of things that can be causing this issue.

1. A firewall, IPS or other is interfering with the traffic

2. A firewall is blocking ICMP packets, and so preventing Path MTU Discovery from resolving MTU mismatch issues.

I would suggest you first check your firewall and ensure that it is NOT blocking incoming "ICMP destination unreachable, fragmentation needed" packets. If it is, please consider turning this blocking off, as it is breaking the intended functionality of PMTUD and so breaking the RFC.

I hope this helps.

Best regards,

Enrico
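
An added example, not part of the original thread or of Cisco's tooling: a small Python parser that scans mail log text for connections showing the ACCEPT-then-idle-timeout pattern discussed above and reports how long each one sat idle, so the affected senders can be listed before starting an injection debug log or packet capture. The sample log lines are constructed (documentation addresses), and the function name `idle_timeouts` is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the mail log format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Fri Nov 23 11:21:46 2012 Info: New SMTP ICID 101 interface Data 2 (192.0.2.10) address 198.51.100.7 reverse dns host mail.example.net verified yes
Fri Nov 23 11:21:46 2012 Info: ICID 101 ACCEPT SG WHITELIST match .example.net SBRS 5.3
Fri Nov 23 11:22:01 2012 Info: New SMTP ICID 102 interface Data 2 (192.0.2.10) address 203.0.113.9 reverse dns host mx.example.org verified yes
Fri Nov 23 11:22:01 2012 Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.1
Fri Nov 23 11:22:02 2012 Info: Start MID 5001 ICID 102
Fri Nov 23 11:22:03 2012 Info: ICID 102 close
Fri Nov 23 11:26:46 2012 Info: ICID 101 disconnected address 198.51.100.7, no messages injected within timeout period
Fri Nov 23 11:26:46 2012 Info: ICID 101 close
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) Info: (.*)$")
OPEN = re.compile(r"ICID (\d+) interface .* address (\S+) reverse dns host (\S+)")
ACCEPT = re.compile(r"^ICID (\d+) ACCEPT SG (\S+)")
# \S+ after "address" also consumes the trailing comma that follows the IP.
IDLE = re.compile(r"^ICID (\d+) disconnected address \S+ no messages injected within timeout period")


def idle_timeouts(log_text):
    """Return one record per ICID that the appliance closed for inactivity."""
    conns, hits = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip truncated or non-Info lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if (o := OPEN.search(msg)):
            conns[o.group(1)] = {"icid": o.group(1), "address": o.group(2),
                                 "host": o.group(3), "opened": ts}
        elif (a := ACCEPT.match(msg)):
            rec = conns.setdefault(a.group(1), {"icid": a.group(1)})
            rec.update(sender_group=a.group(2), accepted=ts)
        elif (i := IDLE.match(msg)):
            rec = conns.pop(i.group(1), {"icid": i.group(1)})
            start = rec.get("accepted") or rec.get("opened")
            # Seconds between ACCEPT and the disconnect; compare with the listener timeout.
            rec["idle_seconds"] = int((ts - start).total_seconds()) if start else None
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in idle_timeouts(SAMPLE_LOG):
        print(rec["icid"], rec.get("host"), rec.get("sender_group"), rec["idle_seconds"])
```

An `idle_seconds` value equal to the configured "Timeout for Unsuccessful Inbound Connections" means the sender never got as far as injecting a message, which is the case the reply suggests investigating with a packet capture and firewall logs.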