11-16-2012 12:56 AM
I've got problems with mail from one specific domain on our IronPort. All messages from that domain got lost. And I even can't understand which side's fault it is.
Mail log:
Fri Nov 16 12:06:07 2012 Info: New SMTP ICID 31142753 interface Data 2 (172.16.0.2) address 123.10.5.8 reverse dns host forward20.mail.problem.net verified yes
Fri Nov 16 12:06:07 2012 Info: ICID 31142753 ACCEPT SG WHITELIST match .problem.net SBRS 5.6
Fri Nov 16 12:06:07 2012 Info: Start MID 4717161 ICID 31142753
Fri Nov 16 12:06:07 2012 Info: MID 4717161 ICID 31142753 From: <user@problem.net>
Fri Nov 16 12:06:07 2012 Info: MID 4717161 ICID 31142753 RID 0 To: <user@myhost.com>
Fri Nov 16 12:06:08 2012 Info: ICID 31142753 lost
Fri Nov 16 12:06:08 2012 Info: Message aborted MID 4717161 Receiving aborted
Fri Nov 16 12:06:08 2012 Info: Message finished MID 4717161 aborted
Fri Nov 16 12:06:08 2012 Info: ICID 31142753 close
Injection Debug Log:
Fri Nov 16 12:06:07 2012 Info: 31142753 Sent to '123.10.5.8': '220 mx.myhost.com ESMTP\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Rcvd from '123.10.5.8': 'EHLO forward20.mail.problem.net\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Sent to '123.10.5.8': '250-mx.myhost.com\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Rcvd from '123.10.5.8': 'MAIL FROM:<user@problem.net> SIZE=3045067 BODY=8BITMIME\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Sent to '123.10.5.8': '250 sender <user@problem.net> ok\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Rcvd from '123.10.5.8': 'RCPT TO:<user@myhost.com>\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Sent to '123.10.5.8': '250 recipient <user@myhost.com> ok\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Rcvd from '123.10.5.8': 'DATA\r\n'
Fri Nov 16 12:06:07 2012 Info: 31142753 Sent to '123.10.5.8': '354 go ahead\r\n'
Solved! Go to Solution.
11-19-2012 12:36 AM
Hi,
the appliance would drop a conection only if there is no data received within 5 minutes. From the
Injection Debug Log it seems that there is either an issue on the client site as Don mentioned, or somewhere in the network/firewall. I'd suggest running a packet capture too from the GUI in the right top corner Help and Support - Packet Capture. This should show you more details, especially if a RST package is sent and from what device it origiantes from.
Best regards,
Enrico
11-17-2012 07:57 AM
Looks like the connection is getting dropped after the client says "DATA" and the IronPort says "go ahead". I wouldn't expect the IronPort to drop the connection immediately after saying "go ahead" (and besides, why would it do so only for this client?), so my money is on the client. No way to know why without the logs from that end.
++Don
11-18-2012 09:31 PM
I might add that when I temporary switched to FreeBSD-based mail server everything worked fine and all mail got through.
11-19-2012 12:36 AM
Hi,
the appliance would drop a conection only if there is no data received within 5 minutes. From the
Injection Debug Log it seems that there is either an issue on the client site as Don mentioned, or somewhere in the network/firewall. I'd suggest running a packet capture too from the GUI in the right top corner Help and Support - Packet Capture. This should show you more details, especially if a RST package is sent and from what device it origiantes from.
Best regards,
Enrico
11-19-2012 04:04 AM
Thanks for the tip. RST is sent by remote host after ironport's '354 go ahead' and three consecutive TCP Retransmission requests all in just one second. I don't get why. Will dig further.
11-22-2012 11:15 PM
Well, it seems the problem was on remote end and now everything works fine. Though the root of this problem remains undiscovered.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide