Email Plug-in (Reporting): 1.1.0-114
Email Plug-in (Encryption): 1.2.1-118
We upgraded our ESAs from 11.0-128 to 12.5-066.
Immediately after the upgrade we started to see TLS errors (for mails which come in from the internet and get routed over the ESA to our O365 tenant).
The errors are:
Tue Sep 17 09:08:25 2019 Info: ICID 43627580 TLS error: [Errno 54] Connection reset by peer
Tue Sep 17 09:08:31 2019 Info: ICID 43627587 TLS error: [Errno 32] Broken pipe
Tue Sep 17 09:08:35 2019 Info: ICID 43627596 TLS error: [Errno 32] Broken pipe
Tue Sep 17 09:08:41 2019 Info: ICID 43627607 TLS error: [Errno 54] Connection reset by peer
Tue Sep 17 09:08:42 2019 Info: ICID 43627609 TLS error: [Errno 32] Broken pipe
Tue Sep 17 09:08:47 2019 Info: ICID 43627618 TLS error: [Errno 32] Broken pipe
So almost every message coming in from the internet... If we look deeper in the mail traces, the mail is received and transferred fine within the same session. So no queueing at all.
It might seem cosmetic, sure, but we didn't have those errors in 11.0-128. Something must have changed in 12.5-066.
We also have a case open with Cisco TAC, but it seems to be stuck... (result: "I cannot confirm the source of the reset packet since it doesn't generate from the ESA") --> they see an RST coming from O365 (but the issue occurs while accepting the incoming connection :-) ), so IMHO that result has nothing to do with it...
The SMTP conversation logs show the error also:
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 >> 250 ok: Message 50409463 accepted
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 - Connection unexpectedly closed by peer.
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 close
Anybody else having the same issues?
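The poster's point is that the TLS error is logged after the message was already accepted in the same session, so nothing is queued or lost. The following is an added example (not code from the original post, nor a Cisco tool) that makes that check mechanical: it walks ESA log lines of the format quoted above, and for every ICID that logged a "TLS error" records whether a "250 ok: Message ... accepted" for the same ICID preceded it (post-acceptance, cosmetic) or not (pre-acceptance, the sender will have to retry). The sample input is constructed from the lines quoted above plus two made-up ICIDs; it assumes the mail_logs and SMTP conversation log lines have been merged into one text before being fed in.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mail_logs / smtp conversation lines quoted above.
# ICID 43630119 is from the post; 43630125 and 43630140 are made up to show the other cases.
SAMPLE_LOG = """\
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 >> 250 ok: Message 50409463 accepted
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 - Connection unexpectedly closed by peer.
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 TLS error: [Errno 54] Connection reset by peer
Tue Sep 17 09:27:24 2019 Info: ICID 43630119 close
Tue Sep 17 09:27:30 2019 Info: ICID 43630125 TLS error: [Errno 32] Broken pipe
Tue Sep 17 09:27:30 2019 Info: ICID 43630125 close
Tue Sep 17 09:27:41 2019 Info: ICID 43630140 >> 250 ok: Message 50409470 accepted
Tue Sep 17 09:27:41 2019 Info: ICID 43630140 close
"""

# "Tue Sep 17 09:27:24 2019 Info: ICID <n> <rest of line>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) Info: ICID (?P<icid>\d+) (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r">> 250 ok: Message (?P<mid>\d+) accepted")
TLS_ERR_RE = re.compile(r"TLS error: \[Errno (?P<errno>\d+)\] (?P<text>.*)")


def classify_tls_errors(log_text):
    """Return {icid: info} for every ICID that logged a TLS error.

    info["phase"] is "post-acceptance" when a 250 accepted for that ICID was
    seen before the error (message already queued; the error is cosmetic), and
    "pre-acceptance" otherwise (no message was taken in on that connection).
    Only the first TLS error per ICID is kept.
    """
    accepted = {}  # icid -> message id, set when the 250 line is seen
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log lines (MID lines, etc.) are not needed here
        icid, msg = m.group("icid"), m.group("msg")
        a = ACCEPT_RE.search(msg)
        if a:
            accepted[icid] = a.group("mid")
            continue
        e = TLS_ERR_RE.search(msg)
        if e and icid not in result:
            result[icid] = {
                "errno": int(e.group("errno")),
                "text": e.group("text"),
                "phase": "post-acceptance" if icid in accepted else "pre-acceptance",
                "mid": accepted.get(icid),
            }
    return result


def summarize(classified):
    """Count ICIDs per phase, e.g. {"post-acceptance": 1, "pre-acceptance": 1}."""
    counts = defaultdict(int)
    for info in classified.values():
        counts[info["phase"]] += 1
    return dict(counts)


if __name__ == "__main__":
    classified = classify_tls_errors(SAMPLE_LOG)
    for icid, info in classified.items():
        print(icid, info["phase"], f"errno={info['errno']}", f"MID={info['mid']}")
    print(summarize(classified))
```

If every TLS error comes out as post-acceptance, the errors are noise in the sense the poster describes; any pre-acceptance entries are the ones worth matching against a packet capture, since those are sessions where the peer reset the connection before a message was handed over.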
Please try to enable a packet capture in the ESA using the sending host IP address and port 25 as filter. Then attempt the SMTP conversation. That will help gather captures and know if the TLS issue occurs due to cipher negotiations or TLS versions in use.
If the sender expects only high-end ciphers to be negotiated with the ESA, you may add MEDIUM:HIGH:@STRENGTH to the existing Inbound SMTP Ciphers, along with the existing ciphers.
I did a packet trace, but no TLS negotiations are going wrong... It seems, and that's very strange, that the errors only occur for mails that come from an O365 environment on the internet towards our ESAs.
For every mail that gives that error (and a lost connection) we are seeing this in the trace:
SOURCE    DESTINATION   PROTOCOL   INFO
O365 IP   OUR ESA IP    TCP        PORT X -> 25 [RST, ACK]
O365 IP   OUR ESA IP    TCP        PORT X -> 25 [RST, ACK]
So two RSTs in a row, and then the connection is lost.
... Any idea?
You are not alone. The issue started to happen after the upgrade to 12.5 and seems to mainly impact communication to and from MS domains.
Please open a ticket with TAC
This is happening in our environment as well for emails from O365, ever since we upgraded to 12.5.x. Cisco points to O365, but I doubt it.