10-17-2017 05:29 AM - edited 02-21-2020 06:30 AM
Hello all,
Was wondering if I can get some insight/help on this.
Having some odd email issues.
From most email servers, we receive email fine.
But recently we have been experiencing issues with Proofpoint servers. Sometimes email being sent through them works fine, other times it doesn't. The sender will get an NDR from them stating the connection (to our mail server) was denied. When I check the logs on the PIX, I see no connection attempt at the time the NDR states it was attempted.
When I look at the log I see a Connection Built, a Connection Teardown, then a whole bunch of "Deny TCP (no connection) ... flags RST on interface outside" entries. (When watching the log it will fire off a bunch of these at once.)
This is what I see (I have not included some of the entries, because they are the same thing):
6 Oct 17 2017 08:12:52 302013 67.231.154.164 Exchange Built inbound TCP connection 8948738 for outside:67.231.154.164/58054 (67.231.154.164/58054) to DMZ4:Exchange/25 (216.54.104.225/25)
6 Oct 17 2017 08:12:52 302014 67.231.154.164 Exchange Teardown TCP connection 8948738 for outside:67.231.154.164/58054 to DMZ4:Exchange/25 duration 0:00:00 bytes 205913 TCP Reset-O
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
6 Oct 17 2017 08:12:52 106015 Exchange 67.231.154.164 Deny TCP (no connection) from Exchange/25 to 67.231.154.164/58054 flags ACK on interface DMZ4
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/57524 to 216.54.104.225/25 flags ACK on interface outside
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
There are a lot of the Deny TCP (no connection) entries I didn't include.
So is this normal? Or is there something on my PIX that is dropping the communication?
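To see what the log excerpt above actually says per flow, the following script (an added example, not code from the poster or from Cisco) correlates the three PIX/ASA message types involved: 302013 (Built), 302014 (Teardown, with its reason) and 106015 (Deny TCP, no connection). It keys each 106015 on the flow's endpoints, using the object name to IP mapping that the Built message reveals (Exchange = 216.54.104.225), so the deny logged on the DMZ4 side is counted against the same connection as the ones logged on outside. The sample input is the log quoted in the opening post; the function names and the flagging rule in reset_then_denied are this example's own.

```python
"""Correlate Cisco PIX/ASA syslog 302013 / 302014 / 106015 messages per TCP flow.

Added example for the thread above, not the poster's code.  It reports, per
connection ID, how the session ended (teardown reason) and how many
out-of-state "Deny TCP (no connection)" messages the firewall logged for the
same flow, so a "reset, then a burst of denies" pattern can be spotted
without reading the raw log by hand.
"""
import re

# Sample input: the log lines quoted in the opening post of the thread.
SAMPLE_LOG = """\
6 Oct 17 2017 08:12:52 302013 67.231.154.164 Exchange Built inbound TCP connection 8948738 for outside:67.231.154.164/58054 (67.231.154.164/58054) to DMZ4:Exchange/25 (216.54.104.225/25)
6 Oct 17 2017 08:12:52 302014 67.231.154.164 Exchange Teardown TCP connection 8948738 for outside:67.231.154.164/58054 to DMZ4:Exchange/25 duration 0:00:00 bytes 205913 TCP Reset-O
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
6 Oct 17 2017 08:12:52 106015 Exchange 67.231.154.164 Deny TCP (no connection) from Exchange/25 to 67.231.154.164/58054 flags ACK on interface DMZ4
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/57524 to 216.54.104.225/25 flags ACK on interface outside
6 Oct 17 2017 08:12:52 106015 67.231.154.164 216.54.104.225 Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST on interface outside
"""

# 302013: both endpoints appear as interface:name/port (real_ip/port).
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<sif>[\w-]+):(?P<sname>\S+)/(?P<sport>\d+) \((?P<sip>[\d.]+)/\d+\) to "
    r"(?P<dif>[\w-]+):(?P<dname>\S+)/(?P<dport>\d+) \((?P<dip>[\d.]+)/\d+\)")
# 302014: the free-text reason (e.g. "TCP Reset-O", "TCP FINs") trails the byte count.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for .*? duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
# 106015: endpoints may be object names on an inside interface (Exchange/25).
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>[\w-]+)")


def correlate(log_text):
    """Return (flows, orphans).

    flows maps connection id -> summary dict; orphans lists 106015 denies whose
    endpoints match no Built connection seen in the log (a different source
    port, or a flow whose Built line is outside the excerpt).
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    aliases = {}       # object name -> real IP, learned from the Built lines
    by_endpoints = {}  # frozenset{(ip, port), (ip, port)} -> connection id
    flows = {}
    # Pass 1: learn connections and name->IP aliases from 302013 messages.
    for ln in lines:
        m = BUILT_RE.search(ln)
        if not m:
            continue
        aliases[m["sname"]] = m["sip"]
        aliases[m["dname"]] = m["dip"]
        key = frozenset({(m["sip"], m["sport"]), (m["dip"], m["dport"])})
        by_endpoints[key] = m["conn"]
        flows[m["conn"]] = {"client": f'{m["sip"]}/{m["sport"]}',
                            "server": f'{m["dip"]}/{m["dport"]}',
                            "bytes": None, "reason": None,
                            "denies": 0, "flags": []}
    orphans = []
    # Pass 2: attach teardown reasons and out-of-state denies to those flows.
    for ln in lines:
        t = TEARDOWN_RE.search(ln)
        if t and t["conn"] in flows:
            flows[t["conn"]]["bytes"] = int(t["bytes"])
            flows[t["conn"]]["reason"] = (t["reason"] or "").strip()
            continue
        d = DENY_RE.search(ln)
        if not d:
            continue
        src = aliases.get(d["src"], d["src"])  # 'Exchange' -> 216.54.104.225
        dst = aliases.get(d["dst"], d["dst"])
        key = frozenset({(src, d["sport"]), (dst, d["dport"])})
        conn = by_endpoints.get(key)
        if conn is None:
            orphans.append(f'{src}/{d["sport"]}->{dst}/{d["dport"]} '
                           f'{d["flags"]} on {d["iface"]}')
        else:
            flows[conn]["denies"] += 1
            flows[conn]["flags"].append(d["flags"])
    return flows, orphans


def reset_then_denied(flows):
    """Connection ids the firewall closed on a TCP reset and then kept logging
    as out-of-state traffic: the flows worth a packet capture on outside."""
    return sorted(c for c, f in flows.items()
                  if f["reason"] and f["reason"].startswith("TCP Reset")
                  and f["denies"] > 0)


if __name__ == "__main__":
    flows, orphans = correlate(SAMPLE_LOG)
    for conn, summary in flows.items():
        print(conn, summary)
    print("orphan denies:", orphans)
    print("reset then denied:", reset_then_denied(flows))
```

On the thread's excerpt this attributes four of the five 106015 lines to connection 8948738 (torn down after 205913 bytes with "TCP Reset-O", i.e. a reset seen from the outside host), and leaves the 57524 deny as an orphan, since no Built line for that source port is in the excerpt. That split is the useful signal: denies tied to a flow the firewall itself just reset are the other side retransmitting into a closed state, while orphan denies point at connections the firewall never built in the first place, which is where a bypass or exemption rule would show up.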
10-17-2017 01:43 PM
Figured it out.
The IPs somehow got grouped into a Network Object group I had set up for exemption...
Removed that and things seem to be working as they should be.
10-17-2017 05:36 AM
I have removed the ESMTP inspect from the class map.
So that should allow for inspection bypass of SMTP traffic, correct?
I know with it enabled it messes up communication to mail servers behind the firewall.
10-17-2017 07:47 AM
Could the "Randomize Sequence Number" setting be causing these problems?
Because the traffic flow from this particular set of SMTP servers shows very odd behaviour with communication when I watch the log....
I just see a constant stream of Deny TCP.... lines in the log,
All coming from one IP address, but different source ports directed at my mail servers port 25.