
PIX 515E and RST flags

SethDunn
Level 1

Hello all,
Was wondering if I can get some insight/help on this.
Having some odd email issues.
From most email servers, we receive email fine.
But here recently we have been experiencing issues with Proofpoint servers. Sometimes email being sent through them works fine, other times it doesn't. The sender will get an NDR from them stating the connection (to our mail server) was denied. When I check the logs on the PIX, I see no connection attempt at the time the NDR states it was attempted.

When I look at the log I see a
Connection Built
Connection Teardown,
Then a whole bunch of Deny TCP (no connection) flags RST on interface outside.  (when watching the log it will fire off a bunch of these at once)

This is what I see (I have not included some of the entries, because they are the same thing):

 

6    Oct 17 2017    08:12:52    302013    67.231.154.164    Exchange     Built inbound TCP connection 8948738 for outside:67.231.154.164/58054 (67.231.154.164/58054) to DMZ4:Exchange/25 (216.54.104.225/25)
6    Oct 17 2017    08:12:52    302014    67.231.154.164    Exchange     Teardown TCP connection 8948738 for outside:67.231.154.164/58054 to DMZ4:Exchange/25 duration 0:00:00 bytes 205913 TCP Reset-O
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside
6    Oct 17 2017    08:12:52    106015    Exchange    67.231.154.164     Deny TCP (no connection) from Exchange/25 to 67.231.154.164/58054 flags ACK  on interface DMZ4
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/57524 to 216.54.104.225/25 flags ACK  on interface outside
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside


There are a lot of the Deny tcp (no connection) entries I didn't include.
So is this normal?  Or is there something on my PIX that is dropping the communication?
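
The log pattern in the post above, worked through as an added example (not part of the original post and not Cisco tooling): the Python below ties each 106015 "Deny TCP (no connection)" line to the 302013/302014 build and teardown records, separating packets that arrived after a connection was torn down from packets with no connection in the log at all. It assumes the syslog layout shown in the excerpt; the function names `correlate` and `summarize` are illustrative.

```python
import re
from collections import Counter

# Log lines copied from the excerpt in the post above.
SAMPLE = """\
6    Oct 17 2017    08:12:52    302013    67.231.154.164    Exchange     Built inbound TCP connection 8948738 for outside:67.231.154.164/58054 (67.231.154.164/58054) to DMZ4:Exchange/25 (216.54.104.225/25)
6    Oct 17 2017    08:12:52    302014    67.231.154.164    Exchange     Teardown TCP connection 8948738 for outside:67.231.154.164/58054 to DMZ4:Exchange/25 duration 0:00:00 bytes 205913 TCP Reset-O
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside
6    Oct 17 2017    08:12:52    106015    Exchange    67.231.154.164     Deny TCP (no connection) from Exchange/25 to 67.231.154.164/58054 flags ACK  on interface DMZ4
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/57524 to 216.54.104.225/25 flags ACK  on interface outside
6    Oct 17 2017    08:12:52    106015    67.231.154.164    216.54.104.225     Deny TCP (no connection) from 67.231.154.164/58054 to 216.54.104.225/25 flags RST  on interface outside
"""

EP = r"(\S+)/(\d+)"  # host/port endpoint
BUILT = re.compile(rf"Built \w+ TCP connection (\d+) for [^:\s]+:{EP} \({EP}\) to [^:\s]+:{EP} \({EP}\)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) .* bytes \d+ (.*)$")
DENY = re.compile(rf"Deny TCP \(no connection\) from {EP} to {EP} flags (.+?)\s+on interface (\S+)")


def correlate(log_text):
    """Tag every 106015 deny with the torn-down connection it belongs to, if any."""
    conns, denies = {}, []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            g = m.groups()
            # Each side is stored under both its real and its mapped address,
            # because deny lines may show either the name or the IP.
            conns[g[0]] = {"a": {g[1:3], g[3:5]}, "b": {g[5:7], g[7:9]}, "closed": None}
        elif m := TEARDOWN.search(line):
            if m[1] in conns:
                conns[m[1]]["closed"] = m[2].strip()
        elif m := DENY.search(line):
            src, dst = m.groups()[0:2], m.groups()[2:4]
            # Most recent closed connection with the same endpoints, either direction.
            cid = next((i for i, c in reversed(conns.items()) if c["closed"] and (
                (src in c["a"] and dst in c["b"]) or (src in c["b"] and dst in c["a"]))), None)
            denies.append({"src": "/".join(src), "dst": "/".join(dst), "flags": m[5],
                           "iface": m[6], "conn": cid,
                           "teardown": conns[cid]["closed"] if cid else None})
    return denies


def summarize(denies):
    """Count denies that trail a closed connection versus those with none in the log."""
    return Counter("after-teardown" if d["conn"] else "no-connection-in-log" for d in denies)


if __name__ == "__main__":
    print(dict(summarize(correlate(SAMPLE))))
```

On the excerpt, the RST and ACK denies for source port 58054 all map back to connection 8948738, which was torn down with reason TCP Reset-O, while the ACK from source port 57524 has no build record in the lines that were posted.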

Accepted Solutions

SethDunn
Level 1

Figured it out.
The IPs somehow got grouped into a Network Object group I had set up for exemption...
Removed that and things seem to be working as they should be.


3 Replies

SethDunn
Level 1

I have removed the ESMTP inspect from the class map.
So that should allow for Inspection bypass of SMTP traffic, correct?
I know with it enabled it messes up communication to mail servers behind the firewall.

SethDunn
Level 1

Could the "Randomize Sequence Number" setting be causing these problems?
Because the traffic flow from this particular set of SMTP servers shows very odd behavior with communication when I watch the log....
I just see a constant stream of Deny tcp....lines in the log
All coming from one IP address, but different source ports directed at my mail servers port 25.
