Message aborted

damien.williot_ironport · ‎04-27-2007

Hi all,
we have a question, I can see on my ironport log mail these mesages :
Wed Apr 11 22:33:25 2007 Info: ICID 26686889 lost
Wed Apr 11 22:33:25 2007 Info: Message aborted MID 18005698 Receiving aborted

the MID 18005698 is linked to ICID 26686889.

What is the possible origin of these messages ?

Thanks in advance for your answer.

Regards

Poesjkin_ironport · ‎04-27-2007

We had a similar problem. Disabling the smtp fixup in our PIX config solved the problem.

damien.williot_ironport · ‎04-27-2007

Thanks for your answer.
I don't have a pix but a checkpoint firewall.
Have you any idea ?

Thanks in advance.

dioxido_ironport · ‎04-27-2007

have ytou tried make a grep to 26686889 into the mail logs?
grep
12 (mail logs)
26686889 and see the route of the email?

si_ironport · ‎05-01-2007

Have you checked your firewall logs at the time the traffic was dropped. It could be related to out-of-state traffic, we see this every now and again and we also operate Checkpoint firewalls.

Mark [CSE]_ironport · ‎05-02-2007

There is a number of issues that can be related to this.

The out-of-stat thing is an MTU problem.
The firewall is most likely dropping ICMP path discover packages.

Another issuse could be that the message transaction was closed before the message was relayed: http://tinyurl.com/ypxom8

The Fixup funktion and someother inline SMTP scanning firewalls are known to cause those issus from time to time. If you think this is the issue at TCPDUMP on the IronPort will show that the connection was closed with a RST ACK while the timestamp is just millseconds away. The FLAGs RST/ACK should normally be only shown when you talk to a closed port. The firewall will send the RST/ACK in both directions as it thinks the connecion is wrong/dangerous.

The last issue know to cause those abouted messages is a bad network. (haha) If the network reaches a retransmission rate for TCP of 10% and above conneciton will have trouble being stable. If the whole network is fine and just the IronPort is having problems like that, please check
CLI->etherconfig->media if the media speed is set correct.

steven_geerts · ‎05-22-2007

Hello,

If you have this problem with a specific sender, like we did, you can set up a connection debug log (or domain debug log) to your log subscriptions.
All connection activity for that specific sending IP address (or domain) is logged into a log file so you can easily analyze what is happening on the SMTP traffic layer.

My experience with this has learned that there are a lot badly patched MS-SBS servers around that stop responding after Ironport relies "Go ahead" to the DATA command.

With such detailed report on the connection activity it is easy to prove the problem is @ the sending mail server :lol:

Take a little care when you create those logs, the whole content of a message (including the complete body and attachments) are logged to the debug log.

notesadministration.paris_ironport · ‎05-20-2009

Hi Steven,

What do you mean by MS-SBS servers?

Thank you so much.
We are experiencing the exact same problems.

Knuto0815 · ‎05-27-2009

MS-SBS = Microsoft Small Business Server

This is a variant that claims to be a all in one solution for small businesses. It includes a directory service, a mail server, etc with some limitations compared to the (more or less ;)) grown up products.

To share my experience with Smart Defense I have to say that I started to switch the Smart Defense stuff to "monitor only" because it interferred with a lot of applications we are running.