04-27-2007 02:32 PM
Hi all,
we have a question, I can see on my ironport log mail these mesages :
Wed Apr 11 22:33:25 2007 Info: ICID 26686889 lost
Wed Apr 11 22:33:25 2007 Info: Message aborted MID 18005698 Receiving aborted
the MID 18005698 is linked to ICID 26686889.
What is the possible origin of these messages ?
Thanks in advance for your answer.
Regards
04-27-2007 02:58 PM
We had a similar problem. Disabling the smtp fixup in our PIX config solved the problem.
04-27-2007 03:42 PM
Thanks for your answer.
I don't have a pix but a checkpoint firewall.
Have you any idea ?
Thanks in advance.
04-27-2007 06:26 PM
have ytou tried make a grep to 26686889 into the mail logs?
grep
12 (mail logs)
26686889 and see the route of the email?
05-01-2007 11:08 PM
Have you checked your firewall logs at the time the traffic was dropped. It could be related to out-of-state traffic, we see this every now and again and we also operate Checkpoint firewalls.
05-02-2007 12:39 PM
There is a number of issues that can be related to this.
The out-of-stat thing is an MTU problem.
The firewall is most likely dropping ICMP path discover packages.
Another issuse could be that the message transaction was closed before the message was relayed: http://tinyurl.com/ypxom8
The Fixup funktion and someother inline SMTP scanning firewalls are known to cause those issus from time to time. If you think this is the issue at TCPDUMP on the IronPort will show that the connection was closed with a RST ACK while the timestamp is just millseconds away. The FLAGs RST/ACK should normally be only shown when you talk to a closed port. The firewall will send the RST/ACK in both directions as it thinks the connecion is wrong/dangerous.
The last issue know to cause those abouted messages is a bad network. (haha) If the network reaches a retransmission rate for TCP of 10% and above conneciton will have trouble being stable. If the whole network is fine and just the IronPort is having problems like that, please check
CLI->etherconfig->media if the media speed is set correct.
05-22-2007 08:03 AM
Hello,
If you have this problem with a specific sender, like we did, you can set up a connection debug log (or domain debug log) to your log subscriptions.
All connection activity for that specific sending IP address (or domain) is logged into a log file so you can easily analyze what is happening on the SMTP traffic layer.
My experience with this has learned that there are a lot badly patched MS-SBS servers around that stop responding after Ironport relies "Go ahead" to the DATA command.
With such detailed report on the connection activity it is easy to prove the problem is @ the sending mail server :lol:
Take a little care when you create those logs, the whole content of a message (including the complete body and attachments) are logged to the debug log.
05-20-2009 09:22 AM
Hi Steven,
What do you mean by MS-SBS servers?
Thank you so much.
We are experiencing the exact same problems.
05-27-2009 03:45 PM
MS-SBS = Microsoft Small Business Server
This is a variant that claims to be a all in one solution for small businesses. It includes a directory service, a mail server, etc with some limitations compared to the (more or less ;)) grown up products.
To share my experience with Smart Defense I have to say that I started to switch the Smart Defense stuff to "monitor only" because it interferred with a lot of applications we are running.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: