TCP Reset-I in PIX Log


Since switching ISPs and having to upgrade my PIX 515 from 7.0.2 to 7.2.4 for PPPOE support, I'm having issues receiving e-mails with attachments from a particular domain. All I see in the PIX log is the following message: Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I. I'm not sure what is causing the reset.

suschoud Fri, 10/10/2008 - 13:50

TCP Reset-I suggests a reset came from your email server. You would need to look into the email server to see why it is generating the reset.

Also, you can try disabling the inspect esmtp on the ASA, if that's enabled.

Do rate if helpful.

Regards,

Sushil
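
An added example, not part of the original posts: a Python parser for teardown lines in the format quoted in the question. It records which side of the firewall the reset came from (Reset-I from the inside interface, Reset-O from the outside) and groups reset SMTP sessions by remote peer. Every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Format of the teardown message quoted in the question.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
    r"(?:\s+(?P<reason>.*\S))?\s*$"
)
# Which side of the firewall the RST arrived from, per the teardown reason.
RESET_FROM = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}


def parse_teardown(line):
    """Return a dict of fields for one teardown line, or None if no match."""
    m = TEARDOWN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("conn", "src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    h, mi, s = (int(rec.pop(k)) for k in ("h", "m", "s"))
    rec["duration_s"] = h * 3600 + mi * 60 + s
    rec["reset_from"] = RESET_FROM.get(rec["reason"])  # None if not a reset
    return rec


def smtp_resets(lines, port=25):
    """Group reset teardowns of SMTP sessions by the remote (source) peer."""
    by_peer = defaultdict(list)
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["dst_port"] == port and rec["reset_from"]:
            by_peer[rec["src_ip"]].append(
                (rec["reset_from"], rec["duration_s"], rec["bytes"]))
    return dict(by_peer)


# First line is the one from the question; the rest are constructed samples.
SAMPLE = [
    "Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I",
    "Teardown TCP connection 1479201 for outside:192.0.2.10/40112 to inside:10.1.255.48/25 duration 0:00:03 bytes 5120 TCP FINs",
    "Teardown TCP connection 1479333 for outside:192.0.2.44/51515 to inside:10.1.255.48/25 duration 0:00:31 bytes 912 TCP Reset-O",
    "Teardown TCP connection 1479400 for outside:192.0.2.44/51999 to inside:10.1.255.48/80 duration 0:00:02 bytes 300 TCP Reset-I",
]

if __name__ == "__main__":
    for peer, events in smtp_resets(SAMPLE).items():
        print(peer, events)
```

A long-lived session with a large byte count that ends in a reset from the inside, like the first line, points at the mail server or at inspection on the path to it rather than at the remote sender.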

suschoud Fri, 10/10/2008 - 14:53

Here you go:

Considering 4.2.2.2 is the IP address of the email domain to which you are facing issues sending email:

ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class inspection_default
ASA5510-Single(config-pmap-c)# no inspect esmtp
ASA5510-Single(config)# access-l 101 deny ip any host 4.2.2.2
ASA5510-Single(config)# access-l 101 permit ip any any
ASA5510-Single(config)# class-map myesmtp
ASA5510-Single(config-cmap)# match access-list 101
ASA5510-Single(config-cmap)# exit
ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class myesmtp
ASA5510-Single(config-pmap-c)# inspect esmtp

Pretty much, you specify an access rule which defines what traffic should be inspected by the esmtp inspect. If there is a "deny" in the access list, that traffic would be bypassed from the inspection engine.

Do rate if helpful.

Regards,

Sushil

suschoud Mon, 10/13/2008 - 07:07

Just replace:

access-l 101 deny ip any host 4.2.2.2

with

access-l 101 deny ip host 4.2.2.2 any

4.2.2.2 -> IP of the domain.

Do rate helpful posts.

Regards.

Sushil

suschoud Mon, 10/13/2008 - 13:03

The suggested commands can in no way block internet traffic.

Is access-l 101 already defined somewhere in your configuration?

Not sure what is wrong. Can you post the "sh run" command output?

Regards,

Sushil

Cisco tech support suggested the below changes and that resolved the issue.

access-list esmtp_acl extended deny tcp host 193.246.239.72 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.73 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.74 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.75 any eq 25

access-list esmtp_acl extended permit tcp any any eq 25
