TCP Reset-I in PIX Log

doug.dockter
Level 1

Since switching ISPs and having to upgrade my PIX 515 from 7.0.2 to 7.2.4 for PPPOE support, I'm having issues receiving e-mails with attachments from a particular domain. All I see in the PIX log is the following message: Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I. I'm not sure what is causing the reset.

10 Replies

suschoud
Cisco Employee

TCP Reset-I suggests a reset came from your email server. You would need to look into the email server to see why it is generating the reset.

Also, you can try disabling the inspect esmtp on the ASA, if that's enabled.

Do rate if helpful.

Regards,

Sushil

I'm going to disable esmtp to see if that will help. We use an IronPort device as our SMTP server. There have been no configuration changes on it that I'm aware of.

Disabling esmtp resolved the issue. Was this a new feature of 7.0.4? Should I leave this turned off globally or is there a way to tweak the setting to not check for certain IP addresses or email domains?

Here you go:

considering 4.2.2.2 is the IP address of the email domain to which you are facing issues sending email:

ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class inspection_default
ASA5510-Single(config-pmap-c)# no inspect esmtp
ASA5510-Single(config)# access-l 101 deny ip any host 4.2.2.2
ASA5510-Single(config)# access-l 101 permit ip any any
ASA5510-Single(config)# class-map myesmtp
ASA5510-Single(config-cmap)# match access-list 101
ASA5510-Single(config-cmap)# exit
ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class myesmtp
ASA5510-Single(config-pmap-c)# inspect esmtp
ASA5510-Single(config-pmap-c)#

Pretty much you specify an access rule which defines what traffic should be inspected by esmtp inspect. If there is a "deny" in the access list, that traffic would be bypassed by the inspection engine.

Do rate if helpful.

Regards,

Sushil

Thanks for the example Sushil. I am having problems receiving e-mails FROM a domain. In your example above you said it was for an issue with sending e-mails TO a domain. Would the commands be the same?

Just replace :

access-l 101 deny ip any host 4.2.2.2

with

access-l 101 deny ip host 4.2.2.2 any

4.2.2.2 -> ip of the domain.

Do rate helpful posts.

Regards.

Sushil

Not sure if there is something wrong with the configuration commands you sent or I'm doing something wrong. As soon as I enter the inspect esmtp command toward the bottom, all access to the internet seems to be blocked.

The suggested commands in no way can block internet traffic.

Is access-l 101 already defined somewhere in your configuration?

Not sure what is wrong. Can you post "sh run" command output?

Regards,

Sushil

I attached the commands I entered (modified per my naming conventions) plus the output from sh run. I faked some of the IP addresses.

Cisco tech support suggested the below changes and that resolved the issue.

access-list esmtp_acl extended deny tcp host 193.246.239.72 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.73 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.74 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.75 any eq 25

access-list esmtp_acl extended permit tcp any any eq 25
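As an added example that is not part of the thread, the following Python parses the PIX/ASA "Teardown TCP connection" syslog lines quoted above, counts the outside hosts whose inbound SMTP sessions the inside mail server reset (reason TCP Reset-I, as opposed to Reset-O for a reset from the outside peer), and prints an exemption ACL in the shape TAC suggested. The sample log lines are constructed; only the first one is the line from the original post.

```python
import re
from collections import Counter

# Fields of the PIX/ASA 302014 teardown message. Reason "TCP Reset-I" means the
# RST came from the inside host (the SMTP server here); "TCP Reset-O" from outside.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardown(line):
    """Return the teardown fields as a dict, or None if the line is not a teardown."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("src_port", "dst_port", "bytes"):
        d[k] = int(d[k])
    return d

def smtp_reset_i_senders(lines, smtp_port=25):
    """Count outside hosts whose sessions to the inside mail port ended in Reset-I,
    the symptom the thread traced to inspect esmtp."""
    hits = Counter()
    for line in lines:
        t = parse_teardown(line)
        if (t and t["reason"] == "TCP Reset-I"
                and t["dst_if"] == "inside" and t["dst_port"] == smtp_port):
            hits[t["src_ip"]] += 1
    return hits

def esmtp_bypass_acl(hosts, acl_name="esmtp_acl", smtp_port=25):
    """ACL in the shape TAC suggested: deny (= skip inspection) for the listed
    senders, permit (= still inspect) every other session on the mail port."""
    acl = [f"access-list {acl_name} extended deny tcp host {h} any eq {smtp_port}"
           for h in sorted(hosts)]
    acl.append(f"access-list {acl_name} extended permit tcp any any eq {smtp_port}")
    return acl

# Constructed sample log: first line is the one from the post, the rest are made up.
SAMPLE_LOG = [
    "%PIX-6-302014: Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I",
    "%PIX-6-302014: Teardown TCP connection 1479121 for outside:193.246.239.74/40211 to inside:10.1.255.48/25 duration 0:02:03 bytes 5120 TCP Reset-I",
    "%PIX-6-302014: Teardown TCP connection 1479122 for outside:198.51.100.9/51000 to inside:10.1.255.48/25 duration 0:00:41 bytes 3311 TCP FINs",
    "%PIX-6-302014: Teardown TCP connection 1479123 for outside:198.51.100.9/51001 to inside:10.1.255.48/25 duration 0:00:05 bytes 120 TCP Reset-O",
    "%PIX-6-302014: Teardown TCP connection 1479124 for inside:10.1.255.48/33001 to outside:203.0.113.5/443 duration 0:00:09 bytes 900 TCP Reset-I",
]

if __name__ == "__main__":
    print("\n".join(esmtp_bypass_acl(smtp_reset_i_senders(SAMPLE_LOG))))
```

Hosts that only ever close with TCP FINs, or that are reset from the outside, are left under inspection, so the exemption stays as narrow as the evidence supports.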
