Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6794
Views
0
Helpful
6
Replies

Incoming email connection dropped unexpectedly with log

joetam
Level 1
Level 1

‎10-14-2009 07:15 AM

Dear all,

     Our customer has found a problem for sender email bounced back unexpectedly, he has found the error logged from blocker.

14 Oct 2009 08:02:06 (GMT +0800)
Protocol SMTP interface Data 2 (IP 192.168.1.202) on incoming connection (ICID 185273) from sender IP address: w.x.y.z. Reverse DNS host 124x34x77x73.ap124.ftth.ucom.ne.jp verified 1.
14 Oct 2009 08:02:06 (GMT +0800)
(ICID 185273) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.1
14 Oct 2009 08:02:06 (GMT +0800)
Start message 56176 on incoming connection (ICID 185273).
14 Oct 2009 08:02:06 (GMT +0800)
Message 56176 enqueued on incoming connection (ICID 185273) from sanderling@senderdomain.com
14 Oct 2009 08:02:06 (GMT +0800)
Message 56176 on incoming connection (ICID 185273) added recipient (user1@targetdomain.com)
14 Oct 2009 08:02:06 (GMT +0800)
Message 56176 on incoming connection (ICID 185273) added recipient (user2@targetdomain.com).
14 Oct 2009 08:02:08 (GMT +0800)
Incoming connection (ICID 185273) lost.
14 Oct 2009 08:02:08 (GMT +0800)
Message 56176 aborted: Receiving aborted


Do anyone know why it will suddenly lost connection?

Regards,

Joe Tam

0 Helpful
6 Replies 6

dzavasni
Level 1
Level 1

‎10-15-2009 08:54 AM


>>Incoming connection (ICID 185273) lost. <<

This refers to the sending MTA closing/losing the connection. This indicates a problem on the sender's side. Is the issue constant when receiving mail from 124x34x77x73.ap124.ftth.ucom.ne.jp  ? Or is it an intermittant issue?

0 Helpful

edgar.reinke
Level 1
Level 1

‎10-27-2009 03:12 AM

You can enable the injection logs using Log Subscription. Than go to the command line and type tail ... select the number for the injection logs. This are real time logs which will give you the information if the sender of the message really quite the connection.

KR,

Edgar

0 Helpful

AANDOconsultants
Level 1
Level 1
In response to edgar.reinke

‎11-06-2009 06:57 AM

I am receiving the same error message as above. I appear to only be getting the message when the sender is sending me an attachment. Any ideas on how to correct this?

Thanks,

Nic

0 Helpful

dzavasni
Level 1
Level 1
In response to AANDOconsultants

‎11-06-2009 08:05 AM

If the Blocker is the one terminating the connection there should be a log as to why it decided to do so. Hopefully finding the transaction in your logs regarding the connection that's being dropped would give you a good starting point. If it is attachment related, I would look into the antivirus logs to see if it is being rejected by the Sophos scan due to potential virus payload. Otherwise, if the sender is receiving a bounce message, the contents of the bounce may give us some insight as to what may be going on.

0 Helpful

AANDOconsultants
Level 1
Level 1
In response to dzavasni

‎11-10-2009 08:51 AM

Is there a place in the blocker that limits the size of attachments? The bounceback said something about the message being to big or the receivers mailbox being full. Both of these are set correctly on the server. Any ideas?

Thanks,

Nic

0 Helpful

edgar.reinke
Level 1
Level 1
In response to AANDOconsultants

‎11-10-2009 12:09 PM

You can limit the size of incoming mails in the Mail Flow Policy. The MFP is attached to a Sender Group (SG) in the Host Access Table (HAT). Therefore, you have to find out in which SG the sender will have a match (mail_logs will give you a helping hand doing this). The SGs are first match out: the match is based on the SBRS or the Sender address.

Cheers,

Edgar

0 Helpful
Customers Also Viewed These Support Documents