Can't receive emails from Cisco.com

loser4fun
Level 1

Dears,

I'm using ASA FW with Firepower module 5516, in addition to Email gateway IronPort C190.

Actually I'm facing a challenge receiving emails from 3 domains, one of them is Cisco.com; however, I've checked message tracking in the email gateway but found nothing.

Also checked Firewall logs (ASA and FP connection logs/Security logs) but found no records at all.

I also simulated an email from a friend in the Cisco.com domain and took a packet capture on the ASA outside interface, but didn't receive any logs.

Would you advise what this could be?

Note: I'm receiving emails from all domains normally except these 3 domains, and all records (MX, reverse) show as OK in MXtoolbox (for example).


Libin Varghese
Cisco Employee

Hi,

It would be difficult to comment on the cause without looking at actual logs.

If the emails are being bounced back or rejected for any reason, then the sender domain should receive a bounce-back notification for the same.

You can try reviewing the mail_logs on the ESA for the affected domains to see if there are any connections that are coming through to the device.

grep "New SMTP ICID.*cisco.com" mail_logs

Thank You!

Libin Varghese

Hi Libin,

Below is the grep output. Actually I was able to receive emails till 3rd of March 2017, then everything stopped without any interaction from my side.

Tue Jan 17 12:12:52 2017 Info: New SMTP ICID 303915 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.147.247 reverse dns host alln-asp-2.cisco.com verified yes
Wed Jan 18 21:50:30 2017 Info: New SMTP ICID 312300 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.93 reverse dns host alln-iport-6.cisco.com verified yes
Tue Jan 24 12:21:12 2017 Info: New SMTP ICID 342265 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.147.247 reverse dns host alln-asp-2.cisco.com verified yes
Tue Jan 24 22:17:33 2017 Info: New SMTP ICID 346814 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.88 reverse dns host alln-iport-1.cisco.com verified yes
Wed Jan 25 17:44:26 2017 Info: New SMTP ICID 350828 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Wed Jan 25 20:10:17 2017 Info: New SMTP ICID 351271 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.72 reverse dns host rcdn-iport-1.cisco.com verified yes
Wed Jan 25 22:14:38 2017 Info: New SMTP ICID 351761 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.95 reverse dns host alln-iport-8.cisco.com verified yes
Thu Jan 26 13:37:18 2017 Info: New SMTP ICID 355863 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.75 reverse dns host rcdn-iport-4.cisco.com verified yes
Thu Jan 26 16:12:30 2017 Info: New SMTP ICID 356851 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.78 reverse dns host rcdn-iport-7.cisco.com verified yes
Thu Jan 26 16:13:52 2017 Info: New SMTP ICID 356862 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.89 reverse dns host alln-iport-2.cisco.com verified yes
Thu Jan 26 16:15:17 2017 Info: New SMTP ICID 356868 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.72 reverse dns host rcdn-iport-1.cisco.com verified yes
Thu Jan 26 16:16:55 2017 Info: New SMTP ICID 356877 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.95 reverse dns host alln-iport-8.cisco.com verified yes
Thu Jan 26 23:19:50 2017 Info: New SMTP ICID 358570 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.88 reverse dns host alln-iport-1.cisco.com verified yes
Fri Jan 27 06:36:23 2017 Info: New SMTP ICID 362264 interface mail1.scctportsaid.com (192.168.4.7) address 72.163.7.180 reverse dns host rcdn-asp-2.cisco.com verified yes
Mon Jan 30 19:29:27 2017 Info: New SMTP ICID 378142 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.78 reverse dns host rcdn-iport-7.cisco.com verified yes
Tue Jan 31 19:00:44 2017 Info: New SMTP ICID 385457 interface mail1.scctportsaid.com (192.168.4.7) address 142.0.166.150 reverse dns host mail01.b2me.cisco.com verified yes
Tue Jan 31 19:26:08 2017 Info: New SMTP ICID 385563 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.80 reverse dns host rcdn-iport-9.cisco.com verified yes
Tue Jan 31 19:29:41 2017 Info: New SMTP ICID 385579 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.79 reverse dns host rcdn-iport-8.cisco.com verified yes
Wed Feb 1 18:01:58 2017 Info: New SMTP ICID 390625 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Wed Feb 1 18:02:16 2017 Info: New SMTP ICID 390629 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.79 reverse dns host rcdn-iport-8.cisco.com verified yes
Wed Feb 1 21:31:38 2017 Info: New SMTP ICID 391404 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.72 reverse dns host rcdn-iport-1.cisco.com verified yes
Thu Feb 2 13:25:45 2017 Info: New SMTP ICID 394618 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.79 reverse dns host rcdn-iport-8.cisco.com verified yes
Thu Feb 2 13:52:47 2017 Info: New SMTP ICID 394786 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.74 reverse dns host rcdn-iport-3.cisco.com verified yes
Thu Feb 2 14:06:34 2017 Info: New SMTP ICID 394863 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.92 reverse dns host alln-iport-5.cisco.com verified yes
Thu Feb 2 14:08:32 2017 Info: New SMTP ICID 394874 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.89 reverse dns host alln-iport-2.cisco.com verified yes
Thu Feb 2 16:31:24 2017 Info: New SMTP ICID 395643 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.72 reverse dns host rcdn-iport-1.cisco.com verified yes
Thu Feb 2 16:37:53 2017 Info: New SMTP ICID 395675 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.89 reverse dns host alln-iport-2.cisco.com verified yes
Fri Feb 3 00:43:22 2017 Info: New SMTP ICID 397231 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.88 reverse dns host alln-iport-1.cisco.com verified yes
Sun Feb 5 14:44:30 2017 Info: New SMTP ICID 408184 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.147.246 reverse dns host alln-asp-1.cisco.com verified yes
Thu Feb 9 17:31:16 2017 Info: New SMTP ICID 437810 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Thu Feb 9 19:11:22 2017 Info: New SMTP ICID 438723 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.94 reverse dns host alln-iport-7.cisco.com verified yes
Thu Feb 9 19:26:06 2017 Info: New SMTP ICID 438851 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.77 reverse dns host rcdn-iport-6.cisco.com verified yes
Thu Feb 9 21:16:17 2017 Info: New SMTP ICID 439838 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.88 reverse dns host alln-iport-1.cisco.com verified yes
Fri Feb 10 00:14:32 2017 Info: New SMTP ICID 440783 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.79 reverse dns host rcdn-iport-8.cisco.com verified yes
Sun Feb 12 15:33:20 2017 Info: New SMTP ICID 459858 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.77 reverse dns host rcdn-iport-6.cisco.com verified yes
Mon Feb 13 12:42:47 2017 Info: New SMTP ICID 465916 interface mail1.scctportsaid.com (192.168.4.7) address 72.163.7.179 reverse dns host rcdn-asp-1.cisco.com verified yes
Tue Feb 14 01:46:59 2017 Info: New SMTP ICID 471348 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.92 reverse dns host alln-iport-5.cisco.com verified yes
Tue Feb 14 03:07:30 2017 Info: New SMTP ICID 471678 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.75 reverse dns host rcdn-iport-4.cisco.com verified yes
Wed Feb 15 09:33:45 2017 Info: New SMTP ICID 478999 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.91 reverse dns host alln-iport-4.cisco.com verified yes
Wed Feb 15 09:33:46 2017 Info: New SMTP ICID 479000 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.94 reverse dns host alln-iport-7.cisco.com verified yes
Thu Feb 16 13:12:25 2017 Info: New SMTP ICID 488292 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Thu Feb 16 14:37:00 2017 Info: New SMTP ICID 488829 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.74 reverse dns host rcdn-iport-3.cisco.com verified yes
Fri Feb 17 02:16:26 2017 Info: New SMTP ICID 492084 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Fri Feb 17 02:30:51 2017 Info: New SMTP ICID 492146 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.87 reverse dns host alln-app-2.cisco.com verified yes
Fri Feb 17 10:42:02 2017 Info: New SMTP ICID 493666 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Wed Mar 1 12:29:20 2017 Info: New SMTP ICID 609688 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.80 reverse dns host rcdn-iport-9.cisco.com verified yes
Wed Mar 1 12:29:57 2017 Info: New SMTP ICID 609694 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.93 reverse dns host alln-iport-6.cisco.com verified yes
Fri Mar 3 12:19:17 2017 Info: New SMTP ICID 628455 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.92 reverse dns host alln-iport-5.cisco.com verified yes
Fri Mar 3 12:20:57 2017 Info: New SMTP ICID 628481 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.78 reverse dns host rcdn-iport-7.cisco.com verified yes
Fri Mar 3 12:32:50 2017 Info: New SMTP ICID 628589 interface mail1.scctportsaid.com (192.168.4.7) address 72.163.7.180 reverse dns host rcdn-asp-2.cisco.com verified yes
Fri Mar 3 12:34:12 2017 Info: New SMTP ICID 628606 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.86.73 reverse dns host rcdn-iport-2.cisco.com verified yes
Fri Mar 3 12:52:14 2017 Info: New SMTP ICID 628757 interface mail1.scctportsaid.com (192.168.4.7) address 173.37.142.91 reverse dns host alln-iport-4.cisco.com verified yes

Hi,

The output confirms that there were no successful connections established with the ESA after March 3.

In the output you also have a list of public IP addresses you received emails from; you could set up captures on your edge network appliance for these IPs to see if there were any recent connections.

- Libin V
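Added example, not part of the thread and not Cisco tooling: a small Python parser for `New SMTP ICID` lines in the mail_logs format shown above. It reports when a sending domain was last seen and which source IPs to use as capture filters on the edge device, matching the reverse-DNS name by domain suffix and only when it is marked `verified yes`. The sample lines, host names and addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the mail_logs format from the thread; the hosts and
# addresses are placeholders from documentation ranges, not real senders.
SAMPLE = """\
Wed Mar  1 12:29:20 2017 Info: New SMTP ICID 1001 interface mail.example.org (192.0.2.7) address 198.51.100.80 reverse dns host out-9.sender.example verified yes
Fri Mar  3 12:20:57 2017 Info: New SMTP ICID 1002 interface mail.example.org (192.0.2.7) address 198.51.100.80 reverse dns host out-9.sender.example verified yes
Fri Mar  3 12:52:14 2017 Info: New SMTP ICID 1003 interface mail.example.org (192.0.2.7) address 198.51.100.91 reverse dns host out-4.sender.example verified yes
Mon Mar  6 09:00:00 2017 Info: New SMTP ICID 1004 interface mail.example.org (192.0.2.7) address 203.0.113.5 reverse dns host mx.notsender.example verified yes
Tue Mar  7 10:00:00 2017 Info: New SMTP ICID 1005 interface mail.example.org (192.0.2.7) address 203.0.113.9 reverse dns host sender.example.bad.example verified yes
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: "
    r"New SMTP ICID (?P<icid>\d+) interface \S+ \(\S+\) "
    r"address (?P<ip>\S+) reverse dns host (?P<host>\S+) "
    r"verified (?P<verified>\w+)"
)

def parse_connections(text):
    """Yield one record per 'New SMTP ICID' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Collapse the padded day-of-month ("Mar  1") before parsing.
        stamp = " ".join(rec["ts"].split())
        rec["ts"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        yield rec

def summarize(text, domain, now):
    """Last verified connection from `domain` and the source IPs it used."""
    domain = domain.lower()
    hits = [
        r for r in parse_connections(text)
        if r["verified"] == "yes"
        and (r["host"].lower() == domain
             or r["host"].lower().endswith("." + domain))
    ]
    if not hits:
        return {"last_seen": None, "days_silent": None, "source_ips": []}
    last = max(r["ts"] for r in hits)
    return {"last_seen": last, "days_silent": (now - last).days,
            "source_ips": sorted({r["ip"] for r in hits})}

if __name__ == "__main__":
    print(summarize(SAMPLE, "sender.example", datetime(2017, 3, 20)))
```

The suffix match excludes look-alike PTR names such as `mx.notsender.example` and `sender.example.bad.example`, which a plain substring match on the domain would count as hits.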

Hi,

Actually I've tried to get a packet capture from the ASA, but these IPs didn't show.

Would you assist, in case I took the capture with the wrong type?

I do not have much experience with ASA and it would be recommended you post your queries with the ASA on their support page or open a TAC case with that team if you require troubleshooting assistance.

For the ESA you can set up a packet capture from the GUI Help and Support -> Packet Capture or from the CLI using command "packetcapture".

- Libin V

Hi,

Actually from the ESA and ASA packet captures I can't see any packet received from Cisco IPs except the IPs of the website (DNS), not (SMTP), in the ASA only.

Is there any way to trace our domain from Cisco's side to determine where the challenge is?

I do not think that is an option.

If the person sending you an email gets a bounce back you can review information available in that bounce back email for more information.

Apart from that you would need to investigate with your ISP if there are no connections on the edge device.

- Libin V

Hi Libin,

Here is the NDR which returns to sender:

> Subject: Delivery Status Notification (Failure)
>
> The following message to <xxx@xxx.com> was undeliverable.
>
> The reason for the problem:
>
> 5.4.7 - Delivery expired (message too old) 'timeout'

Hi,

The NDR suggests that they were unable to connect to the destination server on your side after multiple re-attempts.

This could be due to multiple reasons such as DNS, firewall interruptions, TLS, etc.

The sender can set up a packet capture for the destination IP to confirm why they are unable to create a delivery connection with you.

- Libin V

That's why I was asking to trace the issue from Cisco's side.

I'll try to find a friend in Cisco to test the issue.

Appreciated