It sounds like a routing issue. I have had this happen to me as well, and it turned out to be address spoofing on our firewall. The 10.10.xxx.xx address is our managment address / quarantine, 10.11.xxx.xxx is our incomming / outgoing smtp subnet and the 172.xxx.xxx.xxx was our userbase subnets. The default route was 10.11.xxx.254. What was happening was the packets would come into the device on the 10.10.xxx.xxx address then when returning it would come back via the default route of 10.11.xxx.xxx. This would cause an address spoofing condition on our firewall. I needed to create another address on the 10.11.xxx.xxx subnet for the quarantine so that it would then route out the default route without address spoofing. For the management address's I just created host routes for the Admins who needed access to the GUI of the Ironport. It may not be the cleanest way of doing it, however it has worked for me in this situation.
I hope this makes sense and helps someway in getting you a resolution.
Regards,
David