I have an IronPort email security gateway placed behind a firewall.
Recently I had a latency issue on my firewall because of high traffic going through it. On further investigation I found a large number of drops for traffic from the IronPort going to global IP addresses. The reason given for the drops was "tcp out of state ack".
I guess this is happening because of a slow response from the IronPort. I have checked the latency in the network, and CPU utilization is also normal.
I need to understand how the IronPort handles TCP connections, and what the other possibilities for a slow response are.
Will the mail queue affect the IronPort's response time at lower layers?
In general a busy/full mail queue won't be a reason for delayed responses at the TCP level; there is also a protection mechanism in place (resource conservation) that kicks in when the system runs out of resources due to high traffic. Of course, at higher levels than TCP delays may occur, e.g. because the appliance is waiting for a response from SenderBase, DNS, or LDAP. But back to your problem: those errors often indicate routing problems. Quoting a submission from another forum here:
"The most common cause of the problem? Asymmetric routing or using firewall pairs and not sharing TCP state information between them.
When you have asymmetric routing the data might be going via the path sender -> router 1 -> router 2 -> receiver in one direction, but the return path is receiver -> firewall -> router 1 -> sender. In this scenario the firewall does not see the TCP session establish properly, as it is missing all the traffic from the sender to the receiver, so it will always drop it as "out of state"."
Are you using a Check Point firewall, BTW? Because it seems most of these reported errors relate to stateful inspection.
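To make the mechanism in the answer above concrete, here is a toy stateful-inspection firewall that tracks TCP sessions and drops whatever does not fit the tracked state. This is an added example, not code from the thread or from any firewall vendor; the appliance and remote-MX addresses, the port numbers and the packet sequences are constructed, and the state machine is a deliberate simplification of what a real stateful firewall does. It runs the three cases discussed: a symmetric path (everything allowed), an asymmetric path where the remote side's SYN/ACK bypasses the firewall (the appliance's ACKs are logged as out of state), and a firewall pair that does not share its state table (the second unit drops mid-session ACKs).

```python
"""Toy stateful-inspection firewall.

Added illustration for the answer above, not code from the thread: it
shows why a firewall that never saw a session's handshake logs a bare
ACK as "TCP out of state".  Hosts, ports and packet sequences below are
constructed for this example.
"""
from dataclasses import dataclass, field

APPLIANCE = "10.0.0.25"     # the mail gateway behind the firewall (constructed)
REMOTE_MX = "203.0.113.7"   # a remote mail server (documentation address)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


@dataclass
class StatefulFirewall:
    """Tracks TCP sessions by endpoint pair and allows only packets that fit
    the tracked state.  A packet with no matching entry, or with the wrong
    flags for the current state, is dropped as out of state."""
    table: dict = field(default_factory=dict)

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def inspect(self, p):
        k = self._key(p)
        entry = self.table.get(k)
        from_initiator = entry is not None and entry["initiator"] == (p.src, p.sport)

        if p.flags == "S":
            # A bare SYN always opens (or re-opens) a session entry.
            self.table[k] = {"state": "SYN_SENT", "initiator": (p.src, p.sport)}
            return "ALLOW"
        if entry is None:
            return "DROP out of state"  # no session known for this ACK
        st = entry["state"]
        if st == "SYN_SENT" and p.flags == "SA" and not from_initiator:
            entry["state"] = "SYN_RECV"
            return "ALLOW"
        if st == "SYN_RECV" and p.flags == "A" and from_initiator:
            entry["state"] = "ESTABLISHED"
            return "ALLOW"
        if st == "ESTABLISHED" and "S" not in p.flags:
            if "R" in p.flags or "F" in p.flags:
                del self.table[k]  # simplification: tear down on FIN/RST at once
            return "ALLOW"
        return "DROP out of state"


def run(fw, packets):
    return [fw.inspect(p) for p in packets]


def symmetric_path():
    """Both directions traverse the firewall: the handshake is tracked and
    later data segments (carrying ACK) are allowed."""
    seq = [Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "S"),
           Pkt(REMOTE_MX, 25, APPLIANCE, 40000, "SA"),
           Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A"),
           Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A")]
    return run(StatefulFirewall(), seq)


def asymmetric_path():
    """The firewall sits only on the appliance's outbound path: the remote
    SYN/ACK bypasses it, so the session never reaches ESTABLISHED and every
    ACK the appliance sends afterwards is dropped as out of state."""
    seq = [Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "S"),
           Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A"),   # handshake ACK
           Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A")]   # data segment
    return run(StatefulFirewall(), seq)


def unsynced_firewall_pair():
    """Handshake crossed firewall A; mid-session traffic shifts to firewall B,
    which never learned the state and so drops the appliance's ACKs."""
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    handshake = [Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "S"),
                 Pkt(REMOTE_MX, 25, APPLIANCE, 40000, "SA"),
                 Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A")]
    data = [Pkt(APPLIANCE, 40000, REMOTE_MX, 25, "A")]
    return run(fw_a, handshake), run(fw_b, data)


if __name__ == "__main__":
    print("symmetric:  ", symmetric_path())
    print("asymmetric: ", asymmetric_path())
    print("fw pair:    ", unsynced_firewall_pair())
```

The practical check this suggests for the original poster: take one of the dropped flows from the firewall log and capture on both the appliance side and the upstream side of the firewall. If the firewall only ever sees one direction of the handshake for that flow, the drops are a routing or state-sync problem, not a slow appliance.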