Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

High blocks for ironport traffic.

Hi All,

I have a iron port email security gateway placed behind a firewall.

Recently i had some latency issue on my firewall because of high traffic going through it, on further investigation i found a large number of drops from iron port going to global ip addresses .The cause for drops was "tcp out of state ack" .

I guess this is happening probably because of slow response from iron port. i have checked the latency in the network and cpu utilization is also normal.

I need to understand how iron port is handling tcp connections and what are the other possibilities for slow response?

Will the mail que effect the iron port response time at lower layers ?

Everyone's tags (2)

High blocks for ironport traffic.


in general a busy/full mail queue won't be a reason for delayed responces on TCP level, there is also a protection mechanism in place (resource conservation) that kicks in when the system runs out of resources due high traffic. Of course, on higher levels than TCP delays may occur because i.e. the appliance is waiting for a response from Senderbase, DNS, or LDAP. But back to your problem, those errors often indicate problems on routing, quoting a submission from another forum here:

"The most common cause of the problem? Asymmetric routing or using  firewall pairs and not sharing TCP state information between them.

When you have asymmetric routing the data might be going via the path  sender -> router 1 -> router 2 -> receiver in one way but the  return path is receiver -> firewall -> router 1 -> sender. In  this scenario the firewall is not seeing the TCP session establish  properly as its missing all the traffic from the sender to the receiver  so it will always drop it as "out of state".  "

Are you using a Checkpoint firewall BTW? Because it seems most of these errors reported relate to stateful inspection.



New Member

High blocks for ironport traffic.

Hi Andreas,

Thanks for your reply. Yes i am using cpt cluster in unicast load sharing mode between. Can you suggest me a solution to reduce these number of drops ? As this is utilising a lot of firewall resource.



CreatePlease to create content