Cisco Support Community

New Member

TCP Reset-I in PIX Log

Since switching ISPs and having to upgrade my PIX 515 from 7.0.2 to 7.2.4 for PPPOE support, I'm having issues receiving e-mails with attachments from a particular domain. All I see in the PIX log is the following message: Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I. I'm not sure what is causing the reset.

10 REPLIES
Cisco Employee

Re: TCP Reset-I in PIX Log

TCP Reset-I suggests a reset came from your email server. You would need to look into the email server to see why it is generating the reset.

Also, you can try disabling inspect esmtp on the ASA, if that's enabled.

Do rate if helpful.

Regards,

Sushil

New Member

Re: TCP Reset-I in PIX Log

I'm going to disable esmtp to see if that will help. We use an IronPort device as our SMTP server. There have been no configuration changes on it that I'm aware of.

New Member

Re: TCP Reset-I in PIX Log

Disabling esmtp resolved the issue. Was this a new feature of 7.0.4? Should I leave this turned off globally or is there a way to tweak the setting to not check for certain IP addresses or email domains?

Cisco Employee

Re: TCP Reset-I in PIX Log

Here you go:

Considering 4.2.2.2 is the IP address of the email domain to which you are facing issues sending email:

ASA5510-Single(config)# policy-map global_policy

ASA5510-Single(config-pmap)# class inspection_default

ASA5510-Single(config-pmap-c)# no inspect esmtp

ASA5510-Single(config)# access-l 101 deny ip any host 4.2.2.2

ASA5510-Single(config)# access-l 101 permit ip any any

ASA5510-Single(config)# class-map myesmtp

ASA5510-Single(config-cmap)# match access-list 101

ASA5510-Single(config-cmap)# exit

ASA5510-Single(config)# policy-map global_policy

ASA5510-Single(config-pmap)# class myesmtp

ASA5510-Single(config-pmap-c)# inspect esmtp

Pretty much, you specify an access rule which defines what traffic should be inspected by the esmtp inspect. If there is a "deny" in the access list, that traffic would bypass the inspection engine.

Do rate if helpful.

Regards,

Sushil

New Member

Re: TCP Reset-I in PIX Log

Thanks for the example Sushil. I am having problems receiving e-mails FROM a domain. In your example above you said it was for an issue with sending e-mails TO a domain. Would the commands be the same?

Cisco Employee

Re: TCP Reset-I in PIX Log

Just replace:

access-l 101 deny ip any host 4.2.2.2

with

access-l 101 deny ip host 4.2.2.2 any

4.2.2.2 -> IP of the domain.

Do rate helpful posts.

Regards.

Sushil

New Member

Re: TCP Reset-I in PIX Log

Not sure if there is something wrong with the configuration commands you sent or I'm doing something wrong. As soon as I enter the inspect esmtp command toward the bottom, all access to the internet seems to be blocked.

Cisco Employee

Re: TCP Reset-I in PIX Log

The suggested commands in no way can block internet traffic.

Is access-l 101 already defined somewhere in your configuration?

Not sure what is wrong. Can you post the "sh run" command output?

Regards,

Sushil

New Member

Re: TCP Reset-I in PIX Log

I attached the commands I entered (modified per my naming conventions) plus the output from sh run. I faked some of the IP addresses.

New Member

Re: TCP Reset-I in PIX Log

Cisco tech support suggested the below changes and that resolved the issue.

access-list esmtp_acl extended deny tcp host 193.246.239.72 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.73 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.74 any eq 25

access-list esmtp_acl extended deny tcp host 193.246.239.75 any eq 25

access-list esmtp_acl extended permit tcp any any eq 25
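
Added example, not part of the thread and not Cisco's code: a small Python model of first-match ACL evaluation, showing which flows each access list from the thread would select for the class that carries inspect esmtp. The addresses 203.0.113.5, 10.1.255.60 and 198.51.100.10 are constructed samples, and only the `any`, `host` and `eq` forms used on this page are modelled.

```python
import ipaddress

# ACLs as posted in the thread (101 in its "receiving from a domain" form).
ACL_101 = [
    "access-l 101 deny ip host 4.2.2.2 any",
    "access-l 101 permit ip any any",
]
ESMTP_ACL = [
    "access-list esmtp_acl extended deny tcp host 193.246.239.72 any eq 25",
    "access-list esmtp_acl extended deny tcp host 193.246.239.73 any eq 25",
    "access-list esmtp_acl extended deny tcp host 193.246.239.74 any eq 25",
    "access-list esmtp_acl extended deny tcp host 193.246.239.75 any eq 25",
    "access-list esmtp_acl extended permit tcp any any eq 25",
]

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the front of a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("only 'any' and 'host' are modelled: %r" % tok)

def parse_ace(line):
    """Return (action, protocol, source net, destination net, dest port or None)."""
    tok = [t for t in line.split()[2:] if t != "extended"]  # drop keyword and ACL name
    action, proto = tok[0], tok[1]
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def selected_for_inspection(acl, proto, src, dst, dport):
    """First matching entry wins: permit selects the flow for the class,
    deny or no match (implicit deny) leaves it out of the class."""
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl):
        if (a_proto in ("ip", proto)
                and ipaddress.ip_address(src) in a_src
                and ipaddress.ip_address(dst) in a_dst
                and a_port in (None, dport)):
            return action == "permit"
    return False

# Sample flows: the first is the connection from the log line, the rest are constructed.
FLOWS = {
    "mail from 193.246.239.75": ("tcp", "193.246.239.75", "10.1.255.48", 25),
    "mail from other sender": ("tcp", "203.0.113.5", "10.1.255.48", 25),
    "outbound web": ("tcp", "10.1.255.60", "198.51.100.10", 80),
}
```

In this model ACL 101 selects the outbound web flow for the ESMTP class as well as mail, while esmtp_acl selects only port-25 traffic from senders other than the four exempted hosts.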
