Welcome to ISAserver.org
Mail server listener not catching all traffic
Mail server listener not catching all traffic - 15.Dec.2005 10:21:18 PM
cracky
Posts: 3
Joined: 15.Dec.2005
Status: offline
I'm having some trouble with our mail server. We did a server publishing rule to catch traffic coming in on an external IP and using a listener, send it to an internal IP. Well, this works most of the time, but people intermittently have trouble checking their mail. When I was looking in the logs, I found that traffic going to the public IP of our mail server from External to Internal routed and was allowed access. However, some people were going to the same public IP address, but the route was from External to Localhost. This traffic was denied. Any clue on why it would sometimes go to localhost instead of the internal network?
Thanks
Chris
RE: Mail server listener not catching all traffic - 16.Dec.2005 12:59:28 AM
cracky
Posts: 3
Joined: 15.Dec.2005
Status: offline
Sure. Thanks for the quick reply. Here's what I have. I hope it doesn't look too messed up... If you notice, the listener will forward the client to the 10.1.1.60 (internal) address most of the time. However, every once in a while, it will just go through on 69.44.230.10 (public). It's like the listener didn't pick it up for some reason. I assume this has something to do with the Destination network being local host instead of internal.
Log Time | Destination IP | Destination Port | Protocol | Action | Rule | Client IP | Source Network | Destination Network | Result Code
12/15/2005 17:01 | 69.44.230.10 | 110 | POP3 | Denied Connection | | 66.202.46.95 | External | Local Host | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
12/15/2005 17:04 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:04 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
12/15/2005 17:04 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:04 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
12/15/2005 17:09 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:09 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
12/15/2005 17:09 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:09 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
12/15/2005 17:10 | 69.44.230.10 | 110 | POP3 | Denied Connection | | 66.202.46.95 | External | Local Host | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
12/15/2005 17:14 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:14 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
12/15/2005 17:14 | 10.1.1.60 | 110 | POP3 Server | Initiated Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x0
12/15/2005 17:14 | 10.1.1.60 | 110 | POP3 Server | Closed Connection | [Primary Mail Server] mail.* POP3 Server | 66.202.46.95 | External | Internal | 0x80074e24
RE: Mail server listener not catching all traffic - 18.Dec.2005 9:52:32 PM
cracky
Posts: 3
Joined: 15.Dec.2005
Status: offline
Thanks Thomas, much appreciated. Let me know if you need anything else from our logs. This isn't limited to just this one IP, it seems like most people randomly come in this Extranet -> Localhost every once in a while.
Thanks
Chris
RE: Mail server listener not catching all traffic - 3.Jan.2006 11:17:12 PM
ealdridge
Posts: 84
Joined: 15.Nov.2005
Status: offline
<bump> any ideas Tom? thanks!
RE: Mail server listener not catching all traffic - 4.Jan.2006 4:56:59 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi EA, Sorry about that! I took a breather for most of DEC, but am getting my sea legs again. I'll check this out this week. Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Mail server listener not catching all traffic - 10.Jan.2006 2:19:56 AM
networkdude
Posts: 10
Joined: 31.Oct.2003
From: Seattle
Status: offline
Hello Tom, I’m experiencing this issue also. Happens randomly. Roughly about 8% of SMTP packets get denied with this error: “0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED” As cracky described, the destination IP for these denieds is the external IP of ISA. As expected, the destination of the normal packets for the mail server rule is the IP of the Exchange Server. Seems like some kind of abnormal session build or teardown or something weird. The fact that there are so many of these is disconcerting. 8% of packets in a busy day is a lot of denied SMTP traffic. Some previous posts in other forums allude that this is ISA protecting from hacker attempts. This is definitely not the case here. The source of all these packets is a limited set of known and trusted SMTP hosts, not the public at large. I’ve also seen this on other ISA installs and on different protocols, HTTP for one. Not sure what the impact is. In the SMTP case, it seems to slow down message delivery but there are no complaints about missing emails. I wonder what would be a good troubleshooting approach. The hope is that someone has figured it out already or perhaps Microsoft can shed some light…
John
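One way to measure the pattern described in the posts above, as an added example that is not part of the original thread: it counts FWX_E_TCP_NOT_SYN_PACKET_DROPPED denials per client and port and notes how many were logged shortly after a closed connection from the same client. The sample rows are constructed (documentation-range addresses, made-up rule name); the tab-separated export in the column order cracky posted, chronological ordering and the five-minute window are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["time", "dst_ip", "dst_port", "protocol", "action", "rule",
          "client_ip", "src_net", "dst_net", "result"]
NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"
CLIENT, PUBLIC_IP, MAIL_IP = "198.51.100.95", "203.0.113.10", "10.1.1.60"

def _published(t, action, code):
    # Constructed row: traffic matched by the publishing rule (External -> Internal).
    return (t, MAIL_IP, "110", "POP3 Server", action, "Example POP3 rule",
            CLIENT, "External", "Internal", code)

def _denied(t):
    # Constructed row: non-SYN packet denied at the firewall (External -> Local Host).
    return (t, PUBLIC_IP, "110", "POP3", "Denied Connection", "",
            CLIENT, "External", "Local Host", "0xc0040017 " + NOT_SYN)

# Constructed sample; assumed export format is tab-separated, oldest row first.
SAMPLE = "\n".join("\t".join(row) for row in [
    _denied("12/15/2005 17:01"),
    _published("12/15/2005 17:04", "Initiated Connection", "0x0"),
    _published("12/15/2005 17:04", "Closed Connection", "0x80074e24"),
    _published("12/15/2005 17:09", "Initiated Connection", "0x0"),
    _published("12/15/2005 17:09", "Closed Connection", "0x80074e24"),
    _denied("12/15/2005 17:10"),
])

def summarize(text, window=timedelta(minutes=5)):
    """Per (client, port): connections opened, non-SYN drops, and drops
    logged within `window` after that client's most recent close."""
    stats = defaultdict(lambda: {"opened": 0, "dropped": 0, "after_close": 0})
    last_close = {}
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    for rec in reader:
        when = datetime.strptime(rec["time"], "%m/%d/%Y %H:%M")
        key = (rec["client_ip"], rec["dst_port"])
        if rec["action"] == "Initiated Connection":
            stats[key]["opened"] += 1
        elif rec["action"] == "Closed Connection":
            last_close[key] = when
        elif NOT_SYN in rec["result"]:
            stats[key]["dropped"] += 1
            closed = last_close.get(key)
            if closed is not None and timedelta(0) <= when - closed <= window:
                stats[key]["after_close"] += 1
    return dict(stats)

if __name__ == "__main__":
    for (client, port), s in summarize(SAMPLE).items():
        print(client, port, s)
```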
RE: Mail server listener not catching all traffic - 10.Jan.2006 5:34:25 PM
ealdridge
Posts: 84
Joined: 15.Nov.2005
Status: offline
quote:
ORIGINAL: networkdude
Hello Tom, I'm experiencing this issue also. Happens randomly. Roughly about 8% of SMTP packets get denied with this error: "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED" As cracky described, the destination IP for these denieds is the external IP of ISA. As expected, the destination of the normal packets for the mail server rule is the IP of the Exchange Server. Seems like some kind of abnormal session build or teardown or something weird. The fact that there are so many of these is disconcerting. 8% of packets in a busy day is a lot of denied SMTP traffic. Some previous posts in other forums allude that this is ISA protecting from hacker attempts. This is definitely not the case here. The source of all these packets is a limited set of known and trusted SMTP hosts, not the public at large. I've also seen this on other ISA installs and on different protocols, HTTP for one. Not sure what the impact is. In the SMTP case, it seems to slow down message delivery but there are no complaints about missing emails. I wonder what would be a good troubleshooting approach. The hope is that someone has figured it out already or perhaps Microsoft can shed some light…
John

doesn't look like it's been fixed.. I too thought the error was the one you're having... but after monitoring the logs, I found that the "Failed connection attempt" is my issue... happens very randomly... http://forums.isaserver.org/grrrrrrr%25%25help/m_2002002320/tm.htm
I'm currently waiting to speak with a "Senior Level Engineer" at Microsoft - scheduled to speak with him/her tomorrow 9am CST, the support tech I was working with said he wasn't sure what was going on... read the thread I posted above.... it looks like people had similar issues on ISA 2000, and there's a great article on this site with a fix, (too bad it doesn't work on 2k4)...
-Edward
< Message edited by ealdridge -- 10.Jan.2006 5:35:40 PM >
RE: Mail server listener not catching all traffic - 11.Jan.2006 4:19:19 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: networkdude
Hello Tom, I'm experiencing this issue also. Happens randomly. Roughly about 8% of SMTP packets get denied with this error: "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED" As cracky described, the destination IP for these denieds is the external IP of ISA. As expected, the destination of the normal packets for the mail server rule is the IP of the Exchange Server. Seems like some kind of abnormal session build or teardown or something weird. The fact that there are so many of these is disconcerting. 8% of packets in a busy day is a lot of denied SMTP traffic. Some previous posts in other forums allude that this is ISA protecting from hacker attempts. This is definitely not the case here. The source of all these packets is a limited set of known and trusted SMTP hosts, not the public at large. I've also seen this on other ISA installs and on different protocols, HTTP for one. Not sure what the impact is. In the SMTP case, it seems to slow down message delivery but there are no complaints about missing emails. I wonder what would be a good troubleshooting approach. The hope is that someone has figured it out already or perhaps Microsoft can shed some light…
John

Hi John, You could be running into a connection limits issue. Create an exception for the SMTP server and see if that helps.
HTH,
Tom
RE: Mail server listener not catching all traffic - 11.Jan.2006 4:20:54 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: networkdude
Hello Tom, I'm experiencing this issue also. Happens randomly. Roughly about 8% of SMTP packets get denied with this error: "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED" As cracky described, the destination IP for these denieds is the external IP of ISA. As expected, the destination of the normal packets for the mail server rule is the IP of the Exchange Server. Seems like some kind of abnormal session build or teardown or something weird. The fact that there are so many of these is disconcerting. 8% of packets in a busy day is a lot of denied SMTP traffic. Some previous posts in other forums allude that this is ISA protecting from hacker attempts. This is definitely not the case here. The source of all these packets is a limited set of known and trusted SMTP hosts, not the public at large. I've also seen this on other ISA installs and on different protocols, HTTP for one. Not sure what the impact is. In the SMTP case, it seems to slow down message delivery but there are no complaints about missing emails. I wonder what would be a good troubleshooting approach. The hope is that someone has figured it out already or perhaps Microsoft can shed some light…
John

Hi John, Just a quick note here -- this thread was discussing POP3, not SMTP. I think your problem is quite different.
HTH,
Tom
RE: Mail server listener not catching all traffic - 11.Jan.2006 4:21:34 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: ealdridge
quote:
ORIGINAL: networkdude
Hello Tom, I'm experiencing this issue also. Happens randomly. Roughly about 8% of SMTP packets get denied with this error: "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED" As cracky described, the destination IP for these denieds is the external IP of ISA. As expected, the destination of the normal packets for the mail server rule is the IP of the Exchange Server. Seems like some kind of abnormal session build or teardown or something weird. The fact that there are so many of these is disconcerting. 8% of packets in a busy day is a lot of denied SMTP traffic. Some previous posts in other forums allude that this is ISA protecting from hacker attempts. This is definitely not the case here. The source of all these packets is a limited set of known and trusted SMTP hosts, not the public at large. I've also seen this on other ISA installs and on different protocols, HTTP for one. Not sure what the impact is. In the SMTP case, it seems to slow down message delivery but there are no complaints about missing emails. I wonder what would be a good troubleshooting approach. The hope is that someone has figured it out already or perhaps Microsoft can shed some light…
John

doesn't look like it's been fixed.. I too thought the error was the one you're having... but after monitoring the logs, I found that the "Failed connection attempt" is my issue... happens very randomly... http://forums.isaserver.org/grrrrrrr%25%25help/m_2002002320/tm.htm
I'm currently waiting to speak with a "Senior Level Engineer" at Microsoft - scheduled to speak with him/her tomorrow 9am CST, the support tech I was working with said he wasn't sure what was going on... read the thread I posted above.... it looks like people had similar issues on ISA 2000, and there's a great article on this site with a fix, (too bad it doesn't work on 2k4)...
-Edward

Hi Edward, Let us know what you find out after your discussion with PSS.
Thanks!
Tom
RE: Mail server listener not catching all traffic - 11.Jan.2006 5:14:07 PM
ealdridge
Posts: 84
Joined: 15.Nov.2005
Status: offline
so the update I got today from MS was after they reviewed the MPS reports off my ISA server. my network drivers were a few months out of date... I can't reboot the server or update the drivers until tonight so we will see if that's really the issue .... I'll let you guys know..
-Edward
RE: Mail server listener not catching all traffic - 13.Jan.2006 3:33:56 PM
ealdridge
Posts: 84
Joined: 15.Nov.2005
Status: offline
quote:
ORIGINAL: tshinder
Hi Edward, This will be really cool if it turns out that the NIC drivers are the cause of a selective POP3 issue! Thanks! Tom

just updated the other thread about this issue, but I'll post here as well
--------
wasn't the issue.. but... it can't help but to update the network drivers..
I think I have FINALLY solved the issue.. (no help from Microsoft though)....
in my POP3 / SMTP rules.. I changed the setting.... on the "TO" tab of the rule......
changed the setting
FROM -> requests appear to come from the original CLIENT...
TO -> requests appear to come from the ISA server
this has seemed to fix my problem.. I changed the rules yesterday at 9AM and so far (24 hours later) I haven't had a SINGLE failure...
this should be a darned sticky for people having this issue :)
-thanks for the help guys!
RE: Mail server listener not catching all traffic - 27.Jan.2006 4:38:33 PM
dgunner
Posts: 27
Joined: 1.Dec.2005
Status: offline
I'm having a similar issue (I think). I have maybe 30/40% of all incoming SMTP connections getting as far as the adapter for the anonymous access DMZ and reporting "access is denied". Sometimes the connections are made to the actual SMTP server and sometimes not. This is the error from the logs for the denied connections: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
Some mail does get through but some - such as Lycos - always seem to fail with this error. Any ideas?
Thanks