RE: 3GB of traffic over 2 days - SMTP denied - is ISA causing a mail loop?
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 12.Jul.2006 11:50:28 AM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
I didn't get any useful answer from them, but what symptoms are you seeing? The main reason MS weren't interested in my case was that I was the only person reporting it... If there are a few people with the same problem it'll definitely be worth calling them to re-open the case.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 12.Jul.2006 12:29:14 PM
simonhill
Posts: 21
Joined: 1.Mar.2005
From: UK
Status: offline
Very similar to the symptoms you were getting, but instead of SMTP being affected it is traffic from internal domain controllers to clients located on a DMZ on the ISA. Network connectivity seems unaffected (i.e. basic ping, even RDP sessions work across the ISA), but traffic from the domain controllers to the client is occasionally denied with a TCP_NOT_SYN error message. (I think it's RPC traffic, because it consists of replies to the client PC on high-numbered ports from port 135 on the domain controller.) I have been working with ISA now for about 2 years, but this one has me baffled - perhaps from external servers you would occasionally get odd-looking traffic that would cause this error, but legitimate domain communications?!
Thanks for replying, I will let you know if I get anywhere with this,
Simon.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 12.Jul.2006 12:35:11 PM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
Ok, what made you look into that, what symptoms were you seeing on the clients?
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 12.Jul.2006 12:56:15 PM
simonhill
Posts: 21
Joined: 1.Mar.2005
From: UK
Status: offline
Very slow connectivity to the domain, ~1 hour to log on... only occurred when we moved the clients into a DMZ on the ISA, previously they were connected directly to the LAN.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 13.Jul.2006 10:22:26 AM
simonhill
Posts: 21
Joined: 1.Mar.2005
From: UK
Status: offline
Found the cause of the trouble. Not sure it is going to confirm or add confusion to your theory, Ross, but I will post it anyway... One of the routers connecting the clients to the DMZ on the ISA was malfunctioning, and causing the link between them to be throttled from the expected 2MB to a few KB. Small TCP packets (such as ping) make it through, but logon traffic (which would pull back group policies, logon scripts etc. and so generates much larger responses) was not, because the TCP sessions were timing out in the ISA's session state table. This of course was generating TCP_NOT_SYN errors in the logs, as clients continued to try to connect through a now closed session.
Simon.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 13.Jul.2006 10:48:54 AM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
Very interesting, and quite possibly relevant since I suspect our problem was initially caused by a slow connection. I've got my own theory on this, but it's very much a guess and hard to prove:

I suspect in your case, as with ours, a slow connection caused a backlog of traffic going through the ISA. That could very well delay some packets, potentially for long enough to exceed the default session timeout (which I'm told is 60 seconds). Could you let us know whether it was inbound or outbound traffic that was failing? That would let us know whether it was ISA or the router that was creating this delay.

Personally, even on a slow connection I wouldn't expect any connection to go for 60 seconds with no packets passing through. I'd expect ISA or the router to be able to manage the multiple connections better than that. So if this is the root cause I guess it could be attributed ultimately to poor traffic management by ISA or your router.

My theory however is that after ISA's blocked one session like this, it sees a lot of TCP_NOT_SYN errors (due to devices resending the failed packet, not knowing that ISA's blocking their traffic). I think the number of errors exceeds whatever threshold MS configured for detecting an attack, and that ISA then reduces the session timeout. I've found no way to check the timeout, nor have I found if there's any way for ISA to notify the administrator when this happens, but I can't think of any other reason for our problem to snowball from affecting mail traffic to one server, to blocking all our outbound mails. Basically I can't see any way outbound mail traffic to 50 separate servers all exceeded a 60 second timeout, even with poor traffic management by ISA.

I'd be very interested if you can find that your logs show all the TCP_NOT_SYN's starting at the same time, or whether you see a long delay in response for one packet, triggering the first TCP_NOT_SYN, and then start to see TCP_NOT_SYN's coming from other sources.

Ross
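Added example, not part of any post in this thread: one way to run the check Ross asks for above, by ordering the first TCP_NOT_SYN denial per source/destination pair and reporting whether they all begin together or spread out from one pair. The log layout, the sample lines and the function names are constructed for the example and are not ISA's export format; the 60-second window mirrors the timeout quoted in the post.

```python
from datetime import datetime, timedelta

NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"

# Constructed sample (not from the thread). Assumed layout, one event per line:
# date time source destination port result. Addresses are documentation ranges.
SAMPLE = """\
13/07/2006 14:50:05 192.0.2.10 198.51.100.7 25 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
13/07/2006 14:50:35 192.0.2.10 198.51.100.7 25 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
13/07/2006 14:51:10 192.0.2.10 203.0.113.9 25 0x0
13/07/2006 14:58:40 192.0.2.10 203.0.113.9 25 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
13/07/2006 15:03:12 192.0.2.10 192.0.2.44 25 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
"""

def first_denials(log_text):
    """Map each (source, destination) pair to the time of its first NOT_SYN denial."""
    first = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != NOT_SYN:
            continue  # skip malformed lines and events that are not NOT_SYN denials
        when = datetime.strptime(parts[0] + " " + parts[1], "%d/%m/%Y %H:%M:%S")
        pair = (parts[2], parts[3])
        if pair not in first or when < first[pair]:
            first[pair] = when
    return first

def onset_pattern(log_text, window=timedelta(seconds=60)):
    """Return (pattern, ordered_first_denials).

    'simultaneous': every pair first fails within `window` of the earliest one.
    'spreading':    one pair fails first and others start failing later.
    'none':         no NOT_SYN denials in the log.
    """
    first = first_denials(log_text)
    if not first:
        return "none", []
    ordered = sorted(first.items(), key=lambda item: item[1])
    start = ordered[0][1]
    spread = any(when - start > window for _, when in ordered)
    return ("spreading" if spread else "simultaneous"), ordered

if __name__ == "__main__":
    pattern, ordered = onset_pattern(SAMPLE)
    print(pattern)
    for (src, dst), when in ordered:
        print(when.isoformat(), src, "->", dst)
```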
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 13.Jul.2006 5:36:25 PM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
Well, we're having another repeat of this problem right now. I've got 86 messages taking up 193MB in my outbound mail queue and they're going nowhere. Will see if I can trace the start in the firewall logs today, and will do my best to get the messages flowing without having to bypass ISA. If anyone's got any suggestions as to how I can troubleshoot this I'd love to hear them. Ross
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 13.Jul.2006 5:45:59 PM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
Ok, the very first message that failed hit its problems at 2:50pm today. The mail server is reporting the status as:

Deferred: Connection timed out with mailserver.webbesremovals.net

The logs to that address simply show the connection opening and closing, no errors are logged:

Firewall 13/07/2006 15:48 213.171.216.108 25 SMTP Closed Connection 0x80074e21 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 15:47 213.171.216.108 25 SMTP Initiated Connection 0x0 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 15:32 213.171.216.108 25 SMTP Closed Connection 0x80074e21 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 15:27 213.171.216.108 25 SMTP Initiated Connection 0x0 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 15:11 213.171.216.108 25 SMTP Closed Connection 0x80074e21 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 15:06 213.171.216.108 25 SMTP Connection Status 0x0 Exchange Server SMTP Out (ROB-026) 192.168.1.24
Firewall 13/07/2006 14:51 213.171.216.108 25 SMTP Initiated Connection 0x0 Exchange Server SMTP Out (ROB-026) 192.168.1.24

Looking at the logs in general, I've got a few FWX_NOT_SYN outbound errors before and after the problems start. There's no real change in the amount of errors seen. I don't think these are the problem. Disabling SMTP filtering now to see if that makes any difference.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 14.Jul.2006 9:18:37 AM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
Hmm.... found a solution last night. If I change the settings on the SMTP server to restrict it to just 5 outgoing connections it can deliver mail fine. The SMTP Filter was still disabled so it's possible that's a factor, but it's looking like this may be down to poor packet scheduling from ISA on slow links with a lot of traffic. In our case I know we have a slow outbound connection and a lot of traffic (we've had a 10Mb line on order with BT for 7 months now but that's a whole new story). Simon's troubles were also due to a slow connection.

I'll see if I can have a look at our logs today and see if I can find any more from there. Does anybody know if there are any tools to read Microsoft's .cap format for network traces?

Andre, I think yours is a slightly different problem. My original diagnosis was wrong, we don't get any more TCP_NOT_SYN errors here after this problem starts than we had before it, whereas you do. I would guess that you've found a definite bug in ISA with a clash between TLS and the SMTP filter and would advise you contact Microsoft. Since your problem is easily reproducible it should be easy for them to troubleshoot.

Ross
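Added example, not part of any post in this thread and not ISA Server code: a toy model of the explanation the posters converge on, in which a stateful firewall ages out idle sessions, a slow shared link stretches the gap between one connection's packets past the idle timeout, and the next mid-stream packet is denied as TCP_NOT_SYN. The 60-second timeout is the figure quoted earlier in the thread; the FIFO link, the 32 KB/s speed, the 64 KB burst size, the addresses and all names are assumptions chosen for illustration.

```python
IDLE_TIMEOUT = 60.0  # seconds; the default quoted in the thread, assumed here

class SessionTable:
    """Minimal stateful-firewall session table keyed by flow tuple."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # flow -> time of the last packet allowed through

    def packet(self, now, flow, syn=False):
        last = self.last_seen.get(flow)
        if last is not None and now - last > self.idle_timeout:
            del self.last_seen[flow]  # idle entry aged out of the table
            last = None
        if last is None and not syn:
            return "TCP_NOT_SYN"      # mid-stream packet with no session: denied
        self.last_seen[flow] = now
        return "ALLOW"

def simulate(n_flows, link_bytes_per_s, burst_bytes, rounds=2):
    """Send one burst per flow per round over a FIFO link.

    Returns {flow: time of first denial} for every flow the firewall denied.
    """
    table = SessionTable()
    flows = [("192.0.2.10", 40000 + i, f"198.51.100.{i + 1}", 25)
             for i in range(n_flows)]
    for flow in flows:
        table.packet(0.0, flow, syn=True)  # every session is opened at t=0
    now, denied = 0.0, {}
    for _ in range(rounds):
        for flow in flows:
            now += burst_bytes / link_bytes_per_s  # link is busy with this burst
            if table.packet(now, flow) != "ALLOW":
                denied.setdefault(flow, now)
    return denied

if __name__ == "__main__":
    for n in (50, 5):  # 50 destinations as in the thread, then the limit of 5
        hits = simulate(n, link_bytes_per_s=32_000, burst_bytes=64_000)
        print(f"{n} connections: {len(hits)} denied as TCP_NOT_SYN")
```

In this model each connection waits for every other connection's burst, so the idle gap grows with the number of concurrent connections; capping the count keeps the gap under the timeout.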
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 20.Aug.2006 6:42:29 PM
adenhaan
Posts: 35
Joined: 15.Jul.2005
Status: offline
Ross, I'm glad you found a solution that works in your case, agree that our issues are slightly different. As to the SMTP filter on ISA: I did find a reference here: http://www.isaserver.org/img/upl/exchangekit/2003securesmtpsmtps/2003securesmtpsmtps.htm that specifically states:

"The SMTP filter must be disabled on the ISA Server firewall. The reason is the SMTP filter does not allow TLS encrypted sessions to be created between the SMTP client and the published SMTP server."

So I do recommend you keep it disabled ;-)
Andre.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 24.Nov.2006 11:49:31 AM
jdw
Posts: 5
Joined: 8.Sep.2006
Status: offline
I'm seeing this issue on a new install of ISA2004 and it's only on port 25 (no TLS). I have a theory that the SMTP Filter is killing connections where the SMTP verb exceeds the permitted length and this gives rise to the error. I have this theory, because I was running ISA 2000 before and getting a lot of this activity filling-up the Event log (and the details were plain to see, with XAUTH messages and such-like that were way bigger than they should have been). Now I am not seeing any Event log activity of this nature and I have every reason to believe that this rubbish traffic is still incoming from the internet. Instead I think it gets dropped by the SMTP Filter and a FWX_E_TCP_NOT_SYN_PACKET_DROPPED connection denied is logged in ISA instead. Off to test my theory.
RE: 3GB of traffic over 2 days - SMTP denied - is ISA c... - 24.Nov.2006 12:11:43 PM
jdw
Posts: 5
Joined: 8.Sep.2006
Status: offline
By default, the alert for that is off (at least on my install) - hence I wasn't seeing it in the event logs. Just turned it on and monitoring. I still believe that it is the SMTP filter dropping connections that gives rise to the _SYN_ connection denied message. It looks very similar to some of the HTTP filter activity when compression cannot be negotiated.