TCP_NOT_SYN_PACKET_DROPPED

paulo.oliveira -> TCP_NOT_SYN_PACKET_DROPPED (12.Jun.2008 2:30:02 PM)

Hello all,

I have the following scenario: my internal users need to access a pop3/smtp server to send and receive e-mails. I have a rule allowing pop3/smtp from internal to external. Sometimes they can't send e-mail and ISA logs the following message: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED.
I was capturing those packets, and for some of them the following message appears: This frame is a (suspected) retransmission.

Does anybody have any idea what it could be?
Is there any way to disable this ISA functionality?

Thanks in advance.




tshinder -> RE: TCP_NOT_SYN_PACKET_DROPPED (17.Jun.2008 7:55:39 AM)

Hi Paulo,

Sending mail is SMTP. Is that where the problem is?

Tom




paulo.oliveira -> RE: TCP_NOT_SYN_PACKET_DROPPED (17.Jun.2008 10:09:29 AM)

Hi Tom,

I know that. But, like I said, they need to send and receive e-mails, that's why I need to allow pop and smtp.

The problem usually happens when they are sending e-mails (SMTP). Do you have any idea what's going on, based on the log messages?

Do you want more info? Just ask.

Thanks for the help.
Paulo Oliveira.




tshinder -> RE: TCP_NOT_SYN_PACKET_DROPPED (18.Jun.2008 10:58:01 AM)

Hi Paulo,

It could be that those users have an email worm and are hitting your connection limits.

HTH,
Tom




paulo.oliveira -> RE: TCP_NOT_SYN_PACKET_DROPPED (18.Jun.2008 11:46:28 AM)

Hi Tom,

I think this is not the problem, because we tried with a clean machine and we still got the problem.

One more detail (don't know if it matters): our bandwidth usage is 97% most of the time. Could this maybe have some influence?

Regards,
Paulo Oliveira.




tshinder -> RE: TCP_NOT_SYN_PACKET_DROPPED (18.Jun.2008 12:16:55 PM)

Hi Paulo,

Yes! That certainly could be the problem. If it's hanging around 97% most of the time, there are going to be a good percentage of times that it's at 100% and some connections are going to be dropped.

HTH,
Tom




paulo.oliveira -> RE: TCP_NOT_SYN_PACKET_DROPPED (18.Jun.2008 2:13:03 PM)

Hi Tom,

I was thinking about that too. And just as a test, I disabled the anti-spoofing feature for a couple of days, and even with the link at 97% most of the time, we experienced a good improvement in sending e-mail.
What do you think about that?

Regards,
Paulo Oliveira.




jmilito -> RE: TCP_NOT_SYN_PACKET_DROPPED (18.Jun.2008 4:29:40 PM)

Just a little note... I would also try to see if you can figure out what that traffic is, to see if there is anything you can get rid of... especially if it is malicious. GFI WebMonitor would help with controlling malicious traffic as well as some of the leisure sites during business hours. You might try FairShare for ISA or a third-party packet-shaping appliance as well. Just thoughts, of course.




tshinder -> RE: TCP_NOT_SYN_PACKET_DROPPED (22.Jun.2008 11:01:37 AM)

Hi J,

Good ideas!

Thanks!
Tom



