Hi

CISCO "mail fixup rule" is broken in the PIX!

CISCO guys say it has been fixed in a "newer" version, but I haven't
seen it!

Take it out in the PIX and everything should work!

Hjorleifur Kristinson
MCSE (NT3.5, 3.51, 4.0 and W2K)


-----Original Message-----
From: Matsuhiko Saito [mailto:[EMAIL PROTECTED]] 
Sent: 17 November 2001 14:46
To: [EMAIL PROTECTED]
Subject: PIX Mail problem (resend)


I'm in trouble with incomplete SMTP sessions.

out-smtp ---> PIX ---> my-smtp

When the out-smtp server sends a mail to my-smtp via the PIX, the SMTP
connection is occasionally closed incomplete. In this case, the my-smtp
server replies with 250 (message accepted for delivery), but QUIT never
returns from out-smtp. Of course, the my-smtp server doesn't reply 221
(closing transmission channel).

On the my-smtp side, the mail is received. But the out-smtp server
continues to resend the mail until it is removed from the mail queue.
This is the trouble.

* 99.9% of SMTP sessions from out-smtp are closed normally.
  (I mean, the my-smtp server receives QUIT in most cases.)

* Out-smtp servers resending a mail have nothing in common and are not
  fixed.

* This trouble doesn't depend on the mail size, traffic, or out-smtp
  servers.

* The PIX log shows that out-smtp continues to send PUSH + ACK to the
  my-smtp server. The following is the log from when the resending started.

Can you tell me how to fix this trouble?


--------------------------------------------------------------------------------
x.x.x.x  (out-smtp server)
z.z.z.z  (Virtual IP of my-smtp server)
y.y.y.10 (my-smtp server on dmz)
y.y.y.1  (dmz interface of PIX)

08:15:54 y.y.y.1: %PIX-6-302001: Built inbound TCP connection 8684822 for faddr x.x.x.x/1643 gaddr z.z.z.z/25 laddr y.y.y.10/25
08:15:56 y.y.y.1: %PIX-6-302002: Teardown TCP connection 8684822 faddr x.x.x.x/1643 gaddr z.z.z.z/25 laddr y.y.y.10/25 duration 0:00:02 bytes 46429 (Deny)
08:15:57 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags RST ACK  on interface dmz1
08:15:58 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:00 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:04 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:12 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:28 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:17:00 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:18:04 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:19:08 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:20:12 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:21:16 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:22:20 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:23:24 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:24:28 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags RST ACK  on interface outside
08:24:28 y.y.y.1: %PIX-6-302001: Built inbound TCP connection 8685674 for faddr x.x.x.x/2178 gaddr z.z.z.z/25 laddr y.y.y.10/25
08:24:28 y.y.y.1: %PIX-6-302002: Teardown TCP connection 8685674 faddr x.x.x.x/2178 gaddr z.z.z.z/25 laddr y.y.y.10/25 duration 0:00:01 bytes 219 (TCP FINs)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
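
The pattern in the quoted log (a 302002 teardown followed by repeated 106015 denies for the same address pair) can be picked out of a larger PIX syslog mechanically. The Python below is an added example, not part of either message; the function names are hypothetical and the sample lines are a subset of the log quoted above.

```python
import re

# Sample input: a subset of the PIX log lines quoted in the message above.
SAMPLE_LOG = """\
08:15:54 y.y.y.1: %PIX-6-302001: Built inbound TCP connection 8684822 for faddr x.x.x.x/1643 gaddr z.z.z.z/25 laddr y.y.y.10/25
08:15:56 y.y.y.1: %PIX-6-302002: Teardown TCP connection 8684822 faddr x.x.x.x/1643 gaddr z.z.z.z/25 laddr y.y.y.10/25 duration 0:00:02 bytes 46429 (Deny)
08:15:57 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags RST ACK  on interface dmz1
08:15:58 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:00 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:04 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:16:12 y.y.y.1: %PIX-6-106015: Deny TCP (no connection) from x.x.x.x/1643 to y.y.y.10/25 flags PSH ACK  on interface outside
08:24:28 y.y.y.1: %PIX-6-302001: Built inbound TCP connection 8685674 for faddr x.x.x.x/2178 gaddr z.z.z.z/25 laddr y.y.y.10/25
08:24:28 y.y.y.1: %PIX-6-302002: Teardown TCP connection 8685674 faddr x.x.x.x/2178 gaddr z.z.z.z/25 laddr y.y.y.10/25 duration 0:00:01 bytes 219 (TCP FINs)
"""

TEARDOWN = re.compile(
    r"^(\d\d):(\d\d):(\d\d) \S+ %PIX-6-302002: Teardown TCP connection (\d+) "
    r"faddr (\S+) gaddr \S+ laddr (\S+) duration \S+ bytes \d+ \((.+)\)$")
DENY = re.compile(
    r"^(\d\d):(\d\d):(\d\d) \S+ %PIX-6-106015: Deny TCP \(no connection\) "
    r"from (\S+) to (\S+) flags (.+?)\s+on interface (\S+)$")

def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def orphaned_flows(lines):
    """Return torn-down connections whose peers kept sending (106015 denies)."""
    flows = {}  # (faddr, laddr) -> record for the most recent teardown
    for line in map(str.strip, lines):
        if m := TEARDOWN.match(line):
            *hms, conn, faddr, laddr, reason = m.groups()
            flows[(faddr, laddr)] = {"conn": conn, "reason": reason,
                                     "closed": _secs(*hms), "denies": []}
        elif m := DENY.match(line):
            *hms, src, dst, flags, iface = m.groups()
            rec = flows.get((src, dst)) or flows.get((dst, src))
            if rec is not None:
                rec["denies"].append((_secs(*hms), flags, iface))
    return [r for r in flows.values() if r["denies"]]

def retransmit_gaps(rec, flags="PSH ACK"):
    """Seconds between successive denied segments carrying the given flags."""
    times = [t for t, f, _ in rec["denies"] if f == flags]
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for rec in orphaned_flows(SAMPLE_LOG.splitlines()):
        print(rec["conn"], rec["reason"], len(rec["denies"]), retransmit_gaps(rec))
```

On the sample, only connection 8684822 (teardown reason "Deny") is reported, and its PSH ACK gaps are 2, 4 and 8 seconds, the doubling of TCP retransmission backoff: the sender is retrying data on a connection the PIX has already removed.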
