RE: FWX_E_TCP_NO_SYN_PACKET_DROPPED on SMTP Connections & HTTP
From: GRhys (GRhys_at_discussions.microsoft.com)
Date: 01/23/05
- Next message: GRhys: "RE: ISA 2004 with Exchange 2003 and Existing Firewall"
- Previous message: CC: "RE: Need to restart ISA every morning"
- In reply to: Chris: "RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED on SMTP Connections"
- Next in thread: Chris: "RE: FWX_E_TCP_NO_SYN_PACKET_DROPPED on SMTP Connections & HTTP"
- Reply: Chris: "RE: FWX_E_TCP_NO_SYN_PACKET_DROPPED on SMTP Connections & HTTP"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 22 Jan 2005 23:07:02 -0800
Chris,
I built a second ISA identical to the first, but with no W2K or ISA patches
added. I also didn't install the SurfControl for Web on ISA and McAfee AV for
SurfControl which is running on the live server - I'd already switched them
off but wanted to check the problem against code level. When I swapped it
inline instead of the live server, I still got the error messages on the
replacement baseline build ISA Server, so concluded it's not down to the
additions.
The only reduction in errors occurred when I stopped the AV scan on the
external SGS 5400 Appliance Firewall, and then the majority of emails got
through, BUT I still got the errors. I have support calls raised with MS &
Symantec, and will report here. This is crushing the customer's email
dependency and I need to resolve ASAP.
I had thought there might be problems on the internal network (it's running
sluggish) that were delaying the response packets, as the NO_SYN_DROPPED is
mostly on the internal interface (response packets to inbound email sessions).
I have a Network Monitor trace taken on the ISA (internal & external I/F) to
plough through today.
Gareth
PS. Is your product Symantec for ISA, standalone Symantec G/W, or an
appliance ?
"Chris" wrote:
> I am having a similar problem. Many emails are not getting through to my
> Symantec for SMTP gateway. Looking at the ISA logs, it is dropping random
> smtp packets for some reason. I am running W2K3 and ISA 2004 with all updates
> also. This is really a big problem.
>
> "GRhys" wrote:
>
> > The above has started occurring on our ISA Server 2004 with latest updates on
> > SMTP and HTTP packets. SMTP email is being corrupted and is not getting
> > through reliably to the internal MS Exchange server (NOT published by ISA,
> > Static NAT is on external Symantec SGS5400 E3 Firewall)
> >
> > MSX Cluster --- PIX --- ISA -- SGS --- ISP Router --- The Internet
> >
> > ISA is acting as inline proxy for HTTP, and pass through without NAT for SMTP.
> > E3 SGS 5400 is outer firewall.
> > E3 PIX 515 is inner firewall (had to previously switch off SMTP fixup).
> >
> > I get the session Denied message in the log, and after adding columns and
> > expanding the display on ISA Management saw the
> > FWX_E_TCP_NOT_SYN_PACKET_DROPPED on the end of the line. I understand that
> > ISA doesn't see the SYN in the TCP packet it thinks is starting a connection,
> > but this is an anomaly - SYN will be sent when connections established. I
> > have NETMON on the ISA Server, and will be taking a trace. I suspect ISA may
> > be dropping current session state information, and thus sees follow on
> > packets (both inbound and outbound) as SYN problems. Is this a bug !! ?
> >
> > Any comments on similar experiences appreciated - is it caused by the
> > addition of a new W2K3 / ISA patch, or recently we added SurfControl for Web
> > with McAfee AV. Undoing would be major embarrassment - IT'S SUPPOSED TO WORK.
> >
> > Thanks
> > GRhys (UK)
> > --
> > Gareth Rhys MCSE RSACE NSA
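
Added example (not part of either poster's message, and not ISA Server's own logic): a simplified stateful-inspection model that replays a packet list, such as one exported from a capture, and marks every packet that arrives without a SYN and without a live session entry. The addresses, the packet list and the 60-second idle timeout are constructed assumptions; it shows how a delayed response packet and a lost session entry produce the same "not SYN" drop.

```python
from collections import namedtuple

# Constructed record layout: time in seconds, endpoints, TCP flags as letters (S, A, P, F, R)
Pkt = namedtuple("Pkt", "t src sport dst dport flags")

IDLE_TIMEOUT = 60.0  # assumed idle timeout for this model, not an ISA Server setting

def flow_key(p):
    # Direction-independent key so both halves of a session share one table entry
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def classify(packets, idle_timeout=IDLE_TIMEOUT):
    """Return [(packet, verdict)] where verdict is ALLOW or DROP_NOT_SYN."""
    table = {}  # flow key -> time of the last allowed packet
    results = []
    for p in sorted(packets, key=lambda pkt: pkt.t):
        key = flow_key(p)
        last = table.get(key)
        if last is not None and p.t - last > idle_timeout:
            del table[key]  # session state aged out before this packet arrived
            last = None
        opens_session = "S" in p.flags and "A" not in p.flags
        if last is None and not opens_session:
            # No state and no SYN: the condition the log reports as a not-SYN drop
            results.append((p, "DROP_NOT_SYN"))
            continue
        if "R" in p.flags:
            table.pop(key, None)  # a reset tears the session down
        else:
            table[key] = p.t
        results.append((p, "ALLOW"))
    return results

# Constructed inbound SMTP session: the server's reply is delayed past the idle timeout
MTA, MSX = ("203.0.113.10", 40000), ("10.0.0.25", 25)
SAMPLE = [
    Pkt(0.0, *MTA, *MSX, "S"),
    Pkt(0.1, *MSX, *MTA, "SA"),
    Pkt(0.2, *MTA, *MSX, "A"),
    Pkt(1.0, *MTA, *MSX, "PA"),
    Pkt(70.0, *MSX, *MTA, "PA"),   # late response from the internal side
    Pkt(75.0, *MTA, *MSX, "PA"),   # sender's retransmission, state already gone
]

if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.t:6.1f}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {pkt.flags:3} {verdict}")
```
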