02.13.2008 at 07:53PM PST, ID: 23161987
SMTP server rule breaks incoming connections then rejects packets

Tags: Microsoft, ISA Server, 2006, smtp server firewall rule
I have a simple network set-up:

Internal network 192.168.1.0/24.
Perimeter network 10.1.1.0/24
ISA 2006 standard server as back firewall with internal address 192.168.1.221, external address 10.1.1.220
Front Cisco firewall forwarding port 25 to 10.1.1.220
Internal Exchange 2003 mail server at 192.168.1.204
Standard ISA SMTP publishing rule set up to publish SMTP Server.

When I use the SMTP tester at http://www.zoneedit.com/smtp.html I receive the test email and all is well.

When a server tries to send mail (presumably that's more than a few lines of text), it's not received. The firewall log (an excerpt focusing on the problem) says:

| Original Client IP | Transport | Source Network | Destination Network | GMT Log Time | Source Port | Processing Time | Bytes Sent | Bytes Received | Log Record Type | Log Time | Client IP | Destination IP | Destination Port | Protocol | Action | Rule | Result Code |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 208.78.69.71 | TCP | External | Internal | 14/02/2008 0:27 | 59992 | | | | Firewall | 14/02/2008 11:27 | 208.78.69.71 | 192.168.1.204 | | SMTP Server | Initiated Connection | Publish Exchange SMTP SMTP Server | 0x0 ERROR_SUCCESS |
| 208.78.69.71 | TCP | External | Internal | 14/02/2008 0:33 | 59992 | 385985 | 571 | 122 | Firewall | 14/02/2008 11:33 | 208.78.69.71 | 192.168.1.204 | | SMTP Server | Closed Connection | Publish Exchange SMTP SMTP Server | 0x80074e24 FWX_E_CONNECTION_KILLED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
| 208.78.69.71 | TCP | External | Local Host | 14/02/2008 0:34 | 59992 | | | | Firewall | 14/02/2008 11:34 | 208.78.69.71 | 10.1.1.220 | | SMTP | Denied Connection | | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED |
and so on.

It appears that the ISA Server kills the connection before the data packets arrive and then rejects the data packets. I don't know why. I also don't understand why the destination address changes in the firewall from 192.168.1.204 to 10.1.1.220.

Unbinding the SMTP application filter from the SMTP server firewall rule changes the "connection killed" message to "abortive shutdown", but the behaviour seems otherwise the same.
Question Stats
Zone: Microsoft
Question Asked By: apc180967
Solution Provided By: apc180967
Participating Experts: 0
Solution Grade: A
Views: 68
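
An added example, not part of the original question: a short Python correlation over the quoted log records, showing that every denied packet belongs to the same flow (client IP and source port) as the connection the firewall had already killed. The CSV column names and the `orphaned_flows` function are assumptions made for this sketch; the sample rows are constructed from the values in the excerpt above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: selected fields of the records quoted in the question,
# rewritten as CSV. Column names are assumptions, not ISA Server's export format.
DENIED = ("14/02/2008 0:34,208.78.69.71,59992,10.1.1.220,Denied Connection,"
          "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED\n")
SAMPLE = (
    "gmt_time,client_ip,src_port,dest_ip,action,result\n"
    "14/02/2008 0:27,208.78.69.71,59992,192.168.1.204,"
    "Initiated Connection,0x0 ERROR_SUCCESS\n"
    "14/02/2008 0:33,208.78.69.71,59992,192.168.1.204,"
    "Closed Connection,0x80074e24 FWX_E_CONNECTION_KILLED\n"
    + DENIED * 9  # the excerpt shows nine identical denied records
)


def orphaned_flows(log_text):
    """Return flows whose connection was closed with an error and which then
    produced non-SYN drops, keyed by (client_ip, src_port)."""
    flows = defaultdict(lambda: {"published_to": None, "killed_by": None,
                                 "late_packets": 0, "late_dest": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        flow = flows[(row["client_ip"], row["src_port"])]
        # Result column is "<hex code> <symbolic name>"; keep the name.
        code = (row["result"].split() or [""])[-1]
        if row["action"] == "Initiated Connection":
            flow["published_to"] = row["dest_ip"]
        elif row["action"] == "Closed Connection" and code != "ERROR_SUCCESS":
            flow["killed_by"] = code
        elif code == "FWX_E_TCP_NOT_SYN_PACKET_DROPPED" and flow["killed_by"]:
            # Only segments arriving after the kill count: by then the firewall
            # holds no state for the flow, so they match no connection.
            flow["late_packets"] += 1
            flow["late_dest"] = row["dest_ip"]
    return {k: v for k, v in flows.items() if v["killed_by"] and v["late_packets"]}


if __name__ == "__main__":
    for (ip, port), f in orphaned_flows(SAMPLE).items():
        print(f"{ip}:{port} published to {f['published_to']}, closed with "
              f"{f['killed_by']}, then {f['late_packets']} non-SYN packets "
              f"dropped at {f['late_dest']}")
```

Read this way, the change of destination from 192.168.1.204 to 10.1.1.220 is consistent with packets that arrive after the published connection's state is gone and are logged against the firewall's own external address.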
02.24.2008 at 09:50PM PST, ID: 20973154
