Packet Capture email around firewall
Posted on 2013-11-27
I'm having trouble with a Juniper SRX240 firewall that is occasionally blocking email - I believe only on receive.
- email comes from an outside server
- It appears that the blocking can be client-specific. Some clients can get mail while others cannot. I won't guarantee 100% that this is correct, but I believe it is.
- Usually, email just works. But every few weeks we get this blocking behavior. It lasts for a day or so and then, due to one thing or another (including my interventions), it heals itself.
- Rebooting the SRX doesn't seem to be a fix.
- The SRX is doing AV scanning on the email traffic and is supposed to be well-capable of handling that load.
- So far we have not been able to determine what's causing the blocking.
- Juniper Networks has not been able to instrument and see anything untoward during periods that blocking is occurring.
Here is my plan of attack now:
- I'm going to capture packets on both sides of the SRX. This is up and running now using switch mirror ports.
- I'm going to set capture filters on the LAN side to focus on a failing client IP address AND the server public IP address. This works fine.
- I would like to set up capture or display filters on the public side of the SRX but, with NAT involved, I'm not sure how to limit the capture to the particular client. Obviously one can't see the LAN IP addresses on the public side. I guess the port number would be an idea but I don't know if port numbers tend to change by email session or....?
- In the end I want to analyze the packets on both sides of the SRX to see what might be getting blocked. So, having a minimum of packets would be good.
- I would like to merge the two capture files and sort by time of day. Presumably this would be possible but I've not done it before. Perhaps simply appending one file to the other and sorting, eh?
Any thoughts, comments, approaches would be appreciated.
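One way to approach the NAT problem described in the post, as an added example that is not from the poster: correlate the inside and outside captures on header fields that source NAT leaves untouched, recover the inside-to-outside port mapping for one client, build a public-side display filter from it, and list the inside segments that never show up on the outside. The per-segment rows are constructed here (the kind of thing `tshark -T fields` exports), and it assumes the SRX does not proxy or re-sequence the TCP session; if its AV engine does, the match key would have to be a payload hash instead.

```python
from collections import namedtuple

# One row per TCP segment from each mirror-port capture (constructed sample data).
Pkt = namedtuple("Pkt", "ts side src sport dst dport ip_id seq plen")

SRV = "203.0.113.25"   # outside mail server (constructed, documentation range)
PUB = "198.51.100.7"   # SRX public source-NAT address (constructed)

LAN = [  # inside mirror port: real client addresses are visible
    Pkt(10.000, "lan", "192.168.1.50", 51000, SRV, 110, 4001, 1000, 0),
    Pkt(10.020, "lan", "192.168.1.50", 51000, SRV, 110, 4002, 1001, 30),
    Pkt(10.500, "lan", "192.168.1.77", 52222, SRV, 110, 7001, 9000, 0),
    Pkt(10.520, "lan", "192.168.1.77", 52222, SRV, 110, 7002, 9001, 30),
]
WAN = [  # outside mirror port: only the SRX public address is visible
    Pkt(10.001, "wan", PUB, 33001, SRV, 110, 4001, 1000, 0),
    Pkt(10.021, "wan", PUB, 33001, SRV, 110, 4002, 1001, 30),
    Pkt(10.501, "wan", PUB, 33002, SRV, 110, 7001, 9000, 0),
    # the second segment from 192.168.1.77 never appears on the outside
]

def nat_key(p):
    # Assumption: source NAT rewrites only the source address/port; destination,
    # IP ID, TCP seq and payload length pass through unchanged.
    return (p.dst, p.dport, p.ip_id, p.seq, p.plen)

def correlate(lan, wan):
    """Pair each inside segment with its outside twin; collect the unpaired ones."""
    index = {nat_key(p): p for p in wan}
    matched, missing = {}, []
    for p in lan:
        m = index.get(nat_key(p))
        if m is None:
            missing.append(p)
        else:
            matched[p] = m
    return matched, missing

def nat_table(matched):
    """Inside (ip, port) -> outside (ip, port), learned from the matched pairs."""
    return {(l.src, l.sport): (w.src, w.sport) for l, w in matched.items()}

def public_filter(table, client_ip):
    """Wireshark display filter selecting only this inside client's translated flows."""
    ports = sorted({w[1] for l, w in table.items() if l[0] == client_ip})
    return " or ".join(f"tcp.port == {p}" for p in ports)

def merged_timeline(lan, wan):
    """Both captures as one list ordered by timestamp (what mergecap does for pcaps)."""
    return sorted(lan + wan, key=lambda p: p.ts)
```

Segments reported as missing are candidates for what the SRX dropped or held for scanning; the two capture hosts need synchronized clocks for the merged ordering to mean anything.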