Cisco Email Security Appliance X1070 Troubleshooting Guide

How can I verify that my TCPREFUSE or REJECT access rule is working?
Document ID: 118214
Contributed by Jai Gill and Enrico Werner, Cisco TAC Engineers.
Aug 12, 2014
Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS
TCPREFUSE and REJECT are the two connection behaviors that are normally associated with the BLOCKED Mail Flow Policy. These access rules allow you to choose whether to block messages from a remote host with a notification (hard bounce) or to simply drop the connection. See "What is the difference between REJECT and TCPREFUSE?"

To determine whether a remote host is being dropped due to TCPREFUSE or REJECT, you can view entries in the mail logs. Mail logs contain entries for TCPREFUSE only if verbose connection logging is enabled. Additionally, you can use a protocol analyzer, such as tcpdump, to monitor the conversations at the packet level. In a protocol analyzer, the conversations for TCPREFUSE and REJECT look different.
The TCP connection flow between the ESA and the remote Message Transfer Agent (MTA) for the Reject connection is like this:

 Remote MTA  -- SYN ------>  ESA
 ESA         -- SYN, ACK ->  Remote MTA
 Remote MTA  -- ACK ------>  ESA
 ESA         -- 5XX Code ->  Remote MTA
 ESA         -- FIN, ACK ->  Remote MTA
 Remote MTA  -- ACK ------>  ESA
 Remote MTA  -- FIN, ACK ->  ESA
 ESA         -- ACK ------>  Remote MTA

The TCP connection flow between the ESA and the remote MTA for the TCP Refuse connection is like this:

 Remote MTA  -- SYN ------>  ESA
 ESA         -- SYN, ACK ->  Remote MTA
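
The following Python example is added here and is not part of the Cisco document: it classifies one connection from tcpdump's one-line text output by checking whether the ESA delivered a 5XX reply before closing. The addresses, capture lines and reply text are constructed, and the line format is assumed to be tcpdump's default output with its SMTP decode. Because the TCP Refuse flow above stops after SYN, ACK, the example also assumes the ESA then closes without sending any SMTP reply.

```python
import re

# tcpdump one-line text output, e.g. `tcpdump -nn -r capture.pcap port 25` (assumed format)
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r".*?length (?P<len>\d+)(?:: SMTP: (?P<code>\d{3}))?"
)

def classify(lines, esa):
    """Classify one inbound SMTP connection; esa is "address.port" as tcpdump prints it."""
    syn = synack = closed_by_esa = False
    esa_bytes, first_code = 0, None
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        flags, from_esa = m["flags"], m["src"] == esa
        if flags == "S" and m["dst"] == esa:
            syn = True                      # remote MTA opens the connection
        elif flags == "S." and from_esa:
            synack = True                   # ESA answers the handshake
        elif from_esa:
            esa_bytes += int(m["len"])
            if first_code is None and m["code"]:
                first_code = m["code"]      # first SMTP reply the ESA sent
            if "F" in flags or "R" in flags:
                closed_by_esa = True
    if not (syn and synack):
        return "NO_HANDSHAKE"
    if first_code and first_code.startswith("5"):
        return "REJECT"                     # 5XX delivered before the close
    if closed_by_esa and esa_bytes == 0:
        return "TCPREFUSE"                  # assumption: closed with no SMTP reply at all
    return "OTHER"                          # e.g. a 220 greeting: host is not blocked

ESA = "198.51.100.5.25"  # constructed documentation address, port 25
HANDSHAKE = [  # constructed capture lines
    "10:00:00.000001 IP 192.0.2.10.41234 > 198.51.100.5.25: Flags [S], seq 100, win 29200, length 0",
    "10:00:00.000050 IP 198.51.100.5.25 > 192.0.2.10.41234: Flags [S.], seq 500, ack 101, win 65535, length 0",
    "10:00:00.000900 IP 192.0.2.10.41234 > 198.51.100.5.25: Flags [.], ack 1, win 229, length 0",
]
REJECT_SAMPLE = HANDSHAKE + [
    "10:00:00.002000 IP 198.51.100.5.25 > 192.0.2.10.41234: Flags [P.], seq 1:25, ack 1, win 1040, length 24: SMTP: 554 connection refused",
    "10:00:00.002100 IP 198.51.100.5.25 > 192.0.2.10.41234: Flags [F.], seq 25, ack 1, win 1040, length 0",
]
REFUSE_SAMPLE = HANDSHAKE + [
    "10:00:00.002000 IP 198.51.100.5.25 > 192.0.2.10.41234: Flags [F.], seq 1, ack 1, win 1040, length 0",
]
```

Calling `classify(REJECT_SAMPLE, ESA)` returns `"REJECT"` and `classify(REFUSE_SAMPLE, ESA)` returns `"TCPREFUSE"`; feed it the lines of a single connection at a time.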