Troubleshooting Guide for Cisco Email Security Appliance X1050
How can I verify that my TCPREFUSE or REJECT access rule is working?
Document ID: 118214
Contributed by Jai Gill and Enrico Werner, Cisco TAC Engineers.
Aug 12, 2014
Contents
How can I verify that my TCPREFUSE or REJECT access rule is working?
How can I verify that my TCPREFUSE or REJECT access rule is working?
Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS
TCPREFUSE and REJECT are the two connection behaviors that are normally associated with the
BLOCKED Mail Flow Policy. These access rules allow you to choose whether to block messages from a
remote host with a notification (hard bounce) or to simply drop the connection. See What is the difference
between REJECT and TCPREFUSE?
To determine whether a remote host is being dropped due to TCPREFUSE or REJECT, you
can view entries in the mail logs. Mail logs will only contain entries for TCPREFUSE if verbose connection
logging is enabled. Additionally, you can use a protocol analyzer, such as tcpdump, to monitor the
conversations at the packet level. When using a protocol analyzer, you will notice different conversations for
TCPREFUSE vs REJECT.
The TCP connection flow between the ESA and the remote Message Transfer Agent (MTA) for the Reject
connection is like this:
Remote MTA  ---- SYN ------->  ESA
ESA         ---- SYN, ACK -->  Remote MTA
Remote MTA  ---- ACK ------->  ESA
ESA         ---- 5XX Code -->  Remote MTA
ESA         ---- FIN, ACK -->  Remote MTA
Remote MTA  ---- ACK ------->  ESA
Remote MTA  ---- FIN, ACK -->  ESA
ESA         ---- ACK ------->  Remote MTA
The TCP connection flow between the ESA and the remote MTA for the TCP Refuse connection is like this:
Remote MTA  ---- SYN ------->  ESA
ESA         ---- SYN, ACK -->  Remote MTA
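The REJECT flow above carries a 5XX reply from the ESA before the connection closes, while TCPREFUSE is described as simply dropping the connection. The following Python check is an added example, not part of the original Cisco document: run from a host that should match the rule, it classifies what the listener sends first. It assumes a TCPREFUSE connection is closed without any SMTP reply (the rest of that flow is not shown on this page); the function names and sample replies are constructed for illustration.

```python
import socket

def read_verdict(sock, timeout=5.0):
    """Classify the first thing the listener sends on an already-connected socket."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(1024)
    except ConnectionResetError:
        data = b""                      # a reset is also a close without a reply
    except socket.timeout:
        return "NO_REPLY", ""           # connection stays open but silent
    if not data:
        # Assumption: closing with no SMTP reply is consistent with TCPREFUSE.
        return "TCPREFUSE", ""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith("5"):
        return "REJECT", line           # the "5XX Code" step of the REJECT flow
    if line.startswith("220"):
        return "ACCEPTED", line         # normal banner: the block rule did not match
    return "OTHER", line

def probe(host, port=25, timeout=5.0):
    """Open a TCP connection as the remote MTA would and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return read_verdict(sock, timeout)
    except OSError as exc:
        return "CONNECT_FAILED", str(exc)

def demo_peer(reply):
    """Constructed stand-in for the listener: sends `reply` (may be empty), then closes."""
    ours, theirs = socket.socketpair()
    if reply:
        theirs.sendall(reply)
    theirs.close()
    return ours

if __name__ == "__main__":
    # Constructed sample replies, not captured from a real appliance.
    samples = (b"554 5.7.1 constructed sample rejection\r\n",
               b"",
               b"220 mail.example.test ESMTP\r\n")
    for reply in samples:
        print(read_verdict(demo_peer(reply), timeout=1.0))
```

A TCPREFUSE verdict only shows that the connection closed without a reply; confirm it against the mail logs with verbose connection logging enabled, as described above.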