跳到主要內容

Cisco ASA 擋我寄出去的信

上星期五從公司Server寄出一封信到Gmail被退信,本來不以為意,今天發現Mail Server Queue住了一堆要寄到Gmail的信件

查了一下Mail Server的Log (我們公司是用Notes)

==================================================================

2012/03/19 上午 08:40:16  Router: No messages transferred to GMAIL.COM (host GMAIL.COM) via SMTP: The server is not responding. The server may be down or you may be experiencing network problems. Contact your system administrator if this problem persists.

2012/03/19 上午 08:40:21  Router: Failed to connect to SMTP host GMAIL.COM because The server is not responding. The server may be down or you may be experiencing network problems. Contact your system administrator if this problem persists.

==================================================================

Mail Server的主機上 Tracert Route Gmail的IP也沒問題,所以就懷疑Firewall在作怪

在Cisco ASA的Log中發現有一些奇怪的Log,而這些Source IP是Google的IP,Port是80或443
==================================================================
2 Mar 19 2012 10:50:04 106001 74.125.31.121 80 IP_xxxxxx 4990 Inbound TCP connection denied from 74.125.31.121/80 to  IP_xxxxxx /4990 flags FIN ACK  on interface outside

2 Mar 19 2012 13:07:28 106001 74.125.31.193 443 IP_xxxxxx   2336 Inbound TCP connection denied from 74.125.31.193/443 to  IP_xxxxxx  /2336 flags PSH ACK  on interface outside
==================================================================

查了Cisco的Log 訊息說明
Cisco System Log message


106001

Error Message    %PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port 
to IP_address/port flags tcp_flags on interface interface_name

Explanation    This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

ACK—The acknowledgment number was received.

FIN—Data was sent.

PSH—The receiver passed data to the application.

RST—The connection was reset.

SYN—Sequence numbers were synchronized to start a connection.

URG—The urgent pointer was declared valid.

Recommended Action    None required.


要怎麼解呢?


後記:
晚上把Mail Server重開就解決了....無言!!
而Cisco ASA上的Log還是持續發生....


留言

這個網誌中的熱門文章

HP A5120 Switch 基本設定

沒用過HP的Switch,指令跟Cisco完全不同,花了一些時間熟悉~ 1.啟動Spanning-Tree,預設沒有開啟 (黑色粗體是我敲的指令) <HP> system-view System View: return to User View with Ctrl+Z. [HP] stp enable [HP] %Apr 26 12:03:59:826 2000 HP MSTP/6/MSTP_ENABLE: STP is now enabled on the device. %Apr 26 12:03:59:918 2000 HP MSTP/6/MSTP_FORWARDING: Instance 0's GigabitEthernet1/0/17 has been set to forwarding state. %Apr 26 12:04:00:068 2000 HP MSTP/6/MSTP_DETECTED_TC: Instance 0's GigabitEthernet1/0/17 detected a topology change. #Apr 26 12:04:00:208 2000 HP MSTP/1/PFWD: hwPortMstiStateForwarding: Instance 0's Port 0.9437200 has been set to forwarding state! 2.DHCP Snooping   (黑色粗體是我敲的指令) 假設我的DHCP Server接在24 Port,其他Port不允許有DHCP Server <HP> system-view System View: return to User View with Ctrl+Z. [HP] dhcp-snooping  DHCP Snooping is enabled. [HP] interface GigabitEthernet 1/0/24 [HP-GigabitEthernet1/0/24 ]dhcp-snooping trust 若是沒有Port 設成dhcp-snooping trust,那麼這台Switch就沒有Client可以從DHCP Serv...

2台 Vigor 2920建立 LAN To LAN VPN (IPsec)

我有兩台Vigor 2920,環境如下: Vigor B 撥出 LAN:192.168.1.0/24 Vigor A 撥入 LAN:172.16.1.0/24 設定如下: Vigor B設定 Vigor A設定 詳細設定請參考官網 http://www.draytek.com/index.php?option=com_k2&view=item&id=2666&Itemid=264&lang=tw

Cisco Switch 發生Loopback

User告知網路無法使用,看了Switch的狀況後,發現那個Port的狀態是Error Disable,接著又看了Switch的log Feb  8 12:14:14 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:15:49 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:18:00 TW: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/10. Feb  8 12:18:00 TW: %PM-4-ERR_DISABLE: loopback error detected on Fa0/10, putting Fa0/10 in err-disable state Feb  8 12:18:01 TW: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down Feb  8 12:18:02 TW: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down 應該是User私接設備,除了造成Loopback之外,又在隨便發放IP....... 不過因為那個User比較特殊,先教育了一下之後,再把那個Port shutdown , no shutdown,接著把Recovery設了上去,下次如果再遇到相同狀況,10分鐘後會自動恢復 xxx...