Cisco Email Security Appliance

ESA FAQ: How do you analyze intermittent mail delivery issues on the ESA?

Document ID: 117844

Updated: Jun 25, 2014

Contributed by Kevin Luu and Robert Sherwin, Cisco TAC Engineers.

Introduction

This document describes how to analyze intermittent mail delivery issues on the Cisco Email Security Appliance (ESA).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ESA
  • AsyncOS

Components Used

The information in this document is based on all versions of AsyncOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

How do you analyze intermittent mail delivery issues on the ESA?

You can use the Injection Debug Logs in order to trace the entire Simple Mail Transfer Protocol (SMTP) conversation between the ESA and the inbound server connection. Each line within the Injection Debug Logs outlines the data that is sent and received during the SMTP conversation.

Complete these steps in order to enable the Injection Debug Logs with the GUI:

  1. Navigate to System Administration > Log Subscriptions in the GUI.

  2. Choose Add log subscription....

  3. In the Log Type field, select Injection Debug Logs and input the appropriate data.

Here are some important considerations when you input the Injection Debug Logs data:

  • The CIDR addresses, such as 10.1.1.0/24, are permitted.

  • The IP address ranges, such as 10.1.1.10-20, are permitted.

  • The IP subnets, such as 10.2.3, are permitted.

  • Hostnames and wildcards, such as crm.example.com, are permitted (but not example.com).

  • Wildcards should be expressed as .example.com (without an asterisk).

  • When you trace an inbound email, the host name should match the sender host.

  • When you trace an outbound email, the host name should match the internal host name(s).

  • The number of SMTP sessions should be between one and 25.

Complete these steps in order to enable the Injection Debug Logs with the CLI:

  1. Enter the logconfig > new command into the CLI.

  2. Choose Injection Debug Logs.

  3. Enter a name for the log, such as debugging_example.

  4. Enter the hostname, IP address, or block of IP addresses for which you want to record the injection debug information, such as mail1.example.com.

  5. Enter the number of SMTP sessions that you want to record for this domain. Ensure that the value is between one and 25.

  6. Enter the method that you want to use in order to retrieve the logs, such as FTP Poll.

  7. Enter the filename. You can use the default filename if you desire.

  8. Select the defaults that remain.

This example shows the Injection Debug Logs when the ESA accepts mail from a server.

Note: The Injection Debug Logs and the Domain Debug Logs are similar to the mail_logs, so you can use the grep and tail commands.

Sent to '10.251.21.203': '220 ironportappliance ESMTP\r\n'
Rcvd from '10.251.21.203': 'EHLO outgoing.example.com\r\n'
Sent to '10.251.21.203': '250-nibbles.run\r\n250-8BITMIME\r\n250
 SIZE 104857600\r\n'
Rcvd from '10.251.21.203': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '10.251.21.203': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '10.251.21.203': 'RCPT TO:<test@example.org>\r\n'
Sent to '10.251.21.203': '250 recipient <test@example.org>ok\r\n'
Rcvd from '10.251.21.203': 'DATA\r\n'
Sent to '10.251.21.203': '354 go ahead\r\n'
Rcvd from '10.251.21.203': 'To: "test@example.org" <test@example.org>
 \r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users <jsmith@example.com>
 \r\nContent-Type: text/plain; format=flowed; delsp=yes;
 charset=iso-8859-15\r\nMIME-Version: 1.0\r\nContent-Transfer-Encoding:
 7bit\r\nDate: Tue, 09 Jan 2007 12:14:35 -0800\r\nMessage-ID:
 <op.tlwk6lvgwomlp4@outgoing.example.com>\r\nUser-Agent: Opera Mail/9.10
 (Win32)\r\n\r\ntest\r\n'
Rcvd from '10.251.21.203': '\r\n.\r\n'
Sent to '10.251.21.203': '250 ok: Message 270 accepted\r\n'
Rcvd from '10.251.21.203': 'QUIT\r\n'
Sent to '10.251.21.203': '221 nibbles.run\r\n'
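
The following Python script is an added example, not part of the original Cisco document. It parses Injection Debug Log text in the format shown above, rejoins wrapped lines, and lists the 4xx/5xx replies the ESA sent along with the client input that preceded each one. The function names, the tolerance for a line prefix, and the sample data are assumptions.

```python
import re

# Record shapes from the sample above; search() tolerates a leading timestamp
# or level prefix, which is an assumption since the sample shows none.
RECORD = re.compile(r"(Sent to|Rcvd from) '([^']+)': '(.*)'\s*$")
REPLY = re.compile(r"^([2-5]\d\d)( |-|$)")
CRLF = "\\r\\n"  # the log prints CRLF as the literal characters \r\n

def parse_records(text):
    """Yield (direction, peer, payload), rejoining wrapped continuation lines."""
    joined = []
    for line in text.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += line  # indented line continues the previous record
        elif line.strip():
            joined.append(line)
    for rec in joined:
        m = RECORD.search(rec)
        if m:
            yield ("sent" if m.group(1) == "Sent to" else "rcvd"), m.group(2), m.group(3)

def find_rejections(text):
    """List 4xx/5xx replies sent by the appliance and the input that preceded each."""
    last_input, findings = {}, []
    for direction, peer, payload in parse_records(text):
        parts = [p for p in payload.split(CRLF) if p]
        if direction == "rcvd":
            if parts:
                last_input[peer] = parts[0]
            continue
        for part in parts:
            m = REPLY.match(part)
            # Report only the final line of a (possibly multi-line) reply.
            if m and m.group(1)[0] in "45" and m.group(2) != "-":
                findings.append({"peer": peer, "code": m.group(1),
                                 "after": last_input.get(peer, "(connect)"),
                                 "reply": part})
    return findings

# Constructed sample in the page's format (addresses, names and reply text invented).
SAMPLE = r"""Sent to '192.0.2.25': '220 esa.example.com ESMTP\r\n'
Rcvd from '192.0.2.25': 'EHLO mail1.example.com\r\n'
Sent to '192.0.2.25': '250-esa.example.com\r\n250-8BITMIME\r\n250
 SIZE 104857600\r\n'
Rcvd from '192.0.2.25': 'RCPT TO:<test@example.org>\r\n'
Sent to '192.0.2.25': '452 too many recipients\r\n'
"""

if __name__ == "__main__":
    for f in find_rejections(SAMPLE):
        print(f"{f['peer']}: {f['reply']!r} after {f['after']!r}")
```

The script tracks the last input per peer address, so it assumes sessions from the same address are not interleaved in the log.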