[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fwtk-users
Subject:    Re: smap problems
From:       Joseph S D Yao <jsdy () cospo ! osis ! gov>
Date:       2000-03-23 17:47:54
[Download RAW message or body]

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]

Apologies for late response ...

On Wed, Feb 23, 2000 at 10:09:18AM +1000, Ken Blinco wrote:
> We've been experiencing intermittant problems with smap.  When a client
> makes a connection to smap and begins sending data, at some stage smap
> decides that the client has gone away and sends the client a 
> "550 you could say goodbye" error and then closes the connection.
> 
> smap logs a "SMTP QUIT with no message" to syslog.
> 
> This seems to happen more often when the client is sending large emails
> > 2Meg. (we do not have a limit on size)
> 
> We are presuming that we are looking at intermittent network problems
> here and that data is simply not arriving at the socket correctly (we
> put in some debug statements in smap.c and found that we were getting
> read errors periodically).
> 
> This machine on which smap is running is quite busy which may be another
> factor.
> 
> I'm posting this just to see if anyone else out there has had similar
> problems, and if so, what did they do to fix the problem.

We had a similar problem inside the firewall, with a different piece of
equipment.  Details are perhaps not relevant, except that the receiving
mail servers that timed out were usually MSW-NT/MS Exchange machines.

The basic problem was only with larger messages.  It turned out that
one piece of equipment on one side was ignoring all ICMP, and in
particular ICMP "fragment" messages.  Larger messages went into packets
that didn't fit through tunnels ["virtual circuits"] between places.
Enabling ICMP fixed this.  This has been a problem in several parts of
our network configuration.

There is a myth out there that ICMP is evil and must be blocked.  ICMP
is a crucial part of IP.  If IP is going from one place to another,
then ICMP must be allowed to go through the same way - or, at least,
those parts of ICMP that are used to keep the IP flowing.

Note that this does not apply to access THROUGH the FWTK.  IP stops
dead at FWTK proxies, and never goes through - unless someone has
damaged it by adding an IP packet filter of some sort.  ;-)

-- 
Joe Yao				jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

[prev in list] [next in list] [prev in thread] [next in thread]