What does "Receiving aborted" and "Receiving aborted by sender" in the mail logs mean?

Available Languages

Updated:August 14, 2015
Document ID:118295

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the difference between "Receiving aborted" and "Receiving aborted by sender" as seen in the mail logs and message tracking associated with the Cisco Email Security Appliance (ESA) and the Cisco Security Management Appliance (SMA).

What does "Receiving aborted" in the mail logs mean?

"MID XXX Receiving aborted" indicates that the connection from the receiving side has been ended by a network problem, or the sender just closed the connection abruptly. "MID XXX" is the message ID of the message that could not be successfully injected. In many cases of seeing "Receiving aborted" it is a Firewall or SMTP-aware security device that is interrupting the traffic.

The following example illustrates a remote client establishing a SMTP connection to the ESA followed by the connection closing below the application layer, typically seen when the appliance receives a premature TCP [FIN] flag or a connection reset:

Thu Aug 14 11:04:31 2014 Info: New SMTP ICID 10293 interface Management
(192.168.0.199) address 192.168.0.200 reverse dns host ns.example.com verified no
Thu Aug 14 11:04:31 2014 Info: ICID 10293 RELAY SG RELAY_SG match 192.168.0.200 
SBRS not enabled
Thu Aug 14 11:04:51 2014 Info: Start MID 1404 ICID 10293
Thu Aug 14 11:04:51 2014 Info: MID 1404 ICID 10293 From: <user@domain.com>
Thu Aug 14 11:05:00 2014 Info: MID 1404 ICID 10293 RID 0 To: <end_user@example.com>
Thu Aug 14 11:05:36 2014 Info: ICID 10293 lost
Thu Aug 14 11:05:36 2014 Info: Message aborted MID 1404 Receiving aborted
Thu Aug 14 11:05:36 2014 Info: Message finished MID 1404 aborted
Thu Aug 14 11:05:36 2014 Info: ICID 10293 close

It may also simply mean that the "Timeout for Unsuccessful Inbound Connections" has been reached, which is five minutes by default, configured on the Listener. This occurs when no data has been sent before the timeout is reached:

Wed Aug 20 22:20:07 2014 Info: Start MID 1558778 ICID 3875465
Wed Aug 20 22:20:07 2014 Info: MID 1558778 ICID 3875465 From: <sndr@xyz.com>
Wed Aug 20 22:20:07 2014 Info: MID 1558778 ICID 3875465 RID 0 To: <recip@abc.com>
Wed Aug 20 22:25:07 2014 Info: Message aborted MID 1558778 Receiving aborted
Wed Aug 20 22:25:07 2014 Info: Message finished MID 1558778 aborted

What does "Receiving aborted by sender" in the mail logs mean?

"MID XXX Receiving aborted by sender" indicates that it is the sender side that sent a "quit" before "data" to end a SMTP conversation. "MID XXX" is the message ID of the message that could not be successfully injected.

The following example illustrates a remote client establishing a SMTP connection to the ESA followed by the client side closing the connection at the application layer with the SMTP command "quit":

Thu Aug 14 13:08:49 2014 Info: New SMTP ICID 10318 interface Management
(192.168.0.199) address 192.168.0.200 reverse dns host ns.example.com verified no
Thu Aug 14 13:08:49 2014 Info: ICID 10318 RELAY SG RELAY_SG match 192.168.0.200 
SBRS not enabled
Thu Aug 14 13:08:56 2014 Info: Start MID 1412 ICID 10318
Thu Aug 14 13:08:56 2014 Info: MID 1412 ICID 10318 From: <user@domain.com>
Thu Aug 14 13:09:03 2014 Info: MID 1412 ICID 10318 RID 0 To: <end_user@example.com>
Thu Aug 14 13:09:06 2014 Info: Message aborted MID 1412 Receiving aborted by sender
Thu Aug 14 13:09:06 2014 Info: Message finished MID 1412 aborted
Thu Aug 14 13:09:06 2014 Info: ICID 10318 close

Troubleshoot

  • To investigate further, set up injection debug logs for the mail server of the partner domain in question. Injection debug logs will show you exactly what you get from that host to the appliance.

    Note: You may need to configure injection debug logs for each mail host listed in the partner's DNS MX records.



  • You may also find it benefical to run a packet capture on the appliance during communication to show the complete connection and handshake, and associated issues that may be causing the connection to be inturrupted. 

Related Information

Revision History

Revision Publish Date Comments
1.0
15-Aug-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Jai Gill and Robert Sherwin
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products