What does "ICID lost" or "ICID close" mean?

Available Languages

Updated:October 14, 2014
Document ID:118579

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Question

What does "ICID lost" or "ICID close" mean?

Answer

In relation to mail processing on the Cisco Email Security Appliance (ESA), some clients disconnect after they get shown the EHLO size limit. Those clients do not send a QUIT, but end the connection perfectly normal on a TCP-base level. In this instance, the ESA will log ICID lost.

This typically happens when either the ESA loses the connection, or the sending client prematurely ends the connection without sending us the entire message. This would mean that the remote host connected but did not send any data.

If you know the sending domain, host name, or IP address, you can take a closer look at this occurrence by enabling Injection Debug logs. This will give you more detailed information during the SMTP conversation. Debug logging can be turned on from the CLI by using logconfig > new, or from the GUI by enabling a new Log Subscription.
 

Related Information

Revision History

Revision Publish Date Comments
1.0
14-Oct-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products