Examine the rest of the logs for those IP pairs. - was there ever a valid SMTP session between them? It's very common to use "broken TCP" to ascertain if a host is listening on a protocol/port. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Mark Morgan [mailto:mmorgan@xxxxxxxxxxxxxxxxxxxxx] Sent: Friday, September 30, 2005 11:13 To: [ISAserver.org Discussion List] Subject: [isalist] port 25 traffic denied http://www.ISAserver.org Hello, I am having an error 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED on trafic sent to my external interface on port 25, and some mail is not getting through to some of my clients. Does anyone have any idea what could be going on? Here is the log of one of the denials all are the same. Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 209.123.16.38 - HIPPOCRATES - TCP - - No - 63.***.***.*** 45 00 00 28 00 00 40 00 2e 06 16 ec d1 7b 10 26 3f c1 14 82 00 19 37 b9 58 5a 75 2f 00 00 00 00 50 04 00 00 74 a0 00 00 25 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall 9/29/2005 4:24:40 PM 63.***.***.*** 14265 Unidentified IP Traffic Denied Connection - 209.123.16.38 - External Local Host 209.123.16.38 - HIPPOCRATES - TCP - - No - 63.***.***.*** 45 00 00 28 00 00 40 00 2e 06 16 ec d1 7b 10 26 3f c1 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.