[ScreenOS] Emails are being deferred on Barracuda Spam firewall, which is upstream of a Juniper firewall


Article ID: KB11153 KB Last Updated: 17 Jun 2010 Version: 3.0
Summary:
Emails are not reaching the destination when Anti Virus is enabled on the Juniper firewall. The emails are seen in the deferred queue of the Barracuda Spam firewall, which is upstream from the Juniper firewall. The Juniper firewall and the Barracuda may have compatibility issues under some circumstances.
Symptoms:
The setup is as below:

Untrust------SSG350------DMZ--------Barracuda Anti Spam FW

Emails are not reaching the destination when Anti Virus is enabled on the Juniper firewall. The emails are seen in the deferred queue of the Barracuda Spam firewall, which is upstream from the Juniper firewall.

The maximum SMTP timeout that can be safely set on the Barracuda firewall is 120 secs. Increasing this timeout increases the number of sessions on the Barracuda firewall, which causes processing problems on that firewall. Depending on the traffic load and the size of the emails, it may take more than 120 secs for the Juniper firewall to scan the emails for viruses. If the time goes beyond 120 secs, the Barracuda will send the Juniper firewall a FIN packet and clear the session. Later, when the Juniper firewall is done processing and forwards the email to the Barracuda firewall, the Barracuda no longer has an existing session for it and defers the email.

Scan Manager notifications are not reported in the event log.

Solution:
This is a compatibility problem between the Juniper firewall and the Barracuda Anti Spam firewall.

Work-arounds:
  • Change the design so that email is forwarded from the Juniper firewall to an email Exchange Server. Exchange Servers usually have a larger timeout. Then forward the email to the Barracuda for Anti-Spam.
  • On the Juniper firewall, reduce the max-content-size of the emails to be scanned for viruses. The default is 10 Mb. Emails larger than the configured content size will not be queued and scanned for viruses. The ScreenOS command to do this is: set av max-content-size <size>