Screen OS

I can not get my head wrapped around this one.

Our branch office it trying to connect to our mailsever (untrust to dmz) using SMTP.

I can see a few packets going throu, but suddenly the dbuf says session not found ????

Reading the packet flow is kinda new to me, and this time I just dont get.

Can anyone explain this dbuf stream to me please :

(the last 2 'entries' show 'dropped packet' but the entries before seem similar and do get through.

(I suspect the 'session not found' is the culprit. but why is it not found anymore ?)

beovpfw1-> get dbuf stream
****** 591236.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 16735(415f), @0d665914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/2:125.88.18.50/1712->81.246.110.67/25,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  flow_first_routing: in <ethernet0/2>, out <N/A>
  search route to (ethernet0/2, 125.88.18.50->81.246.110.67) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 11 for 81.246.110.67
  [ Dest] 11.route 81.246.110.67->81.246.110.67, to ethernet0/9
  routed (x_dst_ip 81.246.110.67) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/9
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 3
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 81.246.110.67, port 25, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 175/3/0x9
  Permitted by policy 175
  No src xlate   choose interface ethernet0/9 as outgoing phy if
  no loop on ifp ethernet0/9.
  session application type 7, name SMTP, nas_id 0, timeout 1800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/2>, out <ethernet0/9>
  existing vector list 3-67866e4.
  Session (id:47478) created for first pak 3
  flow_first_install_session======>
  route to 81.246.110.67
  cached arp entry with MAC 005056a522a2 for 81.246.110.67
  arp entry found for 81.246.110.67
  ifp2 ethernet0/9, out_ifp ethernet0/9, flag 00800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/9, 81.246.110.67->125.88.18.50) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
  cached route 0 for 125.88.18.50
  add route 13 for 125.88.18.50 to route cache table
  [ Dest] 13.route 125.88.18.50->81.246.123.177, to ethernet0/2
  route to 81.246.123.177
  cached arp entry with MAC 000000000000 for 81.246.123.177
  add arp entry with MAC 001a6d642f26 for 81.246.123.177 to cache table
  arp entry found for 81.246.123.177
  ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/9
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn, 125.88.18.50(1712)->81.246.110.67(25), nspflag 0x801801, 0x800800
  post addr xlation: 125.88.18.50->81.246.110.67.
  send packet to traffic shaping queue.
  flow_ip_send: 415f:125.88.18.50->81.246.110.67,6 => ethernet0/9(48) flag 0x20000, vlan 0
 pak has mac
  Send to ethernet0/9 (62)
****** 591236.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d6ac914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/9 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn_ack, 81.246.110.67(25)->125.88.18.50(1712), nspflag 0x801800, 0x801801
  post addr xlation: 81.246.110.67->125.88.18.50.
  send packet to traffic shaping queue.
  flow_ip_send: 0000:81.246.110.67->125.88.18.50,6 => ethernet0/2(48) flag 0x20000, vlan 0
 pak has mac
  Send to ethernet0/2 (62)
****** 591239.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 20282(4f3a), @0d60a914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/2:125.88.18.50/1712->81.246.110.67/25,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/2 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn, 125.88.18.50(1712)->81.246.110.67(25), nspflag 0x801801, 0x801800
  post addr xlation: 125.88.18.50->81.246.110.67.
  send packet to traffic shaping queue.
  flow_ip_send: 4f3a:125.88.18.50->81.246.110.67,6 => ethernet0/9(48) flag 0x20000, vlan 0
 pak has mac
  Send to ethernet0/9 (62)
****** 591239.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d637914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/9 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn_ack, 81.246.110.67(25)->125.88.18.50(1712), nspflag 0x801800, 0x801801
  post addr xlation: 81.246.110.67->125.88.18.50.
  send packet to traffic shaping queue.
  flow_ip_send: 0000:81.246.110.67->125.88.18.50,6 => ethernet0/2(48) flag 0x20000, vlan 0
 pak has mac
  Send to ethernet0/2 (62)
****** 591239.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d6a0114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/9 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn_ack, 81.246.110.67(25)->125.88.18.50(1712), nspflag 0x801800, 0x801801
  post addr xlation: 81.246.110.67->125.88.18.50.
  send packet to traffic shaping queue.
****** 591245.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 25444(6364), @0d615914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/2:125.88.18.50/1712->81.246.110.67/25,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/2 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn, 125.88.18.50(1712)->81.246.110.67(25), nspflag 0x801801, 0x801800
  post addr xlation: 125.88.18.50->81.246.110.67.
  send packet to traffic shaping queue.
****** 591245.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d6ff914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/9 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn_ack, 81.246.110.67(25)->125.88.18.50(1712), nspflag 0x801800, 0x801801
  post addr xlation: 81.246.110.67->125.88.18.50.
  send packet to traffic shaping queue.
****** 591246.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d64e914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 47478
  flow_main_body_vector in ifp ethernet0/9 out ifp N/A
  flow vector index 0x3, vector addr 0x20769b8, orig vector 0x20769b8
  adjust tcp mss.
  Got syn_ack, 81.246.110.67(25)->125.88.18.50(1712), nspflag 0x801800, 0x801801
  post addr xlation: 81.246.110.67->125.88.18.50.
  send packet to traffic shaping queue.
  flow_ip_send: 0000:81.246.110.67->125.88.18.50,6 => ethernet0/2(48) flag 0x20000, vlan 0
 pak has mac
  Send to ethernet0/2 (62)
****** 591259.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d6f2914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1712,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/9>, out <N/A>
  chose interface ethernet0/9 as incoming nat if.
  flow_first_routing: in <ethernet0/9>, out <N/A>
  search route to (ethernet0/9, 81.246.110.67->125.88.18.50) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 0 for 125.88.18.50
  add route 13 for 125.88.18.50 to route cache table
  [ Dest] 13.route 125.88.18.50->81.246.123.177, to ethernet0/2
  routed (x_dst_ip 125.88.18.50) from ethernet0/9 (ethernet0/9 in 0) to ethernet0/2
  policy search from zone 3-> zone 1
 policy_flow_search  policy search nat_crt from zone 3-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 125.88.18.50, port 1712, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
  Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0
****** 591264.0: <DMZ/ethernet0/9> packet received [48]******
  ipid = 0(0000), @0d655114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/9:81.246.110.67/25->125.88.18.50/1232,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/9>, out <N/A>
  chose interface ethernet0/9 as incoming nat if.
  flow_first_routing: in <ethernet0/9>, out <N/A>
  search route to (ethernet0/9, 81.246.110.67->125.88.18.50) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 13 for 125.88.18.50
  [ Dest] 13.route 125.88.18.50->81.246.123.177, to ethernet0/2
  routed (x_dst_ip 125.88.18.50) from ethernet0/9 (ethernet0/9 in 0) to ethernet0/2
  policy search from zone 3-> zone 1
 policy_flow_search  policy search nat_crt from zone 3-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 125.88.18.50, port 1232, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
  Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0
beovpfw1->

Hi,

Based on what I can see, it appears your mail server is creating new sessions back to the destination and you lack a policy from dmz to untrust.  What's odd is that I would expect this type of behavior for traffic sourcing from mail with a destination port of 25.  Since it's hitting the global policy, I would check your DMZ to Untrust Policy.

Both replies much apreciated !

I will provide some more info on the situation.

The firewall is a SSG-140 running screenOS 6.3.0r10 and the snippet was taken with debug flow basic.

I set to ffilter rules to only capture between the mail server and the public ip for the branch office.

I should not have to set a return policy do I ? the session table should take care of that.

Other branch offices can connect without problems just this one perticular one has a problem.

(its located in China, rtt is about 300ms, perhaps thats a problem ?)

I did check the incomming policies log and found the session ends with AGE-OUT where others end with TCP-RST

Hi,

You have a reverse routing issue. Check routing to 125.88.18.50 starting from the router 81.246.123.177.

The response packets do not reach the client and handshaking cannot complete. That's why the session is removed from the session state table after the server has sent two unresponded syn_ack packets and/or the handshaking timeout has expired.

I checked the route, it seems ok to me :

beovpfw1-> get route ip 125.88.18.50
 Dest for 125.88.18.50
--------------------------------------------------------------------------------------
trust-vr       : => 0.0.0.0/0 (id=13) via 81.246.123.177 (vr: trust-vr)
                    Interface ethernet0/2 , metric 1

potential routes in other vrouters:

VR-public      : => 0.0.0.0/0 (id=3) via 192.168.1.1 (vr: trust-vr)
                    Interface ethernet0/4.7 , metric 1

beovpfw1-> trace-route 125.88.18.50
Type escape sequence to escape

Send ICMP echos to 125.88.18.50, timeout is 2 seconds,  maximum hops are 32,
1    2ms    0ms    1ms    81.246.123.177
2    9ms    9ms    10ms    81.247.253.2
3    9ms    12ms    12ms    194.78.0.41
4    8ms    14ms    15ms    80.84.21.106
5    20ms    17ms    18ms    80.84.18.113
6    17ms    18ms    17ms    94.102.162.206
7    *    *    *    
8    19ms    18ms    20ms    195.66.225.54
9    230ms    232ms    230ms    202.97.52.89
10    267ms    268ms    265ms    202.97.60.154
11    270ms    269ms    269ms    202.97.60.198
12    269ms    272ms    269ms    202.97.34.201
13    277ms    270ms    272ms    183.59.0.245
14    278ms    278ms    274ms    183.59.0.145
15    284ms    284ms    285ms    59.38.16.22
16    298ms    296ms    289ms    61.145.226.237
17    276ms    277ms    279ms    125.88.18.50
Trace complete

To supply you with more info I did a get flow :

beovpfw1-> get flow
flow action flag: 1457
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets = 1300
flow change tcp mss option for outbound vpn packets = 1300
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : NO
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : NO
Enable the strict SYN check: NO
Allow naked tcp reset pass through firewall: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check  unknown mac flooding : YES
Skip sequence number check in stateful inspection : YES
Drop embedded ICMP : NO
ICMP path mtu discovery : YES
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
    high watermark = 100 (48064 sessions)
    low watermark  = 100 (48064 sessions)
    early ageout   = 10
    RST seq. chk OFF
MAC cache for management traffic: OFF
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
    clear-text or first packet going into tunnel: prefer reverse route (default)
    first packet from tunnel: always reverse route (default)
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO
Flow caches route and arp: YES, miss rate 13%
beovpfw1->

Hi,

Routing seems to be correct.

I have tried this: ping -f -l 1472 125.88.18.50 -t. This is to check if there are MTU/fragmentation issues

There are lost packets but the echo-requests are generally responded. So, we can assume that we do not have a fragmentation problem here. But there may be the misconfigured devices on this long distance which have a negative impact on TCP.

An investigation of the problem without any support from the providers may be fully ineffective.

Is it possible to configure an ipsec VPN between your FW and the client site?

P.S. I noted that TCP syn check is disabled on your FW. I would not recommend to use this setting because it reduces the security significantly. Use "set flow tcp-syn-check" instead.

The other side (In China) is a SSG-5 running screenOS 6.1.0r3.0

dbuf flow only shows outgoing attempts, ffilter should capture incomming to :

cnzhufw1-> get dbuf stream
****** 2376548.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 32486(7ee6), @032089b0
  packet passed sanity check.
  ethernet0/0:10.19.20.169/1700->81.246.110.67/25,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.19.20.169->81.246.110.67) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 81.246.110.67->125.88.18.49, to ethernet0/6
  routed (x_dst_ip 81.246.110.67) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/6
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 81.246.110.67, port 25, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 14/6/0x9
  Permitted by policy 14
  dip id = 2, 10.19.20.169/1700->125.88.18.50/1301
  choose interface ethernet0/6 as outgoing phy if
  no loop on ifp ethernet0/6.
  session application type 7, name SMTP, nas_id 0, timeout 1800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <ethernet0/6>
  existing vector list 3-3cc1094.
  Session (id:7496) created for first pak 3
  flow_first_install_session======>
  route to 125.88.18.49
  arp entry found for 125.88.18.49
  ifp2 ethernet0/6, out_ifp ethernet0/6, flag 10800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/6, 81.246.110.67->10.19.20.169) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  [ Dest] 1.route 10.19.20.169->10.19.20.169, to ethernet0/0
  route to 10.19.20.169
  arp entry found for 10.19.20.169
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 7496
  adjust tcp mss.
  Got syn, 10.19.20.169(1700)->81.246.110.67(25), nspflag 0x801801, 0x10800800
  post addr xlation: 125.88.18.50->81.246.110.67.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2376551.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 3672(0e58), @032391b0
  packet passed sanity check.
  ethernet0/0:10.19.20.169/1700->81.246.110.67/25,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 7496
  adjust tcp mss.
  Got syn, 10.19.20.169(1700)->81.246.110.67(25), nspflag 0x801801, 0x10800800
  post addr xlation: 125.88.18.50->81.246.110.67.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2376557.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 8250(203a), @032679b0
  packet passed sanity check.
  ethernet0/0:10.19.20.169/1700->81.246.110.67/25,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 7496
  adjust tcp mss.
  Got syn, 10.19.20.169(1700)->81.246.110.67(25), nspflag 0x801801, 0x10800800
  post addr xlation: 125.88.18.50->81.246.110.67.
 flow_send_vector_, vid = 0, is_layer2_if=0
cnzhufw1->

Checking routing :

cnzhufw1-> get route ip 81.246.110.67
 Dest for 81.246.110.67
--------------------------------------------------------------------------------------
trust-vr       : => 0.0.0.0/0 (id=7) via 125.88.18.49 (vr: trust-vr)
                    Interface ethernet0/6 , metric 2


cnzhufw1-> trace-route 81.246.110.67
Type escape sequence to escape

Send ICMP echos to 81.246.110.67, timeout is 2 seconds,  maximum hops are 32,
1    3ms    3ms    3ms    125.88.18.49
2    4ms    5ms    26ms    61.145.226.238
3    3ms    4ms    3ms    59.38.16.45
4    24ms    7ms    8ms    183.59.1.162
5    11ms    11ms    11ms    183.59.1.2
6    11ms    11ms    11ms    202.97.35.242
7    10ms    9ms    9ms    202.97.60.78
8    177ms    179ms    177ms    202.97.51.210
9    221ms    *    170ms    4.71.114.101
10    *    *    174ms    4.69.152.254
11    179ms    *    *    
12    *    253ms    253ms    4.69.135.186
13    244ms    248ms    244ms    4.69.148.46
14    *    240ms    240ms    4.69.134.77
15    310ms    309ms    310ms    4.69.137.65
16    309ms    320ms    310ms    4.69.143.93
17    321ms    320ms    321ms    4.69.148.181
18    271ms    273ms    272ms    212.3.238.66
19    272ms    272ms    272ms    194.78.0.38
20    286ms    283ms    282ms    81.247.253.111
21    281ms    279ms    279ms    81.246.123.178
22    279ms    279ms    280ms    81.246.110.67
Trace complete
cnzhufw1->

Policy log :

Echidov asked :

Is it possible to configure an ipsec VPN between your FW and the client site?

That is possible but not desired.

However as a trouble solving tool I rerouted the troublesome data stream through a separte backup line, hosted by Interoute. (SDSL 2mbit based and terminated on both firewalls via a Interoute managed VPN)

What do you know, my SMTP connection started working,,,,,,,,

So, could it be that a third party somewere in between is interfering with my flow ?

If so, I will ask management if they will accept routing our SMTP traffic over the backupline as a solution, my mandarin is no good

Maybe someone's having trouble with just SMTP traffic in particular. See if you can shift it to a non-standard port and see if it would work.

Hi,

Sure, this is a provider(s) problem.

Are you sending the internal corporate traffic unencrypted over Internet? Hmm... I would never do this. The route based VPN can be easely configured once and left unchanged for years. The rest are the simple routing and policy changes.

I have passed your concerns to our mail specialist, he tells me that although we are using TCP port 25, the actual data is encrypted.

A route based VPN is in place, but we decided not to route access to our mailserver through it to avoid the IPsec overhead (since the stream is already encrypted, they tell me), and to make sure that the people in China are able to access our mail system even if the VPN tunnel is down.

For now, we will have them use the seperate backup line, whilst I try and contact our local ISP to see if they can explain why my traffic is not getting through.

Thanks for all your input in this thread !

On the mail server you can use TLS to encrypt connections between similarly configured servers.  This also transits on the standard smtp port.  The process uses certificates.

You can further tell the mail sever software to either require TLS or fall back to normal smtp if the receiver does not support the protocol.  The mail administrator configures the requirement by domain.  You can also have the system try TLS first every time just to see if the other system supports it before falling back to standard smtp.

I'm assuming the debug snippet you provided is from a non-ASIC-based firewall. (What model is it?) I'm also assuming the snippet shows contiguous traffic with no omissions in between.

Notice: Client->Server TCP SYN

Then: Server->Client TCP SYN,ACK

Then Server->Client TCP SYN,ACK (retransmission)

MIssing: Client->Server ACK

Repeat x2

So, it doesn't look like you have a completed TCP handshake. That's something the firewall pays attention to and I belive that's why further traffic from the Server to the Client gets dropped.

If you have the opportunity, try to do a packet capture at the client to see whether traffic really gets back to it, and if does, whether it looks ok. If traffic is not getting there, then perhaps you can play around a bit with the TCP MSS setting on the firewall (something like set flow tcp-mss) and see if that would help.