topic Re: Abnormal behavior of ASA when adding policy-map type inspect esmtp in Network Security

Abnormal behavior of ASA when adding policy-map type inspect esmtp

kz-support — Tue, 24 Dec 2024 16:13:06 GMT

Hello

two cisco asa (FTD 2130 in appliance mode) work in failover pair

I tried to add a new smtp traffic inspection policy via ssh console

policy-map type inspect esmtp quik_no_ehlo_mask
description do not mask ehlo for quik servers
parameters
mask-banner
no mail-relay
no special-character
allow-tls
exi
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log

After entering the last command, my ssh console stops responding (access was restored after a few minutes) and alerts of the following type start pouring in from standby asa every 15 seconds

Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105008: (Secondary) Testing Interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105009: (Secondary) Testing on interface mex Passed

Such messages come about all interfaces on failover monitoring

I logged into asa via the console port, tried to delete the policy
no policy-map type inspect esmtp quik_no_ehlo_mask
ERROR: policy-map quik_no_ehlo_mask is being configured and hence cannot be removed.

At the same time, there were no problems with passing traffic through the primary ASA and failover did not work either. Only messages from the standby ASA monitoring were constantly coming as above.

There was also no increased CPU or memory load.

At 13:18, the problem resolved itself. Alerts stopped coming. I logged in via ssh and deleted the policy without spaces.

I did not find any other errors in the log during this time, except for the fact that ACS dropped the ssh session immediately after the problem began.

Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725007: SSL session with client inside:10.0.0.148/51723 to 172.16.0.10/443 terminated
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725001: Starting SSL handshake with client inside:10.0.0.148/51724 to 172.16.0.10/443 for TLS session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725016: Device selects trust-point ASA-self-signed for client inside:10.0.0.148/51724 to 1172.16.0.10/443
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725002: Device completed SSL handshake with client inside:10.0.0.148/51724 to 172.16.0.10/443 for TLSv1.2 session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725007: SSL session with client inside:10.0.0.148/51724 to 172.16.0.10/443 terminated
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725001: Starting SSL handshake with client inside:10.0.0.148/51725 to 172.16.0.10/443 for TLS session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725016: Device selects trust-point ASA-self-signed for client inside:10.0.0.148/51725 to 172.16.0.10/443
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725002: Device completed SSL handshake with client inside:10.0.0.148/51725 to 172.16.0.10/443 for TLSv1.2 session

Please help with diagnostics of this behavior.

Cisco Adaptive Security Appliance Software Version 9.14(4)17
SSP Operating System Version 2.8(1.191)
Device Manager Version 7.19(1)95

Compiled on Wed 19-Oct-22 06:12 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.8.1.191.SPA"
Config file at boot was "startup-config"

ASA up 1 year 64 days
failover cluster up 2 years 115 days

Hardware: FPR-2130, 13703 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)

Could you help me to troubleshoot it?

Tthank you in advance

Re: Abnormal behavior of ASA when adding policy-map type inspect esmtp

faruk74summy — Fri, 27 Dec 2024 05:20:00 GMT

Hello,

Your issue with the ASA might be related to resource contention or configuration conflicts triggered by the policy-map. The recurring failover communication loss messages suggest instability, possibly due to a problem with the failover interface or the complex policy.

Check the failover interface and verify physical connectivity.
Run debug logs to capture more detailed information about what happens when the policy is added.
Simplify or remove the policy-map temporarily to see if it resolves the issue.
Ensure ASA software is up to date and check for any known bugs.
If this doesn’t help, consider opening a case with Cisco TAC for more targeted troubleshooting.

CashNetUSA loans

Re: Abnormal behavior of ASA when adding policy-map type inspect esmtp

Flavio Miranda — Thu, 26 Dec 2024 10:02:00 GMT

@kz-support

ESMTP is inspected by default in ASA. Did you tried to reaply the config to make sure It was really the problem?

Re: Abnormal behavior of ASA when adding policy-map type inspect esmtp

kz-support — Sat, 28 Dec 2024 10:46:49 GMT

I don't know if there were such policy or not, but I noticed many messages ' /opt/bootcli/cisco/cli/bin/fxos_ntpd_monitor.sh: line 87: echo: write error: No space left on device' in stdout_ntp_fxos.log file. And indeed I see the partition opt_cisco_platform_logs is full and must be cleared

firepower-2130 /fabric-interconnect # show storage

Storage on local flash drive of fabric interconnect:

Partition Size (MBytes) Used Percentage

---------------- ---------------- ---------------

mnt_boot 7500 21

opt_cisco_config 922 30

opt_cisco_csp 160142 2

opt_cisco_platfo 921 Full

usbdrive Nothing Empty

var_data_cores 28033 1

firepower-2130 /fabric-interconnect # show storage detail

Storage on local flash drive of fabric interconnect:

Partition: mnt_boot

Size (MBytes): 7500

Used Percentage: 21

Partition: opt_cisco_config

Size (MBytes): 922

Used Percentage: 30

Partition: opt_cisco_csp

Size (MBytes): 160142

Used Percentage: 2

Most likely this is the problem, in any case it needs to be solved first

Partition: opt_cisco_platform_logs

Size (MBytes): 921

Used Percentage: Full

Partition: usbdrive

Size (MBytes): Nothing

Used Percentage: Empty

Partition: var_data_cores

Size (MBytes): 28033

Used Percentage: 1

I suppose if we can't secure-login to linux shell without Cisco TAC to clear pertition, we can do that by formatting or reimaging like it described in this link https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/troubleshoot/asa-fxos-troubleshoot/system_recovery.html#task_tfx_dtm_tgb ?

Re: Abnormal behavior of ASA when adding policy-map type inspect esmtp

kz-support — Thu, 20 Feb 2025 16:18:48 GMT

We formated disk during the Reformat procedure

The problem with free space in the opt_cisco_platform_logs folder has been solved.

We also configured policy-map after the work. There were no problems.

However, during the Reformat procedure we encountered with the next problem:

We format the disk on the standby node. It reboots and boots with an empty config

We configure the failover settings and enable it

The two devices Active and Standby correctly see each other and the active node begins synchronizing the config with the secondary one.

After synchronization is complete, the problem appear with the interfaces for which monitoring is configured not switching to the "Monitored" status but remaining in the "Waiting" status

There is spam in the logs
Testing Interface XXX
Testing on interface XXX Passed

Testing Interface XXX
Testing on interface XXX Passed

We solved the problem by sending the standby node to reboot again and after rebooting, failover was correctly assembled.

The failover switching procedure also worked correctly.

Could somebody tells me whats wrong?

Thank you in advance