12-24-2024 08:13 AM
Hello
Two Cisco ASAs (FTD 2130 in appliance mode) work as a failover pair.
I tried to add a new SMTP traffic inspection policy via the SSH console:
policy-map type inspect esmtp quik_no_ehlo_mask
 description do not mask ehlo for quik servers
 parameters
  mask-banner
  no mail-relay
  no special-character
  allow-tls
  exit
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
After entering the last command, my SSH console stopped responding (access was restored after a few minutes), and alerts of the following type started pouring in from the standby ASA every 15 seconds:
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105008: (Secondary) Testing Interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105009: (Secondary) Testing on interface mex Passed
Such messages came for all interfaces under failover monitoring.
I logged into the ASA via the console port and tried to delete the policy:
no policy-map type inspect esmtp quik_no_ehlo_mask
ERROR: policy-map quik_no_ehlo_mask is being configured and hence cannot be removed.
At the same time, there were no problems with traffic passing through the primary ASA, and failover did not work either. Only the messages from the standby ASA monitoring quoted above kept coming.
There was also no increased CPU or memory load.
At 13:18 the problem resolved itself and the alerts stopped. I logged in via SSH and deleted the policy without spaces.
I did not find any other errors in the log during this time, except that ACS dropped the SSH session immediately after the problem began:
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725007: SSL session with client inside:10.0.0.148/51723 to 172.16.0.10/443 terminated
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725001: Starting SSL handshake with client inside:10.0.0.148/51724 to 172.16.0.10/443 for TLS session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725016: Device selects trust-point ASA-self-signed for client inside:10.0.0.148/51724 to 172.16.0.10/443
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725002: Device completed SSL handshake with client inside:10.0.0.148/51724 to 172.16.0.10/443 for TLSv1.2 session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725007: SSL session with client inside:10.0.0.148/51724 to 172.16.0.10/443 terminated
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725001: Starting SSL handshake with client inside:10.0.0.148/51725 to 172.16.0.10/443 for TLS session
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725016: Device selects trust-point ASA-self-signed for client inside:10.0.0.148/51725 to 172.16.0.10/443
Nov 12, 2024 @ 12:25:05.000 ASA %ASA-6-725002: Device completed SSL handshake with client inside:10.0.0.148/51725 to 172.16.0.10/443 for TLSv1.2 session
Please help with diagnostics of this behavior.
Cisco Adaptive Security Appliance Software Version 9.14(4)17
SSP Operating System Version 2.8(1.191)
Device Manager Version 7.19(1)95
Compiled on Wed 19-Oct-22 06:12 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.8.1.191.SPA"
Config file at boot was "startup-config"
ASA up 1 year 64 days
failover cluster up 2 years 115 days
Hardware: FPR-2130, 13703 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)
Could you help me to troubleshoot it?
Thank you in advance
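The pattern in the post is a burst of %ASA-1-105005 (lost failover communications) immediately followed by %ASA-1-105009 (interface test passed), repeating every 15 seconds on every monitored interface. When triaging an episode like this from a syslog export, it helps to separate that "loss followed by an immediate pass" signature, which points at the mate's control plane stalling rather than a physical link problem, from a genuine link failure where the test would not pass. The script below is an added example, not code from the post or from Cisco: it parses ASA syslog lines in the timestamp format shown above, groups 105005/105009 messages per interface, measures the interval between losses, and flags interfaces that are flapping. The sample lines are constructed for the example and modelled on the ones quoted in the post; the message IDs are the ones that appear on the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample syslog lines modelled on the ones quoted in the post.
# Timestamps and the second interface name ("inside") are made up for the example.
SAMPLE_LOG = """\
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105008: (Secondary) Testing Interface mex
Nov 12, 2024 @ 12:25:04.000 ASA %ASA-1-105009: (Secondary) Testing on interface mex Passed
Nov 12, 2024 @ 12:25:19.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mex
Nov 12, 2024 @ 12:25:19.000 ASA %ASA-1-105008: (Secondary) Testing Interface mex
Nov 12, 2024 @ 12:25:19.000 ASA %ASA-1-105009: (Secondary) Testing on interface mex Passed
Nov 12, 2024 @ 12:25:19.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface inside
Nov 12, 2024 @ 12:25:19.000 ASA %ASA-1-105009: (Secondary) Testing on interface inside Passed
Nov 12, 2024 @ 12:25:34.000 ASA %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mex
Nov 12, 2024 @ 12:25:34.000 ASA %ASA-1-105009: (Secondary) Testing on interface mex Passed
Nov 12, 2024 @ 12:25:35.000 ASA %ASA-6-725001: Starting SSL handshake with client inside:10.0.0.148/51724 to 172.16.0.10/443 for TLS session
"""

# "<Mon> <d>, <yyyy> @ <hh:mm:ss>.<ms> ASA %ASA-<severity>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} @ \d{2}:\d{2}:\d{2})\.\d{3} ASA "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# 105008 says "Testing Interface <name>", 105005/105009 say "... interface <name>"
IFACE_RE = re.compile(r"interface (?P<iface>\S+)", re.IGNORECASE)

LOST_FAILOVER_COMMS = "105005"
INTERFACE_TEST_PASSED = "105009"


def parse_asa_syslog(text):
    """Parse %ASA-<sev>-<id> lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        im = IFACE_RE.search(m.group("text"))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d, %Y @ %H:%M:%S"),
            "sev": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "text": m.group("text"),
            "iface": im.group("iface") if im else None,
        })
    return events


def failover_flap_summary(events, min_losses=3):
    """Per interface: how many 105005 losses, how many 105009 passes, the median
    gap between losses, and whether the interface looks like it is flapping
    (repeated losses that are each followed by a passing interface test, i.e.
    the link itself is healthy and the mate is the one not answering)."""
    losses = defaultdict(list)
    passed = defaultdict(int)
    for e in events:
        if e["iface"] is None:
            continue
        if e["msgid"] == LOST_FAILOVER_COMMS:
            losses[e["iface"]].append(e["ts"])
        elif e["msgid"] == INTERFACE_TEST_PASSED:
            passed[e["iface"]] += 1
    summary = {}
    for iface, stamps in losses.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[iface] = {
            "losses": len(stamps),
            "passed": passed[iface],
            "median_interval_s": median(gaps) if gaps else None,
            "flapping": len(stamps) >= min_losses and passed[iface] >= len(stamps),
        }
    return summary


def episode_bounds(events):
    """First and last timestamp of any 105005 message, to size the episode."""
    stamps = [e["ts"] for e in events if e["msgid"] == LOST_FAILOVER_COMMS]
    return (min(stamps), max(stamps)) if stamps else None


if __name__ == "__main__":
    evts = parse_asa_syslog(SAMPLE_LOG)
    for iface, info in failover_flap_summary(evts).items():
        print(iface, info)
    print("episode:", episode_bounds(evts))
```

Run it against a syslog export from the standby unit (one message per line in the format above) to see which interfaces flapped, how regular the interval was, and how long the episode lasted; a regular interval with every loss followed by a pass across all monitored interfaces is the signature to take to TAC together with the policy-map that was being applied.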
12-26-2024 12:53 AM
Hello,
Your issue with the ASA might be related to resource contention or configuration conflicts triggered by the policy-map. The recurring failover communication loss messages suggest instability, possibly due to a problem with the failover interface or the complex policy.
Check the failover interface and verify physical connectivity.
Run debug logs to capture more detailed information about what happens when the policy is added.
Simplify or remove the policy-map temporarily to see if it resolves the issue.
Ensure ASA software is up to date and check for any known bugs.
If this doesn’t help, consider opening a case with Cisco TAC for more targeted troubleshooting.