03-15-2012 05:37 AM - edited 03-11-2019 03:42 PM
Hello,
I am getting more and more of these logs, the message itself does not say much,
"reason - inspector disconnected" is not a reason in my opinion.
Looking at the output of "sh service-policy inspect esmtp"
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp _default_esmtp_map, packet 54698280, drop 2676, reset-drop 0
mask-banner, count 278499
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 760
match body line length gt 998
log, packet 4954
match header line length gt 998
drop-connection log, packet 380
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 144526
I am trying to find out why they get dropped.
I was wondering if someone can help me understand the meaning of each value?
I assume packet is the total number inspected and drop are the dropped ones.
But the addition of the values from the match commands does not add up to the top line.
Cheers,
Sami
03-23-2012 07:57 AM
Hi Sam,
The counters from the match lines aren't expected to add up to the aggregate count for the inspection. The match lines list the number of packets that have matched each of those criteria, while the top line is an aggregate count of the number of TCP/25 packets that have passed through the inspection engine.
In addition to the items listed in the match lines, the inspection also does basic ESMTP protocol enforcement. This means that things like invalid verbs or messages that don't conform to RFC will break when being inspected.
For more information on why the connection is being closed by the inspection, you can look at the output of 'debug esmtp 255'. Also, feel free to open a TAC case if the debug output isn't self-explanatory.
-Mike
03-29-2012 06:14 AM
Here is a detailed explanation on the counters and also how the esmtp inspection works.
To determine if there are devices on the network sending traffic that is not RFC compliant, we need a capture; however, the issue didn't re-appear.
The ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
About the values you get on the service policy:
They are counters for all the features the ESMTP is inspecting for you:
Mask-banner: enforces banner obfuscation.
Match cmd line length gt length: allows you to restrict the length of the command line.
Match cmd RCPT count gt count: allows you to restrict the number of recipient addresses.
Match body [line] length gt length: allows you to restrict the body length or body line length.
Match header [line] length gt length: allows you to restrict the header length or header line length.
Match sender-address length gt length: allows you to restrict the length of a sender's address.
Match mime filename length gt length: allows you to restrict the MIME filename length.
Match ehlo-reply-parameter extensions: allows you to set the ehlo-reply-parameters.
All of them are taking different aspects of the traffic on port 25 and inspecting specific aspects of it.
Each of them will apply an action as below:
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
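An added example, not code from the thread or from Cisco: a small Python parser for the counters quoted in the question, which keeps the engine-wide counters from the Inspect line separate from the per-match hit counts, reports which drop-connection match lines have actually fired, and computes the drops that no match line accounts for (the ones this thread attributes to basic protocol enforcement). The show output is embedded as constructed sample input; the function names are the example's own.

```python
import re
# Constructed sample: the "show service-policy inspect esmtp" counters quoted in the thread.
SAMPLE = """\
Inspect: esmtp _default_esmtp_map, packet 54698280, drop 2676, reset-drop 0
  mask-banner, count 278499
  match cmd line length gt 512
    drop-connection log, packet 0
  match cmd RCPT count gt 100
    drop-connection log, packet 760
  match body line length gt 998
    log, packet 4954
  match header line length gt 998
    drop-connection log, packet 380
  match sender-address length gt 320
    drop-connection log, packet 0
  match MIME filename length gt 255
    drop-connection log, packet 0
  match ehlo-reply-parameter others
    mask, packet 144526
"""

INSPECT_RE = re.compile(r"Inspect: esmtp (\S+), packet (\d+), drop (\d+), reset-drop (\d+)")
MATCH_RE = re.compile(r"^\s*match (.+?)\s*$")
ACTION_RE = re.compile(r"^\s*(mask-banner|(?:drop-connection|mask|log)(?: log)?), (?:packet|count) (\d+)")

def parse_esmtp_counters(text):
    """Return (aggregate, rules): engine-wide counters from the Inspect line, and one
    entry per match line (plus mask-banner) carrying its action and its own hit count."""
    aggregate, rules, pending = None, [], None
    for line in text.splitlines():
        if m := INSPECT_RE.search(line):
            keys = ("map", "packet", "drop", "reset-drop")
            aggregate = {k: (v if k == "map" else int(v)) for k, v in zip(keys, m.groups())}
        elif m := MATCH_RE.match(line):
            pending = m.group(1)  # the action and its counter follow on the next line
        elif m := ACTION_RE.match(line):
            rules.append({"match": pending or "banner", "action": m.group(1), "packet": int(m.group(2))})
            pending = None
    return aggregate, rules

def firing_drop_rules(rules):
    """Match lines that close the connection and have fired: the first place to look
    when the syslog only says 'inspector disconnected'."""
    return [r for r in rules if r["action"].startswith("drop-connection") and r["packet"] > 0]

def unattributed_drops(aggregate, rules):
    """Aggregate drops not covered by any drop-connection match line; the thread
    attributes these to the engine's basic ESMTP protocol (RFC) enforcement."""
    return aggregate["drop"] - sum(r["packet"] for r in firing_drop_rules(rules))
```

Run against the sample, the two firing rules are the RCPT count and header line length matches (760 and 380 packets), and 1536 of the 2676 aggregate drops are left to protocol enforcement, which is the gap the question noticed.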
03-29-2012 10:49 AM
Thanks for the clarification Jorge, I will keep monitoring the logs.