ASA 5506 Outbound SMTP over TLS failing

Steve Krantzman
Level 1

Just upgraded my 5505 to a new 5506. The network topography has not changed in any way, and all objects, NATs and ACLs on the 5506 match exactly those on the 5505. Everything is working as it should, except that I cannot scan to email from a Xerox copier on the inside to an outside Office365 SMTP server; it fails with the following error: "Error (017-714) : Smtp over ssl failed". If I swap devices back to the 5505, it works without a problem, which leads me to believe the problem lies with the 5506.

Attempted fixes that I have tried:

  • changing from port 25 to 587 on the device
  • configuring esmtp inspection to allow headers and allow-tls
  • turning off esmtp totally
  • stopping traffic from flowing through FirePOWER services

Using packet tracer from the device to the outside SMTP server shows success, and even if traffic flows through FirePOWER, all event entries show Allowed.


Not sure what to try next.  Any help would be greatly appreciated.

Steve

3 Replies

Ajay Saini
Level 7

Hi Steve,

The best way to troubleshoot this would be to take bidirectional captures on the ASA and see where this is failing. If you have tried keeping this traffic away from FirePOWER, then we need to focus on the ASA. I would suggest you continue with FirePOWER out of the picture and take captures.

Syslogs can also help on the ASA. Could you please provide the following info:

- Which port would be used for SMTP over SSL?

- Does it not connect at all, or does it disconnect after some time?

- Attach syslogs (level 6) for a start, and then you can take captures.

-AJ

AJ,

I have tried both port 25 and 587 based on Microsoft's documentation on connecting an MFC to Office 365. The process fails using either port.

I set up a packet capture between the Xerox and the Office 365 mail server. Turns out the ASA is allowing the packets through to the mail server. The client establishes its connection and initiates STARTTLS, followed by the Client Hello supplying 8 supported cipher suites. The server responds with the Server Hello and, using TLS 1.0, it chooses the first cipher suite in the client list (TLS_RSA_WITH_AES_256_CBC_SHA) and provides 2 certificates to the client. It is at this point that the client responds with:

Alert Message

Level: Fatal (2)

Description: Handshake Failure (40)

The process repeats itself several times before timing out with the error message above.

At this point I would start to think that the problem resides with the Xerox copier not being able to work with the certificates provided, except for the fact that the client and server have no problem completing the handshake when passing traffic through the ASA 5505. To me, this makes the problem even stranger.

Steve
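The capture analysis above boils down to reading the TLS records on the wire after STARTTLS and noting which message the client rejects. The following Python script is an added example (not code from the thread or from Cisco) that does exactly that over a byte stream exported from a capture: it walks the TLS record layer, reports the cipher suites the client offered, the version and suite the server picked, and any Alert record, and flags a fatal handshake_failure (40). The sample byte stream is constructed inline to mirror the exchange described in the post (eight offered suites with TLS_RSA_WITH_AES_256_CBC_SHA first, a TLS 1.0 Server Hello picking it, a Certificate message, then the client's fatal alert); the specific suite list and the empty certificate body are assumptions, not the Xerox's real values.

```python
"""Decode TLS records from a captured byte stream and flag handshake failures.

Added example for reading an SMTP STARTTLS capture; not part of the original thread.
"""
import struct

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11

# IANA cipher suite names for the values used in this example
CIPHER_NAMES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack_from("!BHH", data, off)
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, ver, payload
        off += 5 + length


def parse_client_hello(body):
    """Return the cipher suites offered; body starts after the 4-byte handshake header."""
    off = 2 + 32                      # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len                # skip session_id
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    return [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]


def parse_server_hello(body):
    """Return (server_version, chosen cipher suite)."""
    version = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32
    sid_len = body[off]
    off += 1 + sid_len
    return version, struct.unpack_from("!H", body, off)[0]


def summarize(data):
    """Turn a TLS record stream into a list of human-readable handshake events."""
    events = []
    for ctype, _ver, payload in iter_records(data):
        if ctype == CONTENT_ALERT and len(payload) >= 2:
            level, desc = payload[0], payload[1]
            events.append(("alert", "fatal" if level == 2 else "warning",
                           ALERT_NAMES.get(desc, str(desc)), desc))
        elif ctype == CONTENT_HANDSHAKE:
            off = 0
            while off + 4 <= len(payload):   # several handshake messages may share a record
                hs_type = payload[off]
                hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
                body = payload[off + 4:off + 4 + hs_len]
                if hs_type == HS_CLIENT_HELLO:
                    suites = parse_client_hello(body)
                    events.append(("client_hello", [CIPHER_NAMES.get(s, hex(s)) for s in suites]))
                elif hs_type == HS_SERVER_HELLO:
                    version, suite = parse_server_hello(body)
                    events.append(("server_hello", VERSION_NAMES.get(version, hex(version)),
                                   CIPHER_NAMES.get(suite, hex(suite))))
                else:
                    events.append(("handshake", hs_type))
                off += 4 + hs_len
    return events


def handshake_failed(events):
    """True if the stream contains a fatal handshake_failure (40) alert."""
    return any(e[0] == "alert" and e[1] == "fatal" and e[3] == 40 for e in events)


def _record(ctype, body, ver=0x0301):
    return struct.pack("!BHH", ctype, ver, len(body)) + body


def _handshake(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def build_sample_capture():
    """Constructed sample mirroring the thread's exchange; suite list and certs are assumed."""
    rnd = bytes(32)
    suites = [0x0035, 0x002F, 0xC014, 0xC013, 0x0039, 0x0033, 0x000A, 0x0005]
    client_hello = (struct.pack("!H", 0x0301) + rnd + b"\x00"
                    + struct.pack("!H", len(suites) * 2)
                    + b"".join(struct.pack("!H", s) for s in suites)
                    + b"\x01\x00" + b"\x00\x00")          # null compression, no extensions
    server_hello = struct.pack("!H", 0x0301) + rnd + b"\x00" + struct.pack("!H", 0x0035) + b"\x00"
    certificate = b"\x00\x00\x00"                          # empty certificate list (placeholder)
    alert = bytes([2, 40])                                 # fatal, handshake_failure
    return (_record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, client_hello))
            + _record(CONTENT_HANDSHAKE, _handshake(HS_SERVER_HELLO, server_hello))
            + _record(CONTENT_HANDSHAKE, _handshake(HS_CERTIFICATE, certificate))
            + _record(CONTENT_ALERT, alert))


if __name__ == "__main__":
    for event in summarize(build_sample_capture()):
        print(event)
```

To use it on a real capture, export the TCP payload of the SMTP session after the `220 ... Ready to start TLS` reply (for example with Wireshark's Follow TCP Stream, raw bytes) and feed those bytes to `summarize()`. Seeing the fatal alert arrive right after the Certificate message, as here, points at the client rejecting what the server sent rather than at a blocked connection, which is the distinction the capture in the thread makes.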

bump - anyone?
