ASA-5510 dropping outbound SMTP traffic

SamMooreIT
Level 1

Good morning.

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:

Your message did not reach some or all of the intended recipients.
Subject: RE: Christopher, Curt
Sent: 8/19/2011 9:38 AM
The following recipient(s) could not be reached:

JWillar@email.com on 8/21/2011 9:49 AM
  Could not deliver the message in the time limit specified. Please retry or contact your administrator.
  <630.SM.Local #4.4.7>


I've attached an image of my configuration (ASDM GUI). The parts of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of its position in the list. Not sure, though.

I have had two Cisco techs PuTTY into my ASA to check things out. I think they've done all they can. I wonder at this point if it would be wise to just reload the last good running-config I have from before the outbound rule was added. Thoughts and opinions on this are most welcome.

Thanks in advance.

Best regards,

Josh Dunbar

13 Replies

varrao
Level 10

Just try removing "inspect esmtp" and try again. If it is disabled, try enabling it and check.

Thanks,

Varun


Varun,

Inspect ESMTP was enabled; I disabled it yesterday, but am still receiving multiple NDR e-mails. Any other thoughts or fixes we can try?

Thanks Varun.

Best regards,

Josh Dunbar

If you disabled ESMTP inspection and are still seeing some issues, then it is worth checking other devices on the path besides the ASA, maybe the client itself.

When inspection is disabled, the ASA will not read any layer 7 information from the packet; it will act on layers 3 and 4 only.

Do you see any drops on the ASA for the ESMTP session?

cheers.

SamMooreIT
Level 1

Mohammed,

We have almost 100 people emailing from the inside of this firewall, and all have reported dropped emails. It's certainly not a client issue.

To answer your question, one thing I am seeing in the ASA syslog are numerous "scanning: drop rate exceeded" messages. Could those point to the root cause?

Sent from Cisco Technical Support iPhone App

It can be an issue. Would you please take the output of show shun? And also show service-policy?

Mike

Mike,

Could you provide the exact command line(s) to provide you the output you're inquiring about?

Thank you,

Josh Dunbar

Those are the lines that I need,

ciscoasa# show service-policy

ciscoasa# show shun

Cheers,

Mike

Maykol,

See the attached two images for command output. Thanks for your help.

Best regards,

Josh

Show service-policy (below):

show shun came back with a blank prompt...

Are all of the outbound mails failing? Or just for specific domains?

Mike

Not all outbound are failing, but most are. I'd say 80% or better are coming back with a timeout error. Mostly, they look like this:

####################################################################
# THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. #
####################################################################

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

You said that you work with some Cisco techs; are they from Cisco TAC? Do you have a TAC case number? Have captures been made?

Mike

Yes, they are from Cisco TAC: SR 618668809

Hi Josh.

Focus on one client and obtain the following captures:

captures on the inside interface.

capture on the outside interface.

asp drop captures:

cap asp-drop type asp-drop all

Compare the captures and see if any packet belonging to this session appears in the asp-drop capture, which means that packet has been dropped by the ASA.

Back to the outbound rule you added: what is this rule?

Take captures on the client interface using Wireshark and check for any errors.

cheers.
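One way to do the comparison described in this reply (an added example, not code from the thread or from Cisco): it assumes the inside and asp-drop captures have been saved as text in a simplified "show capture" line format, and the sample packets and drop reason below are constructed for illustration.

```python
import re

# Parser for lines in the style of ASA "show capture <name>" output.
# The line format is simplified and the packets below are constructed for this example.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
REASON_RE = re.compile(r"Drop-reason:\s+\((?P<reason>[^)]+)\)")

def parse_capture(text):
    """Return [(flow, detail)] where flow = (src, sport, dst, dport)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            packets.append((flow, m["rest"].strip()))
    return packets

def dropped_smtp_packets(inside_text, asp_text, client_ip):
    """Packets of the client's SMTP sessions (dst port 25) seen on the inside
    interface that also appear in the asp-drop capture, with the ASA drop reason."""
    smtp_flows = {flow for flow, _ in parse_capture(inside_text)
                  if flow[0] == client_ip and flow[3] == 25}
    hits = []
    for flow, detail in parse_capture(asp_text):
        if flow in smtp_flows:
            m = REASON_RE.search(detail)
            hits.append((flow, m["reason"] if m else "unknown"))
    return hits

# Constructed sample captures: one client (192.168.1.20) retrying a SYN to an external MX.
INSIDE_CAP = """\
   1: 09:38:01.100000 192.168.1.20.49152 > 203.0.113.25.25: S 1000:1000(0) win 8192
   2: 09:38:01.200000 192.168.1.20.49153 > 198.51.100.7.80: S 2000:2000(0) win 8192
   3: 09:38:04.100000 192.168.1.20.49152 > 203.0.113.25.25: S 1000:1000(0) win 8192
"""
ASP_DROP_CAP = """\
   1: 09:38:01.100100 192.168.1.20.49152 > 203.0.113.25.25: S 1000:1000(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for flow, reason in dropped_smtp_packets(INSIDE_CAP, ASP_DROP_CAP, "192.168.1.20"):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} dropped by ASA: {reason}")
```

A flow that shows up in the inside capture and in asp-drop but never on the outside interface is the one to take back to TAC, together with the drop reason string.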
