04-18-2013 08:41 AM - edited 03-12-2019 06:05 PM
Hello, I have an ASA 5520 with Cisco Adaptive Security Appliance Software Version 8.2(5)41 (latest 8.2 interim).
I found that one SMTP server (on the customer side) can't send mail to our SMTP server via the ASA.
In the logs I see the following:
Apr 18 2013 19:27:29 asa5520 : %ASA-7-609001: Built local-host outside:80.66.94.202
Apr 18 2013 19:27:29 asa5520 : %ASA-6-302013: Built inbound TCP connection 183339271 for outside:80.66.94.202/25437 (80.66.94.202/25437) to inside:91.223.93.133/25 (91.223.93.133/25)
Apr 18 2013 19:27:30 asa5520 : %ASA-4-507003: tcp flow from outside:80.66.94.202/25437 to inside:91.223.93.133/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Apr 18 2013 19:27:30 asa5520 : %ASA-6-302014: Teardown TCP connection 183339271 for outside:80.66.94.202/25437 to inside:91.223.93.133/25 duration 0:00:00 bytes 311 Flow closed by inspection
Apr 18 2013 19:27:30 asa5520 : %ASA-7-609002: Teardown local-host outside:80.66.94.202 duration 0:00:00
Apr 18 2013 19:27:30 asa5520 : %ASA-7-609001: Built local-host outside:80.66.94.202
Apr 18 2013 19:27:30 asa5520 : %ASA-6-106015: Deny TCP (no connection) from 80.66.94.202/25437 to 91.223.93.133/25 flags ACK on interface outside
No reason is given for why the inspection engine dropped it. If I disable inspect esmtp, everything works fine.
I tried to capture asp-drops, but there is no information there.
I tried debug esmtp 255, but without a proper decoder it's useless.
I tried capturing traffic from the interface, but I can't say what exactly is wrong or how to tune the ASA settings for this.
I looked over TAC bugs with no luck.
My policy map for esmtp:
policy-map type inspect esmtp custom_esmtp_map
 parameters
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
Well, the question is how to understand the reason for the drop? The workaround is to disable inspect esmtp.
Please, help :-)
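One way to narrow the drop down before resorting to debug esmtp 255 is to replay the client side of a captured SMTP session against the five explicit match lines of the policy-map quoted above. The checker below is an added example written for this thread, not ASA code or anything from the original post; it mirrors only the explicit thresholds and actions in custom_esmtp_map, so it cannot reproduce the ASA's built-in RFC enforcement or the ehlo-reply-parameter mask (both of which could also cause a termination). The sample session, the helper names (check_session, verdict) and the assumptions that line lengths are counted without CRLF and that a MIME filename is whatever follows filename= or name= in a body line are all mine.

```python
"""Replay the client side of an SMTP session against the explicit match
lines of custom_esmtp_map (from the thread).  Added example, not ASA code:
it does not model the ASA's built-in RFC enforcement or the EHLO mask."""
import re

# Thresholds and actions copied from the policy-map in the post.
RULES = {
    "cmd_line_length": (512, "drop-connection"),
    "rcpt_count": (100, "drop-connection"),
    "body_line_length": (998, "log"),
    "sender_address_length": (320, "drop-connection"),
    "mime_filename_length": (255, "drop-connection"),
}

# Assumption: a MIME filename is the value of filename= or name= on a body
# line (Content-Disposition / Content-Type headers); plain text containing
# "name=" would be a false positive.
_FILENAME_RE = re.compile(r'(?:filename|name)\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)
_MAIL_FROM_RE = re.compile(r'^MAIL\s+FROM:\s*<?([^>\s]*)>?', re.IGNORECASE)


def check_session(client_lines):
    """Return [(rule, observed_value, action), ...] for every policy-map
    match the client side of the session would trigger.

    client_lines: the client's lines in order, without CRLF (assumption:
    lengths are counted without the terminator).  Everything between DATA
    and the lone '.' is treated as message body."""
    findings = []
    in_body = False
    rcpt_count = 0
    for line in client_lines:
        if in_body:
            if line == ".":
                in_body = False
                continue
            limit, action = RULES["body_line_length"]
            if len(line) > limit:
                findings.append(("body_line_length", len(line), action))
            m = _FILENAME_RE.search(line)
            if m:
                limit, action = RULES["mime_filename_length"]
                if len(m.group(1)) > limit:
                    findings.append(("mime_filename_length", len(m.group(1)), action))
            continue

        # Command phase.
        limit, action = RULES["cmd_line_length"]
        if len(line) > limit:
            findings.append(("cmd_line_length", len(line), action))
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "RCPT":
            rcpt_count += 1
            limit, action = RULES["rcpt_count"]
            if rcpt_count == limit + 1:  # report once, when the count crosses the limit
                findings.append(("rcpt_count", rcpt_count, action))
        elif verb == "MAIL":
            m = _MAIL_FROM_RE.match(line)
            if m:
                limit, action = RULES["sender_address_length"]
                if len(m.group(1)) > limit:
                    findings.append(("sender_address_length", len(m.group(1)), action))
        elif verb == "DATA":
            in_body = True
    return findings


def verdict(findings):
    """Worst action across the findings: 'drop-connection', 'log', or None."""
    actions = {action for _, _, action in findings}
    if "drop-connection" in actions:
        return "drop-connection"
    if "log" in actions:
        return "log"
    return None


# Constructed sample session: over-long reverse-path (drop) and one
# over-long body line (log only).  Not a capture from the thread.
SAMPLE_SESSION = [
    "EHLO mx.example.org",
    "MAIL FROM:<" + "a" * 330 + "@example.org>",
    "RCPT TO:<postmaster@example.net>",
    "DATA",
    "From: sender@example.org",
    "Subject: test",
    "",
    "x" * 1000,
    ".",
    "QUIT",
]

CLEAN_SESSION = [
    "EHLO mx.example.org",
    "MAIL FROM:<sender@example.org>",
    "RCPT TO:<postmaster@example.net>",
    "DATA",
    "Subject: test",
    "",
    "hello",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for rule, value, action in check_session(SAMPLE_SESSION):
        print(f"{rule}: observed {value} -> {action}")
    print("verdict:", verdict(check_session(SAMPLE_SESSION)))
```

Feed it the client lines reassembled from a capture on the outside interface (follow the TCP stream and keep only the client direction). If it returns nothing but the ASA still logs 507003, the cause lies outside these explicit matches, and the debug output or a TAC case is the next step.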
04-18-2013 09:54 AM
Hello Andrej,
Well, you have played with your SMTP policy, so any SMTP connection that does not conform to the policies you have set and the RFC (as we do an enforcement here)
So my recommendation is to:
do a debug esmtp 255
I know the debug output is not that clear, so you can open a TAC case with us for that.