3112 Views | 0 Helpful | 5 Replies

Is there a simple way to see/log drops due to inspection?

ekobrinsky
Level 1

ASA 5520 running 8.4.5:

We had an issue with a remote SMTP connection getting screwed up as a result of ESMTP inspect.

It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really threw me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMTP inspect, packet too big).

My question to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.

Is there a simpler solution? And if not, how can I submit a feature request to have that function? Seems like something that would be useful for a lot of customers, not just me.

Eugene

5 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you share the logging configuration you have so far?

I would use an ASP capture to determine whether the ASA is the issue or not (this capture will let you know all of the packets being dropped by the ASA).

example

capture test type asp-drop all circular-buffer

Then you could look for the SMTP traffic

show cap test | include x.x.x.x (IP address of the SMTP server)

Why don't you send the log messages to a syslog server (a dedicated one) and then you can filter based on the port, IP, etc. If you do this you could enable debugging level for the traps being sent to the syslog server and analyze all of the logs.

I have seen cases with this particular query; if you want to open an enhancement request you should contact your account manager.

If you do not have any other question please mark the question as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
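The syslog-server approach Julio describes (forward traps at debugging level to a dedicated collector, then filter on host and port) can be sketched as a small parser. The code below is an added example, not Julio's or Cisco's code: it parses the standard ASA syslog header (%ASA-severity-messageid), applies the same severity threshold that the `logging trap` keywords use, and filters for a given mail server address and port. The sample lines are constructed; 106023, 302013 and 302014 are real ASA message IDs, while 999999 is a labelled placeholder standing in for whatever message an inspection drop might emit, since the thread does not identify one.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog lines (not from the thread or a real device).
# 106023 (ACL deny), 302013/302014 (connection built/teardown) are real message IDs.
# 999999 is a PLACEHOLDER for an inspection-related message, logged here at
# informational severity (6) to illustrate why a "warnings" trap level would hide it.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.0.2.25/25 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/40512 (198.51.100.9/40512) to inside:192.0.2.25/25 (192.0.2.25/25)
%ASA-6-999999: CONSTRUCTED placeholder: inspection drop from outside:198.51.100.9/40512 to inside:192.0.2.25/25
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.9/40512 to inside:192.0.2.25/25 duration 0:00:02 bytes 812 TCP Reset-O
%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.9/40600 (198.51.100.9/40600) to inside:192.0.2.80/443 (192.0.2.80/443)
"""

# 'logging trap <keyword>' forwards every message whose severity is <= this number
# (ASA severity 0 is most severe, 7 is debugging).
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# interface:ip/port tokens as they appear in ASA deny and connection messages
ENDPOINT_RE = re.compile(r"\b[\w-]+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line):
    """Return severity, message ID, text and the endpoints named in the message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    endpoints = ENDPOINT_RE.findall(m.group("text"))
    return {
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
        "ips": {ip for ip, _ in endpoints},
        "ports": {int(p) for _, p in endpoints},
    }


def passes_trap(event, level_keyword):
    """True if a device configured with 'logging trap <level_keyword>' would send this event."""
    return event["severity"] <= TRAP_LEVELS[level_keyword]


def filter_events(log_text, trap_level="warnings", host=None, port=None):
    """Keep events that pass the trap level and mention the given host/port."""
    kept = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not passes_trap(ev, trap_level):
            continue
        if host is not None and host not in ev["ips"]:
            continue
        if port is not None and port not in ev["ports"]:
            continue
        kept.append(ev)
    return kept


def msgid_histogram(events):
    """Count events per message ID; unfamiliar IDs clustered around a failing flow are leads."""
    return Counter(ev["msgid"] for ev in events)


if __name__ == "__main__":
    # At the default-style "warnings" threshold only the ACL deny is visible.
    print(msgid_histogram(filter_events(SAMPLE_LOG, "warnings")))
    # At "debugging" the whole SMTP flow to the mail server shows up, placeholder included.
    print(msgid_histogram(filter_events(SAMPLE_LOG, "debugging", host="192.0.2.25", port=25)))
```

Comparing the two histograms is the practical check: if the flow to the mail server appears only at the debugging threshold, the device is seeing and acting on the traffic, but nothing at warning severity or above is being emitted about it.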

Thanks for your response jcarvaja.

As you said, there are different ways to track down the issue, and that wasn't why I actually opened my case with TAC. My concern was that I wasted a ton of time diagnosing when it should have been easy to see the inspection drops happening in the log with a default setup on the ASA (just like you can see the ACL drops by default).

I'm glad to hear, and not surprised, that you have seen other users mention this issue. I buy my Smartnets and equipment through CDW, a large equipment seller, so I don't really have a partner relationship to go through to submit this feature request. Is there an alternative route? Please help.

Eugene

This will teach everyone a lesson to turn OFF smtp inspection on the ASA. There are so many issues with this feature on the ASA that it is not funny. Check the Cisco bug toolkit. There must be at least 25 bugs related to inspect smtp on the ASA/FWSM. Work-around: disable smtp inspect

Agreed, that has always been my solution.

However, it makes me concerned about how effective other inspect rules are as well, and if they are subtly affecting my traffic performance. This is where an inspection drop logging would be really useful. It would tell you the effectiveness of the rules as well as hint at any possible obstructions inspections might be creating.

If you want a firewall that will offer better troubleshooting techniques on these kinds of issues, you should look at other firewalls besides Cisco.

The other problem with ASA is the inspect sqlnet. I've run into numerous issues with sqlnet connections going across the firewall where the only solution is to disable sqlnet inspection. If you look in the Cisco bug toolkit, the work-around is always: "disable sqlnet inspection"
