09-29-2010 03:33 AM - edited 03-04-2019 09:56 AM
We have a Cisco 2800 router that we are having problems getting e-mail messages through that are above 4MB. Emails are fine coming in, and I have checked the Exchange 2003 settings; the report is that the connection was dropped by the remote host. Any mails below this limit to the same recipient go through fine. The router was configured by someone else, and I want to know if anyone can point me in the right direction. The connection seems to get dropped and then it starts retransmitting the message again. This problem is driving me insane, so if anyone out here can give me a few pointers, I am no CCNE, so I am grateful for help on this.
Thanks in advance
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 20000
class-map type inspect http match-any sdm-app-nonascii
match req-resp header regex sdm-regex-nonascii
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-any https
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map https
match access-group name httpsin
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any smtp
match protocol http
match protocol smtp
match protocol https
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any email
match protocol smtp
match protocol imap
match protocol pop3
match protocol pop3s
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map email
match access-group name email
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map smtp
match access-group name smtp
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
policy-map type inspect sdm-permit-icmpreply
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-cls-sdm-inspect-1
pass
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
class type inspect sdm-protocol-smtp
inspect
service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
drop log
class type inspect sdm-insp-traffic
inspect
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-app-nonascii
log
reset
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
09-29-2010 04:09 AM
Hello Darren,
When you say this:
"Any mails below this limit to the same recipient go through fine"
What is the limit under 4MB which worked for you?
Now, if we analyze your config, we are interested in this part:
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 20000
This class-map will inspect SMTP which has the data-length larger than 20000 bytes. This value is the maximum number of bytes (data) that can be transferred in a single SMTP session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. The default is 20.
Next you have this here:
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
Which means, that if any packets are matched in the class sdm-app-smtp, this policy-map will send a "reset" to this connection.
That value, 20000 bytes, is approx. 20 KB, and is way less than your 4MB attachment; that's why I've asked which is the largest attachment that you can send in your e-mail but still be under 4MB.
As a solution, to see if it works, I would recommend either a larger value than 20000 (try 10000000, which is approx. 10MB), or taking out the "reset" option from the policy-map for testing.
Let me know if these make sense for you or if you need more details.
Cheers,
Calin
09-29-2010 06:58 AM
Hi chiorean,
Thanks for your help. I did reply but have found it didn't make its way to the forum. The value was set to 20000000, so this doesn't seem to be the problem, but I do think you're on the right track with the reset. Can you tell me how I switch off the resets? What would be the exact command for this, as I have tried to switch off without success? My main concern is to get the mail being allowed to send >4MB files without dropping the connection. Any help is massively appreciated.
Many thanks to anyone who can help
class type inspect sdm-nat-smtp-1
inspect
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
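The exact CLI for the two changes Calin proposes, written as an added example and not taken from any post in this thread: raise the SMTP data-length threshold on the class-map the router's config shows, and swap the reset action for a log-only action so an oversized session is recorded in syslog instead of being torn down. It assumes the class-map, policy-map and zone-pair names from the posted config and that this IOS release accepts the `log` action under a layer 7 SMTP class; the threshold value is illustrative.

```text
! Change 1: raise the per-session SMTP data threshold. The value is illustrative;
! it must sit comfortably above the message as sent on the wire, and a 4 MB
! attachment grows to roughly 5.4 MB once base64-encoded.
configure terminal
class-map type inspect smtp match-any sdm-app-smtp
 no match data-length gt 20000
 match data-length gt 20000000
 exit
! Change 2: stop resetting the session when the class matches; keep a log
! entry so the condition remains visible while mail is allowed through.
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  no reset
  log
 exit
 exit
end
! Verify: the SMTP policy should now list only "log" under sdm-app-smtp, and
! the in-to-out zone pair is where sdm-inspect (and so sdm-action-smtp) applies.
show running-config | section policy-map type inspect smtp
show policy-map type inspect zone-pair sdm-zp-in-out
```

Re-send a message larger than 4 MB after the change; a session that still drops points at something other than this SMTP class, since the only action left on it is a log entry.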