ASA5505 is blocking outgoing SMTP

Discussion in 'Cisco' started by Steffen Mauch, Aug 4, 2009.

  1. Hello,

    I've got a problem with Cisco's ASA5505. We have several of them in use and
    all share the same problem. When the ASA is rebooted, we can only send
    several test mails (4-6) until the box blocks new outgoing
    SMTP connections. While the "good" connections correctly show the src and
    dst IP address and also the port 25 (in ASDM), the blocked tries are missing
    this information (e.g.):

    3|Aug 03 2009|17:09:29|201008|||||Disallowing new connections.
    3|Aug 03 2009|17:09:23|201008|||||Disallowing new connections.
    3|Aug 03 2009|17:09:17|201008|||||Disallowing new connections.
    3|Aug 03 2009|17:09:11|201008|||||Disallowing new connections.

    I've only 2 choices to fix (temporarily) this problem:
    1. reboot the ASA
    2. turn off logging (<- found as a solution by googling the internet, but
    it doesn't fully fix the problem)

    After a few successful tries the ASA blocks again with the same message. I've
    already disabled "Basic Threat Detection" in the firewall settings. No
    improvement.

    An export of the access rules:

    "Interface","#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description"
    "[email protected]","1","True","inside-network/24","any","tcp/http","Permit","0","Default","",""
    "[email protected]","2","True","inside-network/24","any","tcp/https","Permit","0","Default","",""
    "[email protected]","3","True","inside-network/24","any","tcp/123","Permit","0","Default","",""
    "[email protected]","4","True","inside-network/24","any","tcp/domain","Permit","0","Default","",""
    "[email protected]","5","True","inside-network/24","any","tcp/ssh","Permit","0","Default","",""
    "[email protected]","6","True","inside-network/24","any","tcp/telnet","Permit","0","Default","",""
    "[email protected]","7","True","inside-network/24","any","ping_out","Permit","0","Default","",""
    "[email protected]","8","True","192.168.199.221","any","tcp/smtp","Permit","0","Default","",""
    "[email protected]","9","True","inside-network/24","any","udp/domain","Permit","0","Default","",""
    "[email protected]","10","","any","any","ip","Deny","","Default","","Implicit rule"
    "[email protected]","1","True","inside-network/24","inside-network/24","ping_out","Permit","0","Default","",""
    "[email protected]","2","","any","any","ip","Deny","","Default","","Implicit rule"

    Any ideas what I could do to stop this behavior?

    Some information of the ASAs:


    Result of the command: "show version"

    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.1(5)57

    Compiled on Thu 07-Aug-08 20:53 by builders
    System image file is "disk0:/asa804-k8.bin"
    Config file at boot was "startup-config"

    BVH060269 up 16 hours 43 mins

    Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision
    0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0 : address is 0024.1488.12d1, irq 11
    1: Ext: Ethernet0/0 : address is 0024.1488.12c9, irq 255
    2: Ext: Ethernet0/1 : address is 0024.1488.12ca, irq 255
    3: Ext: Ethernet0/2 : address is 0024.1488.12cb, irq 255
    4: Ext: Ethernet0/3 : address is 0024.1488.12cc, irq 255
    5: Ext: Ethernet0/4 : address is 0024.1488.12cd, irq 255
    6: Ext: Ethernet0/5 : address is 0024.1488.12ce, irq 255
    7: Ext: Ethernet0/6 : address is 0024.1488.12cf, irq 255
    8: Ext: Ethernet0/7 : address is 0024.1488.12d0, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    AnyConnect for Mobile : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions : 2

    This platform has a Base license.

    Serial Number: (deleted by poster)
    Running Activation Key: 0xde0fc55b 0x3c0bdd30 0x20920d90 0xbf782840
    0x822d0394
    Configuration register is 0x1
    Configuration has not been modified since last system restart.



    Thank you for any help
     
    Steffen Mauch, Aug 4, 2009
    #1
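    The access-rule export above is the first thing a reader will check, so here is an added example (not code from the thread) that loads that export and evaluates candidate flows against it the way the ASA does: top down, first match wins, implicit deny at the end. Only the first interface's rules are included, and the wrapped "Implicit rule" row is rejoined. Three things are assumptions, not facts from the page: the interface is called "inside", the object "inside-network/24" is 192.168.199.0/24 (chosen because the one host rule is 192.168.199.221), and the custom service "ping_out" is ICMP.

    ```python
    """Evaluate the ASDM access-rule export from the post against candidate flows.

    Added example; not part of the thread. ASA access lists are evaluated top
    down and the first matching rule decides, with an implicit deny-all at the
    end. Interface name, the inside-network object's prefix and the meaning of
    the custom "ping_out" service are assumptions (see below).
    """
    import csv
    import io
    import ipaddress

    # The export from the post, first interface only; interface name "inside" is assumed.
    ACL_EXPORT = """\
    "Interface","#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description"
    "inside","1","True","inside-network/24","any","tcp/http","Permit","0","Default","",""
    "inside","2","True","inside-network/24","any","tcp/https","Permit","0","Default","",""
    "inside","3","True","inside-network/24","any","tcp/123","Permit","0","Default","",""
    "inside","4","True","inside-network/24","any","tcp/domain","Permit","0","Default","",""
    "inside","5","True","inside-network/24","any","tcp/ssh","Permit","0","Default","",""
    "inside","6","True","inside-network/24","any","tcp/telnet","Permit","0","Default","",""
    "inside","7","True","inside-network/24","any","ping_out","Permit","0","Default","",""
    "inside","8","True","192.168.199.221","any","tcp/smtp","Permit","0","Default","",""
    "inside","9","True","inside-network/24","any","udp/domain","Permit","0","Default","",""
    "inside","10","","any","any","ip","Deny","","Default","","Implicit rule"
    """

    OBJECTS = {"inside-network/24": "192.168.199.0/24"}   # assumed prefix, not on the page
    PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "ssh": 22, "telnet": 23, "smtp": 25}
    CUSTOM_SERVICES = {"ping_out": ("icmp", None)}       # assumed: custom ICMP service object


    def parse_service(svc):
        """Return (protocol, port-or-None) for an ASDM service column value."""
        if svc in CUSTOM_SERVICES:
            return CUSTOM_SERVICES[svc]
        if svc == "ip":
            return ("ip", None)
        proto, _, port = svc.partition("/")
        return (proto, int(port) if port.isdigit() else PORT_NAMES[port])


    def parse_network(spec):
        """Return an ip_network, or None for 'any'. Object names are resolved via OBJECTS."""
        spec = OBJECTS.get(spec, spec)
        if spec == "any":
            return None
        return ipaddress.ip_network(spec, strict=False)   # a bare host becomes a /32


    def load_rules(text):
        """Parse the CSV export into ordered rule dicts, skipping explicitly disabled rows."""
        rules = []
        for row in csv.DictReader(io.StringIO(text)):
            if row["Enabled"] == "False":          # the implicit rule has "" here, so it is kept
                continue
            rules.append({
                "n": int(row["#"]),
                "src": parse_network(row["Source"]),
                "dst": parse_network(row["Destination"]),
                "svc": parse_service(row["Service"]),
                "action": row["Action"],
                "desc": row["Description"],
            })
        return rules


    def evaluate(rules, src, dst, proto, port=None):
        """First-match evaluation: return (rule number, action) for the flow."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in rules:
            if r["src"] is not None and s not in r["src"]:
                continue
            if r["dst"] is not None and d not in r["dst"]:
                continue
            rule_proto, rule_port = r["svc"]
            if rule_proto != "ip" and rule_proto != proto:
                continue
            if rule_port is not None and rule_port != port:
                continue
            return r["n"], r["action"]
        return None, "Deny"   # not reached here because the export carries the implicit rule


    RULES = load_rules(ACL_EXPORT)

    if __name__ == "__main__":
        # 203.0.113.25 is a documentation address standing in for the mail server.
        for flow in [("192.168.199.221", "203.0.113.25", "tcp", 25),
                     ("192.168.199.50", "203.0.113.25", "tcp", 25),
                     ("192.168.199.50", "203.0.113.25", "udp", 123)]:
            print(flow, "->", evaluate(RULES, *flow))
    ```

    Two things the evaluation makes visible: only 192.168.199.221 is allowed to open tcp/25, so the sending host's address has to be exactly that one, and rule 3 permits tcp/123, not udp/123, so NTP from the inside network would fall through to the implicit deny. Neither is necessarily related to the symptom in the post: an ACL deny is logged per flow (message 106023, with source and destination), whereas the 201008 lines quoted above carry no addresses at all.
    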

  2. jrguent Guest

    Hello,

    In your configuration, Under the policy-map global_policy
    do you have "inspect esmtp" or "inspect smtp" in your
    configuration?

    Regards
     
    jrguent, Aug 4, 2009
    #2

  3. Hello,

    this is my config:

    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !

    As you can see, there is an "inspect esmtp". Is this my problem? If yes,
    how do I disable this inspection, which seems not to work too well in my
    special case?

    Thank you for Your help!

    Regards
    Steffen
     
    Steffen Mauch, Aug 5, 2009
    #3
  4. jrguent Guest

    Hello,

    It is possible that this esmtp inspection is related to this problem.
    I suggest disabling it and then see if the problem is resolved.
    Interesting, I was working with a test ASA running 8.0(4) code and
    tried to remove the inspection while using an SSH management
    connection to the firewall. I could not figure out how to disable it
    via the CLI. However, using ASDM I found how to disable it. Go to
    Configuration>Firewall>Service Policy Rules> Highlight
    "inspection_default" row, then select edit; Go to "Rule Actions" tab,
    and you will see ESMTP box checked as it is one of the inspections
    enabled by default in a beginning configuration. Just uncheck this
    box to disable it and apply the rule changes.

    Regards.
     
    jrguent, Aug 5, 2009
    #4
  5. Hello,

    thank you for your idiot-proof explanation of how to disable this "feature"! I
    will try the setting on my ASAs at once.

    Regards
    Steffen
     
    Steffen Mauch, Aug 6, 2009
    #5
  6. Hi again,

    I did the settings from jrguent but they seem not to fix the problem.
    Perhaps I haven't told all the necessary information, so I'll try to tell you
    everything that could be useful:

    1. The device which tries to send the mails is an industrial PC (IPC)
    running Windows CE 6.0. The IPC is from Beckhoff and is called CX1020. The
    application which sends the mails is written in CodeSys(?) with the IDE
    TwinCAT. The IPC has a fixed IP address (no DHCP). It is able to resolve the
    mail server's name to its IP address.

    2. Threat detection in the ASA is disabled, but it doesn't resolve the
    problem.

    3. After a restart of the box, some mails go through it without problems.
    At some point it stops working with the mentioned rows in the logging window:
    "Disallowing new connections." Because I don't know when this occurs I
    haven't seen the "beginning" of the problem yet, but I don't think the IPC
    is able to send a lot of mails in a short time (like a "DoS" attack). When
    the "Disallowing new connections." occurs I can switch logging off and then
    all mails are able to pass the ASA until the problem occurs again. Usually
    I can enable logging again and disable it again to "fix" it again,
    temporarily. Because the mails are generated automatically, they all look
    similar (in the mails are statistics or error messages, but the envelope of
    the mails should be always correct or always wrong).

    I'm no Cisco specialist. We chose the ASA because it was recommended to us by
    the first Cisco Partner. But after we agreed, he couldn't implement all
    features. So we went to the next Cisco Partner (don't remember whether they
    were all gold or whatever). The quality of his work wasn't acceptable. To keep
    the story short: now we have the fourth partner (Cisco Select certified,
    don't know what it stands for). He is the best of the four but seems not to
    be able to find the mail problem :-(. Today we know most of the weaknesses of
    the ASA (and for our application it has a lot of them, e.g. no support for
    SMTP AUTH for mailing syslogs, the auto-update feature does only HTTP 1.0, so no
    chance to use virtual hosting .....).

    We have invested a lot of time (and money) but today (over 1 year later!) we
    haven't reached the goal. The mail functionality is essential for the
    project, and because of the long time the problem couldn't be resolved, I
    don't believe the ASA can do this in our (special?) case.

    Hope anyone has an idea for our problem.

    Regards
    Steffen
     
    Steffen Mauch, Sep 16, 2009
    #6
  7. Brian V Guest

    Are you sure you're not running into a licensing limitation or connections
    limitation on the firewall? Post the following:

    show local-host (just the first couple of lines are OK)
    show conn (just the first line is fine)
    show xlate (first line again is fine)
    show version

    You can also try turning off esmtp inspection. If it's using the default
    settings type:

    policy-map global_policy
     class inspection_default
      no inspect esmtp

    -Brian
     
    Brian V, Sep 16, 2009
    #7
  8. Hi Brian,

    thank you for your reply. Here is the information you asked for. Because
    I'm not very good at using the console I used your commands in the "Command
    Line Interface" in ASDM. Hope the results are the same.
    Result of the command: "show local-host"

    Detected interface 'outside' as the Internet interface. Host limit applies
    to all other interfaces.
    Current host count: 0, towards licensed host limit of: 10

    Interface outside: 3 active, 9 maximum active, 0 denied
    Interface inside: 0 active, 3 maximum active, 0 denied
    Interface _internal_loopback: 0 active, 0 maximum active, 0 denied

    Result of the command: "show conn"

    4 in use, 14 most used

    Result of the command: "show xlate"

    0 in use, 2 most used

    Result of the command: "show version"

    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.1(5)57

    Compiled on Thu 07-Aug-08 20:53 by builders
    System image file is "disk0:/asa804-k8.bin"
    Config file at boot was "startup-config"

    BVH060492 up 17 hours 59 mins

    Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision
    0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0 : address is 0024.1488.0595, irq 11
    1: Ext: Ethernet0/0 : address is 0024.1488.058d, irq 255
    2: Ext: Ethernet0/1 : address is 0024.1488.058e, irq 255
    3: Ext: Ethernet0/2 : address is 0024.1488.058f, irq 255
    4: Ext: Ethernet0/3 : address is 0024.1488.0590, irq 255
    5: Ext: Ethernet0/4 : address is 0024.1488.0591, irq 255
    6: Ext: Ethernet0/5 : address is 0024.1488.0592, irq 255
    7: Ext: Ethernet0/6 : address is 0024.1488.0593, irq 255
    8: Ext: Ethernet0/7 : address is 0024.1488.0594, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    AnyConnect for Mobile : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions : 2

    This platform has a Base license.

    Serial Number: JMX1251Z1MJ
    Running Activation Key: 0x4024dc58 0xb42aedc2 0xb4819dc4 0x8480cc00
    0x853539ab
    Configuration register is 0x1
    Configuration last modified by admin at 18:28:29.598 CEDT Wed Sep 16 2009

    Is this the same procedure as described by jrguent in his post from
    05.08.2009 17:19?

    One point: we will update to the latest ASA-Version in the next few days.

    Regards
    Steffen
     
    Steffen Mauch, Sep 17, 2009
    #8
  9. Techno_Guy Guest

    I think Brian is on the right track with the licensing.

    when you ran "show local-host" was the outbound smtp traffic being
    blocked?

    You have a "base license" which only allows 10 connections. I am
    thinking you need to upgrade your licensing.
     
    Techno_Guy, Sep 18, 2009
    #9
  10. Techno_Guy Guest

    I don't want to assume anything here, so I will ask if any of the below
    pertains to your config:

    Explanation: This message appears when you have enabled TCP system log
    messaging and the syslog server cannot be reached, or when using
    security appliance Syslog Server (PFSS) and the disk on the Windows NT
    system is full, or when the auto-update timeout is configured and the
    auto-update server is not reachable. Recommended Action: Disable TCP
    system log messaging. If using PFSS, free up space on the Windows NT
    system where PFSS resides. Also, make sure that the syslog host is up
    and you can ping the host from the security appliance console. Then
    restart TCP system message logging to allow traffic. If the Auto
    Update Server has not been contacted for a certain period of time, the
    following command will cause it to cease sending packets: [no] auto-update
    timeout period.
     
    Techno_Guy, Sep 18, 2009
    #10
  11. Techno_Guy Guest

    Are you using TCP syslogging? If so, why? That is a lot of overhead to
    carry.

    Here is some more info on using tcp syslogging.
    http://www.clearnetsec.com/2007/08/23/tech-note-on-syslog-tcp-and-cisco-asa-pix
     
    Techno_Guy, Sep 18, 2009
    #11
  12. Techno_Guy Guest

    Look for these errors:

    %PIX-3-201008
    The PIX is disallowing new connections.

    %PIX-3-201009
    TCP connection limit of number for host IP_address on interface_name
    exceeded.

    If you see them then you're having a licensing issue. If not, post up your
    entire config. Make sure you remove your IP and username info before
    posting.
     
    Techno_Guy, Sep 18, 2009
    #12
  13. Hi Techno_Guy,

    Thank you for your hints. I'll check them. I have exactly the first error
    code, 201008, from your post (as already described in my initial post).
     
    Steffen Mauch, Sep 18, 2009
    #13
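    Techno_Guy's last two posts reduce the thread to a question of evidence: which message IDs appear, and do they carry addresses? The script below is an added example, not code from the thread, that does that triage over the pipe-delimited lines the ASDM log viewer exports (the four 201008 lines are the ones from the first post) and over raw %ASA-sev-id syslog lines as a collector would receive them. Assumptions: the ASDM column order (severity, date, time, ID, source IP, source port, destination IP, destination port, text) is inferred from the sample, the two raw lines are constructed, and message IDs 302013 (connection built) and 106023 (ACL deny) are ASA messages added here for contrast; the explanations for 201008 and 201009 are the ones quoted in posts #10 and #12.

    ```python
    """Triage ASA syslog for the "Disallowing new connections" symptom.

    Added example; not from the thread. Parses ASDM log-viewer export lines and
    raw %ASA syslog lines, groups them by message ID, and reports whether each
    ID is a per-flow event (carries addresses) or a system-wide one (carries
    none), plus the spacing between repeated 201008 lines.
    """
    import re
    from collections import defaultdict
    from datetime import datetime

    # Assumed ASDM export column order (inferred from the sample, not documented on the page):
    # severity|date|time|syslog id|source ip|source port|destination ip|destination port|text
    ASDM_RE = re.compile(
        r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<id>\d{6})\|"
        r"(?P<src>[^|]*)\|(?P<sport>[^|]*)\|(?P<dst>[^|]*)\|(?P<dport>[^|]*)\|(?P<text>.*)$"
    )
    # Raw syslog as the ASA sends it to a collector (no timestamp unless "logging timestamp" is set)
    RAW_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
    IPPORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")

    # Scope and explanation per message ID. 201008/201009 text follows posts #10 and #12;
    # 106023 and 302013 are added here for contrast.
    MEANING = {
        "201008": ("system-wide", "new connections disallowed: TCP syslog host unreachable, "
                                  "PFSS disk full, or auto-update timeout expired"),
        "201009": ("per-host", "TCP connection limit for a host on an interface exceeded"),
        "106023": ("per-flow", "packet denied by an access-list"),
        "302013": ("per-flow", "TCP connection built"),
    }

    SAMPLE_LINES = [
        # The four lines from the first post (ASDM export format)
        "3|Aug 03 2009|17:09:29|201008|||||Disallowing new connections.",
        "3|Aug 03 2009|17:09:23|201008|||||Disallowing new connections.",
        "3|Aug 03 2009|17:09:17|201008|||||Disallowing new connections.",
        "3|Aug 03 2009|17:09:11|201008|||||Disallowing new connections.",
        # Constructed raw syslog lines; 203.0.113.25 / 198.51.100.7 are documentation addresses
        "%ASA-6-302013: Built outbound TCP connection 42 for outside:203.0.113.25/25 "
        "(203.0.113.25/25) to inside:192.168.199.221/49152 (198.51.100.7/49152)",
        "%ASA-3-201008: Disallowing new connections.",
    ]


    def parse_line(line):
        """Return an event dict for an ASDM-export or raw syslog line, or None."""
        line = line.strip()
        m = ASDM_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
            addrs = [(m["src"], m["sport"]), (m["dst"], m["dport"])] if m["src"] else []
            return {"ts": ts, "sev": int(m["sev"]), "id": m["id"], "addrs": addrs, "text": m["text"]}
        m = RAW_RE.search(line)
        if m:
            return {"ts": None, "sev": int(m["sev"]), "id": m["id"],
                    "addrs": IPPORT_RE.findall(m["text"]), "text": m["text"]}
        return None


    def summarize(events):
        """Group events by ID: count, how many carried addresses, and gaps between timestamps."""
        buckets = defaultdict(lambda: {"count": 0, "with_addresses": 0, "timestamps": []})
        for e in events:
            b = buckets[e["id"]]
            b["count"] += 1
            b["with_addresses"] += 1 if e["addrs"] else 0
            if e["ts"] is not None:
                b["timestamps"].append(e["ts"])
        out = {}
        for mid, b in buckets.items():
            scope, why = MEANING.get(mid, ("unknown", "not in the table"))
            ts = sorted(b["timestamps"])
            gaps = [int((later - earlier).total_seconds()) for earlier, later in zip(ts, ts[1:])]
            out[mid] = {"count": b["count"], "with_addresses": b["with_addresses"],
                        "scope": scope, "meaning": why, "gaps_s": gaps}
        return out


    def diagnose(events):
        """Map the evidence to the hypotheses raised in the thread; returns hint strings."""
        ids = {e["id"] for e in events}
        hints = []
        if "201009" in ids:
            hints.append("201009 present: a per-host TCP connection limit was hit; "
                         "compare 'show local-host' against the licensed host count")
        if "201008" in ids and "201009" not in ids:
            hints.append("201008 present with no 201009: the block is system-wide, not a "
                         "per-host limit; check reachability of any TCP syslog host "
                         "(logging host ... tcp/...) and whether an auto-update timeout is set")
        if any(e["id"] == "106023" and any(p == "25" for _, p in e["addrs"]) for e in events):
            hints.append("106023 on port 25: the access-list itself is denying SMTP")
        return hints


    if __name__ == "__main__":
        evs = [e for e in map(parse_line, SAMPLE_LINES) if e]
        for mid, info in summarize(evs).items():
            print(mid, info)
        for h in diagnose(evs):
            print("-", h)
    ```

    The output only says which documented cause the evidence is consistent with; it cannot tell the 201008 causes apart. For that, check the running configuration for a `logging host <interface> <ip> tcp/<port>` line and for an `auto-update timeout`, and confirm with `show logging` whether logging to that host is actually failing.
    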
