SMTP traffic on an ASA with a CSC module

Mar 20th, 2007

I am having trouble getting SMTP traffic to pass through my ASA and into the Linux machine hosting my E-Mail. When I try to telnet in on port 25 it just times out. I am routing multiple other protocols into other machines without a problem, but for some reason SMTP does not make it.

To make things even more confusing, I put a firewall rule at the top of my list that said to log and allow ANY traffic coming to this IP. And when I FTP in and such I can see the logged traffic. When I send in SMTP traffic I get nothing, no logs or anything.

The only thing I can think of is that possibly the CSC module has a traffic inspection rule in place and is grabbing the traffic before it gets handed down to be processed by the built-in rules. Anyone have an idea on this?

jdsuhr Thu, 04/05/2007 - 11:32

You're probably running into the same thing I hit a while back. According to TAC, the following are the concurrent connection limits on the CSC:

CSC-10: 250 HTTP, 50 FTP, 15 SMTP

CSC-20: 500 HTTP, 100 FTP, 25 SMTP

So once the SMTP process on the CSC hits 15/25 concurrent SMTP connections (csc-10/20), and once it has filled its additional queue, it just starts ignoring additional connection requests. This results in massively flaky inbound (and outbound, if you're using it) SMTP service. In my case it also resulted in the blacklisting of a customer's mail server IP due to all the undeliverables being returned to external senders. As you can imagine, it doesn't take much mail at all to hit 15 concurrent connections, especially if you're using the CSC to its fullest potential and doing pretty deep scans on SMTP connections.

Also note that any concurrent FTP, HTTP, and POP3 connections will subtract from the SMTP limit as well, as this is apparently a hardware horsepower limitation and not a licensing issue.

HTH
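To make the capacity problem in the reply above concrete, here is an added example (my own, not code from the thread or from Cisco) that sweeps a set of connection records and reports whether a burst of mail sessions would exceed the quoted CSC-10/CSC-20 SMTP limits. The connection records are constructed, and the headroom rule follows the poster's claim that concurrent non-SMTP sessions subtract from the SMTP limit; both are assumptions, not measured CSC behaviour.

```python
from collections import defaultdict

# Per-protocol concurrent-connection limits as quoted in the reply above.
CSC_LIMITS = {
    "CSC-10": {"HTTP": 250, "FTP": 50, "SMTP": 15},
    "CSC-20": {"HTTP": 500, "FTP": 100, "SMTP": 25},
}

# Constructed sample: (protocol, start_second, end_second) per scanned
# connection, modelling a modest inbound mail burst plus some web/FTP load.
SAMPLE_CONNECTIONS = (
    [("SMTP", i, i + 20) for i in range(16)]   # 16 overlapping mail sessions
    + [("HTTP", 5, 30)] * 3                     # 3 web sessions being scanned
    + [("FTP", 0, 50)]                          # 1 long FTP transfer
)


def sweep(conns):
    """Yield (time, counts) for every start/end event in time order, where
    counts maps protocol -> connections open at that instant. End events
    sort before start events at the same second so a session closing
    exactly as another opens is not double counted."""
    events = []
    for proto, start, end in conns:
        events.append((start, 1, proto))
        events.append((end, -1, proto))
    events.sort(key=lambda e: (e[0], e[1]))
    counts = defaultdict(int)
    for t, delta, proto in events:
        counts[proto] += delta
        yield t, dict(counts)


def smtp_headroom_report(conns, model):
    """Return (peak_smtp, min_headroom, first_overload_time or None).
    Assumed rule from the reply: headroom = SMTP limit minus the number
    of non-SMTP sessions the module is scanning at the same instant."""
    limit = CSC_LIMITS[model]["SMTP"]
    peak_smtp, min_headroom, first_overload = 0, limit, None
    for t, counts in sweep(conns):
        smtp = counts.get("SMTP", 0)
        others = sum(n for p, n in counts.items() if p != "SMTP")
        headroom = limit - others
        peak_smtp = max(peak_smtp, smtp)
        min_headroom = min(min_headroom, headroom)
        if smtp > headroom and first_overload is None:
            first_overload = t   # new SMTP sessions would be ignored from here
    return peak_smtp, min_headroom, first_overload


if __name__ == "__main__":
    for model in CSC_LIMITS:
        print(model, smtp_headroom_report(SAMPLE_CONNECTIONS, model))
```

With this sample the CSC-10 overloads at second 11 (12 mail sessions against 11 slots left after the web and FTP sessions), while the CSC-20 never does.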
