HELP !!! Zone-based Firewall stops SMTP with "Error encountered - SMTP commands and reply count mismatch"

Unanswered Question
Aug 9th, 2010

Hi folks,
I would appreciate it if someone could shed more light on an error we started getting in the router's syslog after enabling SMTP application inspection. Our users started complaining that they don't receive mail from some clients, and it really creeps me out. The exact error that ZBF puts into the syslog looks as follows:

08-08-2010    20:50:42    Local7.Warning    48: GIBSGW: .Aug  8 20:50:41: %APPFW-4-SMTP_INTERNAL_ERROR: Error encountered - SMTP commands and reply count mismatch. Closing SMTP session -Initiator address Initiator port 1864 Responder address Responder port 25

The responder address is the internal mail server, and the router performs NAT to forward traffic to it.

The relevant portion of the ZBF configuration looks as follows:

class-map type inspect match-all SMTP-CLMAP
 match protocol smtp

class-map type inspect smtp match-all SMTP-STRICT-CLMAP
 match data-length gt 20000000

class-map type inspect match-any INT2INS-OTHER-CLMAP
 match protocol https
 match protocol pop3
 match protocol imaps
 match protocol pcanywheredata
 match protocol pcanywherestat
 match protocol user-HTTP-8080
 match protocol user-RDP-3389

policy-map type inspect INT2INS-POLMAP
 class type inspect WEB-CLMAP
  service-policy http HTTP-STRICT-POLMAP
 class type inspect IMAP-CLMAP
  service-policy imap IMAP-INSP-POLMAP
 class type inspect SMTP-CLMAP
  service-policy smtp SMTP-STRICT-POLMAP
 class type inspect INT2INS-OTHER-CLMAP
 class class-default
  drop log

Is it an inherent bug in ZBF, or does the sender's SMTP server not comply with the RFC, or whatever else governs the SMTP protocol?


underthesiege Mon, 08/09/2010 - 12:08


It's not a bug in ZBF. Some mail servers aren't completely RFC compliant, and the inspection corrupts the mail structure.


zheka_pefti Mon, 08/09/2010 - 12:13


How would I know what exactly is not being conformed to? As far as my config goes, I only check the file size; there are no other checks or enforcements. Is there any way to debug the session and see what's going on? ZBF is a fairly new concept to me.


underthesiege Mon, 08/09/2010 - 23:28


By default, when you enable SMTP inspection, the appliance performs three main tasks:

- Restricts SMTP requests to seven basic SMTP commands and eight extended commands.

- Monitors the SMTP command-response sequence.

- Generates an audit trail.

There is also additional inspection configuration you can define (e.g., you've configured the file size).

So when you enable SMTP inspection, these three main tasks are performed by default even if you don't configure anything else.

You can use the command

show policy-map type inspect ?

to see what's going on.
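To make the second of those tasks (monitoring the command-response sequence) concrete, here is an added example in Python. It is not Cisco's code and not the IOS inspector's actual algorithm; it is a model of the bookkeeping such an inspector has to do: every client command (and the "." that ends a DATA body) must eventually be answered by exactly one complete server reply, a multi-line "250-" reply counts once, and the 220 greeting answers nothing. The verb allowlist is an assumption standing in for the seven basic and eight extended commands the post mentions (the post does not name them), and both transcripts are constructed. Run a capture of a failing session from one of the affected senders through something like this and it shows which side broke the lockstep, e.g. a server that emits an unsolicited extra reply.

```python
"""Model of the command/reply sequence check an SMTP inspector performs.
Added example, not Cisco's code: parses a captured SMTP dialogue, counts
commands and complete replies, and reports a "count mismatch" style error."""
import re

# Assumption: illustrative allowlist only. The post says the inspector permits
# seven basic and eight extended commands but does not name them; these verbs
# come from RFC 5321 and common ESMTP extensions, not from Cisco.
BASIC_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
EXTENDED_COMMANDS = {"EHLO", "AUTH", "STARTTLS", "VRFY", "EXPN", "HELP", "ETRN", "SAML"}
ALLOWED_COMMANDS = BASIC_COMMANDS | EXTENDED_COMMANDS

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " / end.
REPLY_RE = re.compile(r"^(\d{3})([ -]?)(.*)$")

def parse_transcript(text):
    """Turn 'S: ...' / 'C: ...' lines into a list of (side, payload)."""
    dialogue = []
    for raw in text.strip().splitlines():
        side, sep, payload = raw.partition(":")
        if not sep or side not in ("S", "C"):
            raise ValueError(f"bad transcript line: {raw!r}")
        dialogue.append((side, payload.lstrip(" ")))
    return dialogue

def check_session(dialogue):
    """Walk one session; return command/reply counts and a list of findings."""
    commands = replies = pending = 0          # pending = commands awaiting a reply
    greeted = in_data = False
    findings = []
    for side, text in dialogue:
        if side == "C":
            if in_data:                       # message body lines are not commands
                if text == ".":               # ...but end-of-data expects a reply
                    in_data = False
                    commands += 1
                    pending += 1
                continue
            verb = text.split(" ", 1)[0].upper()
            if verb not in ALLOWED_COMMANDS:
                findings.append(f"command not in allowlist: {verb}")
            commands += 1
            pending += 1
            continue
        m = REPLY_RE.match(text)
        if m is None:
            findings.append(f"unparsable reply line: {text!r}")
            continue
        code, sep = m.group(1), m.group(2)
        if sep == "-":
            continue                          # continuation line, reply unfinished
        if not greeted and code == "220":
            greeted = True                    # the banner answers no command
            continue
        replies += 1
        if pending == 0:
            findings.append(f"reply {code} arrived with no outstanding command")
            continue
        pending -= 1
        if code == "354":
            in_data = True                    # client now sends the body
    if pending:
        findings.append(f"{pending} command(s) never answered")
    if commands != replies:
        findings.append(f"count mismatch: {commands} commands vs {replies} replies")
    return {"commands": commands, "replies": replies, "findings": findings}

# Constructed: compliant session with a multi-line EHLO reply and pipelining.
GOOD_SESSION = """
S: 220 mail.example.net ESMTP ready
C: EHLO client.example.org
S: 250-mail.example.net
S: 250 PIPELINING
C: MAIL FROM:<alice@example.org>
C: RCPT TO:<bob@example.net>
S: 250 OK
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: just testing
C: .
S: 250 Queued
C: QUIT
S: 221 Bye
"""

# Constructed: a server that sends its greeting as two complete 220 replies
# instead of one "220-" continuation; the second one answers nothing.
DOUBLE_GREETING_SESSION = """
S: 220 mail.example.net
S: 220 ESMTP service ready
C: HELO client.example.org
S: 250 mail.example.net
C: QUIT
S: 221 Bye
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_SESSION), ("double-greeting", DOUBLE_GREETING_SESSION)):
        print(name, check_session(parse_transcript(text)))
```

To use it on real traffic, capture port 25 on the router's inside interface (or the mail server), follow one TCP stream in Wireshark, and lay the two directions out as S:/C: lines. The model deliberately tolerates pipelining (RFC 2920), so a sender that pipelines is not itself a mismatch; what the counter catches is a reply with no command behind it or a command that never gets one.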


