Remote connection dropped by host

Answered Question
Sep 29th, 2010

We have a Cisco 2800 router that we are having problems getting e-mail messages through that are above 4MB. Emails are fine coming in, and I have checked the Exchange 2003 settings and the report is that the connection was dropped by the remote host. Any mails below this limit to the same recipient go through fine. The router was configured by someone else and I want to know if anyone can point me in the right direction. The connection seems to get dropped and then it starts retransmitting the message again. This problem is driving me insane, so if anyone out here can give me a few pointers, I am no CCNE, so am grateful for help on this.

Thanks in advance

class-map type inspect smtp match-any sdm-app-smtp
match  data-length gt 20000
class-map type inspect http match-any sdm-app-nonascii
match  req-resp header regex sdm-regex-nonascii
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-any https
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map https
match access-group name httpsin
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any smtp
match protocol http
match protocol smtp
match protocol https
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any email
match protocol smtp
match protocol imap
match protocol pop3
match protocol pop3s
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map email
match access-group name email
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map smtp
match access-group name smtp
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect http match-any sdm-app-httpmethods

policy-map type inspect sdm-permit-icmpreply
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
  reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
  reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-cls-sdm-inspect-1
  pass
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect
class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
  drop log
class type inspect sdm-insp-traffic
  inspect
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-app-nonascii
  log
  reset
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip

Correct Answer by Calin Chiorean about 6 years 3 months ago

Hello Darren,

When you say this:

"Any mails below this limit to the same recipient go through fine"

What is the limit under 4MB which worked for you?

Now, if we analyze your config, we are interested in this part:

class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 20000

This class-map will inspect SMTP which has the data-length larger than 20000 bytes. This value is the maximum number of bytes (data) that can be transferred in a single SMTP session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. The default is 20.

Next you have this here:

policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset

Which means that if any packets are matched in the class sdm-app-smtp, this policy-map will send a "reset" to this connection.

That value, 20000 bytes, is approx. 20 KB, and is way less than your 4MB attachment; that's why I've asked which is the largest attachment that you can send in your e-mail but still be under 4MB.

As a solution, to see if it works, I would recommend either a larger value than 20000 (try 10000000, which is approx. 10MB), or taking out the "reset" option from the policy-map for testing.

Let me know if these make sense for you or if you need more details.

Cheers,

Calin


dburgess.adliteuk Wed, 09/29/2010 - 06:58

Hi Chiorean,

Thanks for your help. I did reply but have found it didn't make its way to the forum. The value was set to 20000000, so this doesn't seem to be the problem, but I do think you're on the right track with the reset. Can you tell me how I switch off the resets? What would be the exact command for this, as I have tried to switch it off without success? My main concern is to get the mail being allowed to send >4MB files without dropping the connection. Any help is massively appreciated.

Many thanks to anyone who can help

class type inspect sdm-nat-smtp-1
  inspect
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
  reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
  reset
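The SMTP-inspection behaviour discussed in this thread, as an added example that is not code from the thread, from Cisco or from the SDM tool: a small Python script that parses the "class-map type inspect smtp" and "policy-map type inspect smtp" lines of an IOS zone-based firewall config and reports, for a message of a given size, which data-length class it exceeds and whether the action attached to that class is "reset" or only "log". Both config strings are constructed for this example: ORIGINAL_CFG copies the class and policy names and the 20000-byte threshold from the posted config, and RELAXED_CFG applies the two suggestions in the accepted answer (a higher threshold, and "log" in place of "reset"). The function names (parse_smtp_policy, triggered_actions, session_would_be_reset) are my own, and the script models only the visible class/action lines, not the IOS inspection engine itself.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt, modelled on the SMTP-related lines of the config
# posted in the question (same names, same 20000-byte threshold).
ORIGINAL_CFG = """\
class-map type inspect smtp match-any sdm-app-smtp
 match data-length gt 20000
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  reset
 class class-default
"""

# Constructed variant applying both suggestions from the answer:
# a higher threshold and "log" instead of "reset" for the oversize class.
RELAXED_CFG = """\
class-map type inspect smtp match-any sdm-app-smtp
 match data-length gt 10000000
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  log
 class class-default
"""

ACTIONS = {"reset", "log", "allow"}   # actions recognised under an SMTP policy class


@dataclass
class SmtpClass:
    name: str
    data_length_gt: Optional[int] = None   # bytes; None if no data-length match line


@dataclass
class SmtpPolicy:
    name: str
    actions: Dict[str, Set[str]] = field(default_factory=dict)   # class name -> actions


def parse_smtp_policy(cfg: str) -> Tuple[Dict[str, SmtpClass], Dict[str, SmtpPolicy]]:
    """Collect 'type inspect smtp' class-maps and policy-maps from IOS config text.

    Any other class-map or policy-map block ends the block being tracked, so
    its sub-lines are never attributed to an SMTP class or policy by mistake.
    """
    classes: Dict[str, SmtpClass] = {}
    policies: Dict[str, SmtpPolicy] = {}
    cur_class: Optional[SmtpClass] = None
    cur_policy: Optional[SmtpPolicy] = None
    cur_pclass: Optional[str] = None          # class currently open inside cur_policy
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"class-map type inspect smtp match-(?:any|all) (\S+)$", line)
        if m:
            cur_class = SmtpClass(m.group(1))
            classes[cur_class.name] = cur_class
            cur_policy = cur_pclass = None
            continue
        m = re.match(r"policy-map type inspect smtp (\S+)$", line)
        if m:
            cur_policy = SmtpPolicy(m.group(1))
            policies[cur_policy.name] = cur_policy
            cur_class = cur_pclass = None
            continue
        if line.startswith(("class-map ", "policy-map ")):
            cur_class = cur_policy = cur_pclass = None   # a non-SMTP block starts here
            continue
        m = re.match(r"match\s+data-length gt (\d+)$", line)
        if m and cur_class is not None:
            cur_class.data_length_gt = int(m.group(1))
            continue
        m = re.match(r"class type inspect smtp (\S+)$", line)
        if m and cur_policy is not None:
            cur_pclass = m.group(1)
            cur_policy.actions.setdefault(cur_pclass, set())
            continue
        if line.startswith("class ") and cur_policy is not None:
            cur_pclass = None                             # e.g. "class class-default"
            continue
        if line in ACTIONS and cur_policy is not None and cur_pclass is not None:
            cur_policy.actions[cur_pclass].add(line)
    return classes, policies


def triggered_actions(cfg: str, message_bytes: int) -> List[Tuple[str, str, int, List[str]]]:
    """(policy, class, threshold, actions) for every data-length class the message exceeds."""
    classes, policies = parse_smtp_policy(cfg)
    hits = []
    for pol in policies.values():
        for cname, acts in pol.actions.items():
            cls = classes.get(cname)
            if cls is None or cls.data_length_gt is None:
                continue
            if message_bytes > cls.data_length_gt:
                hits.append((pol.name, cname, cls.data_length_gt, sorted(acts)))
    return hits


def session_would_be_reset(cfg: str, message_bytes: int) -> bool:
    """True if any class the message exceeds carries the 'reset' action."""
    return any("reset" in acts for _, _, _, acts in triggered_actions(cfg, message_bytes))


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("relaxed", RELAXED_CFG)):
        for size in (19_000, 4 * 1024 * 1024):
            print(label, size, triggered_actions(cfg, size),
                  "RESET" if session_would_be_reset(cfg, size) else "ok")
```

Run as-is, the script checks both configs against a 19000-byte and a 4 MB message: with the original lines the 4 MB message exceeds the 20000-byte class and the action set contains "reset", while with the relaxed lines nothing is triggered. Substituting the 20000000 reported in the follow-up (ORIGINAL_CFG.replace("gt 20000", "gt 20000000")) also yields no hit for 4 MB, which agrees with the follow-up's observation that the threshold alone does not explain the dropped connection.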
