Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

%ASA-4-507003 terminated by inspection engine, reason - inspector disconnected, dropped packet.

Hello,

I am getting more and more of these logs, the message itself does not say much,

"reason - inspector disconnected"  is not a reason in my opinion.

Looking at the output of "sh service-policy inspect esmtp"

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: esmtp _default_esmtp_map, packet 54698280, drop 2676, reset-drop 0

        mask-banner, count 278499

        match cmd line length gt 512

          drop-connection log, packet 0

        match cmd RCPT count gt 100

          drop-connection log, packet 760

        match body line length gt 998

          log, packet 4954

        match header line length gt 998

          drop-connection log, packet 380

        match sender-address length gt 320

          drop-connection log, packet 0

        match MIME filename length gt 255

          drop-connection log, packet 0

        match ehlo-reply-parameter others

          mask, packet 144526

I am trying to find out why they get dropped.

I was wondering if someone can help me understand the meaning of each vlaue ?

I assume packet is the total number inspected and drop are the dropped ones.

but the addition of the values from the match commands does not add up to the top line.

Cheers,

Sami

Everyone's tags (3)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

%ASA-4-507003 terminated by inspection engine, reason - inspecto

Hi Sam,

The counters from the match lines aren't expected to add up to the aggregate count for the inspection. The match lines list the number of packets that have matched each of those criteria, while the top line is an aggregate count of the number of TCP/25 packets that have passed through the inspection engine.

In addition to the items listed in the match lines, the inspection also does basic ESMTP protocol enforcement. This means that things like invalid verbs or messages that don't conform to RFC will break when being inspected.

For more information on why the connection is being closed by the inspection, you can look at the output of 'debug esmtp 255'. Also, feel free to open a TAC case if the debug output isn't self-explanatory.

-Mike

Cisco Employee

%ASA-4-507003 terminated by inspection engine, reason - inspecto

Here is a detailed explanation on the counters and also how the esmtp inspection works.

To determine if there are devices on the network sending traffic not RFC compliant we need a capture however issue didn't re-appear.

The ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is

similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.

Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

About the values you get on the service policy:

They are counters for all the features the ESMTP is inspecting for you:

Mask-banner: enforces banner obfuscation

Match cmd line length gt length: allows you to restrict the length of the command line.

Match cmd RCPT count gt count: allows you to restrict the number of recipient addresses.

Match body [line] length gt length: allows you to restrict the body length or body line length

Match header [line] length gt length: allows you to restrict the header length or header line length

Match sender-address length gt length: allows you to restrict the length of a sender's address

Match mime filename length gt length: allows you to restrict the MIME filename length

Match ehlo-reply-parameter extensions: allows you to set the ehlo-reply-parameters

All of them are taking different aspects of the traffic on port 25 and inspecting specific aspects of it.

Each of them will apply an action as below:

The drop-connection keyword drops the packet and closes the connection.

The mask keyword masks out the matching portion of the packet.

The log keyword, which you can use alone or with one of the other keywords, sends a system log message.

3 REPLIES
Cisco Employee

%ASA-4-507003 terminated by inspection engine, reason - inspecto

Hi Sam,

The counters from the match lines aren't expected to add up to the aggregate count for the inspection. The match lines list the number of packets that have matched each of those criteria, while the top line is an aggregate count of the number of TCP/25 packets that have passed through the inspection engine.

In addition to the items listed in the match lines, the inspection also does basic ESMTP protocol enforcement. This means that things like invalid verbs or messages that don't conform to RFC will break when being inspected.

For more information on why the connection is being closed by the inspection, you can look at the output of 'debug esmtp 255'. Also, feel free to open a TAC case if the debug output isn't self-explanatory.

-Mike

Cisco Employee

%ASA-4-507003 terminated by inspection engine, reason - inspecto

Here is a detailed explanation on the counters and also how the esmtp inspection works.

To determine if there are devices on the network sending traffic not RFC compliant we need a capture however issue didn't re-appear.

The ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is

similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.

Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

About the values you get on the service policy:

They are counters for all the features the ESMTP is inspecting for you:

Mask-banner: enforces banner obfuscation

Match cmd line length gt length: allows you to restrict the length of the command line.

Match cmd RCPT count gt count: allows you to restrict the number of recipient addresses.

Match body [line] length gt length: allows you to restrict the body length or body line length

Match header [line] length gt length: allows you to restrict the header length or header line length

Match sender-address length gt length: allows you to restrict the length of a sender's address

Match mime filename length gt length: allows you to restrict the MIME filename length

Match ehlo-reply-parameter extensions: allows you to set the ehlo-reply-parameters

All of them are taking different aspects of the traffic on port 25 and inspecting specific aspects of it.

Each of them will apply an action as below:

The drop-connection keyword drops the packet and closes the connection.

The mask keyword masks out the matching portion of the packet.

The log keyword, which you can use alone or with one of the other keywords, sends a system log message.

New Member

%ASA-4-507003 terminated by inspection engine, reason - inspecto

Thanks for the clarification Jorge, I will keep monitoring the logs.

7050
Views
0
Helpful
3
Replies
CreatePlease to create content