The SMTP access is allowed throughout. I can see Build/Teardown on FWSM and 2nd Level ASA. However, on 1st Level ASA I can see 'Deny TCP (no connection)..RST Flag' in the logs of 1st Level ASA for the return traffic.
Going through forums etc, I believe there are mainly two reasons for this error 1) Asymmetric routing 2) SMTP inspection
In my case, neither asymmetric routing nor SMTP inspection is occurring. Still I get the above error.
Deny TCP (no connection) is a statement that a packet arrived on the firewall for a connection that doesn't exist - the connection may never have existed or may have been recently torn down. To determine what may have caused this situation, choose a single connection (source/destination IP address) and configure a packet capture on the ingress and egress interfaces as described at this link (be sure to use the interface specific/NAT IP addresses):
Also, to supplement this packet capture, enable the following:
logging buffered debugging
logging buffer-size 512000
Run an example test (matching the configured packet capture) and gather all relevant logs from the time of the traffic. This syslog output as well as the packet captures should provide you an insight as to what the issue is.
If SMTP inspection is enabled, you may want to confirm whether the SMTP server sends a TCP Reset. Also, confirm whether any SMTP commands sent between the client and server are modified to X's. Sometimes, changing the available SMTP commands can result in a reset from the SMTP Server with a 500 ERROR. More information about 'inspect esmtp' is available at the link below:
This 'RST Flag' Deny TCP (no connection) may be just a final errant packet sent from the host after the connection was torn down by the ASA or the other end. A packet capture and syslogs of the flow will greatly assist diagnosing the issue.
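As an added example (not code from the original thread), a small Python script that applies the reasoning above to the buffered syslog: it pairs each 106015 'Deny TCP (no connection) ... flags RST' line with the preceding 302013/302014 Built/Teardown messages for the same flow, so a reset that arrives shortly after this ASA's own teardown is separated from a reset for a flow this ASA never built (the case worth chasing with packet captures). The log lines are constructed; the message layouts follow Cisco's documented syslog IDs, and the timestamp prefix assumes 'logging timestamp' is enabled.

```python
import re
from datetime import datetime

# Constructed sample of an ASA buffered log ("logging timestamp" on) for one
# SMTP flow: built, torn down, then a late RST from the server; plus an RST
# for a flow this firewall never built.
SAMPLE_LOG = """\
Jan 05 2014 10:15:32: %ASA-6-302013: Built inbound TCP connection 4711 for outside:10.1.1.1/34567 (10.1.1.1/34567) to inside:192.168.1.10/25 (192.168.1.10/25)
Jan 05 2014 10:15:37: %ASA-6-302014: Teardown TCP connection 4711 for outside:10.1.1.1/34567 to inside:192.168.1.10/25 duration 0:00:05 bytes 1234 TCP FINs
Jan 05 2014 10:15:38: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/25 to 10.1.1.1/34567 flags RST on interface inside
Jan 05 2014 10:16:02: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/25 to 10.1.1.2/40001 flags RST on interface inside
"""

TS = r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
BUILT = re.compile(TS + r"%ASA-6-302013: Built \w+ TCP connection \d+ for \S+:(\S+)/(\d+) \(.*?\) to \S+:(\S+)/(\d+)")
TEARDOWN = re.compile(TS + r"%ASA-6-302014: Teardown TCP connection \d+ for \S+:(\S+)/(\d+) to \S+:(\S+)/(\d+)")
DENY = re.compile(TS + r"%ASA-6-106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) flags (\S+)")

def _flow(a, ap, b, bp):
    """Direction-independent key for a TCP flow (same key for either side's packet)."""
    return frozenset([(a, int(ap)), (b, int(bp))])

def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def classify_denies(log_text, grace_seconds=30):
    """Return (deny_line, verdict) for every 106015 deny carrying RST.
    'late-rst-after-teardown': this ASA tore the flow down within grace_seconds
    before the RST arrived; benign, as described in the thread.
    'never-built-here': this ASA has no Built/Teardown for the flow; capture on
    both interfaces and check the other firewalls in the path."""
    torn_down = {}   # flow key -> time of its last Teardown on this box
    results = []
    for line in log_text.splitlines():
        if m := BUILT.match(line):
            torn_down.pop(_flow(*m.groups()[1:]), None)   # flow is live again
        elif m := TEARDOWN.match(line):
            torn_down[_flow(*m.groups()[1:])] = _ts(m.group(1))
        elif m := DENY.match(line):
            t, src, sp, dst, dp, flags = m.groups()
            if "RST" not in flags:
                continue   # only RST denies are the benign case discussed above
            last = torn_down.get(_flow(src, sp, dst, dp))
            if last and 0 <= (_ts(t) - last).total_seconds() <= grace_seconds:
                results.append((line, "late-rst-after-teardown"))
            else:
                results.append((line, "never-built-here"))
    return results
```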
'logging buffered debugging' rarely degrades performance on a production box in my experience. However, do NOT enable 'logging traps debugging' or 'logging console debugging' if your ASA is heavily utilized. This could impact performance.
It gets extremely complicated to troubleshoot any one flow when you have multiple firewalls in the path.
With that said, these deny tcp no conn syslogs are only for a reset packet, which is ok to see. Once the conn gets torn down, reset packets for the same flow arrive which do not get passed on to the other interface for the reason no connection in the table.
Please see if you can eliminate one firewall at a time by placing the client after one firewall at a time.