Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1106
Views
0
Helpful
3
Replies

HELP !!! Zone-based Firewall stops SMTP with "Error encountered - SMTP commands and reply count mismatch"

zheka_pefti
Level 2
Level 2

‎08-09-2010 11:16 AM - edited ‎03-11-2019 11:22 AM

Hi folks,
I would appreciate if someone shed more light on the error we started getting in the router's syslog after enabling SMTP application inspection. Our users started complaining that they don't receive mail from some clients and it really makes me creepy. The exact error that ZBF puts into the syslog looks as follows:

08-08-2010    20:50:42    Local7.Warning    192.168.1.1    48: GIBSGW: .Aug  8 20:50:41: %APPFW-4-SMTP_INTERNAL_ERROR: Error encountered - SMTP commands and reply count mismatch. Closing SMTP session -Initiator address 117.194.195.230 Initiator port 1864 Responder address 192.168.1.10 Responder port 25


192.168.1.10 is the internal mail server and the router makes NAT to forward traffic to it.

The portion of the ZBF configuration looks as follows:

class-map type inspect match-all SMTP-CLMAP

match protocol smtp


class-map type inspect smtp match-all SMTP-STRICT-CLMAP
match  data-length gt 20000000

class-map type inspect match-any INT2INS-OTHER-CLMAP
match protocol https
match protocol pop3
match protocol imaps
match protocol pcanywheredata
match protocol pcanywherestat
match protocol user-HTTP-8080
match protocol user-RDP-3389

policy-map type inspect INT2INS-POLMAP
class type inspect WEB-CLMAP
   inspect
    service-policy http HTTP-STRICT-POLMAP
  class type inspect IMAP-CLMAP
   inspect
    service-policy imap IMAP-INSP-POLMAP
class type inspect SMTP-CLMAP
   inspect
    service-policy smtp SMTP-STRICT-POLMAP
class type inspect INT2INS-OTHER-CLMAP
   inspect
class class-default
drop log

Is it an inherent bug of ZBF or the sender's SMTP server doesn't comply with RFC or something that governs SMTP protocole

Eugene

Labels:
0 Helpful
3 Replies 3

underthesiege
Level 1
Level 1

‎08-09-2010 12:08 PM

Hi,

It's not a bug of ZBF. Some mail server's aren't completely  RFC compliant and the inspection corrupts the mail structure.

Regards,

0 Helpful

zheka_pefti
Level 2
Level 2
In response to underthesiege

‎08-09-2010 12:13 PM

Thanks,

How would I know what exactly is not being conformed to? As far as my config goes I only check the file size no other checks or enforcements. Is there any way to debug the session and see what's going on. ZBF is a fairly new concept to me.

Eugene

0 Helpful

underthesiege
Level 1
Level 1
In response to zheka_pefti

‎08-09-2010 11:28 PM

Hi,

By default when you enable SMTP inspection, Appliance performs 3 main tasks:,

- Restricts SMTP requests to seven basic SMTP commands and eight extended commands.

- Monitors the SMTP command-response sequence.

- Generates an audit trail

And also there are additional inspection configuration, you can define.( Ex. you've configured file size)

So when you enable SMTP inspection 3 main tasks are performed by default although you don't configure anything.

You can use;

show policy-map type inspect ?   command, to see what's going on.

Thanks,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card