HELP !!! Zone-based Firewall stops SMTP with "Error encountered - SMTP commands and reply count mismatch"
Hi folks, I would appreciate it if someone could shed more light on the error we started getting in the router's syslog after enabling SMTP application inspection. Our users started complaining that they don't receive mail from some clients, and it really makes me creepy. The exact error that ZBF puts into the syslog looks as follows:
192.168.1.10 is the internal mail server and the router makes NAT to forward traffic to it.
The portion of the ZBF configuration looks as follows:
class-map type inspect match-all SMTP-CLMAP
match protocol smtp
class-map type inspect smtp match-all SMTP-STRICT-CLMAP
match data-length gt 20000000
class-map type inspect match-any INT2INS-OTHER-CLMAP
match protocol https
match protocol pop3
match protocol imaps
match protocol pcanywheredata
match protocol pcanywherestat
match protocol user-HTTP-8080
match protocol user-RDP-3389
policy-map type inspect INT2INS-POLMAP
class type inspect WEB-CLMAP
inspect
service-policy http HTTP-STRICT-POLMAP
class type inspect IMAP-CLMAP
inspect
service-policy imap IMAP-INSP-POLMAP
class type inspect SMTP-CLMAP
inspect
service-policy smtp SMTP-STRICT-POLMAP
class type inspect INT2INS-OTHER-CLMAP
inspect
class class-default
drop log
Is it an inherent bug of ZBF, or does the sender's SMTP server not comply with the RFC or something else that governs the SMTP protocol?
Re: HELP !!! Zone-based Firewall stops SMTP with "Error encounte
How would I know what exactly is not being conformed to? As far as my config goes, I only check the file size, no other checks or enforcements. Is there any way to debug the session and see what's going on? ZBF is a fairly new concept to me.
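One way to see what an inspection engine that counts commands against replies would see, as an added example that is not from this thread or from Cisco: take the SMTP dialogue of a failing sender out of a packet capture and tally client commands against completed server replies, honouring multi-line replies (RFC 5321) and the unanswered 220 greeting. The session below is constructed; the back-to-back commands in it follow the PIPELINING extension (RFC 2920), and whether the ZBF engine objects to that pattern is not stated in the thread.

```python
import re

# Constructed sample SMTP session (not from the thread).  ("S", line) is a
# server reply line, ("C", line) a client command, ("B", line) message body.
SAMPLE_SESSION = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 PIPELINING"),
    ("C", "MAIL FROM:<a@example.test>"),  # three commands sent before any
    ("C", "RCPT TO:<b@example.test>"),    # reply is read (pipelining, RFC 2920)
    ("C", "DATA"),
    ("S", "250 OK"),
    ("S", "250 OK"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("B", "Subject: test"),
    ("C", "."),                           # end-of-data, answered by 250
    ("S", "250 Queued"),
]

REPLY_RE = re.compile(r"^(\d{3})([ -])")   # code, then ' ' (final) or '-' (more)

def count_exchanges(session):
    """Tally client commands against completed server replies (RFC 5321:
    a multi-line reply ends on the line with a space after the code).
    The 220 greeting has no command behind it and is counted as unsolicited;
    'balanced' means each command got one reply; 'max_outstanding' > 1 means
    the client pipelined commands."""
    stats = {"commands": 0, "replies": 0, "unsolicited": 0, "max_outstanding": 0}
    outstanding = 0
    for who, line in session:
        if who == "B":                   # message body lines are not commands
            continue
        if who == "C":
            stats["commands"] += 1
            outstanding += 1
            stats["max_outstanding"] = max(stats["max_outstanding"], outstanding)
            continue
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if m.group(2) == " ":            # final line of this reply
            stats["replies"] += 1
            if outstanding == 0:
                stats["unsolicited"] += 1
            else:
                outstanding -= 1
    stats["balanced"] = stats["replies"] - stats["unsolicited"] == stats["commands"]
    return stats
```

Run it over the dialogue of a sender that works and one that fails; a session that is not balanced, or that shows max_outstanding above 1, is the first thing to compare against the inspection logs.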