Cisco Support Community

New Member

SMTP traffic on an ASA with a CSC module

I am having trouble getting SMTP traffic to pass through my ASA and into the Linux machine hosting my e-mail. When I try to telnet in on port 25 it just times out. I am routing multiple other protocols into other machines without a problem, but for some reason SMTP does not make it.

To make things even more confusing, I put a firewall rule at the top of my list that said to log and allow ANY traffic coming to this IP. And when I FTP in and such I can see the logged traffic. When I send in SMTP traffic I get nothing, no logs or anything.

The only thing I can think of is that possibly the CSC module has a traffic inspection rule in place and is grabbing the traffic before it gets handed down to be processed by the built-in rules. Anyone have an idea on this?

New Member

Re: SMTP traffic on an ASA with a CSC module

You're probably running into the same thing I hit a while back. According to TAC, the following are the concurrent connection limits on the CSC:

CSC-10: 250 HTTP, 50 FTP, 15 SMTP

CSC-20: 500 HTTP, 100 FTP, 25 SMTP

So once the SMTP process on the CSC hits 15/25 concurrent SMTP connections (csc-10/20), and once it has filled its additional queue, it just starts ignoring additional connection requests. This results in massively flaky inbound (and outbound, if you're using it) SMTP service. In my case it also resulted in the blacklisting of a customer's mail server IP due to all the undeliverables being returned to external senders. As you can imagine, it doesn't take much mail at all to hit 15 concurrent connections, especially if you're using the CSC to its fullest potential and doing pretty deep scans on SMTP connections.

Also note that any concurrent FTP, HTTP, and POP3 connections will subtract from the SMTP limit as well, as this is apparently a hardware horsepower limitation and not a licensing issue.
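One way to check the explanation in the reply above against the firewall's own logs, as an added example that is not part of this thread and not Cisco's code: replay ASA connection syslog in order, count how many CSC-scanned connections are open at once, and flag the moment the SMTP count passes the CSC-10 or CSC-20 figure quoted from TAC. The log format is assumed to follow the ASA 302013 (Built) / 302014 (Teardown) TCP connection messages; the port-to-protocol mapping and the sample log lines are constructed for the example. Other scanned protocols are counted alongside SMTP so you can see whether FTP/HTTP/POP3 load coincides with the SMTP stalls the reply describes.

```python
"""Track concurrent CSC-scanned connections from ASA syslog (example, not Cisco code)."""
import re
from collections import defaultdict

# Concurrent-connection limits as quoted from TAC in the thread.
CSC_LIMITS = {
    "CSC-10": {"HTTP": 250, "FTP": 50, "SMTP": 15},
    "CSC-20": {"HTTP": 500, "FTP": 100, "SMTP": 25},
}

# Assumed mapping of destination ports to the protocols the CSC scans.
SCANNED_PORTS = {25: "SMTP", 21: "FTP", 80: "HTTP", 110: "POP3"}

# Assumed ASA 302013 / 302014 message layout (constructed for this example).
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for \S+:(?P<src>[\d.]+)/\d+ \(\S+\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) ")


def track(lines, model="CSC-10"):
    """Replay log lines in order and return a summary dict.

    peak:       highest concurrent count seen per scanned protocol
    over_limit: (line_no, concurrent_smtp, concurrent_all_scanned) for each
                SMTP Built message that pushed SMTP above the model's limit
    """
    smtp_limit = CSC_LIMITS[model]["SMTP"]
    active = {}                      # connection id -> protocol name
    counts = defaultdict(int)        # protocol -> currently open connections
    peak = defaultdict(int)
    over_limit = []
    for n, line in enumerate(lines, 1):
        m = BUILT_RE.search(line)
        if m:
            proto = SCANNED_PORTS.get(int(m["dport"]))
            if proto is None:
                continue             # port the CSC does not scan; ignore
            active[m["id"]] = proto
            counts[proto] += 1
            peak[proto] = max(peak[proto], counts[proto])
            if proto == "SMTP" and counts["SMTP"] > smtp_limit:
                over_limit.append((n, counts["SMTP"], sum(counts.values())))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in active:
            counts[active.pop(m["id"])] -= 1
    return {"peak": dict(peak), "over_limit": over_limit}


def sample_log():
    """Constructed sample: 16 inbound SMTP connections, one torn down, then one FTP."""
    lines = []
    for i in range(16):
        lines.append(
            f"%ASA-6-302013: Built inbound TCP connection {1000 + i} for "
            f"outside:203.0.113.{i + 1}/4000{i} (203.0.113.{i + 1}/4000{i}) "
            f"to inside:192.0.2.10/25 (198.51.100.10/25)"
        )
    lines.append(
        "%ASA-6-302014: Teardown TCP connection 1000 for outside:203.0.113.1/40000 "
        "to inside:192.0.2.10/25 duration 0:00:05 bytes 1234 TCP FINs"
    )
    lines.append(
        "%ASA-6-302013: Built inbound TCP connection 2000 for outside:198.51.100.7/50000 "
        "(198.51.100.7/50000) to inside:192.0.2.11/21 (198.51.100.11/21)"
    )
    return lines


if __name__ == "__main__":
    result = track(sample_log(), model="CSC-10")
    print("peak concurrent by protocol:", result["peak"])
    for line_no, smtp, total in result["over_limit"]:
        print(f"line {line_no}: {smtp} concurrent SMTP ({total} scanned total) "
              f"exceeds CSC-10 limit of {CSC_LIMITS['CSC-10']['SMTP']}")
```

Feed it a real ASA syslog export (one message per line) and set `model` to the module you have; a non-empty `over_limit` around the times mail stalled, with no corresponding deny in the ACL logs, is consistent with the CSC silently dropping connections rather than the firewall rules blocking them.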