09-16-2010 03:14 AM - edited 03-06-2019 01:00 PM
Hi guys, not sure where this falls under.
Here's the scenario: We have a mail server that needs to send out bulk emails to internal and external addresses. Sometimes, the mail server would need to send a lot of emails in one burst, so to speak, and I think ASA is blocking it.
The mail server is located on the DMZ switch, which then plugs into one of the interfaces on the ASA.
The destination mail server is located in our internal network, which plugs into a Cisco switch, then to the WatchGuard, then to our internal switch.
Symptom: On the mail server, mails going to our internal mail server (and out to the internet, but it is more noticeable on emails going in) got stuck in the postfix mail queue with the message "timed out while sending end of data -- message may be sent more than once". Those mails will be stuck in the queue for eternity, whilst other mails would get happily sent out. Here's the kicker: relaying the problematic emails through another mail server instead of directly to the internal mail server on the DMZ (then from that server to our internal server) works just fine.
I have done a lot of troubleshooting, and this is what I found:
Running Wireshark on the SPAN port of the DMZ and on the switch between the ASA and the WatchGuard, the initial communication (SYN-SYN/ACK-ACK, then EHLO, MAIL FROM, RCPT TO:, DATA) went well.
Because of the size of the email, the mail was broken up into 2 parts. The first DATA part was sent, and acknowledged. The second part of the email, which includes the QUIT command was sent (I can see the packets on the wire using wireshark) but never made it through ASA (didn't see the packets on the switch between ASA and Watchguard).
One more thing: we also have the ASA send its logs to our Cisco MARS (which is in our internal network, not acting as IPS), and we got this on the MARS box: "Client Exploit - Mass Emailing Worm". I figured that somehow either the amount of connections, bandwidth, or something, causes the ASA to block those particular packets. Any help on how to turn on logging so I can at least start troubleshooting this?
*EDIT for formatting
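An added example, not part of the original thread: a small Postfix log parser that confirms from the mail server's own logs what the post describes, namely that "timed out while sending end of data" deferrals cluster on one next-hop relay while deliveries through another relay succeed. The log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtp(8) client log lines (not from the thread):
# two attempts to the internal relay that time out at end-of-data, one success
# via a secondary relay, and one small message that gets through directly.
SAMPLE_LOG = """\
Sep 16 03:01:12 dmzmail postfix/smtp[2211]: 7A1B2C3D4E: to=<user@corp.example>, relay=mail-int.corp.example[10.10.10.25]:25, delay=305, delays=0.02/0.01/0.05/305, dsn=4.4.2, status=deferred (conversation with mail-int.corp.example[10.10.10.25] timed out while sending end of data -- message may be sent more than once)
Sep 16 03:02:40 dmzmail postfix/smtp[2212]: 9F8E7D6C5B: to=<other@corp.example>, relay=relay2.example[10.10.10.40]:25, delay=1.3, delays=0.02/0.01/0.2/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
Sep 16 03:03:05 dmzmail postfix/smtp[2213]: 7A1B2C3D4E: to=<user@corp.example>, relay=mail-int.corp.example[10.10.10.25]:25, delay=612, delays=300/0.01/0.05/305, dsn=4.4.2, status=deferred (conversation with mail-int.corp.example[10.10.10.25] timed out while sending end of data -- message may be sent more than once)
Sep 16 03:04:10 dmzmail postfix/smtp[2214]: 1122334455: to=<small@corp.example>, relay=mail-int.corp.example[10.10.10.25]:25, delay=0.8, delays=0.01/0.01/0.1/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 99887766)
"""

# Fields of a postfix/smtp delivery line: queue ID, recipient, next-hop relay, status, reason.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-Fa-f]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
END_OF_DATA = "timed out while sending end of data"

def parse_smtp_lines(text):
    """Yield one dict per postfix/smtp delivery attempt found in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarize_by_relay(text):
    """Return {relay_host: {"sent": n, "deferred": n, "end_of_data_timeouts": n}}."""
    stats = defaultdict(lambda: {"sent": 0, "deferred": 0, "end_of_data_timeouts": 0})
    for rec in parse_smtp_lines(text):
        host = rec["relay"].split("[")[0]  # drop "[ip]:port", keep the hostname
        if rec["status"] in ("sent", "deferred"):
            stats[host][rec["status"]] += 1
        if END_OF_DATA in rec["reason"]:
            stats[host]["end_of_data_timeouts"] += 1
    return dict(stats)

def stuck_queue_ids(text):
    """Queue IDs whose every attempt so far died at end-of-data (the 'stuck' messages)."""
    attempts = defaultdict(list)
    for rec in parse_smtp_lines(text):
        attempts[rec["queue_id"]].append(END_OF_DATA in rec["reason"])
    return sorted(q for q, flags in attempts.items() if all(flags))

if __name__ == "__main__":
    for relay, counts in summarize_by_relay(SAMPLE_LOG).items():
        print(relay, counts)
    print("stuck queue IDs:", stuck_queue_ids(SAMPLE_LOG))
```

Run it against a real /var/log/mail.log and a relay that shows only deferrals with end-of-data timeouts, while others succeed, points at the path through the firewall rather than at Postfix itself.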
09-16-2010 05:46 AM
Hello,
Do you have any AIP-SSM module installed on the ASA? Have you turned on ESMTP inspection on the ASA? Can you bypass this specific traffic from the inspection engine and see if that helps? Please post the output of the "show run policy-map" and "show run service-policy" commands here so we can suggest configuration changes.
Regards,
NT
09-16-2010 04:15 PM
Hi Nagaraja (does it mean king of the dragons? ;))
Thank you for your reply.
Here's my response:
AIP-SSM module: yes, we do have that module. It is set to inspect, but blocking isn't turned on.
ESMTP inspection: the first thing I did to troubleshoot this was to run "no fixup protocol smtp 25" on the ASA. So I would say that the inspection isn't running.
RE: bypass this specific traffic from the inspection engine, do you mean on the ASA or the AIP-SSM module?
Show run policy-map:
!
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect dns
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp
policy-map type inspect h323 H323_Map_100
 description H323 Policy Map
 parameters
  call-party-numbers
  h245-tunnel-block action log
  state-checking h225
  state-checking ras
  rtp-conformance enforce-payloadtype
 match media-type audio
  drop log
 match media-type video
  drop log
 match media-type data
  drop log
policy-map type inspect netbios NetBIOS_Map_100
 description NetBIOS Intrusion Detection Map
 parameters
  protocol-violation action log
policy-map type inspect http HTTP-Map-100
 parameters
  body-match-maximum 256
  protocol-violation action log
 match req-resp content-type mismatch
  log
 match request header content-type violation
  log
 match response header content-type violation
  log
 class _default_gator
  drop-connection log
 class _default_kazaa
  drop-connection log
 class _default_http-tunnel
  drop-connection log
 class _default_gnu-http-tunnel
  drop-connection log
 class _default_httport-tunnel
  drop-connection log
 class _default_firethru-tunnel
  drop-connection log
 class _default_GoToMyPC-tunnel
  drop-connection log
 class _default_windows-media-player-tunnel
  drop-connection log
 class _default_shoutcast-tunneling-protocol
  drop-connection log
 class _default_msn-messenger
  drop-connection log
 class _default_aim-messenger
  drop-connection log
 class _default_yahoo-messenger
  drop-connection log
 match request method post
  log
 match request method put
  log
 match request method trace
  log
 match request method delete
  log
 match request method options
  log
 match request method connect
  log
 match request method get
  log
 match request method head
  log
 match request method unlock
  log
 match request method edit
  log
 match request method save
  log
 match request method mkdir
  log
 match request method copy
  log
 match request method lock
  log
 match request method index
  log
 match request method move
  log
 match request method unedit
  log
 match request header transfer-encoding chunked
  log
 match response header transfer-encoding chunked
  log
 match request header transfer-encoding compress
  log
 match response header transfer-encoding compress
  log
 match request header transfer-encoding deflate
  log
 match response header transfer-encoding deflate
  log
 match request header transfer-encoding gzip
  log
 match response header transfer-encoding gzip
  log
 match request header transfer-encoding identity
  log
 match response header transfer-encoding identity
  log
policy-map type inspect ftp FTP-Map-100
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect dns DNS_Map_100
 description DNS Policy_Map
 parameters
  message-length maximum 4096
  id-randomization
  id-mismatch action log
policy-map type inspect sip SIP_Map_100
 description SIP Intrusion prevention Policy Map
 parameters
  ip-address-privacy
  max-forwards-validation action log
  state-checking action drop-connection log
  software-version action mask log
  strict-header-validation action drop log
  no traffic-non-sip
  uri-non-sip action mask log
  rtp-conformance enforce-payloadtype
policy-map type inspect skinny SCCP_Map_100
 description Skinny Protocol Inspection Map
 parameters
  enforce-registration
  message-id max 0x141
  sccp-prefix-len max 65536
  timeout media 0:01:00
  timeout signaling 0:05:00
  rtp-conformance enforce-payloadtype
policy-map global-policy
 description Policy for IPS Sensor
 class global-class
  inspect sqlnet
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect rsh
  inspect icmp
  inspect ils
  inspect snmp SNMP-Map-100
  inspect http HTTP-Map-100
  inspect ftp strict FTP-Map-100
  inspect dns DNS_Map_100
  inspect netbios NetBIOS_Map_100
  inspect sip SIP_Map_100
  inspect skinny SCCP_Map_100
  inspect h323 h225 H323_Map_100
  inspect h323 ras H323_Map_100
 class IPS_Class_10
  ips inline fail-open
  set connection advanced-options TCP-Norm-Map-100
policy-map type inspect im Instant_Messaging_Inspect_Map_100
 description Policy Map to detect and log Instant Messaging and Tunnelling protocols within IM and HTTP tunnels
 parameters
 match protocol msn-im yahoo-im
  log
 match version regex _default_GoToMyPC-tunnel
  log
 match version regex _default_GoToMyPC-tunnel_2
  log
 match version regex _default_aim-messenger
  log
 match version regex _default_firethru-tunnel_1
  log
 match version regex _default_firethru-tunnel_2
  log
 match version regex _default_gator
  log
 match version regex _default_gnu-http-tunnel_arg
  log
 match version regex _default_gnu-http-tunnel_uri
  log
 match version regex _default_http-tunnel
  log
 match version regex _default_httport-tunnel
  log
 match version regex _default_icy-metadata
  log
 match version regex _default_msn-messenger
  log
 match version regex _default_shoutcast-tunneling-protocol
  log
 match version regex _default_windows-media-player-tunnel
  log
 match version regex _default_x-kazaa-network
  log
 match service chat conference games voice-chat webcam
  log
policy-map type inspect dns DNS_MAP_110
 parameters
  message-length maximum 4096
  id-randomization
  id-mismatch action log
  tsig enforced action log
!
Show run service-policy:
service-policy global_policy global
09-16-2010 06:44 PM
Hello,
Probably the IPS is checking all the traffic and triggering the alarm. Can you include the following line in the access-list for the IPS class?
access-list
Hope this helps.
Regards,
NT
BTW, Nagaraja means King Cobra