Re: ASA5505 is blocking outgoing SMTP
"Steffen Mauch" <stma@xxxxxxxx> wrote in message news:h8quf9$c2b$1@xxxxxxxxxxxxxxxxxxxx
Hi again,

I did the settings from jrguent but they seem not to fix the problem. Perhaps I haven't told all necessary information, so I'll try to tell you everything that could be useful:

1. The device which tries to send the mails is an industrial PC (IPC) running Windows CE 6.0. The IPC is from Beckhoff and is called CX1020. The application which sends the mails is written in CodeSys(?) with the IDE TwinCat. The IPC has a fixed IP address (no DHCP). It is able to resolve the mail server's name to its IP address.

2. Threat-detection in the ASA is disabled - but it doesn't resolve the problem.

3. After a restart of the box, some mails go through it without problems. Sometimes it stops working with the mentioned rows in the logging window: Disallowing new connections. Because I don't know when this occurs I haven't seen the "beginning" of the problem yet, but I don't think that the IPC is able to send a lot of mails in a short time (like a "dos" attack). When the "Disallowing new connections." occurs I can switch logging off and then all mails are able to pass the ASA until the problem occurs again. Usually I can enable logging again and disable it again to "fix" it again - temporarily. Because the mails are generated automatically, they all look similar (in the mails are statistics or error messages - but the envelope of the mails should be always correct or always wrong).

I'm no Cisco specialist. We chose the ASA because it was recommended to us by the first Cisco Partner. But after we agreed he couldn't implement all features. So we went to the next Cisco Partner (don't remember whether they were all gold or whatever). The quality of his work wasn't acceptable. To keep the story short: now we have the fourth partner (Cisco Select certified - don't know what it stands for). He is the best of the four but seems not to be able to find the mail problem :-(. Today we know most of the weaknesses of the ASA (and for our application it has a lot of them, e.g. no support for SMTP-AUTH for mailing syslogs, the auto-update feature does only HTTP 1.0 - no chance to use virtual hosting .....).

We have invested a lot of time (and money) but today (over 1 year later!) we haven't reached the goal. The mail functionality is essential for the project, and because of the long time the problem couldn't be resolved, I don't believe the ASA can do this in our (special?) case.

Hope anyone has an idea for our problem.

Regards
Steffen

Are you sure you're not running into a licensing limitation or connection limitation on the firewall? Post the following:

show local-host (just the first couple of lines are OK)
show conn (just the first line is fine)
show xlate (first line again is fine)
show version

You can also try turning off esmtp inspection. If it's using the default settings type:

policy-map global_policy
class inspection_default
no inspect esmtp

-Brian
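The checks Brian asks for, written out as one ASA CLI session with the lines worth reading called out, as an added example that is not part of either post. The IPC address 192.0.2.10 and the syslog host 192.0.2.50 are constructed placeholders; the last step is an addition of my own: the text "Disallowing new connections." is ASA syslog message 201008, which the ASA raises when it is configured to log to a syslog server over TCP and that server stops accepting the connection, which is consistent with mail flowing again as soon as logging is switched off.

```cisco
! Added example (not from the thread). Run on the ASA 5505 from enable mode.

! 1. Licence and platform limits. On a 5505 read the "Inside Hosts" line
!    (Base licence caps the number of inside hosts) and the "Licensed
!    features" block for the connection ceiling.
show version

! 2. Current totals against those ceilings; the first line of each is enough.
show conn count
show xlate count

! 3. Per-host view for the IPC (constructed address): shows its current
!    TCP/UDP connections and any per-host limits being hit.
show local-host 192.0.2.10

! 4. Confirm threat detection really is off (Steffen says it is).
show running-config threat-detection

! 5. Is esmtp inspection dropping or resetting the IPC's sessions?
!    Non-zero "drop" / "reset" counters here point at the inspection engine.
show service-policy inspect esmtp

! 6. Brian's change: remove esmtp inspection from the default global policy.
configure terminal
policy-map global_policy
 class inspection_default
  no inspect esmtp
 exit
exit
write memory

! 7. Added check: if syslog goes to a host over TCP, the ASA stops
!    accepting new connections when that host is unreachable and logs
!    message 201008 "Disallowing new connections." Look for a TCP
!    logging host line such as
!      logging host inside 192.0.2.50 tcp/1470   (constructed)
show running-config logging

! Either let the ASA keep passing traffic while the syslog host is down
! (the message is then downgraded to a warning) ...
configure terminal
logging permit-hostdown
exit
! ... or switch that host to UDP, which never blocks traffic:
!   no logging host inside 192.0.2.50 tcp/1470
!   logging host inside 192.0.2.50
```

Work through the steps in order: step 2 and 3 decide between a licence/connection ceiling and a per-host cause, step 5 decides whether step 6 is worth doing, and step 7 matches the symptom Steffen describes (recovery as soon as logging is disabled) better than either.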
