IM and ESMTP Inspection

Hello,
I am getting some strange behavior. I want to stop IM for some specific IPs. When I enable inspection for IM (a policy-map type inspect im that drops the traffic), MSN is actually blocked; however, these users cannot send email.
Any idea, or is this a bug?
ACL to allow some users; the rest shouldn't have MSN:
access-list MSN extended deny ip object-group VIP any
access-list MSN extended permit ip any any
class-map MSN
 match access-list MSN
class-map type inspect im match-all MESSENGER
 match protocol msn-im
policy-map type inspect im MESSENGER
 parameters
 class MESSENGER
  reset log
policy-map INSIDE
 class MSN
  inspect im MESSENGER
service-policy INSIDE interface inside
ASA-XXXX(config-pmap)# sh service-policy | inc im
      Inspect: im MESSENGER, packet 64896, drop 0, reset-drop 9
ESMTP inspection is enabled, and everything works perfectly when I disable the IM inspection:
      Inspect: esmtp _default_esmtp_map, packet 2916, drop 0, reset-drop 0
Something weird that I noticed is the following log when I enable IM inspection and email stops working:
Jul 26 2012 17:11:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 527 per second, max configured rate is 10; Current average rate is 466 per second, max configured rate is 5; Cumulative total count is 279915
Jul 26 2012 17:11:05: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 87 per second, max configured rate is 8; Current average rate is 151 per second, max configured rate is 4; Cumulative total count is 545514
Jul 26 2012 17:11:05: %ASA-4-733100: [ SYN attack] drop rate-1 exceeded. Current burst rate is 527 per second, max configured rate is 200; Current average rate is 466 per second, max configured rate is 100; Cumulative total count is 279610
Jul 26 2012 17:11:05: %ASA-4-733100: [ SYN attack] drop rate-2 exceeded. Current burst rate is 87 per second, max configured rate is 160; Current average rate is 150 per second, max configured rate is 80; Cumulative total count is 543537
Thanks

Diego:
TCP Proxy functionality drops last ACK in TCP 3-way handshake

Symptom: The ASA firewall may drop the third packet (ACK) in the standard TCP 3-way handshake if the traffic is proxied by an inspection process.

Conditions: This is seen starting in version 8.2.3.5. Prior versions do not seem to be affected.

Workaround: Ensure that the traffic does not match an inspection process on the firewall, to prevent the TCP proxy engine from attempting to track/reassemble the data stream.

Additional Information: Even while hitting this bug, some traffic may NOT be impacted. If the connection/protocol being used requires that the SERVER send the first data on the connection, the connection will fail. If the CLIENT sends the first data on the connection, the connection will succeed just fine. This is because the dropped ACK from the CLIENT is processed by the ASA but the server never sees it. If the CLIENT then immediately sends data (e.g. an HTTP GET), that PSH-ACK is passed, and since it has the same ACK number as the dropped ACK, the SERVER accepts it as an ACK to its SYN-ACK and continues just fine. When the server must send the first bit of DATA (like the SMTP banner) the connection will fail: since the server never sees the ACK to its SYN-ACK, it cannot advance to the point of sending a banner, etc. This is why some protocols are affected and some aren't.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj88604
Mike
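The two halves of Mike's diagnosis can be run side by side: the class-map ACL from Diego's post decides which flows are handed to the IM inspection engine (and therefore to the TCP proxy), and the proxy's dropped third ACK decides which of those flows still come up. The model below is an added example written for this page, not code from the thread or from Cisco. It assumes TCP/1863 as the MSN Messenger port and a "narrowed" ACL that classifies only that port; both are this example's assumptions, not configuration from the original post. Nothing of the ASA is modelled beyond the single drop the bug report describes.

```python
"""Added example, not code from the original thread: a model of the handshake
failure Mike describes (the TCP proxy behind an inspection engine consuming
the client's bare third ACK), together with the class-map ACL from Diego's
post so that the two halves of the diagnosis can be run side by side. The
'narrowed' ACL and TCP/1863 as the MSN Messenger port are this example's
assumptions; the ASA itself is not modelled beyond the one drop."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # "VIP" (object-group VIP) or "any"
    proto: str             # "ip" or "tcp"
    dport: Optional[int]   # None = any port


@dataclass(frozen=True)
class Flow:
    src_is_vip: bool
    proto: str
    dport: int


# access-list MSN as posted: VIP sources skip the class; everyone else's
# traffic, whatever the port, is classified and handed to 'inspect im'.
ACL_AS_POSTED = [Ace("deny", "VIP", "ip", None), Ace("permit", "any", "ip", None)]
# Assumed fix: classify only the Messenger port, so SMTP never meets the proxy.
ACL_NARROWED = [Ace("deny", "VIP", "ip", None), Ace("permit", "any", "tcp", 1863)]


def class_matches(acl: List[Ace], flow: Flow) -> bool:
    """First-match evaluation; no match means the class is not hit."""
    for ace in acl:
        if ace.src == "VIP" and not flow.src_is_vip:
            continue
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False


def handshake(proxied: bool, client_speaks_first: bool) -> Dict[str, object]:
    """Client ISN 100, server ISN 500. The firewall drops the client's pure ACK
    when the flow is proxied; everything else is forwarded unchanged."""
    cisn, sisn = 100, 500
    trace: List[str] = []
    state = {"client": "SYN_SENT", "server": "SYN_RCVD", "server_rx": b""}
    trace.append("C->S SYN seq=%d" % cisn)
    trace.append("S->C SYN-ACK seq=%d ack=%d" % (sisn, cisn + 1))
    state["client"] = "ESTABLISHED"          # client completes on the SYN-ACK

    def deliver(flags: str, ack: int, data: bytes) -> None:
        # Server side: in SYN_RCVD any segment acknowledging sisn+1 completes
        # the handshake, data or no data.
        if state["server"] == "SYN_RCVD" and "ACK" in flags and ack == sisn + 1:
            state["server"] = "ESTABLISHED"
        if state["server"] == "ESTABLISHED":
            state["server_rx"] += data

    if proxied:
        trace.append("C->S ACK ack=%d  [consumed by proxy, server never sees it]" % (sisn + 1))
    else:
        trace.append("C->S ACK ack=%d" % (sisn + 1))
        deliver("ACK", sisn + 1, b"")

    if client_speaks_first:
        data = b"GET / HTTP/1.0\r\n\r\n"
        trace.append("C->S PSH-ACK ack=%d data=%r" % (sisn + 1, data))
        deliver("PSH,ACK", sisn + 1, data)     # same ack number: doubles as the 3rd ACK
    elif state["server"] == "ESTABLISHED":
        trace.append("S->C 220 banner")
    else:
        trace.append("server waits in SYN_RCVD for the ACK, client waits for the banner")
    state["trace"] = trace
    return state


def diagnose(acl: List[Ace], flow: Flow, client_speaks_first: bool) -> str:
    """'ok' when the server reaches ESTABLISHED, 'stalled' when it does not."""
    result = handshake(class_matches(acl, flow), client_speaks_first)
    return "ok" if result["server"] == "ESTABLISHED" else "stalled"


if __name__ == "__main__":
    flows = {"SMTP (server speaks first)": (Flow(False, "tcp", 25), False),
             "HTTP (client speaks first)": (Flow(False, "tcp", 80), True),
             "SMTP from a VIP host": (Flow(True, "tcp", 25), False)}
    for name, acl in (("ACL as posted", ACL_AS_POSTED), ("ACL narrowed", ACL_NARROWED)):
        for label, (flow, first) in flows.items():
            print("%-14s %-28s %s" % (name, label, diagnose(acl, flow, first)))
```

With the ACL as posted, the non-VIP SMTP flow stalls while HTTP from the same host and SMTP from a VIP host both come up, which is the pattern Diego reports; with the class narrowed to the Messenger port, SMTP never reaches the proxy and completes normally. That is Mike's workaround ("ensure that the traffic does not match an inspection process") applied to this particular class-map.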

Similar Messages

  • Disable esmtp Inspection for Specific Host

    Hello. Is it possible to disable ESMTP inspection for a specific INSIDE host with the use of a policy-map? If so, could you provide an example configuration?

    Yes, it is possible.  You could do something like the following:
    access-list ESMTP deny ip host 1.1.1.10 any
    access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
    class-map CMAP
     match access-list ESMTP
    policy-map PMAP
     class CMAP
      inspect esmtp
    service-policy PMAP interface inside

  • ASA 8.4x ESMTP Inspection bug CSCtr92976?

    We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.
    I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same.  I have an Exchange 2007 server and I can see in the logs the following messages:
    2012-08-10T13:04:37.331Z,EXCHANGE\Default EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
    2012-08-10T13:04:42.345Z,EXCHANGE\Default EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognized command,
    2012-08-10T13:05:20.506Z,EXCHANGE\Default EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
    This is with the default ESMTP inspection enabled.  I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same.  Sometimes traffic will pass but most of the time it won't.  The workaround is to just disable the ESMTP inspection but I don't like the idea of this.
    Any idea when this will be fixed or if there is some other magic workaround?
    Andy

    Will it ever be? The ESMTP inspection is somehow the successor of the "Mailguard", and that was the worst function for nearly every mail administrator in the past with PIX firewalls on the network ...
    It got better with the ESMTP inspection, but I assume the trouble will never end. I typically disable it. The mail server is protected by the mail relay in the DMZ, and the mail relay has to protect itself.
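Andy's Exchange receive protocol log shows a verb arriving as a run of X characters and the server answering "500 5.3.3 Unrecognized command". An ESMTP inspection engine that refuses a command leaves it in the stream overwritten with X characters (that is the documented behaviour of ASA ESMTP inspection for commands it does not allow), so that pattern in the mail server's own log is a quick way to tell whether an inspection engine sits in the path, and which peers are affected. The scanner below is an added example written for this page, not from the thread, Cisco or Microsoft. Its sample log is constructed to follow the field layout of the lines Andy posted (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context); the connect, banner, EHLO and second-session lines are this example's additions.

```python
"""Added example written for this page (not from Andy's thread, Cisco or
Microsoft): scan an Exchange 2007 receive protocol log for SMTP verbs that
arrive as runs of 'X' characters and pair each with the server's reply in the
same session. The sample below is constructed to match the layout of the lines
Andy posted (date-time, connector-id, session-id, sequence-number,
local-endpoint, remote-endpoint, event, data, context); the connect, banner,
EHLO and second-session lines are this example's additions."""
import csv
import io
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

# Constructed sample: one session showing the masking pattern, one clean one.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-08-10T13:04:36.101Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,0,192.168.102.28:25,192.168.250.26:52756,+,,
2012-08-10T13:04:36.120Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,1,192.168.102.28:25,192.168.250.26:52756,>,220 exchange.example.test Microsoft ESMTP MAIL Service ready,
2012-08-10T13:04:36.300Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,2,192.168.102.28:25,192.168.250.26:52756,<,EHLO relay.example.test,
2012-08-10T13:04:37.331Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognized command,
2012-08-10T13:05:20.506Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
2012-08-10T13:05:21.000Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D7,6,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognized command,
2012-08-10T13:06:00.000Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D8,0,192.168.102.28:25,192.168.250.27:41000,+,,
2012-08-10T13:06:00.200Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D8,1,192.168.102.28:25,192.168.250.27:41000,<,EHLO other.example.test,
2012-08-10T13:06:00.250Z,EXCHANGE\\Default EXCHANGE,08CF3610468A42D8,2,192.168.102.28:25,192.168.250.27:41000,>,250-exchange.example.test Hello [192.168.250.27],
"""

MASKED = re.compile(r"X+(?: X+)*")


def is_masked(data: str) -> bool:
    """True when every non-space character of a received line is 'X', which
    is how an ESMTP inspection engine leaves a verb it refused to pass."""
    data = data.strip()
    return bool(data) and MASKED.fullmatch(data) is not None


@dataclass
class Finding:
    session_id: str
    sequence_number: int
    remote_endpoint: str
    masked: str
    reply: str            # next server reply in the session, "" if none logged


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Read the CSV body, skipping the '#Fields:' header and short rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].startswith("#") or len(rec) < 8:
            continue
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def find_masked_commands(text: str) -> List[Finding]:
    """Group rows by session, walk them in sequence order and report every
    received ('<') line that is entirely masked, with the reply that followed."""
    by_session: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in parse_rows(text):
        by_session[row["session_id"]].append(row)
    findings: List[Finding] = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: int(r["sequence_number"]))
        for i, row in enumerate(rows):
            if row["event"] != "<" or not is_masked(row["data"]):
                continue
            reply = next((r["data"] for r in rows[i + 1:] if r["event"] == ">"), "")
            findings.append(Finding(sid, int(row["sequence_number"]),
                                    row["remote_endpoint"], row["data"], reply))
    return findings


def affected_peers(findings: List[Finding]) -> Counter:
    """Count masked commands per remote IP: the peers whose path crosses the
    inspection engine."""
    return Counter(f.remote_endpoint.rsplit(":", 1)[0] for f in findings)


if __name__ == "__main__":
    hits = find_masked_commands(SAMPLE_LOG)
    for f in hits:
        print("session %s seq %d from %s: %r -> %r"
              % (f.session_id, f.sequence_number, f.remote_endpoint, f.masked, f.reply))
    print(dict(affected_peers(hits)))
```

Run against a real receive log (`python scan.py < SMTPReceive.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the per-peer count separates relays that reach Exchange through the inspecting firewall from those that do not, which is the quickest way to confirm the firewall rather than the relay is mangling the dialogue. The check deliberately requires the whole line to be X characters: legitimate Exchange verbs such as `XEXCH50` start with X but contain other characters and are not flagged.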

  • Storage location extension for Blocked and Quality inspection stocks

    Hi All,
    Could anyone explain how to extend a storage location (which is currently maintained for returns) to make use of it for blocked and quality inspection stocks? Does this require any config settings?
    Thanks in advance.
    Kalyan

    Hi,
    Thanks for the Reply.
    Let me be more clear in describing my requirement. Actually, the present storage location is maintained only for returns. But in addition to this, I need to use this storage location for maintaining blocked stock or QI stock.
    Therefore, to achieve the above, what are the necessary steps, or do I need to maintain any config settings for this?
    Thank you,
    Kalyan.

  • PM Notification: User-Define Values for Reported By and Tech Inspected by

    Hi Friends,
    My user wants the names filled into the fields Reported by and Tech inspected by in the notification to come from a dropdown list.
    Please suggest a solution, any customer exit or user exit.
    Regards
    Pankaj Verma

    The programmer used field validation in the IW21/IW22 and IW31/IW32 screens for that functionality.
    Sorry, I don't have code or specific enhancement names. All I can say is that after enhancement, it worked very well.
    Thanks-

  • Should I disable ESMTP inspect engine on the ASA??

    Hello all,
    I have read a lot of blogs that recommend disabling the ESMTP inspect engine because most of the time it affects communication between email servers on different networks.
    Is it a good practice?
    Thank you!

    Hi Konsu,
    You will find your answer here:
    https://supportforums.cisco.com/message/3110997#3110997
    Hope that helps.
    Varun

  • Difference between Characterstics and Master Inspection Characterstics??

    Could someone please explain to me the difference between characteristics and master inspection characteristics?
    How do you create a new master inspection characteristic?

    Classification and Characteristics are cross-application functions ( [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/dd/ae56614bb411d192f20000e829fbc6/frameset.htm] ) used in many areas of SAP, such as:
    - Equipment
    - Functional location
    - Notification
    - Task lists
    - Materials
    - QM master inspection characteristics
    - Sales orders
    - Etc
    PeteA

  • Maintain new inspection lot origin and assign inspection types

    Hi,
    I want to maintain a new inspection lot origin and assign inspection types. For example: 90, NoRange: 90, DCr: 001, TL Type: S and Stat: 4, because I want to maintain TL Type S (reference operation set).
    Please provide me the solution.
    Regards,
    Niyas.

    Hi
    As per SAP standard you cannot create an inspection lot origin, but you can certainly create an inspection type.
    Just a suggestion...
    Try inspection lot origin 89 (Misc), NoRange: 90, DCr: 001, TL Type: S and Stat: 4,
    and create inspection type 90 with variant 01/02 in inspection lot origin 01.
    This will solve your purpose.
    Regards
    Sujit

  • Best scenario to use variable inspection and attributive inspection

    Hello!
    Can anyone help me with a practical example of the difference between attributive inspection and variable inspection by s-method? What are the best scenarios to use them, respectively?

    Variable inspection: in SAP terms, variable inspection is quantitative inspection, meaning there is some value that is variable and can be measured. Examples cover a very wide range; say, in mechanical companies such as the auto industry, components need to be inspected in microns with upper and lower limits, like 12 mm +0.001 / -0.002, etc.
    These could be the scenarios where you need to comply with upper and lower limits.
    Attributive inspection: in SAP terms it is the qualitative type, meaning it cannot be measured but can be derived or compared, like a Go/No-Go gauge, Yes/No, Pass/Fail, etc.
    Scenarios are mostly in the mechanical or electrical industries where such values need to be monitored, like, say, whether a piece of equipment passes or fails a certain test characteristic, or a component has surface finish problems, which can only be seen or compared.

  • ESMTP Inspection Dropping Connections

    I am trying to understand why my ASA appears to be dropping packets with the following message:
    %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:1.1.1.1/1292 to DMZ:2.2.2.2/25; matched Class 31: cmd RCPT count gt 100
    My understanding is that "RCPT count gt 100" drops connections if the number of recipients is greater than 100. I have a Wireshark trace of this transaction and there is only one recipient on this email.
    This makes no sense to me. Why else would I be seeing this message if the number of RCPT TO addresses is 1? Does this have anything to do with the length of the RCPT TO email address?
    Thanks.

    policy-map type inspect esmtp esmtp_map
     parameters
     match cmd line length gt 512
      drop-connection log
     match cmd RCPT count gt 100
      drop-connection log
     match body line length gt 998
      log
     match header line length gt 998
      log
     match sender-address length gt 320
      drop-connection log
     match MIME filename length gt 255
      drop-connection log
     match ehlo-reply-parameter others
      mask
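When triaging a %ASA-4-108004 message, the first step is to map the criterion named in the syslog ("cmd RCPT count gt 100") back to the `match` line of the ESMTP policy-map and the action configured under it, so that it is clear which rule fired and whether it was set to `drop-connection`, `log` or `mask`. The following is an added example written for this page, not Cisco code or anything posted in the thread: it parses the esmtp_map above and the 108004 line from the question, plus one constructed line in the same format with a different criterion. It only correlates log and configuration; it does not explain why the ASA counted more than 100 RCPT commands on a one-recipient message, which the thread leaves open.

```python
"""Added example (not from the original thread, not Cisco code): map an ASA
%ASA-4-108004 ESMTP drop message back to the line of the
'policy-map type inspect esmtp' that carries the same criterion, and report the
actions configured under it. The policy text is the one posted in the thread;
LOG_LINES[0] is the line from the question and LOG_LINES[1] is constructed in
the same format (its class number is arbitrary)."""
import re
from typing import Dict, List, Optional

ESMTP_MAP = """\
policy-map type inspect esmtp esmtp_map
 parameters
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
"""

LOG_LINES = [
    "%ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request "
    "from inside:1.1.1.1/1292 to DMZ:2.2.2.2/25; matched Class 31: cmd RCPT count gt 100",
    # constructed second line, same format, different criterion
    "%ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request "
    "from inside:1.1.1.1/1300 to DMZ:2.2.2.2/25; matched Class 35: sender-address length gt 320",
]

# Action keywords that can appear under a 'match' line in an esmtp policy-map.
ACTIONS = {"drop-connection", "log", "mask", "reset", "rate-limit"}


def parse_esmtp_policy(text: str) -> Dict[str, object]:
    """Return {'name': ..., 'rules': {criterion: [action tokens]}} for one
    'policy-map type inspect esmtp' block. Indentation is not trusted; the
    action keywords themselves mark the lines that belong to the preceding
    match, and anything under 'parameters' is skipped."""
    name, rules, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map type inspect esmtp "):
            name = line.split()[-1]
        elif line.startswith("match "):
            current = line[len("match "):]
            rules[current] = []
        elif current is not None and line.split()[0] in ACTIONS:
            rules[current].extend(line.split())
        else:
            current = None   # 'parameters' and its children
    return {"name": name, "rules": rules}


LOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-108004: ESMTP Classification: Dropped connection for ESMTP "
    r"(?P<dir>\w+) from (?P<sif>[^:]+):(?P<sip>[^/]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dip>[^/]+)/(?P<dport>\d+); "
    r"matched Class (?P<cls>\d+): (?P<crit>.+)$")


def explain(line: str, policy: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Parse one 108004 line and attach the actions configured for its
    criterion ('actions' is None when the policy has no such match line).
    Returns None for any other syslog message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rules = policy["rules"]
    return {
        "policy": policy["name"],
        "src": (m["sif"], m["sip"], int(m["sport"])),
        "dst": (m["dif"], m["dip"], int(m["dport"])),
        "class": int(m["cls"]),
        "criterion": m["crit"],
        "actions": rules.get(m["crit"]),
    }


if __name__ == "__main__":
    policy = parse_esmtp_policy(ESMTP_MAP)
    for line in LOG_LINES:
        hit = explain(line, policy)
        print("%s:%d -> %s:%d  '%s'  configured: %s" % (
            hit["src"][1], hit["src"][2], hit["dst"][1], hit["dst"][2],
            hit["criterion"], " ".join(hit["actions"] or ["<no matching line>"])))
```

If `actions` comes back None for a criterion the ASA reports, the drop came from a different inspect policy than the one being read (for instance `_default_esmtp_map`, as in the `show service-policy` output earlier on this page), which is worth ruling out before debugging the policy-map in hand.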

  • Goods receipts blocked stock and quality inspection

    Hi,
    We want to create an inspection lot for an initial sample automatically when the goods receipt is posted. At the same time, we don't want the quantity to appear in the normal quality inspection stock or in the normal blocked stock; instead it should be posted to the goods receipt blocked stock.
    Is it possible to post it automatically to the goods receipt blocked stock?
    Is it possible to create an inspection lot automatically for this?
    Thanks,
    Marcus.

    This isn't something that is straightforward, like just running a report.
    You have to look at the field QALS-LMENGEZUB, which is the quantity to be posted of the inspection lot. Keeping in mind that you can have multiple inspection lots for the same batch, you'd have to get all QALS records for the batch you are interested in.
    You then have to compare all the related MCHB records for the material, and in that table sum all the values in field CINSM.
    That should show you any inconsistencies between MM and QM.
    I am assuming this is for batch-managed, non-HU-managed materials.
    If not, let me know and we'll take another crack at it.
    FF

  • Non stock material and quality inspection

    Hi All,
    We are using a material short text for a material procurement. The system allows me to post the goods receipt with movement type 101 into quality inspection stock.
    However, once posted to QI stock, we cannot enter a 321 movement with reference to the GR document.
    But I can enter a rejection for the full or partial quantity using movement type 122, with reference to the GR document.
    Can anyone suggest a method to transfer the stock from QI stock to consumption? SAP does not allow consumption from QI stock. How should the process be handled?
    Prashant

    Hi,
    When you do the GR, at that time the system books the consumption of the material quantity and value immediately, since there is no material master (purchase by material text).
    The inspection lot generated is for keeping a record of the material's usage decision and results recording, and to generate the COA. It is not related to stock posting, since there is no stock after the GR.

  • MRP exception messages and QI inspection lots

    Hi all
    Currently my QI inspection lots (which are awaiting a usage decision, which can take weeks) appear in MD04 with "Cancel process" or "Reschedule out" messages.
    I don't understand this, as the stock is on site, so I cannot cancel. How can I stop these messages appearing so my planner only sees Cancel process messages for MRP elements that she can actually cancel, like open POs, etc.?
    Thanks.

    Hi
    The 'Cancel' can be set for all elements, e.g. inspection lot, purchase order, purchase requisition, production order, process order, if their quantities are redundant because the stock and the elements before them are enough to meet the requirement.
    The exception message is just shown in the case above to suggest that the users consider whether they are really needed.
    If there were not enough stock and receipts to meet the requirements before the QM lots, the exception would not happen for them.
    Leon Shen.

  • Time taken between GRN and Quality inspection

    Hi all,
    Once the GRN happens, the quantity is moved to quality inspection, and when quality inspection is completed the stock is moved to unrestricted use. So I want the time from when the quantity moved to QI to the time it reached unrestricted use.
    Is there any standard report to find the time taken for quality inspection?
    Regards,
    Joseph.
    Edited by: joseph5885 on Nov 11, 2010 3:01 PM

    This is referred to as the lead time in QI. This is available in standard reports, but in SAP standard it is considered to be a 24-hour duration.
    Refer to this thread:
    Re: time taken between grn and QM inspection

  • Runtime error at maintain insp lot origins and assign inspection types

    Hi all,
    When I want to assign a new inspection type to lot origin 05, I get a runtime error. I don't know what's happening, but I think it is caused by the system not being able to find a record. When I look in TQ31 and TQ33 I see a line with lot origin 05. In table TQ32 there is no line.
    I can still maintain all other inspection lot origins. I removed the inspection type from 05 and want to add another one, but it's not possible anymore because of the error...
    Does anybody have an idea?

    It sounds like you deleted the 05 inspection type that SAP delivers and had linked to origin 05.
    You shouldn't do that.
    SAP is very picky about having the 01 variant assigned. You have deleted the 01 variant.
    You can try to create it back, maybe. If it fails, my guess is you'll have to have the Basis team regenerate the TQ32 table from client 000. Then you'll have to redo any entries you need, like any custom inspection types.
    FF
