ASA 5500 series dropping TLS packets

I’ve had this nagging problem with our email for quite a while now, maybe a year or so. I’m more of a desktop/server/software troubleshooter, not so much into the networking stuff. My boss is the network admin. I’ve been getting much more involved in our firewalls and routers as of late. I noticed that TLS hasn’t been working for some reason. I didn’t figure out why until today. It hasn’t been a big issue because we’ve been getting emails anyway, but someone from outside our organization has now sent me two emails in the last month and a half with bounces he’s received.

Diagnostic-Code: smtp; 510 Did not receive the expected protocol response.

It’s sporadic though, he didn’t always have this problem. I was determined to figure it out today. There are people out there who don’t really care if something is working well, as long as it’s working – I’m not one of those. If I’m responsible for it, it’s going to function properly.

We have a firewall in front of our email gateway, an ASA to be exact. I have spent all day working on this, bouncing between our email gateway and the firewall trying to determine where the problem is. I noticed that email from our email server to the gateway was encrypted, and from the gateway to the email server it was as well. But anything coming to the gateway from the outside and anything going out from the gateway was not. So, ding ding ding, it has to be the firewall.

I’m getting more comfortable working with the firewall, but it always makes me anxious because I’m afraid to break something. Essentially what was happening was that the ESMTP inspection was dropping the TLS packets since it couldn’t actually inspect them, which would be why their server wasn’t receiving the expected response. It’s annoying, though, that I didn’t see any indication of packets being dropped in the logs. Maybe I wasn’t looking in the right place. It makes me wonder who else has been having this problem and just not reaching out to us to let us know. I used the GUI for this, but there are commands to run it as well, which you can see here at Experts Exchange.

For the GUI: In ASDM go to configuration -> firewall -> service policy rules -> under Global; global_policy, right click on inspection_default and edit -> go to the Rule Actions tab -> uncheck ESMTP.

As soon as I did that and hit apply I went back to my gateway and saw everything being sent/received in TLS now. Mission accomplished.
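A quick way to confirm this kind of fix from the outside, added here as an example and not part of the original post: connect to the gateway on port 25, see whether the EHLO reply still advertises STARTTLS, and if so attempt the TLS handshake. The host name is a placeholder, and the assumption that ESMTP inspection hides the extension by replacing its keyword with X's is marked in the code.

```python
"""Check whether an SMTP server, as seen from outside the firewall, still
advertises STARTTLS in its EHLO reply and whether TLS actually negotiates.
Added example (not from the original post); the host name is a placeholder."""
import smtplib
import ssl


def parse_ehlo_capabilities(ehlo_msg: bytes) -> dict:
    """Turn the message half of smtplib's ehlo() reply into {KEYWORD: args}.
    smtplib joins the 250- lines with '\n'; the first line is the server's
    own host name, the rest are the advertised extensions."""
    caps = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps


def starttls_status(caps: dict) -> str:
    """'advertised', 'masked' (an all-X keyword where STARTTLS would be,
    which is how ASA ESMTP inspection is assumed to hide it), or 'absent'."""
    if "STARTTLS" in caps:
        return "advertised"
    if any(k and set(k) == {"X"} for k in caps):
        return "masked"
    return "absent"


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: EHLO, classify the reply, then try STARTTLS if offered."""
    result = {"starttls": "absent", "tls_ok": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        result["starttls"] = starttls_status(parse_ehlo_capabilities(msg))
        if result["starttls"] == "advertised":
            code, _ = smtp.starttls(context=ssl.create_default_context())
            result["tls_ok"] = code == 220
    return result


# Constructed sample EHLO replies (not captured from the author's gateway).
EHLO_WITH_TLS = b"mail.example.com Hello [203.0.113.5]\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_MASKED = b"mail.example.com Hello [203.0.113.5]\nSIZE 52428800\nXXXXXXXX\n8BITMIME"

if __name__ == "__main__":
    for sample in (EHLO_WITH_TLS, EHLO_MASKED):
        print(starttls_status(parse_ehlo_capabilities(sample)))
    # print(check_starttls("mail.example.com"))  # run against your own gateway
```

If turning off ESMTP inspection entirely is more than you want, the ASA's esmtp inspection policy-map also has an allow-tls parameter that lets STARTTLS through while still inspecting plaintext sessions.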
