Cisco FWSM -> ASA upgrade broke our mail server
Solution 1:
Are there UTF-8 characters in the 'real' version of that username (after decoding)? If the inspection has triggered on it, I'm guessing there's a reason that it's picked that specific line.
But maybe not; the inspection feature is more akin to the chaos monkey than an IPS. Personally, the only things the inspection features have really provided for me have been headaches (through overly aggressive sanitizing of perfectly valid traffic) and security vulnerabilities. From a quick search:
- CVE-2011-0394 (reboot of the ASA from
inspect skinny
) - CVE-2012-2472 (CPU DoS from
inspect sip
) - CVE-2012-4660/4661/4662 (more reboots, you get the idea)
My recommendation is to not lose much sleep over needing to turn off aspects of the ASA's protocol inspection; the endpoint server applications (or a targeted security platform like a web application firewall) tend to do a much better job of enforcing protocol compliance anyway.