%FW-5-POP3_INVALID_COMMAND: Invalid POP3 command from initiator

Posted on 2012-08-20
Last Modified: 2012-09-06

I am getting this log frequently on my router and I don't know what is the cause.
%FW-5-POP3_INVALID_COMMAND: Invalid POP3 command from initiator ( Invalid verb

the IP is the IP range of internal clients and I have this message from many different clients. I was wondering if the thunderbird is the cause but it is not.

anybody knows what is the cause of this request and log.
Question by:kermanian
    LVL 23

    Accepted Solution

    The POP3 client is sending a command that the firewall does not know about.
    And the firewall is deciding the command is invalid and blocking the client.

    One way to make it stop would be to disable the POP3 protocol inspection,
    e.g.   no ip inspect name firewall pop3

    The other possibility would be to upgrade the software on your router.

    Get wireshark or another packet sniffer running on the mail server, and check the raw POP3 traffic for invalid commands.

    If none are found, contact Cisco TAC  for assistance.
    There's no way as end user to teach the router about new POP3 commands,
    or to eliminate the false positives.

    Your other options would be to   tolerate the condition,  punch a hole in inspection, or turn off protocol inspection entirely.
    LVL 21

    Expert Comment

    Is your email server internal or external?  if multiple internal clients are trying to send traffic out through your firewall, they may be mis-configured.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
    Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now