The problem here is that the device is interpreting the first @ as the delimiter between the credentials and the FTP server address.
Perhaps configuring the username and password in global-configuration mode and then redirecting the show tech without specifying the credentials would do the trick. Otherwise, and I know this is a wimpy solution, changing the password to not include that one character may be the easiest and perhaps most secure way of working around this issue.
Answering my own question to help future googlers. I spent about 3 hours on the phone with TAC; we finally got to the root cause of the issue.
The solution is to add a special NAT entry, which matches the IP address in the DNS A-Record when it arrives on the INSIDE interface.
object network DNS_NAT_masd1
description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
host 1.195.18.182
nat (DMZ,INSIDE) static 10.195.18.182
When I asked for a pointer to documentation that describes why DNS translation works this way, the TAC lead said that he didn't know of any that described this behavior. The TAC lead also mentioned that with more code, the ASA would know to automatically translate the DNS A-Record without explicitly adding object network DNS_NAT_masd1; however, that is not how the dns keyword for ASA NAT works today. For reasons that still are not completely clear yet, the ASA requires the DNS A-Record IP to match the <proxy_addr> in the NAT statement, using syntax similar to this...
object network obj-EXAMPLE
description NAT object explicitly for translating DNS A-Records
host <proxy_addr>
nat (<REAL_INTF>,<PROXY_INTF>) static <real_addr> dns
The difficulty is that this configuration is exactly backwards for what you need to do if you're going to nat regular "data plane" IP traffic through the firewall.
This is the whole configuration that works...
object network DMZ_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
host 1.195.18.182
description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
!
object network DMZ_NAT_masd1
nat (DMZ,INSIDE) static 192.168.11.101
object network INSIDE_NAT_masd1
nat (INSIDE,DMZ) static 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
nat (DMZ,INSIDE) static 10.195.18.182 dns
Best Answer
As stated in https://supportforums.cisco.com/discussion/10780211/help-underrun-errors: underruns occur when the rx-ring is full (unable to accept more pkts); it means that the NIC is unable to pass data to the IP level at the same speed they arrive at the NIC.