ASA, Trouble with FTP Transfer

Feb 17th, 2009

Hi all,


I have some trouble and I have no idea now ...


I have the following network:


------------------------|-------------| <-Inside-> Cisco 1800 <--> Private VPN <--> FTP Server

FTP Client <-DMZ-> | ASA 5510 |

------------------------|-------------| <-Outside-> Modem/router <--> Internet



When I make an FTP connection, authentication is good (and slow), but I can't put any file.


The transfer begins but stops at 130 072 octets and I have a connection timeout.


If I remove the ASA 5510 like this:


FTP Client <--> Cisco 1800 <--> Private VPN <--> FTP Server


The authentication and transfer are OK ...


The people who maintain the Cisco 1800 say that they don't have any problem ...


The FTP Server is in Active Mode, my client too.


The static on the ASA works because I can authenticate (tcp/21).


Ip inspect ftp is on (must be because we are in Active Mode).


I tested a lot of things but nothing is better.


Access-list permit any for the test.


Finally, I sniffed the network between the ASA and the 1800 and I don't have any ACK (I think) and I have a lot of TCP retransmissions.


Do you have an idea to resolve my problem ...? Do you think this problem comes from the ASA?


Thanks a lot,


Fred


PS: I forgot to do one thing ... fix the speed and the duplex; I will do it soon.


Sorry for my bad English ...

eddie.mitchell@... Tue, 02/17/2009 - 13:27

Does your configuration contain the following items?


class-map inspection_default
 match default-inspection-traffic

policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp

service-policy asa_global_fw_policy global


frederic.peng Wed, 02/18/2009 - 01:35

Yes, my configuration contains these items.


If I don't have the ASA, I have the following sequences (Wireshark):


ftp-data > 6049 [ACK] Seq=1 Ack=9577 Win=25992 Len=0 TSV=1675536326 TSER=23653399

FTP Data: 1368 bytes

FTP Data: 1368 bytes

ftp-data > 6049 [ACK] Seq=1 Ack=10945 Win=28728 Len=0 TSV=1675536334 TSER=23653399

FTP Data: 1368 bytes

FTP Data: 1368 bytes


With the ASA:


ftp-data > 6051 [ACK] Seq=1 Ack=23353 Win=54720 Len=0 TSV=1675557559 TSER=23655526

FTP Data: 1368 bytes

FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes

ftp-data > 6051 [PSH, ACK] Seq=1 Ack=26089 Win=60192 Len=0

FTP Data: 1368 bytes

FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes


Finally, I have a connection timeout ...
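To put numbers on the two capture excerpts in the post above, here is an added example (not part of the original thread) that tallies new data, retransmitted data and ACK progress from the Wireshark summary lines. The function name `summarize` and the dictionary keys are assumptions made for this illustration; the input lines are the ones quoted in the post.

```python
import re

# Summary lines copied from the two Wireshark excerpts in the post above.
WITHOUT_ASA = """\
ftp-data > 6049 [ACK] Seq=1 Ack=9577 Win=25992 Len=0 TSV=1675536326 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes
ftp-data > 6049 [ACK] Seq=1 Ack=10945 Win=28728 Len=0 TSV=1675536334 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes
"""
WITH_ASA = """\
ftp-data > 6051 [ACK] Seq=1 Ack=23353 Win=54720 Len=0 TSV=1675557559 TSER=23655526
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
ftp-data > 6051 [PSH, ACK] Seq=1 Ack=26089 Win=60192 Len=0
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
"""
DATA_RE = re.compile(r"^(\[TCP Retransmission\] )?FTP Data: (\d+) bytes$")
ACK_RE = re.compile(r"^ftp-data > \d+ \[[^\]]*ACK[^\]]*\].*\bAck=(\d+)")

def summarize(capture):
    """Tally new vs. retransmitted payload and ACK progress (hypothetical helper)."""
    new = retrans = 0
    acks = []
    for line in capture.splitlines():
        data = DATA_RE.match(line.strip())
        ack = ACK_RE.match(line.strip())
        if data and data.group(1):      # segment flagged as a retransmission
            retrans += int(data.group(2))
        elif data:                      # first transmission of a data segment
            new += int(data.group(2))
        elif ack:                       # ACK coming back from the FTP server side
            acks.append(int(ack.group(1)))
    total = new + retrans
    return {
        "new_bytes": new,
        "retransmitted_bytes": retrans,
        "ack_advance": acks[-1] - acks[0] if len(acks) > 1 else 0,
        "retransmit_ratio": retrans / total if total else 0.0,
    }

if __name__ == "__main__":
    for name, cap in (("without ASA", WITHOUT_ASA), ("with ASA", WITH_ASA)):
        print(name, summarize(cap))
```

The excerpts are short, so the ratio only describes the quoted lines, not the whole transfer.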



frederic.peng Mon, 02/23/2009 - 01:24

A little update because I don't find any issue ...


If someone has an idea ...?

sdoremus33 Mon, 03/23/2009 - 18:08

Following caveat from earlier post


CSCsc91450

Yes

FTP control channel timing out although data channel is active.
