ASA, Trouble with FTP Transfer

Unanswered Question
Feb 17th, 2009

Hi all,

I have some trouble and I have no idea now ...

I have the following network:

                   |----------| <-Inside-> Cisco 1800 <--> Private VPN <--> FTP Server
FTP Client <-DMZ-> | ASA 5510 |
                   |----------| <-Outside-> Modem/router <--> Internet

When I make an FTP connection, authentication is good (and slow) but I can't put any file.

The transfer begins but stops at 130 072 octets and I have a connection timeout.

If I remove the ASA 5510 like this:

FTP Client <--> Cisco 1800 <--> Private VPN <--> FTP Server

The authentication and transfer are OK ...

The people who maintain the Cisco 1800 say that they don't have any problem ...

The FTP Server is in Active Mode, my client too.

The static on the ASA works because I can authenticate (tcp/21).

Ip inspect ftp is on (must be because we are in Active Mode).

I tested a lot of things but nothing is better.

Access-list permit any for the test.

Finally, I sniffed the network between the ASA and the 1800 and I don't have any ACK (I think) and I have a lot of TCP retransmissions.

Do you have an idea how to resolve my problem? Do you think this problem comes from the ASA?

Thanks a lot,

Fred

PS: I forgot to do one thing ... fix the speed and the duplex; I will do it soon.

Sorry for my bad English ...

eddie.mitchell@... Tue, 02/17/2009 - 13:27

Does your configuration contain the following items?

class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global

frederic.peng Wed, 02/18/2009 - 01:35

Yes, my configuration contains these items.

If I don't have the ASA, I have the following sequence (Wireshark):

ftp-data > 6049 [ACK] Seq=1 Ack=9577 Win=25992 Len=0 TSV=1675536326 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes
ftp-data > 6049 [ACK] Seq=1 Ack=10945 Win=28728 Len=0 TSV=1675536334 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes

With the ASA:

ftp-data > 6051 [ACK] Seq=1 Ack=23353 Win=54720 Len=0 TSV=1675557559 TSER=23655526
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
ftp-data > 6051 [PSH, ACK] Seq=1 Ack=26089 Win=60192 Len=0
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes

Finally, I have a connection timeout ...

frederic.peng Mon, 02/23/2009 - 01:24

A little update because I don't find any issue ...

If someone has an idea ...?

sdoremus33 Mon, 03/23/2009 - 18:08

Following caveat from earlier post

CSCsc91450

Yes

FTP control channel timing out although data channel is active.
