Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
895
Views
0
Helpful
6
Replies

ASA, Trouble with FTP Transfert

frederic.peng
Level 1
Level 1

‎02-17-2009 12:42 PM - edited ‎03-11-2019 07:51 AM

Hi all,

I have some trouble and I have no idea now ...

I have the following network :

------------------------|-------------| <-Inside-> Cisco 1800 <--> Private VPN <--> FTP Server

FTP Client <-DMZ-> | ASA 5510 |

------------------------|-------------| <-Outside-> Modem/router <--> Internet

When I make a FTP connection, authentication is good (and slow) but I can't put any file.

The transfert begin but stop at 130 072 octets and I have a connection timeout.

If I remove the ASA 5510 like this :

FTP Client <--> Cisco 1800 <--> Private VPN <--> FTP Server

The authentication and transfert is Ok ...

People who maintain the Cisco 1800 say that they haven't any problem ...

The FTP Server is in Active Mode, my client too.

Static on ASA work because i can authenticating (tcp/21).

Ip inspect ftp is on (must be because we are in Active Mode).

I test a lot of thing but nothing better.

Access-list permit any for the test.

Finally, I sniff the network between the ASA and the 1800 and I don't have any ACK (I think) and I have a lot of TCP RETRANSMISSION.

Have you an idea to resolve my problem ...? Do you think this problem come from the ASA ?

Thanks a lot,

Fred

PS : I forget to do one thing ... fixed the speed and the duplex, I do it soon.

Sorry for my bad english ...

Labels:
0 Helpful
6 Replies 6

eddie.mitchell
Level 3
Level 3

‎02-17-2009 01:27 PM

Your configuration contains the following items?

class-map inspection_default

match default-inspection-traffic

policy-map asa_global_fw_policy

class inspection_default

inspect ftp

service-policy asa_global_fw_policy global

0 Helpful

frederic.peng
Level 1
Level 1
In response to eddie.mitchell

‎02-18-2009 01:35 AM

Yes, my configuration contains this items.

If I don't have the ASA, I have the following sequences (wireshark) :

ftp-data > 6049 [ACK] Seq=1 Ack=9577 Win=25992 Len=0 TSV=1675536326 TSER=23653399

FTP Data: 1368 bytes

FTP Data: 1368 bytes

ftp-data > 6049 [ACK] Seq=1 Ack=10945 Win=28728 Len=0 TSV=1675536334 TSER=23653399

FTP Data: 1368 bytes

FTP Data: 1368 bytes

With the asa :

ftp-data > 6051 [ACK] Seq=1 Ack=23353 Win=54720 Len=0 TSV=1675557559 TSER=23655526

FTP Data: 1368 bytes

FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes

ftp-data > 6051 [PSH, ACK] Seq=1 Ack=26089 Win=60192 Len=0

FTP Data: 1368 bytes

FTP Data: 1368 bytes

[TCP Retransmission] FTP Data: 1368 bytes

Finally, I have a connection timeout ...

0 Helpful

frederic.peng
Level 1
Level 1
In response to frederic.peng

‎02-23-2009 01:24 AM

A little update because I don't find any issue ...

If someone have a idea ... ?

0 Helpful

phendric
Level 1
Level 1

‎03-23-2009 12:17 PM

I am seeing the same issue. Interested in response.

0 Helpful

sdoremus33
Level 3
Level 3
In response to phendric

‎03-23-2009 06:05 PM

What version of ASA Code are you running? See following document

https://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html

0 Helpful

sdoremus33
Level 3
Level 3
In response to sdoremus33

‎03-23-2009 06:08 PM

Following caveat from earlier post

CSCsc91450

Yes

FTP control channel timing out although data channel is active.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card