Connection problem with firewall

suthomas1
Level 6

I am having problems with ftp to my server.

Client IP: 10.0.1.2

Server IP : 10.35.20.1

It says connection timeout, and when telnet is done on 21, it gives "connect to port 21 failed". FTP seems to be open locally on the server, as when I try an FTP from another server locally, it prompts for login.

Below are logs on my firewall for this connection.

10.0.1.2 1667 10.35.20.1 21 Teardown TCP connection 12379739847839711173 for AppZone:10.0.1.2 1667 to ftp_app:10.35.20.1/21 duration 0:00:20 bytes 66 SYN Timeout

Please suggest what could be the cause. Any issues with the firewall?

Also how to determine from this output if this ftp is on passive or active mode?

Thanks.


16 Replies

John Blakley
VIP Alumni

Are you ftp'ing from the outside of your firewall, or are you trying to ftp from inside to outside? Can you post your config?

HTH,

John

HTH, John *** Please rate all useful posts ***

These are on the firewall module & FTP is tried from outside to inside, or to be clear, the server is on security level 0 & the client is on 100.

access-list AppZone_list_in permit tcp host 10.0.1.2 host 10.35.20.1 eq 21

this is applied inbound on AppZone.

Counts on rule can be seen when this is tried.

Thanks.

SYN timeouts are usually related to routing problems. Make sure your firewall has a route to get to your network the clients are on. Also make sure that your internal network has a route back to the firewall for that network.

Routing looks right both ways. I can ping both server/client from the firewall.

Tks.

Ok, the firewall can ping the server and the client, that is fine.

Can the SERVER get back to the CLIENT?

Your firewall is incrementing the access list, so the connection is coming inbound, leaving the firewall then passing it in to your server. What is happening is the firewall is never receiving a response from the server back to the client so you get the SYN timeout. The problem is probably due to internal routing (from your server network to the client network of 10.0.1.0)

You mean the server route table ?

If so, I am also suspecting this, but just needed some expert inputs or some other possible causes from the gurus here.

Tks

What kind of server is it? Is it a Windows box running FTP? Is it Linux based?

It could be an issue with the default gateway of the server or the routing table. It could be an issue with the routing on your default gateway to know how to get to the external network of your client 10.1.0.0/?

It's a Windows box. One query here: if the server doesn't find a proper route path back to the client, won't it take its default gateway and try to reach the client, & shouldn't this work for the connection to reach at least the firewall, thus responding with a SYN-ACK?

or is a more specific path required?

Thanks.

access-list AppZone_list_in permit tcp host 10.0.1.2 host 10.35.20.1 eq 21

this is applied inbound on AppZone.

Is this applied on the outside interface or the inside interface (0 or 100). If it's applied on the inside interface, do you have an acl that's applied to the outside interface? If you have an acl on the outside interface, try adding port 20 to that acl. Active FTP connections make a connection to port 21, but the server tries to connect back to the client on port 20, and this could be the cause of your timeouts.

HTH,

John

HTH, John *** Please rate all useful posts ***

Oh, another thing, I've never worked with the FWSM, but in PIX/ASA you can use fixup commands to fix things like this:

fixup protocol ftp 21

This could solve all of your problems instead of going through everything else you've done. =)

HTH,

John

HTH, John *** Please rate all useful posts ***

It's applied on the outside (level 0). Any way to know from this output if it's active or passive?

For active, as I know, the server would give port 20 to the client & try connecting back to the random port >1023 which the client had given during the second phase.

I may be wrong,please correct if so.

Thanks.

You're correct. Do you have any statics configured for this connection?

HTH, John *** Please rate all useful posts ***

No statics for this connection.

Kureli Sankar
Cisco Employee

10.0.1.2 1667 10.35.20.1 21 Teardown TCP connection 12379739847839711173 for AppZone:10.0.1.2 1667 to ftp_app:10.35.20.1/21 duration 0:00:20 bytes 66 SYN Timeout

This means that the server on the outside did not respond to the SYNs sent from the client.

jjohnston1127 asked the right question.

Does the client have a route to the server network? I think it does or we wouldn't see the syn arrive on the firewall.

Does the server have a route back to the client network?

Just because the FWSM can ping both the client and the server, it doesn't mean server and the client can get to each other.

Make sure the server and the client can ping each other.

What code is the FWSM running?

If it is 2.x then you should have

fixup protocol ftp 21

If it is 3.x and above you should have

inspect ftp configured under policy-map

It doesn't look like that is the problem. It looks like the server does not have a route back to the client's IP. Please check the gateway that the server is pointing to and make sure it has a route back to the client network.

Otherwise, just add a static route on the Windows server such that it will reach the FWSM ftp_app interface in order to get to 10.0.1.2:

route add 10.0.1.2 mask 255.255.255.255 <FWSM-ftp_app-interface-IP>

and give that a shot.

A Wireshark capture on the server may be a good idea to see where it is sending the SYN-ACK (i.e., to which MAC address).

Let us know how that goes.
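To make the reasoning in this thread repeatable, here is an added example (my own code, not part of the original thread or of any Cisco tool) that parses FWSM/ASA-style "Teardown TCP connection" log lines and turns the teardown reason into the same diagnosis the replies above give: a SYN Timeout on port 21 means the client's SYN was permitted and forwarded but no SYN-ACK ever came back through the server-side interface, so the control channel never opened and active/passive mode was never negotiated. The first sample line is the one quoted in the thread; the other two are constructed here to show other teardown reasons (TCP FINs, TCP Reset-O). The field layout and the reason strings are assumptions based on the quoted message and common ASA/FWSM syslog wording.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: line 0 is the teardown quoted in the thread,
# lines 1-2 are invented here to exercise other teardown reasons.
SAMPLE_LOGS = [
    "10.0.1.2 1667 10.35.20.1 21 Teardown TCP connection 12379739847839711173 "
    "for AppZone:10.0.1.2 1667 to ftp_app:10.35.20.1/21 duration 0:00:20 bytes 66 SYN Timeout",
    "10.0.1.2 1668 10.35.20.1 21 Teardown TCP connection 12379739847839711174 "
    "for AppZone:10.0.1.2/1668 to ftp_app:10.35.20.1/21 duration 0:01:05 bytes 1842 TCP FINs",
    "10.0.1.2 1669 10.35.20.1 21 Teardown TCP connection 12379739847839711175 "
    "for AppZone:10.0.1.2/1669 to ftp_app:10.35.20.1/21 duration 0:00:00 bytes 0 TCP Reset-O",
]

# Accepts both "iface:ip/port" (FWSM's usual form) and "iface:ip port"
# (as the thread's copy of the line was pasted).
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)[ /](?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)[ /](?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<byte_count>\d+) (?P<reason>.+?)\s*$"
)


@dataclass
class Teardown:
    conn_id: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    duration_s: int
    byte_count: int
    reason: str


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one teardown line; return None for lines that are not teardowns."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m["duration"].split(":"))
    return Teardown(
        conn_id=m["conn_id"],
        src_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        duration_s=hours * 3600 + minutes * 60 + seconds,
        byte_count=int(m["byte_count"]),
        reason=m["reason"],
    )


def diagnose(t: Teardown) -> str:
    """Map the teardown reason to the next thing to check (defender's view)."""
    if t.reason == "SYN Timeout":
        msg = (f"{t.src_ip} sent SYNs via {t.src_if} to {t.dst_ip}:{t.dst_port} but no "
               f"SYN-ACK returned via {t.dst_if} within {t.duration_s}s; the inbound ACL "
               "already permitted the request, so check the server's return route "
               "(default gateway) toward the client network and capture on the server "
               "to see where its SYN-ACK is going")
        if t.dst_port == 21:
            msg += ("; the FTP control channel never opened, so active vs passive mode "
                    "was not yet negotiated and cannot be read from this line")
        return msg
    if t.reason == "TCP FINs":
        return f"normal close after {t.duration_s}s and {t.byte_count} bytes"
    if t.reason.startswith("TCP Reset-"):
        side = "outside (lower-security)" if t.reason.endswith("O") else "inside (higher-security)"
        return f"connection reset by the {side} host"
    return f"unhandled teardown reason: {t.reason}"


def diagnose_lines(lines):
    """Return (conn_id, diagnosis) for every parseable teardown line."""
    out = []
    for line in lines:
        t = parse_teardown(line)
        if t is not None:
            out.append((t.conn_id, diagnose(t)))
    return out


if __name__ == "__main__":
    for conn_id, verdict in diagnose_lines(SAMPLE_LOGS):
        print(conn_id, "->", verdict)
```

Run it as-is to see the three verdicts; feed it `show logging` output (or a syslog export) from the FWSM to get the same classification over real teardown lines. The regex is deliberately tolerant of the space-versus-slash difference in the source/destination port separator so the pasted line from this thread and a raw FWSM line both parse.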
