Can not connect to FTP Server

Unanswered Question
Sep 17th, 2009

Hi, I am working in an organisation and we provide FTP access to customers. Many customers are able to access the FTP server, but a few of them are not able to connect. These are the commands we usually configure on the PIX-525.

object-group network Customer_FTP

name X.X.X.X ABC_FTP01

object-group network Customer_FTP

network-object host ABC_FTP01 (ABC is customer name)

We configure the same commands for every customer, but a few of them are not able to connect to the FTP server.

How can I check where the problem is? If it is in the firewall, what commands can I use to troubleshoot,

and if it is a problem at the customer end,

what is the cause?

Please help me.

Thanks

Collin Clark Thu, 09/17/2009 - 07:31

The system log is the best place to start for troubleshooting on the ASA. Also make sure the client's FTP client is set up correctly (i.e. passive or active mode).

pushpendray Thu, 09/17/2009 - 11:11

How do I check the system logs?

Also, the client is trying to access from IE, though the site is not opening at all, so how can I check whether it is in active mode or passive mode?

clark.d Thu, 09/17/2009 - 11:26

I would tend to think it is an active/passive issue. IE can be configured to use passive... I think it is under the advanced settings, called Enable IE FTP folder view...

Dave

pushpendray Thu, 09/17/2009 - 12:38

Hi,

I also think the same. I will access the customer in the next 1 hour, so I will check it.

But they are also using the Filezilla application for FTP, and they are not able to connect with Filezilla either.

If it is an issue with the IE setting, then they should still be able to connect with the Filezilla FTP application.

I can give the complete status in the next 1 hour.

But please suggest any other thing if possible, because I would like to check every possible setting at the customer end.

pushpendray Thu, 09/17/2009 - 14:09

Hi, I checked it on the customer end. The problem is not Active or Passive.

I tried to log in from Filezilla/IE/Command prompt

but there is no luck.

There is some other issue.

Kindly help

clark.d Fri, 09/18/2009 - 03:52

From the command line, do you get an FTP login prompt? Can you log in? If you can log in, does the 'DIR' command fail?

pushpendray Fri, 09/18/2009 - 04:17

From the command line too, I am not able to connect to the mentioned FTP site.

cisco24x7 Fri, 09/18/2009 - 05:03

The best thing to do is to use a Linux client and use tcpdump to look at the traffic's behavior. The output below will help you:

[Expert@rkv-cpfw]# tcpdump -nnni eth0 host 192.168.1.204 and not port 161 and not icmp

tcpdump: listening on eth0

12:57:04.241710 129.174.1.13.36717 > 192.168.1.204.21: S 2720628260:2720628260(0) win 5840 (DF)

12:57:04.242040 192.168.1.204.21 > 129.174.1.13.36717: S 291670884:291670884(0) ack 2720628261 win 5840 (DF)

12:57:04.242145 129.174.1.13.36717 > 192.168.1.204.21: . ack 1 win 46 (DF)

12:57:04.244285 192.168.1.204.21 > 129.174.1.13.36717: P 1:21(20) ack 1 win 1460 (DF)

12:57:07.260314 192.168.1.204.21 > 129.174.1.13.36717: P 78:97(19) ack 34 win 1460 (DF)

12:57:12.426199 129.174.1.13.36717 > 192.168.1.204.21: P 34:64(30) ack 97 win 46 (DF) [tos 0x10]

12:57:12.426686 192.168.1.204.21 > 129.174.1.13.36717: P 97:148(51) ack 64 win 1460 (DF)

12:57:12.426798 129.174.1.13.36717 > 192.168.1.204.21: . ack 148 win 46 (DF) [tos 0x10]

12:57:12.426842 129.174.1.13.36717 > 192.168.1.204.21: P 64:70(6) ack 148 win 46 (DF) [tos 0x10]

Switch to FTP Active mode and do an ls after that:

12:57:12.427192 192.168.1.204.20 > 129.174.1.13.61898: S 292770281:292770281(0) win 5840 (DF)

12:57:12.427277 129.174.1.13.61898 > 192.168.1.204.20: S 2717254501:2717254501(0) ack 292770282 win 5840 (DF)

12:57:12.427687 192.168.1.204.20 > 129.174.1.13.61898: . ack 1 win 1460 (DF)

12:57:12.427697 192.168.1.204.21 > 129.174.1.13.36717: P 148:187(39) ack 70 win 1460 (DF)

12:57:12.427701 192.168.1.204.21 > 129.174.1.13.36717: P 187:211(24) ack 70 win 1460 (DF)

12:57:12.427705 192.168.1.204.20 > 129.174.1.13.61898: F 1:1(0) ack 1 win 1460 (DF) [tos 0x8]

12:57:12.427857 129.174.1.13.61898 > 192.168.1.204.20: . ack 2 win 46 (DF)

12:57:12.427943 129.174.1.13.36717 > 192.168.1.204.21: . ack 211 win 46 (DF) [tos 0x10]

12:57:12.428083 129.174.1.13.61898 > 192.168.1.204.20: F 1:1(0) ack 2 win 46 (DF) [tos 0x8]

12:57:12.428435 192.168.1.204.20 > 129.174.1.13.61898: . ack 2 win 1460 (DF) [tos 0x8]

Switch to FTP Passive mode:

12:57:14.207176 129.174.1.13.36717 > 192.168.1.204.21: P 70:76(6) ack 211 win 46 (DF) [tos 0x10]

12:57:14.207523 192.168.1.204.21 > 129.174.1.13.36717: P 211:263(52) ack 76 win 1460 (DF)

Perform an ls in Passive mode:

12:57:14.207736 129.174.1.13.51245 > 192.168.1.204.27915: S 2729670895:2729670895(0) win 5840 (DF)

12:57:14.208023 192.168.1.204.27915 > 129.174.1.13.51245: S 293569152:293569152(0) ack 2729670896 win 5840 (DF)

12:57:14.208075 129.174.1.13.51245 > 192.168.1.204.27915: . ack 1 win 46 (DF)

12:57:14.208138 129.174.1.13.36717 > 192.168.1.204.21: P 76:82(6) ack 263 win 46 (DF) [tos 0x10]

12:57:14.208522 192.168.1.204.21 > 129.174.1.13.36717: P 263:302(39) ack 82 win 1460 (DF)

12:57:14.208529 192.168.1.204.21 > 129.174.1.13.36717: P 302:326(24) ack 82 win 1460 (DF)

12:57:14.208532 192.168.1.204.27915 > 129.174.1.13.51245: F 1:1(0) ack 1 win 1460 (DF) [tos 0x8]

12:57:14.208643 129.174.1.13.36717 > 192.168.1.204.21: . ack 326 win 46 (DF) [tos 0x10]

12:57:14.208711 129.174.1.13.51245 > 192.168.1.204.27915: F 1:1(0) ack 2 win 46 (DF) [tos 0x8]

12:57:14.209023 192.168.1.204.27915 > 129.174.1.13.51245: . ack 2 win 1460 (DF) [tos 0x8]

12:57:15.457110 129.174.1.13.36717 > 192.168.1.204.21: P 82:88(6) ack 326 win 46 (DF) [tos 0x10]

12:57:15.457456 192.168.1.204.21 > 129.174.1.13.36717: P 326:340(14) ack 88 win 1460 (DF)

12:57:15.457608 129.174.1.13.36717 > 192.168.1.204.21: F 88:88(0) ack 340 win 46 (DF) [tos 0x10]

12:57:15.457709 192.168.1.204.21 > 129.174.1.13.36717: F 340:340(0) ack 88 win 1460 (DF)

12:57:15.457767 129.174.1.13.36717 > 192.168.1.204.21: . ack 341 win 46 (DF) [tos 0x10]

12:57:15.457958 192.168.1.204.21 > 129.174.1.13.36717: . ack 89 win 1460 (DF)

pushpendray Fri, 09/18/2009 - 05:49

I am not getting any logs on my firewall; I even tried to access through my IP, which is not allowed for FTP, but I am not getting any log for that.

But when I open FTP through IE, I do not get the "this page can not be displayed" error but a blank page,

while the site where the problem is occurring is getting "this page can not be displayed".

Stuart Hare Mon, 09/21/2009 - 00:58

Hi,

What code version are you running on the PIX?

Are you getting any ftp connections at all through the PIX?

Are you inspecting FTP traffic on the PIX?

You will need this enabled for it to work due to the dynamic nature of FTP.

Depending on the code version you will see either:

fixup protocol ftp

or

inspect ftp

Stu

pushpendray Mon, 09/21/2009 - 04:30

Hey, I am already getting FTP traffic for many customers; there are very few who are not able to log in.

Also, I have seen the logs generated by the sh logging command, but I didn't find any entry for the particular FTP site.

pushpendray Wed, 09/23/2009 - 09:59

Hey... I didn't mention that they are able to traceroute and able to ping the FTP server

but not able to connect to the FTP server.
