Large FTP file timed out

Unanswered Question
Sep 25th, 2009

Users are experiencing FTP timeouts for jobs where the file is larger than 1 Gig on Windows 2003 servers. It seems to time out every 10 mins; even though they tried to increase the timeout to 20 mins, the FTP job still failed. Is there a way we can increase the FTP timeout on the firewall? Thank you in advance.

Yudong Wu Fri, 09/25/2009 - 12:21

If it is PIX/ASA, you can use "timeout conn" to increase tcp timeout. But I am not sure if the problem is on PIX/ASA. What's your current tcp timeout setting?

santipongv Fri, 09/25/2009 - 12:23

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

Yudong Wu Fri, 09/25/2009 - 12:26

So your tcp timeout is 1 hour. Are you sure it's the FW closing the connection? Can you check the log to see what the reason is for the connection being torn down?

santipongv Fri, 09/25/2009 - 12:29

The ASA log shows the FTP session was torn down by the ASA. It seems that the FTP session (communication port 21) timed out, then the session was torn down.

Yudong Wu Fri, 09/25/2009 - 12:31

What's your ASA version?

Yudong Wu Fri, 09/25/2009 - 12:47

Since you mentioned the control channel (port 21) timed out, I thought it might be related to bug CSCsc91450. But your version should have the fix.

You might try using a policy map to change the tcp timeout just for the FTP/21 connection.

1. Define FTP traffic in an ACL

2. Define class-map

3. Use policy-map and add the following command in the class defined in step 2

"set connection timeout tcp 02:00:00 reset"

4. Apply it to the interface.

If it's still not working, open a TAC case to investigate.
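
The four steps in the reply above written out as an ASA configuration, as an added example that is not part of the original thread. The object names (FTP_CTRL, FTP_CTRL_CLASS, FTP_TIMEOUT_POLICY) and the interface name `outside` are assumptions.

```cisco
! Added example: object names and the interface "outside" are assumed,
! not taken from the thread.
!
! Step 1: match only the FTP control channel (TCP/21).
access-list FTP_CTRL extended permit tcp any any eq ftp
!
! Step 2: class-map that references the ACL.
class-map FTP_CTRL_CLASS
 match access-list FTP_CTRL
!
! Step 3: raise the idle timeout for that class only. "reset" sends a TCP RST
! to both endpoints when the timer expires, so neither side keeps a dead session.
! (Newer ASA releases use the keyword "idle" in place of "tcp"; check the
! command reference for your version.)
policy-map FTP_TIMEOUT_POLICY
 class FTP_CTRL_CLASS
  set connection timeout tcp 02:00:00 reset
!
! Step 4: attach the policy to the interface.
service-policy FTP_TIMEOUT_POLICY interface outside
!
! Confirm the class is matching traffic:
show service-policy interface outside
```

Scoping the ACL to the FTP server addresses instead of `any any` keeps the longer timeout from applying to unrelated port 21 flows. An interface takes only one service-policy, so if one is already attached, add the class to that policy-map instead.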

santipongv Fri, 09/25/2009 - 12:52

But my tcp timeout was set to 1 hr? Why is FTP/21 terminated in the 10 min range?

santipongv Fri, 09/25/2009 - 12:53

Is it possible to use a tcp-map to change just the timeout for the session in question?

Yudong Wu Fri, 09/25/2009 - 12:57

I don't remember the details of the commands. You can check the command ref to see. If it is the FW tearing down the connection, it looks like the default timeout does not work. Therefore, I suggest you use a policy map to change the tcp timeout on FTP only.

