NBAR classifying FTP traffic as unknown

Unanswered Question
Dec 14th, 2009


It is my understanding that NBAR is able to classify certain packets based on certain descriptors in the packet. It is also my understanding that the FTP client and server negotiate different port numbers once the session is initiated. I have enabled NBAR protocol discovery on all ports and Debug NBAR unclassified port stats. Once the session is initiated, all FTP traffic is classified as unknown with different port numbers. I have also tried using extended access lists to match some traffic, but it only sees the initial traffic.


How can I classify FTP traffic coming into my router from the internet?

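An added example, not part of the original thread: the question notes that FTP negotiates its data ports after the session starts, which is why a static port match only sees the initial control traffic. The Python sketch below follows the control channel (PORT, 227 and 229 messages per RFC 959 and RFC 2428) to learn the data endpoints and label later flows. The function names are hypothetical, and the session lines and addresses are constructed from documentation ranges.

```python
import re

# Client -> server, active mode: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client, passive mode: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Server -> client, extended passive mode: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

def _endpoint(fields):
    """Turn six decimal octets into (ip, port); None if any octet is > 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_flows(control_lines, server_ip):
    """Return (mode, listener_ip, listener_port) for each negotiated data channel."""
    flows = []
    for sender, line in control_lines:
        if sender == "client":
            m = PORT_RE.match(line)
            ep = _endpoint(m.groups()) if m else None
            if ep:
                flows.append(("active", *ep))   # server will connect to the client
        else:
            m = PASV_RE.match(line)
            ep = _endpoint(m.groups()) if m else None
            if ep:
                flows.append(("passive", *ep))  # client will connect to the server
            m = EPSV_RE.match(line)
            if m:  # 229 carries only a port; the address is the server's own
                flows.append(("passive", server_ip, int(m.group(1))))
    return flows

def classify(dst_ip, dst_port, flows):
    """Label a new TCP flow by its destination, using the learned endpoints."""
    if dst_port == 21:
        return "ftp"
    if any((ip, port) == (dst_ip, dst_port) for _, ip, port in flows):
        return "ftp-data"
    return "unknown"  # what a port-only match reports for every data channel

# Constructed control-channel capture (not from the thread).
SESSION = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful."),
    ("server", "227 Entering Passive Mode (198,51,100,5,234,96)."),
    ("server", "229 Entering Extended Passive Mode (|||60001|)"),
]
```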
Peter Paluch Mon, 12/21/2009 - 15:24
User Badges:
  • Cisco Employee,

Hello,


Are you using NAT or TCP Intercept feature on the same router? I have had experiences when mixing these features with the NBAR that it did not work as expected. The NAT or TCP Intercept modify the original packet's header fields, thereby wreaking havoc with the NBAR. I have even made a note to myself that when the NBAR was enabled on a "NAT inside" interface, it was not able to properly classify the FTP flows which may well be the issue you are experiencing yourself.


Best regards,

Peter

fruition3000 Sat, 12/26/2009 - 16:45

Thanks for the heads up, but unfortunately I was setting this up in a lab environment to roll out at a customer site, and this was set up without NAT or TCP Intercept.

Peter Paluch Sat, 12/26/2009 - 17:31
User Badges:
  • Cisco Employee,

Hello,


Can you perhaps provide us with the following information?


  1. The router platform and the IOS version you are using
  2. The sanitized configuration of your router (without passwords and sensitive information)
  3. The description of the FTP session you are testing (IP of the FTP client and server, active/passive mode, what exactly fails - the session setup or the file transfer)


Thank you!


Best regards,

Peter
