Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
0
Helpful
3
Replies

Active FTP failing on ACE module

JeramyKoval
Level 1
Level 1

‎12-18-2009 09:17 AM

I've setup FTP as show in the configuration examples.  Passive FTP works fine but for some reason active FTP breaks.


The client reported that he can authenticate to the FTP server with no problem.  However when he issues a FTP command such as LIST the connection just hangs.  Eventually he has to abort the connection.  10.24.32.75 is my source NAT address.

PORT 10,24,32,75,239,165

200 PORT command successful.

LIST

150 Opening ASCII mode data connection for /bin/ls.

425 Can't open data connection.

When I look at the sniff trace between the NAT and server I see the ftp server initiate the ftp-data connection on port 20.  But then the ACE receives it and sends a reset back to the ftp server.

Anyone know of commands that can be executed that can show details as to why the connection gets reset by the ACE?

I have a TAC case opened but still waiting for an engineer to respond.  Just thought I'd post to see if anyone else has experienced this.

Labels:
0 Helpful
3 Replies 3

Eric Rose
Cisco Employee
Cisco Employee

‎12-18-2009 10:57 AM

It sounds like you probably didn't configure FTP INSPECT rule for this VIP.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/appinsp.html#wp1310518

The ACE performs the FTP command inspection process as follows:

Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands.

Thanks

Eric Rose

0 Helpful

JeramyKoval
Level 1
Level 1
In response to Eric Rose

‎12-18-2009 11:58 AM

I triple checked that part of our configuration and made sure the inspect-ftp command was configured. 

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to JeramyKoval

‎12-21-2009 11:42 AM

We'll need to see your config and the sniffer trace.

G.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents