Cannot Download From FTP Site

Unanswered Question
Jan 11th, 2010

I can connect and browse the subfolders, but whenever I try to download anything IE 7 just hangs. I am behind an ASA 5510. When I try to download the same file from my home PC it starts the download right away, which is why I think it's my firewall. What do I need on the firewall to allow the download?

rmanapat Mon, 01/11/2010 - 14:26

Try to check your Inspect Policy on your ASA. Make sure that inspect ftp is in there. I hope this helps.


vilaxmi Mon, 01/11/2010 - 20:32


A few things we need to consider about SLOW downloads from your FTP server (which I ASSUME is out on the internet) for clients behind the firewall.

Was any s/w upgrade or h/w change done to the box when you noticed such behavior?

Since you are able to connect to the FTP site, most probably it will have nothing to do with your inspect FTP command on the box.

What you need to do is to set up captures on the box for interesting traffic and then analyse it using the Wireshark network analyser, to check for:

Increased MSS sizes being used for TCP transmission across the ASA. By default the ASA has an MSS of 1380 bytes, so if any greater segment sizes are coming to the ASA, then it will have to break them up into several PDUs, which would mean a lot of reassembling will be done. This could slow down downloads.

Increased TCP MSS segments can be allowed on the ASA, using advanced TCP options in MPF.

Check the asp drop counters on the firewall to check for o-o-o packets (out of order) and try to increase the queue-limit for allowing such kinds of packets and monitor if that helps.

Bottom line, the best way to troubleshoot latency issues for downloads is packet captures. Here is a link to help you set up captures
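
Added example, not part of any post in this thread: a Python sketch of the MSS check described in the reply above, run over raw TCP segments exported from a capture. The segments in `SAMPLE` are constructed and the function names are hypothetical; 1380 is the ASA default MSS quoted in the reply.

```python
import struct

ASA_DEFAULT_MSS = 1380  # default ASA MSS as stated in the reply above

def parse_tcp(segment: bytes):
    """Return (flags, advertised MSS or None, payload length) for one TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    hdr_len, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    mss, opts, i = None, segment[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:      # Maximum Segment Size option
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return flags, mss, len(segment) - hdr_len

def check_capture(segments, limit=ASA_DEFAULT_MSS):
    """List (index, reason, value) for SYNs advertising, or data exceeding, limit."""
    findings = []
    for n, seg in enumerate(segments):
        flags, mss, payload = parse_tcp(seg)
        if flags & 0x02 and mss is not None and mss > limit:
            findings.append((n, "syn-mss", mss))
        if payload > limit:
            findings.append((n, "oversize-segment", payload))
    return findings

def _tcp(flags, options=b"", payload=b""):
    """Build a constructed TCP segment; ports, seq and window are sample values."""
    words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", 40000, 21, 1, 0, (words << 12) | flags, 65535, 0, 0)
    return hdr + options + payload

SAMPLE = [  # constructed segments, not taken from a real capture
    _tcp(0x02, b"\x02\x04\x05\xb4"),                   # SYN advertising MSS 1460
    _tcp(0x12, b"\x02\x04\x05\x64\x01\x01\x04\x02"),   # SYN/ACK, MSS 1380, SACK permitted
    _tcp(0x10, payload=b"A" * 1380),                   # data segment at the limit
    _tcp(0x18, payload=b"A" * 1460),                   # data segment above the limit
]

if __name__ == "__main__":
    for finding in check_capture(SAMPLE):
        print(finding)
```

Comparing the findings from a capture on the inside interface with one on the outside interface shows on which side of the firewall the larger segments appear.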



Dileep Sivadas ... Mon, 01/11/2010 - 20:56

Also check for the following:

1. Any filter rules configured on the ASA.

2. If you have any SSM modules, check for alerts (meaning AIP, CSC).

3. Fragmentation issue: check that you have permitted ICMP unreachable messages on the ASA, otherwise it will cause the PMTUD (path MTU discovery) process to fail.


kencranmer Tue, 01/12/2010 - 07:48

Turns out to be a problem with CSC. Waiting for a tech specialized in this area to look into it for me. Thanks for the advice!

