ACE FTP issues with "inspect ftp"

jcarvalh
Level 1

Hello.

My clients want to access an FTP server via ACE, and I am having some issues. They can log in and issue only one command... the second command will not be accepted, and after a few seconds the prompt shows the message "connection closed by remote host".

I have sniffed traffic and I see that the connection between the client and the ACE has a strange behaviour, because the ACE opens the data connection using a source port of 1039 (it should be 20, since we are using an active mode client); the connection between the ACE and the real server runs in active mode (I see normal ftp-data packets).

Another strange thing is that I have FWSMs and they let traffic pass from the ACE to the client (they should expect traffic coming from port 20 and not 1039).

I am doing source NAT and the ACE is doing all the necessary changes on source IP addresses.

Has anyone seen similar behaviour?

Any help would be appreciated.

Attached I send my config and traffic sniffing.

Thanks in advance.

Joao Ribau

P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124


Gilles Dufour
Cisco Employee

Ignore the ftp source port 1039 instead of 20 .... FTP doesn't always use source port 20.... it is actually even recommended not to use it for security reasons.

Seems like ACE dropped the 200 ok response sent by the server (frame # 35 on the real server side is not seen on the client side).

Try to configure 'inspect ftp strict' and see if it helps.

Don't worry about the strict keyword, it will still allow non-RFC-compliant clients/servers, but the code is more robust.

Let me know if it makes a difference.

Gilles
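As an added illustration (not from the thread and not Cisco code) of why the data connection's source port does not matter to an FTP inspector: a minimal model of a PORT-command pinhole, where the expected server-to-client data connection is keyed on the endpoints the client announced, never on source port 20. The client and VIP addresses are the ones from the thread; the ports, and the two "strict" sanity checks, are assumptions, not a description of how ACE's own strict mode works.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample values: client and VIP addresses are the ones named in
# the thread; every port used with them below is made up for the example.
CLIENT_IP = "10.1.44.98"
SERVER_IP = "10.1.9.150"
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    """Expected active-mode data connection (server -> client), keyed on the
    endpoints announced in PORT, never on the server's source port."""
    src_ip: IPv4Address
    dst_ip: IPv4Address
    dst_port: int


def parse_port(line, client_ip=CLIENT_IP, strict=False):
    """Parse 'PORT h1,h2,h3,h4,p1,p2'; return (IPv4Address, port) or None.
    strict=True adds two checks an inspector commonly applies (assumed here,
    not a description of ACE's own 'strict' mode): the advertised address
    must be the control-connection client, and the port must not be a
    well-known port (< 1024)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    f = [int(x) for x in m.group(1).split(",")]
    if any(x > 255 for x in f):
        return None
    ip, port = IPv4Address(".".join(map(str, f[:4]))), f[4] * 256 + f[5]
    if port == 0 or (strict and (ip != IPv4Address(client_ip) or port < 1024)):
        return None
    return ip, port


def open_pinhole(line, client_ip=CLIENT_IP, server_ip=SERVER_IP, strict=False):
    """Turn an accepted PORT command into the pinhole the data SYN must match."""
    parsed = parse_port(line, client_ip, strict)
    if parsed is None:
        return None
    return Pinhole(IPv4Address(server_ip), parsed[0], parsed[1])


def data_connection_allowed(pinhole, src_ip, src_port, dst_ip, dst_port):
    """Match a new server -> client SYN against the pinhole. src_port is ignored
    on purpose: as the reply above says, the server need not use port 20."""
    return (IPv4Address(src_ip), IPv4Address(dst_ip), dst_port) == (
        pinhole.src_ip, pinhole.dst_ip, pinhole.dst_port)
```

A data SYN from the VIP with source port 1039 (the thread's case) matches the same pinhole as one from port 20, which is exactly why a firewall that expects port 20 rather than tracking PORT is the wrong filter.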

Hello Gilles.

Thanks for the advice, but the problem remains.

Any more ideas? I have none, unless upgrading the image (I am running A2(1.3)).

I saw in one of your posts that versions A2(3.x) have new features. Do you think an upgrade could solve the problem?

Best regards,

Joao Ribau

P.S. - are there any special "tricks" when upgrading from A2(1.3) to A2(3.x)?

Hello.

I didn't mention this before, but the gateway of all my networks is an ACE that is load balancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP on all my interfaces; I assume that the ACE forwards traffic with no restrictions or inspections, leaving the inspection job to the firewalls and to the ACE that I use to load balance services.

I don't think this could be the problem, but just to make sure I decided to post it.

Best regards,

Joao Ribau.

P.S. - my configs on the ACE that load balances traffic to the firewalls are very straightforward: serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, a policy-map for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy applied to each interface.

Hello.

After a few more tries debugging I decided to upgrade my image from A2(1.3) to A2(1.6a). Now everything is working just fine.

Gilles, thanks for your reply since it gave me more confidence that this was a bug.

Best regards,

Joao Carvalho.
