29652 Views, 0 Helpful, 11 Replies

Passive FTP access through ASA 5520

sgalloway
Level 1

Hi,

I am trying to get Passive Mode FTP working through our firewall and for some reason we can only get Active Mode FTP to work!

We can only access the internal host web1 on active mode FTP sessions.

I have the following rules/policies set up and it is still not working.

ASA Version 8.2(1)

ftp mode passive

access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp-data

policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

Any assistance would be greatly appreciated!

Thanks Simon
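For comparison, here is the inspection configuration an ASA running 8.2 needs to pass passive FTP through a static NAT, written out in full. This is an added example, not Simon's posted config: web1 and web1-xlate are the placeholder names used in this thread, the class-map is the default one the ASA ships with, the access-group line is assumed (the post does not show where the ACL is applied), and the "!" lines are comments in the style of a saved running-config. The point it makes is that "inspect ftp" under the global policy is what watches the control channel, translates the server's private address embedded in the 227 reply to the mapped address, and opens the dynamic data port, so no ACL entry for the data connection is needed, whereas "ftp mode passive" only selects passive mode for the ASA's own FTP client (used by "copy ftp:") and has no effect on traffic passing through the firewall.

```text
! Default inspection class (present in the factory default configuration)
class-map inspection_default
 match default-inspection-traffic
!
! Global policy: FTP inspection tracks PORT/PASV on the control channel,
! translates the embedded private address (web1 -> web1-xlate) in the
! 227 reply, and opens a pinhole for the negotiated data port.
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
!
! Pre-8.3 ACLs reference the mapped (xlate) address. Only the control
! channel needs permitting; inspection handles the data channel. An
! ftp-data (port 20) entry is harmless but only matters for active mode.
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
! Assumed: the ACL is applied inbound on the outside interface.
access-group inbound_outside in interface outside
!
! Static one-to-one NAT with the connection limits from the thread.
static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500
!
! Not part of the through-traffic path: this only selects passive mode for
! the ASA's own FTP client, e.g. "copy ftp://..." run on the ASA itself.
ftp mode passive
```

If FTP inspection is in place and the control channel is permitted, a passive transfer should need nothing further from the firewall; anything still failing is then a question of what the server puts in its 227 reply and whether the data-port SYN reaches it, which a capture on both interfaces will show.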

11 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Can you please check from your internal network to see if Passive FTP is enabled on the server? If that checks out, then please make sure that you have one-to-one NAT configured for the server IP.

static (inside,dmz) any
capture capin access-list cap interface inside
capture capdmz access-list cap interface dmz

Once you run the test, then collect the output to see if the traffic is passing through the firewall.

"show capture capin"
"show capture capdmz"

That should give us a fair idea of what is blocking the FTP traffic.

Hope this helps.

Regards,

NT
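The capture and state-check procedure NT describes, filled out for the inside/outside interface pair used in this thread. This is an added example and not part of the reply: web1 and web1-xlate are the thread's placeholder names, and the capture and ACL names are chosen here. Captures on the inside interface see the server's real address while captures on the outside interface see the mapped one, so two capture ACLs are needed. "show service-policy inspect ftp" shows whether the inspection engine is seeing the control channel at all, and "show conn" shows the data connection that inspection opened (or its absence).

```text
! Capture ACLs: real address on the inside, mapped address on the outside,
! both directions so the server's replies are captured too.
access-list cap_in extended permit tcp any host web1
access-list cap_in extended permit tcp host web1 any
access-list cap_out extended permit tcp any host web1-xlate
access-list cap_out extended permit tcp host web1-xlate any
!
capture capin access-list cap_in interface inside
capture capout access-list cap_out interface outside
!
! ... reproduce the failing passive transfer from the external client ...
!
! Is the FTP inspection engine seeing the control channel at all?
show service-policy inspect ftp
!
! Control channel (port 21) plus any data connection inspection opened.
! A passive data connection shows up as a second TCP conn to the high port
! the server handed out in its 227 reply.
show conn protocol tcp port 21
show conn protocol tcp | include web1
!
! Is the static translation in place and in use?
show xlate | include web1
!
! Packet-level view on both sides of the firewall; compare the timestamps
! of the PASV / 227 exchange with the SYN that follows to the data port.
show capture capin detail
show capture capout detail
!
! Drop counters accumulated since the last clear
show asp drop
!
! Remove the captures when done
no capture capin
no capture capout
```

Reading the two captures side by side tells you which hop is slow: if the 227 reply leaves the server promptly and the data-port SYN is seen on the outside but never on the inside, the firewall is in the way; if the gap is already present between the STOR on the inside capture and the server's response, the delay is on the server.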

Hi NT,

We are running IIS 6.0 on this internal Windows Server. The firewall on the Windows IIS box is not enabled, which should in theory enable both Active and Passive FTP connections.

There is a static one-to-one NAT between the internal host and the outside with a public IP address!

static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500

Will run captures shortly.

SG

Also NT,

Some more info: when we try to connect from an external FTP client using Passive FTP, the connection is established and we can view the directories, but when we start the upload it transfers very slowly, as the client cannot initiate the FTP data connection!

Hello,

If you are able to view the directories using passive FTP, the connection in general is working fine. If the data transfer rate is very slow, then I would suggest you start looking at the server (test the speed from behind the firewall first) and then check for any MSS inconsistencies. Also, you might want to check to see if there are any out-of-order drops.

"show service-policy" and "show asp drop" are the commands that could be useful.

Hope this helps.

Regards,

NT

Hi NT,

I am seeing no dropped packets when viewing the FTP inspection (sh service-policy).

I am also getting hits on the ACL that is permitting FTP from outside!

Hello,

Can you do a directory listing when you are connected to the FTP server via passive FTP?

Regards,

NT

Hi NT,

Yes, this is possible!

It is just that the transfer speed is really slow and the FTP client keeps responding with "data connection already open, transfer starting".

Hello,

Can you please post the output of "show asp drop" from the firewall?

Regards,

NT

image attached !!!

Hi NT,

Attached is a packet capture from the firewall. The first part is a failed FTP passive mode transfer of the file vmware-vcb.exe.

The second part of the capture is a successful transfer using active mode with a file called vuze_installer.exe.

Hope this sheds some light!

Thanks again, Simon

Hello Simon,

The capture indicates that after the initial connection establishment, when you try to store something, there is a delay in opening the data connection. I did not find any return traffic from the server side in the capture. I am guessing that the delay is due to the delay occurred in getting an acknowledgement from the server side. The delay seems to be in terms of seconds rather than milliseconds. So, the problem seems to be on the server end (the firewall cannot delay packets to the magnitude of seconds). I am guessing that when you go to passive mode, the server is trying to allocate the port and is getting delayed there. If possible, collect the capture on the server side as well (bi-directional traffic). That could help us narrow down on the root cause.

Regards,

NT
