Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1232
Views
0
Helpful
6
Replies

Active FTP NOT WORKING

Diego Armando Cambronero Arias
Level 3
Level 3

‎09-08-2010 01:27 PM - edited ‎03-11-2019 11:37 AM

Hello experts,

I have a 5520 and PASV FTP is working fine but ACTIVE FTP is not. I have enabled ftp inspection and I am actually seeing resets.

Service-policy: global_policy

    Class-map: ESMTP-POLICY

      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 1307204594, drop 5704127, reset-drop 0

      Inspect: ftp, packet 4004288, drop 0, reset-drop 45

In the capture that I did in the OUTSIDE interface  I am seeing NO problems with control channel however with the data channel Iam seeing problems. The Server tries to connect using port 20 to the client however in the next packet there is a reset from the ASA to the ftp server.

In the inside capture the packet from the server on port 20 to the client is never seeing so it's the ASA.

I have a ZBF in the inside however like I said the request from the server on port 20 to the client on port X  is never seeing in the capture.

Why whould the FTP INSPECTION reset the connection?

Im not using any regex to reset connections or something similar that could be causing this behavior.

Please help.

Labels:
0 Helpful
6 Replies 6

mirober2
Cisco Employee
Cisco Employee

‎09-08-2010 01:51 PM

Hi Diego,

Can you get simultaneous captures on either side of the ASA for a full FTP session? Also, you'll want to gather syslogs at the debug level during the FTP session.

-Mike

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to mirober2

‎09-08-2010 01:59 PM

Ok I will get the logs I will keep you posted.

0 Helpful

golly_wog
Level 1
Level 1

‎09-08-2010 03:11 PM

What code are you running mate?

You might want to enable debugging for ftp inspection - I *think* that this is debug ftp? (sorry I don't have a unit to hand), then check the logs, the ftp client might not be conforming to the RFC.


BTW - this is a total stab in the dark! And I've just seen that I pretty much written what Mike said above. Give that man some points :-)

cheers

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to golly_wog

‎09-09-2010 08:57 AM

tomorrow I will be able to do more troubleshooting thank u.

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎09-08-2010 04:04 PM

Hello,

From your description, it seems like the server is on the outside and the

client is on the inside. Do you have one-to-one NAT mapping for the client?

If it is not there, can you configure one-to-one static (IP-to-IP) and see

if the active FTP works?

Regards,

NT

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to Nagaraja Thanthry

‎09-09-2010 08:55 AM

Ok I will try with a one2one static to see wath happens.

Thank you very much.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card