ASA 8.4(1) ftp passive problem with NAT

gdelavenne
Level 1

Hi !

We have 2 ASA 5580 with a cluster active/standby configuration

We have updated from version 8.3(1) to version 8.4(1), but since then it is impossible to establish an FTP connection in passive mode with NAT.

Before this update, all was OK.

Here is our configuration:

class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
  inspect dns
  inspect http
  inspect icmp
  inspect icmp error
  inspect sunrpc
  inspect tftp
  inspect pptp
  inspect rtsp
  inspect ftp
!
service-policy global-policy global

Do you know if it's a bug, or can you fix this problem?

Thank you very much for your help.

Regards,

35 Replies

Have you checked your syslogs or checked the show service-policy for drops?

Thanks for your response.

We have no errors in the syslog messages, and "show service-policy" displays:

Inspect: ftp, packet 650742, lock fail 0, drop 0, reset-drop 8

OK, there are some drop-resets on your service-policy that could be the cause. Is it possible for you to test the FTP connection and check the logs and the service-policy to see if the number increases?

Inspect: ftp, packet 771540, lock fail 0, drop 0, reset-drop 8

The reset-drop does not increase.

Why does inspection work without NAT?

Are we the only ones with this behavior (version 8.4.1)?

If you have any ideas, thank you for your help!

Hi,

Would you please answer the following questions? I know this is supposed to work on this version as well, but I want to analyze some data:

Where is the server located?

Where is the client located?

What are the security levels for the interfaces?

Can you get the logs when the connection doesn't work?

Would you please get a packet capture with all TCP between the client and the server?

Cheers

Mike.


Hello Mike,

Thank you for the interest.

Here are our answers:

Where is the server located?

The server is behind our ASA 5580, connected on a VLAN interface.

Where is the client located?

The client comes from Internet.

What are the security levels for the interfaces?

All our interfaces are at security level 100.

Can you get the logs when the connection doesn't work?

We have no log when the connection doesn't work.

Would you please get a packet capture with all TCP between the client and the server?

sh capture ftp

48 packets captured

   1: 00:00:19.577011 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: S 2847225137:2847225137(0) win 5840
   2: 00:00:19.577225 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: S 1447625788:1447625788(0) ack 2847225138 win 5792
   3: 00:00:19.605635 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625789 win 92
   4: 00:00:19.607527 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625789:1447625799(10) ack 2847225138 win 46
   5: 00:00:19.637860 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625799 win 92
   6: 00:00:26.124779 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225138:2847225154(16) ack 1447625799 win 92
   7: 00:00:26.125039 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: . ack 2847225154 win 46
   8: 00:00:26.125054 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625799:1447625833(34) ack 2847225154 win 46
   9: 00:00:26.152518 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625833 win 92
  10: 00:00:29.892226 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225154:2847225170(16) ack 1447625833 win 92
  11: 00:00:29.914823 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625833:1447625856(23) ack 2847225170 win 46
  12: 00:00:29.941601 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625856 win 92
  13: 00:00:29.943173 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225170:2847225176(6) ack 1447625856 win 92
  14: 00:00:29.943447 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625856:1447625875(19) ack 2847225176 win 46
  15: 00:00:30.011428 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625875 win 92
  16: 00:00:32.052746 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225176:2847225182(6) ack 1447625875 win 92
  17: 00:00:32.053097 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
  18: 00:00:32.082500 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
  19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
  20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
  21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92
  22: 00:00:32.111505 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  23: 00:00:32.287186 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
  24: 00:00:32.314757 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
  25: 00:00:32.340695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  26: 00:00:32.755072 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
  27: 00:00:32.781865 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
  28: 00:00:32.803287 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  29: 00:00:32.803806 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  30: 00:00:32.803867 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: . 1457888674:1457889998(1324) ack 2327685572 win 46
  31: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: P 1457889998:1457890049(51) ack 2327685572 win 46
  32: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: F 1457890049:1457890049(0) ack 2327685572 win 46
  33: 00:00:32.842241 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457889998 win 137
  34: 00:00:32.842973 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890049 win 137
  35: 00:00:32.882019 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890050 win 137
  36: 00:00:32.882232 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625960:1447625984(24) ack 2847225188 win 46
  37: 00:00:33.038007 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  38: 00:00:33.508793 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  39: 00:00:33.729484 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  40: 00:00:34.448508 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  41: 00:00:35.581695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  42: 00:00:36.327955 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  43: 00:00:39.281632 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  44: 00:00:40.087809 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  45: 00:00:46.688517 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  46: 00:00:47.607512 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
  47: 00:01:01.505497 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
  48: 00:01:02.647030 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46

Our customers are impacted by this problem and all worked well before the update.

Thank you so much for your help.

Best regards,

Hi,

Would it be possible for you to get the capture in pcap format? I want to take a look at the payload of the packets; from what I can see, there is a secondary connection being opened:

  19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
  20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
  21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92

That makes me think this can be the data channel, but I'm not sure. In order to download them, do the following:

Enable the HTTP server on the interface where the management station is:

HTTP server enable

Enable access via HTTP to that host:

HTTP x.x.x.x y.y.y.y inside

And then put in the following URL:

https:///capture//pcap

Also, if you can please take a capture of ASP drop just to make sure that the ASA is not dropping anything:

capture asp type asp-drop all

If you can get the logs using ASDM or a syslog server that would be great.

Mike.


Hi Mike,

Thank you, attached you will find the pcap file.

Thanks for your answer.

Best regards,

Hello,

Based on the captures, it seems that the server is sending the "Entering passive mode" message again, which is causing the retransmissions. However, I can see the data channel being opened. If you try the list command or try to pull a file, does it work?

Let me know.

Mike

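Added example (not code from this thread or from Cisco): a small Python helper that parses lines in the "show capture" layout posted above, flags retransmitted segments such as the repeated 46-byte server reply Mike points to, lists secondary connections opened by a bare SYN (the candidate passive data channel to port 23061), and decodes a 227 reply's h1,h2,h3,h4,p1,p2 form into the address and port that FTP inspection has to rewrite and open a pinhole for when NAT applies. The sample packets are copied from the trace in this thread; the capture layout regex and the 227 reply text used in the test are assumptions.

```python
import re
# One line of ASA "show capture" output in the layout seen in this thread (assumed format).
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
    r"\s+(?P<flags>[SFRP.]+)(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?(?P<ack>\s+ack\s+\d+)?")
# FTP 227 reply: the address/port that FTP inspection must rewrite and open a pinhole for under NAT.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match the layout are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = m.groupdict()
        pkts.append({"idx": int(d["idx"]), "src": (d["src"], int(d["sport"])),
                     "dst": (d["dst"], int(d["dport"])), "flags": d["flags"], "ack": d["ack"] is not None,
                     "seq": int(d["seq"] or 0), "len": int(d["len"] or 0)})
    return pkts

def find_retransmissions(pkts):
    """Indexes of payload segments whose (src, dst, seq, len) already appeared earlier in the trace."""
    seen, retrans = set(), []
    for p in (p for p in pkts if p["len"]):
        key = (p["src"], p["dst"], p["seq"], p["len"])
        if key in seen:
            retrans.append(p["idx"])
        seen.add(key)
    return retrans

def find_data_channels(pkts, ctrl_port=21):
    """Server endpoints of connections opened by a bare SYN that do not involve the control port."""
    return [p["dst"] for p in pkts if p["flags"] == "S" and not p["ack"]
            and ctrl_port not in (p["src"][1], p["dst"][1])]

def parse_pasv(reply):
    """Decode 'h1,h2,h3,h4,p1,p2' from a 227 reply into (ip, port); None if it is not a 227."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)

# Constructed sample: packets 17, 19, 20, 23 and 26 copied from the trace posted in this thread.
SAMPLE = """\
  17: 00:00:32.053097 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
  19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
  20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
  23: 00:00:32.287186 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
  26: 00:00:32.755072 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
"""
```

Running find_retransmissions on the full 48-packet trace above shows the same server segment repeated many times while the data connection to 10.34.4.37:23061 completes, which is the pattern Mike describes.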

Mike,

We observe many of these log messages:

<163>%ASA-3-210005: LU allocate connection failed

Can there be a relationship between the log and our FTP connection problem?

Thanks

Hello,

Not really, since the connection is established with no problems. We may need to do in-depth troubleshooting on this case. Clearly we are missing packets on the connection; however, I am unsure if the data channel worked fine. I can see that when you did the listing of the directory it completed. So my big question is, what is it that is not working? Is it pulling a file?

If it is so, please take captures on the server, inside and outside of the firewall, and get them in pcap format.

By any chance, do you have a CSC module attached to this firewall?

Let me know.

Mike Rojas


I know that this has been dead for a while, but I have similar problems with passive FTP and 8.4.1 for the ASA. Since upgrading to this version, passive FTP drops constantly from some servers. I have identified that it is an issue with IPS on the firewall. With my issue, the firewall is creating out-of-order packets. Cisco TAC has been working on it for weeks and has no idea.

I know that a new version of the ASA software just came out today, and I am planning on upgrading it tonight. I have had nothing but issues with the 8.4.1 version. Garbage if you ask me.

I have had the following issues:

1. FTP dropping issues

2. IPSEC L2L VPN tunnel drops. Packets get dropped at random, although a small percent. TAC has not been able to track down the problem.

3. A lot of asp drops. TAC as of yet unable to determine why.

All of these issues are not major by themselves, but after people started reporting issues within a few days, I reviewed my log server and found that the problems manifested themselves the second that I switched over to 8.0.3. My config has been verified 3 separate times by TAC and has no issues.

I was about to downgrade to a previous version before 8.4.2 was released today. I will see if that corrects the issues.

Pls. provide case numbers if you have them. Unless TAC pointed out documented defects that were resolved in 8.4.2, the problems that you are seeing in 8.4.1 might still be there in 8.4.2.

-KS

Thanks a lot Kureli, you are right. Maybe more eyes could help to determine what the problem is; upgrading may not be the desired path cuz the issue may remain. Maybe taking a look at the documentation on the case will help us to check and see what the root cause can be.

Mike
