Cisco Support Community

New Member

pix - css - ftp

All,

I'm unable to initiate an ftp session to a DMZ'd server behind a CSS. I have been unable to ftp to the host since upgrading to PIX os 6.2(2). Previous to the pix upgrade I was able to ftp to the server using passive mode ftp. Now, the connection starts but after a few seconds the connection resets. Has anyone run into any similar problems? Ftp seems like the only service affected by the upgrade.....ssh and telnet are still working. Since I'm new to CSS administration, I haven't included much in the way of configuration, figuring you would ask for the relevant information.

Thanks in advance

4 REPLIES
Silver

Re: pix - css - ftp

It's likely a PIX problem more than CSS since the problem happened with the 6.2x upgrade. I would start by looking at the debug log file off the PIX to see if the connection state is dropping and then capture that log with a show tech for the TAC. They may be aware of any issues with your new version. Sometimes it's best to stay a version or two back on the PIX.

New Member

Re: pix - css - ftp

This message is from our firewall logs, logging isn't currently set at debug level, but I thought that this would be a good start......

Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz

Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz

When I look the error up I find the following.....

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#79165

Is there any way to get around this problem without risking security? Also why would ssh work and not passive ftp?

Thanks again

New Member

Re: pix - css - ftp

Do you have a source group configured on your css with the same VIP address you use in your content rule? Is application ftp configured on your content rule?

New Member

Re: pix - css - ftp

No, I didn't have a source group!!!! Yes, there is currently an ftp application set up.....It was working before the pix upgrade. That's why I'm so confused. Well anyways, I've now added the source group and it works!!!!! Thanks so much everyone.

Joseph
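Added example (not part of the thread, and not Cisco's code): a sketch of the kind of consistency check that a "FTP port command different address" warning reflects, comparing the address embedded in a PORT command or a 227 passive reply with the address the control-channel line was sent from. It assumes that is what the firewall compares; the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (client, active mode) and
# 227 ... (h1,h2,h3,h4,p1,p2) (server, passive mode), as defined in RFC 959.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def embedded_endpoint(line):
    """Return (IPv4Address, port) carried in a PORT command or 227 reply, else None."""
    m = _PORT_RE.match(line.strip()) or _PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {line!r}")
    addr = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return addr, nums[4] * 256 + nums[5]


def check_control_line(sender_ip, line):
    """Compare the embedded address with the address the line was sent from.

    Returns None when the line carries no endpoint, "ok" when the addresses
    agree, and "mismatch" when they differ (the condition assumed to be
    behind the logged warning).
    """
    ep = embedded_endpoint(line)
    if ep is None:
        return None
    return "ok" if ep[0] == ipaddress.IPv4Address(sender_ip) else "mismatch"


# Constructed sample: every line arrives from 192.0.2.10 (standing in for a
# VIP), but the last reply advertises a different address, 198.51.100.7.
SAMPLE = [
    ("192.0.2.10", "220 FTP server ready"),
    ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("192.0.2.10", "227 Entering Passive Mode (198,51,100,7,195,80)"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE:
        print(sender, repr(text), "->", check_control_line(sender, text))
```

SSH and telnet carry no addresses inside the session, which is why a check like this only ever affects FTP.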
