Cisco Support Community
New Member

Can not connect to FTP Server

Hi, I am working in an organisation and we provide FTP access to customers. Many customers are able to access the FTP server, but a few of them are not able to connect. These are the commands we usually configure on the PIX-525:

object-group network Customer_FTP

name X.X.X.X ABC_FTP01

object-group network Customer_FTP

network-object host ABC_FTP01 (ABC is customer name)

We configure the same commands for every customer, but a few of them are not able to connect to the FTP server.

How can I check where the problem is? If it is in the firewall, what commands can I use to troubleshoot? And if the problem is at the customer end, what is the cause?

Please help me.

Thanks

13 REPLIES

Re: Can not connect to FTP Server

The system log is the best place to start for troubleshooting on the ASA. Also make sure the FTP client is set up correctly (i.e. passive or active mode).

New Member

Re: Can not connect to FTP Server

How do I check the system logs?

Also, the client is trying to access it from IE. The site is not opening at all, so how can I check whether it is in active mode or passive mode?

Re: Can not connect to FTP Server

show log will show you the system log. If you need to configure logging, you can enter these commands-

logging enable

logging buffer-size 8192

logging buffered debugging

IE Options for FTP-

http://compnetworking.about.com/cs/novellgroupwise/ht/setpassiveftpie.htm

New Member

Re: Can not connect to FTP Server

I would tend to think it is an active/passive issue. IE can be configured to use passive... I think it is under the advanced settings, called Enable IE FTP folder view...

Dave

New Member

Re: Can not connect to FTP Server

Hi,

I also think the same. I will access the customer in the next hour, so I will check it.

But they are also using the FileZilla application for FTP, and they are not able to connect with FileZilla either.

If it is an issue with the IE setting, then they should still be able to connect with the FileZilla FTP application.

I can give the complete status in the next hour.

But please suggest anything else if possible, because I would like to check every possible setting at the customer end.

New Member

Re: Can not connect to FTP Server

Hi, I checked it at the customer end. The problem is not active or passive mode.

I tried to log in from FileZilla, IE and the command prompt, but there is no luck.

There is some other issue.

Kindly help.

New Member

Re: Can not connect to FTP Server

From the command line, do you get the FTP login prompt? Can you log in? If you can log in, does the 'DIR' command fail?

New Member

Re: Can not connect to FTP Server

From the command line too, I am not able to connect to the mentioned FTP site.

Silver

Re: Can not connect to FTP Server

The best way to do this is to use a Linux client and use tcpdump to look at the traffic's behavior. The output below will help you:

[Expert@rkv-cpfw]# tcpdump -nnni eth0 host 192.168.1.204 and not port 161 and not icmp

tcpdump: listening on eth0

12:57:04.241710 129.174.1.13.36717 > 192.168.1.204.21: S 2720628260:2720628260(0) win 5840 (DF)

12:57:04.242040 192.168.1.204.21 > 129.174.1.13.36717: S 291670884:291670884(0) ack 2720628261 win 5840 (DF)

12:57:04.242145 129.174.1.13.36717 > 192.168.1.204.21: . ack 1 win 46 (DF)

12:57:04.244285 192.168.1.204.21 > 129.174.1.13.36717: P 1:21(20) ack 1 win 1460 (DF)

12:57:07.260314 192.168.1.204.21 > 129.174.1.13.36717: P 78:97(19) ack 34 win 1460 (DF)

12:57:12.426199 129.174.1.13.36717 > 192.168.1.204.21: P 34:64(30) ack 97 win 46 (DF) [tos 0x10]

12:57:12.426686 192.168.1.204.21 > 129.174.1.13.36717: P 97:148(51) ack 64 win 1460 (DF)

12:57:12.426798 129.174.1.13.36717 > 192.168.1.204.21: . ack 148 win 46 (DF) [tos 0x10]

12:57:12.426842 129.174.1.13.36717 > 192.168.1.204.21: P 64:70(6) ack 148 win 46 (DF) [tos 0x10]

Switch to FTP Active mode and do an ls after that:

12:57:12.427192 192.168.1.204.20 > 129.174.1.13.61898: S 292770281:292770281(0) win 5840 (DF)

12:57:12.427277 129.174.1.13.61898 > 192.168.1.204.20: S 2717254501:2717254501(0) ack 292770282 win 5840 (DF)

12:57:12.427687 192.168.1.204.20 > 129.174.1.13.61898: . ack 1 win 1460 (DF)

12:57:12.427697 192.168.1.204.21 > 129.174.1.13.36717: P 148:187(39) ack 70 win 1460 (DF)

12:57:12.427701 192.168.1.204.21 > 129.174.1.13.36717: P 187:211(24) ack 70 win 1460 (DF)

12:57:12.427705 192.168.1.204.20 > 129.174.1.13.61898: F 1:1(0) ack 1 win 1460 (DF) [tos 0x8]

12:57:12.427857 129.174.1.13.61898 > 192.168.1.204.20: . ack 2 win 46 (DF)

12:57:12.427943 129.174.1.13.36717 > 192.168.1.204.21: . ack 211 win 46 (DF) [tos 0x10]

12:57:12.428083 129.174.1.13.61898 > 192.168.1.204.20: F 1:1(0) ack 2 win 46 (DF) [tos 0x8]

12:57:12.428435 192.168.1.204.20 > 129.174.1.13.61898: . ack 2 win 1460 (DF) [tos 0x8]

Switch to FTP Passive mode:

12:57:14.207176 129.174.1.13.36717 > 192.168.1.204.21: P 70:76(6) ack 211 win 46 (DF) [tos 0x10]

12:57:14.207523 192.168.1.204.21 > 129.174.1.13.36717: P 211:263(52) ack 76 win 1460 (DF)

Perform an ls in Passive mode:

12:57:14.207736 129.174.1.13.51245 > 192.168.1.204.27915: S 2729670895:2729670895(0) win 5840 (DF)

12:57:14.208023 192.168.1.204.27915 > 129.174.1.13.51245: S 293569152:293569152(0) ack 2729670896 win 5840 (DF)

12:57:14.208075 129.174.1.13.51245 > 192.168.1.204.27915: . ack 1 win 46 (DF)

12:57:14.208138 129.174.1.13.36717 > 192.168.1.204.21: P 76:82(6) ack 263 win 46 (DF) [tos 0x10]

12:57:14.208522 192.168.1.204.21 > 129.174.1.13.36717: P 263:302(39) ack 82 win 1460 (DF)

12:57:14.208529 192.168.1.204.21 > 129.174.1.13.36717: P 302:326(24) ack 82 win 1460 (DF)

12:57:14.208532 192.168.1.204.27915 > 129.174.1.13.51245: F 1:1(0) ack 1 win 1460 (DF) [tos 0x8]

12:57:14.208643 129.174.1.13.36717 > 192.168.1.204.21: . ack 326 win 46 (DF) [tos 0x10]

12:57:14.208711 129.174.1.13.51245 > 192.168.1.204.27915: F 1:1(0) ack 2 win 46 (DF) [tos 0x8]

12:57:14.209023 192.168.1.204.27915 > 129.174.1.13.51245: . ack 2 win 1460 (DF) [tos 0x8]

12:57:15.457110 129.174.1.13.36717 > 192.168.1.204.21: P 82:88(6) ack 326 win 46 (DF) [tos 0x10]

12:57:15.457456 192.168.1.204.21 > 129.174.1.13.36717: P 326:340(14) ack 88 win 1460 (DF)

12:57:15.457608 129.174.1.13.36717 > 192.168.1.204.21: F 88:88(0) ack 340 win 46 (DF) [tos 0x10]

12:57:15.457709 192.168.1.204.21 > 129.174.1.13.36717: F 340:340(0) ack 88 win 1460 (DF)

12:57:15.457767 129.174.1.13.36717 > 192.168.1.204.21: . ack 341 win 46 (DF) [tos 0x10]

12:57:15.457958 192.168.1.204.21 > 129.174.1.13.36717: . ack 89 win 1460 (DF)
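A small parser for the capture format shown above, added here as an example (it is not part of the original post): it labels each TCP SYN as the FTP control channel, an active-mode data connection or a passive-mode data connection, and reports whether a SYN-ACK came back. The first seven sample lines are copied from the capture; the last one, from 203.0.113.7, is constructed to show a connection attempt that is never answered.

```python
import re

# Old-style tcpdump line: "<time> <src>.<port> > <dst>.<port>: <flags> <rest>"
LINE = re.compile(r"^\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+) (.*)$")

# First seven lines are from the capture in the post; the last is constructed.
SAMPLE = """\
12:57:04.241710 129.174.1.13.36717 > 192.168.1.204.21: S 2720628260:2720628260(0) win 5840 (DF)
12:57:04.242040 192.168.1.204.21 > 129.174.1.13.36717: S 291670884:291670884(0) ack 2720628261 win 5840 (DF)
12:57:04.242145 129.174.1.13.36717 > 192.168.1.204.21: . ack 1 win 46 (DF)
12:57:12.427192 192.168.1.204.20 > 129.174.1.13.61898: S 292770281:292770281(0) win 5840 (DF)
12:57:12.427277 129.174.1.13.61898 > 192.168.1.204.20: S 2717254501:2717254501(0) ack 292770282 win 5840 (DF)
12:57:14.207736 129.174.1.13.51245 > 192.168.1.204.27915: S 2729670895:2729670895(0) win 5840 (DF)
12:57:14.208023 192.168.1.204.27915 > 129.174.1.13.51245: S 293569152:293569152(0) ack 2729670896 win 5840 (DF)
12:58:01.000000 203.0.113.7.40112 > 192.168.1.204.21: S 1000:1000(0) win 5840 (DF)
""".splitlines()

def ftp_handshakes(lines, server_ip):
    """Classify every initial SYN as an FTP channel and note if it was answered."""
    syns = {}  # (src, sport, dst, dport) -> [kind, answered]
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(5) != "S":
            continue  # not a SYN or SYN-ACK
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if " ack " in " " + m.group(6):
            # SYN-ACK: marks the SYN sent in the opposite direction as answered.
            if (dst, dport, src, sport) in syns:
                syns[(dst, dport, src, sport)][1] = True
            continue
        if dst == server_ip and dport == 21:
            kind = "control"
        elif src == server_ip and sport == 20:
            kind = "active-data"    # server dials back to the client
        elif dst == server_ip:
            kind = "passive-data"   # client dials a server-chosen high port
        else:
            kind = "other"
        syns[(src, sport, dst, dport)] = [kind, False]
    return [(kind, f"{k[0]}:{k[1]} -> {k[2]}:{k[3]}", ok)
            for k, (kind, ok) in syns.items()]

if __name__ == "__main__":
    for kind, flow, answered in ftp_handshakes(SAMPLE, "192.168.1.204"):
        print(f"{kind:13} {flow:45} {'answered' if answered else 'NO SYN-ACK'}")
```

A control-channel SYN with no SYN-ACK means the failure happens before any active/passive negotiation; an unanswered `active-data` or `passive-data` SYN points at the data channel instead.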

New Member

Re: Can not connect to FTP Server

I am not getting any logs on my firewall. I even tried to access it from my IP, which is not allowed for FTP, but I am not getting any log for that.

But when I open the FTP site through IE, I do not get the "this page can not be displayed" error but a blank page,

while where the problem is occurring, they are getting "this page can not be displayed".

New Member

Re: Can not connect to FTP Server

Hi,

What code version are you running on the PIX?

Are you getting any ftp connections at all through the PIX?

Are you inspecting FTP traffic on the PIX?

You will need this enabled for it to work due to the dynamic nature of FTP.

Depending on the code version you will see either:

fixup protocol ftp

or

inspect ftp

Stu
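The "dynamic nature of FTP" mentioned above, as an added example (not part of the original reply and not PIX code): the data connection's address and port are announced inside the control channel, in a `PORT` command for active mode or a `227` reply for passive mode, so a firewall has to read those lines to know which connection to allow. The control lines below are constructed; they encode the data ports seen in the tcpdump capture earlier in the thread (61898 and 27915). The function names `data_endpoint` and `pinhole` are hypothetical.

```python
import re

# Six comma-separated bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
SIX = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def data_endpoint(control_line):
    """Return (mode, ip, port) announced by a PORT command or 227 reply, else None."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"      # client listens, server connects from port 20
    elif line.startswith("227"):
        mode = "passive"     # server listens, client connects
    else:
        return None
    m = SIX.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None          # not valid byte values
    return mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def pinhole(control_line, sender_ip):
    """Describe the data connection that must be permitted for this control line.

    sender_ip is the source address of the control packet as the firewall sees it.
    If the announced address differs (for example a private address behind NAT),
    the peer will try to reach the wrong host unless the line is rewritten.
    """
    ep = data_endpoint(control_line)
    if ep is None:
        return None
    mode, ip, port = ep
    return {
        "mode": mode,
        "opened_by": "server" if mode == "active" else "client",
        "listener": f"{ip}:{port}",
        "address_matches_sender": ip == sender_ip,
    }

if __name__ == "__main__":
    # Constructed control-channel lines.
    print(pinhole("PORT 129,174,1,13,241,202", "129.174.1.13"))
    print(pinhole("227 Entering Passive Mode (192,168,1,204,109,11)", "192.168.1.204"))
    print(pinhole("PORT 10,0,0,5,241,202", "198.51.100.20"))  # client behind NAT
```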

New Member

Re: Can not connect to FTP Server

Hey, I am already getting FTP traffic for many customers; there are very few who are not able to log in.

Also, I have seen the logs generated by the sh logging command, but I didn't find any entry for the particular FTP site.

New Member

Re: Can not connect to FTP Server

Hey... I didn't mention that they are able to traceroute and able to ping to the FTP server

but are not able to connect to the FTP server.
