Cannot Download From FTP Site

kencranmer
Level 1

I can connect and browse the subfolders, but whenever I try to download anything IE 7 just hangs. I am behind an ASA 5510. When I try to download the same file from my home PC it starts the download right away, which is why I think it's my firewall. What do I need on the firewall to allow the download?


rmanapat
Level 1

Try to check your inspect policy on your ASA. Make sure that inspect ftp is in there. I hope this helps.

Russell

vilaxmi
Cisco Employee

Hello,

A few things we need to consider about SLOW downloads from your FTP server (which I ASSUME is out on the internet) for clients behind the firewall.

Was any s/w upgrade or h/w change done to the box when you noticed such behavior?

Since you are able to connect to the FTP site, most probably it will have nothing to do with your inspect FTP command on the box.

What you need to do is to set up captures on the box for interesting traffic and then analyse them using the Wireshark network analyser, to check for:

Increased MSS sizes being used for TCP transmission across the ASA. By default the ASA has an MSS of 1380 bytes, so if any greater segment sizes are coming to the ASA, then it will have to break them up into several PDUs, which would mean a lot of reassembling will be done. This could slow down downloads.

Increased TCP MSS segments can be allowed on the ASA, using advanced TCP options in MPF.

Check the asp drop counters on the firewall to check for o-o-o (out of order) packets, and try to increase the queue-limit for allowing such kinds of packets and monitor if that helps.

Bottom line, the best way to troubleshoot latency issues for downloads is packet captures. Here is a link to help you set up captures:

https://supportforums.cisco.com/docs/DOC-1222

HTH

Vijaya
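The checks suggested in the two replies above, written out as ASA CLI commands (an added example, not part of the original posts). The addresses, the ACL name FTP-CAP, the capture names, the tcp-map name FTP-TCP, the class-map name FTP-FLOW and the queue-limit value are placeholders; global_policy and inspection_default are the ASA's default names and may differ in your configuration.

```cisco
! --- 1. Confirm FTP inspection is applied (exec mode) ---
! Look for "inspect ftp" under class inspection_default.
show running-config policy-map
show service-policy

! --- 2. Capture the FTP flow on both interfaces (config mode for the ACL) ---
! 192.0.2.10 = internal client, 198.51.100.20 = FTP server (placeholders).
! If the client is translated, the outside capture needs an ACL that
! matches the translated address instead.
access-list FTP-CAP extended permit tcp host 192.0.2.10 host 198.51.100.20
access-list FTP-CAP extended permit tcp host 198.51.100.20 host 192.0.2.10
capture capin interface inside access-list FTP-CAP
capture capout interface outside access-list FTP-CAP

! Reproduce the hanging download, then review the captures and drop counters.
show capture capin
show capture capout
show asp drop

! --- 3. If the captures show segments larger than the negotiated MSS,
!        or the drop counters show out-of-order packets ---
tcp-map FTP-TCP
 ! allow segments that exceed the MSS instead of dropping them
 exceed-mss allow
 ! buffer out-of-order packets (value is a placeholder, tune and monitor)
 queue-limit 100
!
class-map FTP-FLOW
 match access-list FTP-CAP
!
policy-map global_policy
 class FTP-FLOW
  set connection advanced-options FTP-TCP

! --- 4. Clean up once finished ---
no capture capin
no capture capout
```

Compare capin against capout in Wireshark: a segment that appears on one side but not the other was dropped by the ASA, and the matching counter in show asp drop says why.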

Also check for the following:

1. Any filter rules configured on the ASA.

2. If you have any SSM modules (meaning AIP, CSC), check for alerts.

3. Fragmentation issue: check that you have permitted ICMP unreachable messages on the ASA, otherwise it will cause the PMTUD (path MTU discovery) process to fail.

Dileep

Turns out to be a problem with CSC. Waiting for a tech specialized in this area to look into it for me. Thanks for the advice!
