Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cannot Download From FTP Site

I can connect and browse the subfolders but when ever I try to download anything IE 7 just hangs. I am behind a ASA 5510. when I try to download the same file from my home PC it starts the download right away, which is why I think its my firewall. What do I need on the firewall to allow the download?

Community Member

Re: Cannot Download From FTP Site

Try to check your Inspect Policy on your ASA.  make sure that inspect ftp is in there.  I hope this helps.


Cisco Employee

Re: Cannot Download From FTP Site


Few things we need to consider about SLOW downloads from your FTP server (which I ASSUME is out on the internet) for clients behind the firewall.

Was any s/w upgrade or h/w change done to the box when you noticed such a behavior ?

Since you are able to connect to the FTP site, most probably  it will have nothing to do with your inspect FTP command on the box.

What you need to do is to setup captures on the box for interesting traffic and then analyse it using wireshark network analyser, to check for :

Increased MSS sizes being used for TCP transmission across the ASA. By default ASA has MSS of 1380 bytes, so if any greater segment sizes are coming to the ASA, then it will have to break them up into several PDU's which would mean a lot of reassembling will be done. This could slow down downloads.

Increased TCP MSS segments can be allowed on ASA, using advaced TCP options in MPF.

Check the asp drop counters on firewall to check for o-o-o packets (out of order) and try to increase the queue-limit for allowing such kinds of packets and montior if that helps.

Bottom line, best way to troubleshoot latency issues for downloads are packet captures. Here is a  link to help you setup captures



Community Member

Re: Cannot Download From FTP Site

Also check forthe following

1. Any filter rules configured on ASA.

2. If you have any SSM modules check for alerts (means AIP, CSC).

3. Fragmentation issue, check you have permitted ICMP unreachable message on ASA, otherwise it will casue PMTUD (path mtu discovery)process to fail.


Community Member

Re: Cannot Download From FTP Site

Turns out to be a problem with CSC. Waiting for a tech specialized in this area to look into

it for me. Thanks for the advice!

CreatePlease to create content