
ftp dir list "hang" on asa 8.3

Anyone

I upgraded to 8.3.2 using ASDM 6.3.(4).

Got several challenges with NAT and access-list statements. I think those are sorted out.

However, I run an FTP server on the inside network and want anyone to be able to access it. I can log in to the server from outside (so I guess the NAT and access list are OK).

When I try to do a LIST on the FTP server I get a "425 Can't open data connection" error from the server.

I also have FTP inspection enabled:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ip-options

Help please!

br

hkl

14 REPLIES
Cisco Employee

Re: ftp dir list "hang" on asa 8.3

It seems the data channel fails.

You are probably not translating the high data channel port active ftp would use. What does the "debug ftp" show you? And logs on the ASA?

PK
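For reference, this is what "translating the high data channel port" means in practice. Active FTP announces the client's data endpoint in a PORT command on the control channel (h1,h2,h3,h4,p1,p2, port = p1*256 + p2) and the server then connects from TCP/20 to it; passive FTP announces the server's endpoint in the 227 reply and the client connects to it. A stateful firewall's FTP inspection parses these lines to open the pinhole, and under static NAT it must also rewrite the address embedded in a PASV reply from an inside server. The script below is an added example, not code from the thread, from Cisco or from FileZilla; the PORT command and PASV reply are constructed, using the addresses that appear later in this thread (client 85.95.45.106, server 192.168.1.50 mapped to 62.89.40.36).

```python
import re

# The four ways an FTP peer announces a data-channel endpoint on the control
# channel: RFC 959 PORT (client listens) / PASV reply (server listens), and the
# RFC 2428 extended forms EPRT / EPSV reply.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT\s+\|(\d)\|([^|]*)\|(\d+)\|\s*$", re.I)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def decode_hostport(fields):
    """'h1,h2,h3,h4,p1,p2' fields -> ('h1.h2.h3.h4', p1*256 + p2)."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("each field of an FTP host-port is one byte")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(host.split(".")) + f",{port // 256},{port % 256}"


def data_channel(line, client_ip, server_ip):
    """Return the data connection implied by one control-channel line, as
    {'mode', 'connects_from', 'to', 'src_port'}, or None for other lines.
    This is the information a firewall's FTP inspection extracts in order
    to open a pinhole for the data channel."""
    m = PORT_RE.match(line)
    if m:  # active: the server connects from TCP/20 to the client's listener
        return {"mode": "active", "connects_from": server_ip,
                "to": decode_hostport(m.groups()), "src_port": 20}
    m = EPRT_RE.match(line)
    if m and m.group(1) == "1":  # IPv4 only in this example
        return {"mode": "active", "connects_from": server_ip,
                "to": (m.group(2), int(m.group(3))), "src_port": 20}
    m = PASV_RE.match(line)
    if m:  # passive: the client connects from an ephemeral port to the server
        return {"mode": "passive", "connects_from": client_ip,
                "to": decode_hostport(m.groups()), "src_port": None}
    m = EPSV_RE.match(line)
    if m:  # EPSV carries no address: it is the control channel's server side
        return {"mode": "passive", "connects_from": client_ip,
                "to": (server_ip, int(m.group(1))), "src_port": None}
    return None


def rewrite_pasv_reply(line, real_ip, mapped_ip):
    """What FTP inspection has to do on top of static NAT: a PASV reply from
    the inside server embeds its real address, which an outside client cannot
    reach, so the embedded address is rewritten to the mapped one."""
    m = PASV_RE.match(line)
    if not m:
        return line
    host, port = decode_hostport(m.groups())
    if host != real_ip:
        return line
    return line.replace(",".join(m.groups()), encode_hostport(mapped_ip, port), 1)


if __name__ == "__main__":
    # Constructed sample exchange using the addresses from this thread.
    client, real, mapped = "85.95.45.106", "192.168.1.50", "62.89.40.36"
    print(data_channel("PORT 85,95,45,106,49,63", client, real))
    reply = "227 Entering Passive Mode (192,168,1,50,195,80)"
    print(data_channel(reply, client, real))
    print(rewrite_pasv_reply(reply, real, mapped))
```

The point for troubleshooting: in active mode it is the server that opens the data connection, towards an address and port the client chose, so the ACL and the client side both have to accept an inbound TCP/20-sourced SYN; without inspection the ASA would only see an unrelated inbound connection from the server.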

Re: ftp dir list "hang" on asa 8.3

pkampana wrote:

It seems the data channel fails.

You are probably not translating the high data channel port active ftp would use. What does the "debug ftp" show you? And logs on the ASA?

PK

pkampana, thanks for your response.

"deb ftp" from the command line (as in the deb ftp client) does not show anything; the logs on the ASA (syslog) show no denies, see below:

Hmmm, seems I can't cut and paste into this editor, see the attached file for the logs.

Thanks

hkl

Cisco Employee

Re: ftp dir list "hang" on asa 8.3

6  Nov 04 2010 07:06:54  85.95.45.106 39154  192.168.1.50 20  Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)

6  Nov 04 2010 07:06:53  85.95.45.106 57354  192.168.1.50 21  Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)

tell me that control and data connections are allowed. The problem probably resides somewhere else.

Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".

I hope it helps.

PK

Re: ftp dir list "hang" on asa 8.3

pkampana wrote:

6  Nov 04 2010 07:06:54  85.95.45.106 39154  192.168.1.50 20  Built inbound TCP connection 64482 for outside:85.95.45.106/39154 (85.95.45.106/39154) to inside:192.168.1.50/20 (62.89.40.36/20)

6  Nov 04 2010 07:06:53  85.95.45.106 57354  192.168.1.50 21  Built inbound TCP connection 64481 for outside:85.95.45.106/57354 (85.95.45.106/57354) to inside:192.168.1.50/21 (62.89.40.36/21)

tell me that control and data connections are allowed. The problem probably resides somewhere else.

Do a capture on the ASA inside "capture capin interface inside match ip host 192.168.1.50 host 85.95.45.106", try the transfer and look at the packets "sh cap capin".

I hope it helps.

PK

Hello again

Been away for some days, so looking back into this problem now.

See the attached file for the result of the capture. It's a bit above my head, so it would be much appreciated if you could advise.

br

hkl

Cisco Employee

Re: ftp dir list "hang" on asa 8.3

Hello,

Mike here. What type of FTP server are you running? Is it passive or active? In the show service-policy output, do you see the FTP inspection having any kind of drops?

Let me know.

Cheers

Mike

Mike
Cisco Employee

Re: ftp dir list "hang" on asa 8.3

This is active ftp with client on the outside. If you allow tcp 20 and 21 on the outside acl it should work without ftp inspection.

I would remove this server 192.168.1.50 temporarily and use a laptop or other PC with the same ip address 192.168.1.50 and install filezilla server on it. And see if it works.

You can get filezilla here: http://filezilla-project.org/download.php?type=server

Make sure it is set to active ftp. Verify here: http://support.tigertech.net/filezilla-passive

-KS

Re: ftp dir list "hang" on asa 8.3

kusankar wrote:

This is active ftp with client on the outside. If you allow tcp 20 and 21 on the outside acl it should work without ftp inspection.

I would remove this server 192.168.1.50 temporarily and use a laptop or other PC with the same ip address 192.168.1.50 and install filezilla server on it. And see if it works.

You can get filezilla here: http://filezilla-project.org/download.php?type=server

Make sure it is set to active ftp. Verify here: http://support.tigertech.net/filezilla-passive

-KS

Hello and thanks for the response.

Ports 20 and 21 are allowed. I tried changing the server to a vsftpd running on Linux, same result.

It seems that the link for setting active/passive FTP in FileZilla is for the client, not the server; the server options interface does not have a tab for active/passive.

hkl

Re: ftp dir list "hang" on asa 8.3

mayrojas wrote:

Hello,

Mike here, What type of FTP server are you running? Is it passive or active? On the show service policy, do you see the FTP inspection having any kind of drops?

Let me know.

Cheers

Mike

Hello Mike, thanks for your response.

I'm running FileZilla Server 0.9.37 (btw: everything worked fine before the upgrade to 8.3). Not really sure if the server is passive or active; there are only two settings for passive mode in the server, defining the external IP and specifying a custom port range.

anubis(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!

anubis(config)# sh service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1079, drop 0, reset-drop 0
      Inspect: ftp, packet 470, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 49, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
anubis(config)#

Cisco Employee

Re: ftp dir list "hang" on asa 8.3

Hello Kristian,

Do you think you could do the same capture that Panos asked you for, on the outside, download them in pcap format and post them here? The only difference is that instead of the private IP you would use the public IP of the server. Capture both sides, inside and outside.

In order to download them, the only thing you need to do is enable the HTTP server on the ASA (http server enable) and put the following URL in the web browser:

https:///capture//pcap

To me, it seems like the data channel is not going out. Take a look at this:

  41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
  44: 08:02:51.654629 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
  45: 08:02:57.691660 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535

That is the data channel that the server is trying to open.

Let me know if you are able to download the captures or if you need further explanation of how to do it.

Thanks.

Mike
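What Mike is reading off those three frames is a classic half-open pattern: the same SYN (same source port, same sequence number) from the server's TCP/20 to the client's announced port, retransmitted at the usual back-off intervals, with no SYN-ACK anywhere in the capture. The script below is an added example, not from the thread or from Cisco, that parses lines in the ASA "show capture" format and reports flows in which SYNs repeat with no SYN-ACK. The sample input embeds the three frames quoted above plus a constructed control-channel handshake (frames 1-3, not from the thread) that does complete, so the two cases can be told apart.

```python
import re
from collections import defaultdict

# One line of ASA 'show capture' output (tcpdump-like), e.g.
#   41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"          # optional 802.1Q tag info
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$")


def parse_capture(lines):
    """Yield one dict per TCP line: endpoints, SYN flag and whether ACK is set."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
               "dst": m["dst"], "dport": int(m["dport"]),
               "syn": "S" in m["flags"],
               "ack": re.search(r"\back\b", m["rest"]) is not None}


def find_unanswered_syns(lines, min_syns=2):
    """Return flows where a SYN was seen at least min_syns times at this
    capture point and no SYN-ACK ever came back. Repeated SYNs with the same
    source port are retransmissions: the initiator is still waiting."""
    syns = defaultdict(list)   # (src, sport, dst, dport) -> timestamps of SYNs
    answered = set()           # keys of flows for which a SYN-ACK was seen
    for pkt in parse_capture(lines):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["syn"] and not pkt["ack"]:
            syns[key].append(pkt["ts"])
        elif pkt["syn"] and pkt["ack"]:
            # A SYN-ACK flows in the opposite direction of the SYN it answers
            answered.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    report = []
    for key, stamps in syns.items():
        if key in answered or len(stamps) < min_syns:
            continue
        report.append({"initiator": f"{key[0]}:{key[1]}",
                       "target": f"{key[2]}:{key[3]}",
                       "syns": len(stamps), "first": stamps[0], "last": stamps[-1],
                       "ftp_data_channel": key[1] == 20})
    return report


# Constructed sample: the three data-channel SYNs quoted in this thread plus a
# made-up control-channel handshake (frames 1-3) that does complete.
SAMPLE_CAPTURE = """
   1: 08:02:40.100000 802.1Q vlan#1 P0 85.95.45.106.57354 > 192.168.1.50.21: S 1000:1000(0) win 8192
   2: 08:02:40.100500 802.1Q vlan#1 P0 192.168.1.50.21 > 85.95.45.106.57354: S 2000:2000(0) ack 1001 win 65535
   3: 08:02:40.101000 802.1Q vlan#1 P0 85.95.45.106.57354 > 192.168.1.50.21: . ack 2001 win 8192
  41: 08:02:48.680201 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
  44: 08:02:51.654629 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
  45: 08:02:57.691660 802.1Q vlan#1 P0 192.168.1.50.20 > 85.95.45.106.12607: S 2382230253:2382230253(0) win 65535
""".strip().splitlines()

if __name__ == "__main__":
    for flow in find_unanswered_syns(SAMPLE_CAPTURE):
        print(flow)
```

Run against the inside and the outside capture of the same transfer: if the unanswered SYN shows up on both interfaces, the ASA is forwarding it and the drop is further out (upstream ACL, or the client host itself); if it shows up only on the inside, the ASA is the one not passing it and the thread's earlier questions about the ACL and NAT for the data channel become relevant again.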

Re: ftp dir list "hang" on asa 8.3

Thanks for helping me out here.

Attached 2 files

capture capout interface outside match ip host 62.89.40.36 host 85.95.45.106 (pcap)

capture capin interface inside match ip host 62.89.40.36 host 85.95.45.106 (pcap(2))

Hope these are the right captures you were looking for.

Again, thanks

hkl

Re: ftp dir list "hang" on asa 8.3

Oops

Seems that only one file was attached; here's the next.

hkl

Cisco Employee

Re: ftp dir list "hang" on asa 8.3

Hello,

Hehehe, I noticed, but that's OK. Thanks so much for taking those captures. I can see that the server sends out from port 20 in order to establish the data connection with the client, but the client never responds. Here are two things that we can try.

Would you please open a command prompt on the PC and try to open the FTP connection from there? Run ftp and, once you are connected, just type list.

If it doesn't work, download Wireshark on that computer, start sniffing and check if the SYN packet from port 20 gets to the client from the server.

Hey, if you need clarification on anything just let me know ok?

Cheers.

Mike.

Mike

Re: ftp dir list "hang" on asa 8.3

Mike

I'm going to hang myself until it really hurts.

Your last post got me on the right track. I had already tested other FTP clients, but from the same client machine. So I logged into a Linux server I have located externally, and it worked fine.

Had to think a bit and realised I HATE WINDOWS FIREWALL; turned it off on the client machine and we are all set.

Thanks a lot to all of you who have wasted time on my stupidity.

hkl

Hopefully I learned something in the process.
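The check that would have shortened this thread is the one Mike asked for in his last post, done from the server side: attempt the same TCP connect the FTP server makes for the data channel and look at how it fails. A refused connection (RST) means the client host is reachable and simply not listening; a connect that times out means the SYN or the SYN-ACK was dropped, which is exactly what a host firewall such as the Windows Firewall, or an ACL in the path, looks like from the connecting end, and what the server turns into "425 Can't open data connection". The script below is an added example, not from the thread or from Cisco; the demo runs entirely on loopback, so it can only show the "open" and "refused" outcomes, and the address and port to probe in a real case come from the client's PORT command (in this thread, 85.95.45.106 port 12607 as seen in the capture).

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Try the TCP connect an active-mode FTP server makes to the client's PORT
    address. Returns one of:
      'open'     - handshake completed, something is listening
      'refused'  - RST came back: host reachable, nothing listening on the port
      'filtered' - no answer before the timeout: the SYN (or the SYN-ACK) was
                   dropped on the way, which is how a host firewall or an ACL
                   looks from the connecting side
    Anything else (no route, etc.) is reported as 'error: <errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        return f"error: {exc.errno}"
    finally:
        s.close()


def open_data_listener(host="127.0.0.1"):
    """Do what an active-mode FTP client does just before it sends PORT: bind
    an ephemeral port and listen on it. Returns (socket, port)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(1)
    return ls, ls.getsockname()[1]


def demo():
    """Probe a loopback listener while it is up and again after it is closed."""
    ls, port = open_data_listener()
    try:
        while_listening = probe_tcp("127.0.0.1", port)
    finally:
        ls.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    # Usage on a real case: run on the FTP server host while the client is
    # waiting on its LIST, e.g. probe_tcp("85.95.45.106", 12607).
    print(demo())  # ('open', 'refused'); a dropped SYN would give 'filtered'
```

Read the result together with the ASA capture: "filtered" from the server while the inside capture shows the SYN leaving and the outside capture shows it being forwarded puts the drop beyond the firewall, on the client's side, which is where this thread ended up.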

Cisco Employee

Re: ftp dir list "hang" on asa 8.3

Hello,


Hehehehe, yay! At least we got it working. Next time you won't forget. It was a pleasure helping you.

Cheers.

Mike.

Mike