FTP fail accross ASA-5550 - Parent flow is closed message

fjmendonca
Level 1

I have a connection with a customer to FTP data to a server, but the transfer fails after the "Parent flow is closed" message.

Anyone got any ideas?

21 Replies

dentt
Level 1

Do you have FTP inspection turned on?

Yes, it does.

I would check this reference. Are you using Active or Passive FTP?

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738

I would also issue a "clear asp drop" command in Priv-exec mode. Then start an FTP session and wait for the failure. Issue the "show asp drop" command and paste the output.

When the parent flow of a subordinating flow is closed, the subordinating flow is also closed. For example, an FTP data flow (subordinating flow) will be closed with this specific reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pin-hole) is closed by its controlling application. For example, when the BYE message is received, the SIP inspection engine (controlling application) will close the corresponding SIP RTP flows (secondary flow).

We are using Passive FTP.

The transmission starts and after 4400 bytes ends with the "Parent flow is closed" message.

Hi,

Try configuring a syslog server at level 6 to find out why the parent flow is being torn down. The message you want to watch out for is 302014. This message will give a specific reason for why the control channel is being torn down (i.e. resets, timeout, inspection, etc.) This will help identify the root cause of the issue.

-Mike

Hi,

I issued a "clear asp drop" command, started an FTP session and waited for the failure, then issued the "show asp drop" command.

The result is in the attached file.

I'm curious about the outcome of this thread. I'm experiencing a very similar issue wherein uploads to an Internet FTP server fail from a LAN client. What I find from the logs is that the FTP server, from the Outside interface, is denied FTP commands back to the LAN client; even though FTP Inspect is enabled. Can someone continue the explanation, and diagnostic process, for the show asp drop command?

Thanks

suschoud
Cisco Employee

ALL YOU EVER WANTED TO KNOW ABOUT FTP AND ASA HANDLING FTP:

Various FTP forms:

1) Normal FTP
2) SFTP - SSH File Transfer Protocol
3) FTPS - FTP over SSL
   i> Implicit FTPS
   ii> Explicit FTPS

//// It has been assumed that FTP inspection is disabled on ASA in scenarios below. ////

===========
Normal FTP:
===========

File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to another through a network, such as the Internet.

-> Inbound FTP Scenarios:

Server----I(ASA)O----client

a) Passive Client [####FAILS####]

Client connects to server's public IP on port 21, authenticates. After this client enters passive mode using PASV command. When server receives PASV command, it generates a message in which client is informed about the port it needs to connect to for data transfer. However, server uses its own private IP address in the communication and because firewall is not doing FTP inspection, it will not modify/translate the payload to the public IP of server. Hence, client receives private IP address of the server and is unable to connect for data connection.

Solution: Enable FTP inspection.

b) Active Client [####WORKS####]

Client connects to server public IP on port 21, authenticates. Then client sends a PORT command. Server calculates the port to which it needs to connect to the client and initiates the connection to the port from source-port TCP/20 (ftp-data). Outbound connection works fine because, by default, outbound traffic is permitted on ASA.

FTP Inspection required: NO.

-> Outbound FTP Scenarios:

client----I(ASA)O----Server

a) Active Client [####FAILS####]

Client connects to server public IP on port 21, authenticates. Then client sends a PORT command. However, PORT command is being sent using client's private IP address and because firewall is not doing FTP inspection, it will not modify/translate the payload to the public IP of server; server receives a private IP address of the client. Due to this, server is unable to initiate data connection to the client and FTP fails.

Solution: Enable FTP inspection.

b) Passive Client [####WORKS####]

Client connects to server public IP on port 21, authenticates. After this client enters passive mode using PASV command. When server receives PASV command, it generates a message in which client is informed about the port it needs to connect to for data transfer. Client calculates this port and initiates an outbound connection on this new port and establishes SSL connection for data transfer. As this is an outbound connection, everything works fine.

FTP Inspection required: NO.

Refer to following link for detailed explanation of Active/Passive FTP:

http://slacksite.com/other/ftp.html

check the next post..........
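An added example (not from this thread or from Cisco): a small Python model of the two failing cases in the post above. It parses the address carried in a PASV 227 reply or a PORT command, flags it when it is RFC1918, and emulates the payload rewrite that "inspect ftp" performs; the nat_map dictionary and the sample addresses are constructed assumptions standing in for the ASA's NAT table.

```python
import re
import ipaddress

# Constructed samples (not from the thread): the two FTP messages that carry an
# address inside the payload. Without "inspect ftp" the ASA translates only the
# IP header, so the far side reads a private address out of these lines.
PASV_REPLY_FROM_INSIDE_SERVER = "227 Entering Passive Mode (10,1,1,5,195,80)\r\n"
PORT_CMD_FROM_INSIDE_CLIENT = "PORT 192,168,1,10,7,138\r\n"

# h1,h2,h3,h4,p1,p2: four address octets, then port = p1*256 + p2
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for the private ranges a NAT'd host leaks into the FTP payload."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_endpoint(line):
    """Return (ip, port) carried in a 227 reply or PORT command, else None."""
    if not (line.startswith("227") or line.startswith("PORT")):
        return None
    m = ADDR_RE.search(line)
    if not m:
        return None
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def data_connection_ok(line):
    """False when the peer would have to dial an RFC1918 address, which is
    exactly the two failing cases above (inbound passive, outbound active)."""
    ep = parse_endpoint(line)
    return ep is not None and not is_rfc1918(ep[0])

def inspect_rewrite(line, nat_map):
    """Emulate the payload fix-up FTP inspection performs: replace the inside
    address with its NAT public address. nat_map {inside_ip: public_ip} is an
    assumption of this example standing in for the ASA's static NAT; the
    pinhole the ASA also opens for the data port is not modelled here."""
    ep = parse_endpoint(line)
    if ep is None or ep[0] not in nat_map:
        return line
    ip, port = ep
    fixed = "%s,%d,%d" % (nat_map[ip].replace(".", ","), port // 256, port % 256)
    return ADDR_RE.sub(fixed, line, count=1)
```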

Thanks! I've read through each post and find that the option b) Passive Client [####WORKS####] FTP Inspection Required: NO scenario applies to my configuration. Since we have FTP Inspect enabled to allow Internet customers access to FTP servers inbound (NAT to servers on the Inside Interface), our Pasv clients on the LAN should be able to access Internet-based FTP servers and perform uploads and downloads ad nauseam. However, the uploads and downloads fail (for LAN-based clients on the Inside Interface to Internet-based FTP servers on the Outside interface) and logging shows "Parent flow is closed", or "Deny TCP no connection" from the FTP server with "FIN ACK on the Outside interface", or "Deny TCP no connection" to the FTP server with "ACK on the Inside Interface", so I have to believe that further diagnostics need to be performed.

Your last line in the last post, "If the above does not resolve issue, check client and server...issue is there.........>>>", would further indicate a need to "discover" what is happening, which is why I was curious how to use clear asp drop to continue troubleshooting this issue and point me to either server or client for additional discovery.

Looking forward to your response.

Thanks

Could you post:

sh run policy-map

sh run class-map

sh run service-policy

command outputs.

Also, let me know what version you are running on the ASA (will check for bugs accordingly).

You won't find anything in asp drops as the f/w did not drop these packets on its own.

The server closed the connection. The child connections which remained were deleted as the parent connection was closed. For outbound connections, it's the outside server which closes the connection. If this server is accessible from a location which is not behind the ASA, we need to check the ASA. Let me check the basics first; if needed, we'll delve into captures......

Regards,

Sushil

My pleasure and Thank you!

*** show run policy-map ***

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect esmtp
  inspect pptp
  inspect http
  inspect dns
  inspect icmp
  inspect icmp error
  inspect ftp

*** show run class-map ***

class-map inspection_default
 match default-inspection-traffic

*** show run service-policy ***

service-policy global_policy global

*** ASA Version ***

ASA - 8.0(4)
ASDM - 6.1(3)

Thanks

Hi,

The config is perfect.

The software code you are running does not have any known issues.

##

You mentioned you saw the "parent flow is closed" message in the syslogs.

Before this log appears, there would be a teardown connection message...something like:

Teardown TCP connection 278 for WAN:x.x.x.x/1868 to STORE-SERVER:y.y.y.y/21 duration 0:02:04 bytes 345 TCP Reset-O

This message will essentially tell us why the connection was closed...."parent flow" message is just a follow-up message which tells that the major connection (control conn.) is closed and the data channel is now closed too.

Please look for this teardown and let me know what you see at the end. In the example above, RESET-O is at the end of the message, which essentially means that the device on the outside (server) sent a packet with the reset bit set. In your case, it could be anything....let's find that out and you would know who the culprit is.

On a side note, make sure that there are no dropped packets on the ASA interfaces involved in the communication. Sometimes, a few lost packets in FTP exchanges can result in torn-down connections.

Regards,

Sushil

Thank you for your assistance!

*** These show up before the "parent flow closed" message but no Reset-(X) ***

Teardown TCP connection 20440132 for Outside2_Current:External FTP Server/21 to Inside:Client Machine/1958 duration 0:02:39 bytes 488 TCP FINs

Teardown TCP connection 20436932 for Outside2_Current:External FTP Server/21 to Inside:Client Machine/1935 duration 0:00:24 bytes 478 TCP FINs

Teardown TCP connection 20434600 for Outside2_Current:External FTP Server/21 to Inside:Client Machine/1923 duration 0:00:22 bytes 469 TCP FINs

Teardown TCP connection 20432302 for Outside2_Current:External FTP Server/21 to Inside:Client Machine/1911 duration 0:00:23 bytes 472 TCP FINs

Teardown TCP connection 20431530 for Outside2_Current:External FTP Server/21 to Inside:Client Machine/1907 duration 0:00:25 bytes 470 TCP FINs

*** Then I occasionally see this: ***

Deny TCP (no connection) from Client Machine/1909 to External FTP Server/15423 flags ACK on interface Inside

*** and this: ***

Deny TCP (no connection) from Client Machine/1897 to External FTP Server/21 flags FIN ACK on interface Inside

I hope this helps! :)

Thanks for your help!

*** As a side note, not to stir things up, FTP to this server worked with the previous firewall in place, W _ _ _ _ G _ _ _ _. FTP has failed to this server since the ASA has been in place. ***
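An added example (not from the thread): a Python parser for the 302014 Teardown lines Sushil asked for, run over constructed log lines in the same shape as those posted above (hostnames replaced with documentation addresses). It pulls out the reason suffix (TCP FINs and TCP Reset-O as seen in this thread, plus the other documented reason strings) and keeps only teardowns of the port-21 control connection, the parent flow whose closure produces the "Parent flow is closed" message.

```python
import re

# Constructed log lines in the shape of the thread's 302014 Teardown messages
# (hostnames replaced with RFC 5737 documentation addresses); not a real capture.
SAMPLE_LOG = """\
Teardown TCP connection 20440132 for Outside2_Current:203.0.113.25/21 to Inside:192.168.1.58/1958 duration 0:02:39 bytes 488 TCP FINs
Teardown TCP connection 20436932 for Outside2_Current:203.0.113.25/21 to Inside:192.168.1.58/1935 duration 0:00:24 bytes 478 TCP FINs
Teardown TCP connection 278 for WAN:198.51.100.9/1868 to STORE-SERVER:10.0.0.21/21 duration 0:02:04 bytes 345 TCP Reset-O
Teardown TCP connection 20440200 for Outside2_Current:203.0.113.25/20 to Inside:192.168.1.58/1960 duration 0:00:03 bytes 4400 Flow closed by inspection
Deny TCP (no connection) from 192.168.1.58/1909 to 203.0.113.25/15423 flags ACK on interface Inside
"""

# Field layout of 302014; the address groups are lazy so names with spaces
# (as in the lines posted above) parse as well as dotted IPs.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<if_a>[^:]+):(?P<addr_a>.+?)/(?P<port_a>\d+) "
    r"to (?P<if_b>[^:]+):(?P<addr_b>.+?)/(?P<port_b>\d+) duration (?P<dur>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+)\s*(?P<reason>.*?)\s*$")

# Meaning of the reason suffix the ASA appends to 302014 (TCP FINs and
# Reset-O appear in this thread; the rest are other documented reasons).
WHO_CLOSED = {
    "TCP FINs": "graceful close (both sides sent FIN)",
    "TCP Reset-O": "reset received from the outside host",
    "TCP Reset-I": "reset received from the inside host",
    "SYN Timeout": "handshake never completed",
    "FIN Timeout": "half-closed connection timed out",
    "Connection timeout": "idle timeout on the ASA",
    "Flow closed by inspection": "inspection engine closed it",
}

def parse_teardown(line):
    """Return the fields of one Teardown line as a dict, or None for other lines."""
    m = TEARDOWN_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("id", "port_a", "port_b", "bytes"):
        d[k] = int(d[k])
    d["who"] = WHO_CLOSED.get(d["reason"], "unknown reason: " + d["reason"])
    return d

def ftp_control_teardowns(log_text):
    """Keep only teardowns with port 21 at either end: the parent flows whose
    closure takes the data channel down with 'Parent flow is closed'."""
    rows = [parse_teardown(ln) for ln in log_text.splitlines()]
    return [d for d in rows if d and 21 in (d["port_a"], d["port_b"])]
```

The "who" field is what to read first: a run of TCP FINs on port 21 means the server (or client) closed the control channel normally and the data channel simply followed it, while Reset-O points at the outside host.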
