New Member

FTP fails across ASA-5550 - Parent flow is closed message

I have a connection with a customer to FTP data to a server, but the transfer fails after the "Parent flow is closed" message.

Anyone got any ideas?

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

Do you have FTP inspection turned on?

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

Yes, it does.

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

I would check this reference. Are you using Active or Passive FTP?

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

I would also issue a "clear asp drop" command in Priv-exec mode. Then start an FTP session and wait for the failure. Issue the "show asp drop" command and paste the output.

When the parent flow of a subordinating flow is closed, the subordinating flow is also closed. For example, an FTP data flow (subordinating flow) will be closed with this specific reason when its control flow (parent flow) is terminated. This reason is also given when a secondary flow (pin-hole) is closed by its controlling application. For example, when the BYE message is received, the SIP inspection engine (controlling application) will close the corresponding SIP RTP flows (secondary flow).

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

We are using Passive FTP.

The transmission starts and after 4400 bytes ends with the "Parent flow is closed" message.

Re: FTP fails across ASA-5550 - Parent flow is closed message

Hi,

Try configuring a syslog server at level 6 to find out why the parent flow is being torn down. The message you want to watch out for is 302014. This message will give a specific reason for why the control channel is being torn down (i.e. resets, timeout, inspection, etc.) This will help identify the root cause of the issue.

-Mike
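As an added example (not part of the thread and not Cisco code), here is a small parser for the 302014 records Mike points at: it pulls the teardown reason out of each TCP connection teardown and singles out the FTP control channel on port 21, which is the parent flow whose loss produces the "Parent flow is closed" drop on the data channel. The syslog lines below are constructed to mimic the documented 302014/302013 format; the connection IDs, addresses, durations and reasons are invented for the example.

```python
"""Added example: extract ASA 302014 teardown records and report the reason the
FTP control channel (the parent flow) was torn down. Sample log is constructed."""
import re
from collections import Counter

# Shape of the 302014 message as documented by Cisco: the mapped address in
# parentheses after each endpoint and the trailing reason are optional.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<a_if>[^:\s]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+)(?: \([^)]*\))? "
    r"to (?P<b_if>[^:\s]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+)(?: \([^)]*\))? "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*?))?\s*$"
)

# Constructed sample (not a real capture): inside client 10.1.1.5 (mapped to
# 203.0.113.10) doing passive FTP to outside server 198.51.100.7. Control channel
# is connection 41205 on port 21, data channel is 41210 on port 50000.
# "TCP Reset-O" means the reset came from the outside host, "Reset-I" from inside.
SAMPLE_LOG = """\
Sep 10 14:02:11 fw1 %ASA-6-302013: Built outbound TCP connection 41205 for outside:198.51.100.7/21 (198.51.100.7/21) to inside:10.1.1.5/51234 (203.0.113.10/51234)
Sep 10 14:02:12 fw1 %ASA-6-302013: Built outbound TCP connection 41210 for outside:198.51.100.7/50000 (198.51.100.7/50000) to inside:10.1.1.5/51240 (203.0.113.10/51240)
Sep 10 14:02:14 fw1 %ASA-6-302014: Teardown TCP connection 41205 for outside:198.51.100.7/21 (198.51.100.7/21) to inside:10.1.1.5/51234 (203.0.113.10/51234) duration 0:00:03 bytes 1122 TCP Reset-O
Sep 10 14:02:14 fw1 %ASA-6-302014: Teardown TCP connection 41210 for outside:198.51.100.7/50000 (198.51.100.7/50000) to inside:10.1.1.5/51240 (203.0.113.10/51240) duration 0:00:02 bytes 4400 TCP FINs
Sep 10 14:07:30 fw1 %ASA-6-302014: Teardown TCP connection 41300 for outside:198.51.100.7/21 (198.51.100.7/21) to inside:10.1.1.6/51500 (203.0.113.10/51500) duration 0:05:00 bytes 310 Flow closed by inspection
"""


def parse_teardowns(text):
    """One dict per 302014 line: connection id, both endpoints, duration, bytes, reason."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue                     # 302013 "Built ..." lines and noise are skipped
        rec = m.groupdict()
        for key in ("conn", "a_port", "b_port", "bytes"):
            rec[key] = int(rec[key])
        rec["reason"] = rec["reason"] or "(no reason given)"
        records.append(rec)
    return records


def control_channel_teardowns(records, port=21):
    """Keep only teardowns that involve the FTP control port. That connection is the
    parent flow; its reason (reset, timeout, inspection, ...) is what explains a
    data channel dropped with 'Parent flow is closed'."""
    return [r for r in records if port in (r["a_port"], r["b_port"])]


def reason_counts(records):
    """Histogram of teardown reasons, handy when scanning a long log."""
    return Counter(r["reason"] for r in records)


if __name__ == "__main__":
    ctl = control_channel_teardowns(parse_teardowns(SAMPLE_LOG))
    for r in ctl:
        print(f"conn {r['conn']}: {r['a_if']}:{r['a_ip']}/{r['a_port']} <-> "
              f"{r['b_if']}:{r['b_ip']}/{r['b_port']} after {r['duration']}, "
              f"{r['bytes']} bytes, reason: {r['reason']}")
    print(dict(reason_counts(ctl)))
```

Point it at a syslog export (logging level 6 or `logging trap informational` on the ASA) instead of SAMPLE_LOG, and match the control-channel connection ID against the timestamp of the failed transfer: a reset from one end looks very different from a teardown by inspection or an idle timeout, and each points at a different fix.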

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

Hi,

I did a "clear asp drop" command, started an FTP session and waited for the failure, then did a "show asp drop" command.

The result is in the attached file.

New Member

Re: FTP fails across ASA-5550 - Parent flow is closed message

I'm curious about the outcome of this thread. I'm experiencing a very similar issue wherein uploads to an Internet FTP server fail from a LAN client. What I find from the logs is that the FTP server, from the Outside interface, is denied FTP commands back to the LAN client; even though FTP Inspect is enabled. Can someone continue the explanation, and diagnostic process, for the show asp drop command?

Thanks

Silver

Re: FTP fails across ASA-5550 - Parent flow is closed message

ALL YOU EVER WANTED TO KNOW ABOUT FTP AND ASA HANDLING FTP:

Various FTP forms:

1) Normal FTP

2) SFTP - SSH File Transfer Protocol

3) FTPS - FTP over SSL

i> Implicit FTPS

ii> Explicit FTPS

//// It has been assumed that FTP inspection is disabled on ASA in the scenarios below. ////

===========
Normal FTP:
===========

File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to another through a network, such as the Internet.

-> Inbound FTP Scenarios:

Server----I(ASA)O----client

a) Passive Client [####FAILS####]

Client connects to server's public IP on port 21, authenticates. After this the client enters passive mode using the PASV command. When the server receives the PASV command, it generates a message in which the client is informed about the port it needs to connect to for data transfer. However, the server uses its own private IP address in the communication and, because the firewall is not doing FTP inspection, it will not modify/translate the payload to the public IP of the server. Hence, the client receives the private IP address of the server and is unable to connect for the data connection.

Solution: Enable FTP inspection.

b) Active Client [####WORKS####]

Client connects to server public IP on port 21, authenticates. Then the client sends a PORT command. The server calculates the port to which it needs to connect to the client and initiates the connection to that port from source port TCP/20 (ftp-data). The outbound connection works fine because, by default, outbound traffic is permitted on ASA.

FTP Inspection required: NO.

-> Outbound FTP Scenarios:

client----I(ASA)O----Server

a) Active Client [####FAILS####]

Client connects to server public IP on port 21, authenticates. Then the client sends a PORT command. However, the PORT command is being sent using the client's private IP address and, because the firewall is not doing FTP inspection, it will not modify/translate the payload to the public IP of server; the server receives a private IP address of the client. Due to this, the server is unable to initiate the data connection to the client and FTP fails.

Solution: Enable FTP inspection.

b) Passive Client [####WORKS####]

Client connects to server public IP on port 21, authenticates. After this the client enters passive mode using the PASV command. When the server receives the PASV command, it generates a message in which the client is informed about the port it needs to connect to for data transfer. The client calculates this port, initiates an outbound connection on this new port and establishes SSL connection for data transfer. As this is an outbound connection, everything works fine.

FTP Inspection required: NO.

Refer to the following link for a detailed explanation of Active/Passive FTP:

http://slacksite.com/other/ftp.html

check the next post...
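The four cases in the post above can be reproduced mechanically. The following Python, added here as an illustration and not part of the post or of any Cisco software, parses the address carried in a PORT command or a 227 "Entering Passive Mode" reply, models the ASA as a static NAT with an optional FTP inspection fixup (rewrite the embedded inside address to its mapped address and open a pinhole for the data connection), and derives which direction/mode combination succeeds with inspection off and on. The topology, addresses, ports and the firewall model are assumptions made for the example; it also assumes the ASA defaults the post relies on (inside-to-outside permitted, outside-to-inside only through a pinhole or an explicit rule, and no explicit rule for the data port).

```python
"""Added example: why two of the four active/passive FTP cases fail through a NAT
firewall without FTP inspection. Topology, addresses and firewall model are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed topology: one host behind static NAT on the firewall, one host on the Internet.
INSIDE_REAL = "10.1.1.5"        # private address the inside host knows about itself
INSIDE_MAPPED = "203.0.113.10"  # its static-NAT public address
OUTSIDE_HOST = "198.51.100.7"   # the peer on the outside

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_hp(ip, port):
    """RFC 959 h1,h2,h3,h4,p1,p2 encoding; the port is p1*256 + p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_data_endpoint(msg):
    """(ip, port) advertised by a PORT command or a 227 reply, or None if neither."""
    m = PORT_RE.match(msg) or PASV_RE.match(msg)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(ip):
    """Private address: unroutable from the Internet, so a peer out there cannot connect to it."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass
class Firewall:
    """Assumed, simplified stand-in for the ASA behaviour that matters here:
    static NAT, optional FTP inspection fixup, default outbound permit."""
    nat: dict                       # inside real IP -> mapped public IP
    inspect_ftp: bool
    pinholes: set = field(default_factory=set)

    def fixup(self, msg):
        """FTP inspection on a control-channel message leaving the inside: rewrite the
        embedded real IP to its mapped IP and open a pinhole for the data connection."""
        ep = parse_data_endpoint(msg)
        if not self.inspect_ftp or ep is None or ep[0] not in self.nat:
            return msg                                   # payload forwarded untouched
        real_ip, port = ep
        mapped_ip = self.nat[real_ip]
        self.pinholes.add((mapped_ip, port))
        return msg.replace(encode_hp(real_ip, port), encode_hp(mapped_ip, port))

    def permits(self, initiator_side, dst_ip, dst_port):
        """Inside -> outside is allowed by default; outside -> inside needs a pinhole
        (assumes no ACL explicitly opening the data port)."""
        return initiator_side == "inside" or (dst_ip, dst_port) in self.pinholes


def simulate(direction, mode, inspect_ftp):
    """direction: 'inbound' (server inside) or 'outbound' (client inside).
    mode: 'active' (client sends PORT, server connects) or 'passive' (server
    sends 227, client connects). Returns the control message as seen past the
    firewall and whether the data connection can be set up."""
    fw = Firewall(nat={INSIDE_REAL: INSIDE_MAPPED}, inspect_ftp=inspect_ftp)
    server_side = "inside" if direction == "inbound" else "outside"
    client_side = "outside" if direction == "inbound" else "inside"
    adv_side, conn_side = (client_side, server_side) if mode == "active" else (server_side, client_side)
    # Each host writes its own address into the payload; the inside host only knows its private one.
    adv_ip = INSIDE_REAL if adv_side == "inside" else OUTSIDE_HOST
    data_port = 51210 if mode == "active" else 50000     # arbitrary ephemeral ports
    msg = (f"PORT {encode_hp(adv_ip, data_port)}\r\n" if mode == "active"
           else f"227 Entering Passive Mode ({encode_hp(adv_ip, data_port)}).\r\n")
    if adv_side == "inside":
        msg = fw.fixup(msg)                              # only inside-originated payloads are translated
    target_ip, target_port = parse_data_endpoint(msg)
    reachable = not (conn_side == "outside" and is_rfc1918(target_ip))
    works = reachable and fw.permits(conn_side, target_ip, target_port)
    return {"wire": msg.strip(), "connector": conn_side,
            "target": (target_ip, target_port), "works": works}


if __name__ == "__main__":
    for inspect in (False, True):
        print(f"\nFTP inspection {'ON' if inspect else 'OFF'}:")
        for direction in ("inbound", "outbound"):
            for mode in ("active", "passive"):
                r = simulate(direction, mode, inspect)
                print(f"  {direction:8} {mode:7} -> {'WORKS' if r['works'] else 'FAILS'}  "
                      f"{r['connector']} host connects to {r['target'][0]}:{r['target'][1]}  [{r['wire']}]")
```

Running it prints the same two FAILS rows the post lists (inbound passive, outbound active) with inspection off, and shows the rewritten PORT/227 payload and four WORKS rows with it on. The one thing the model deliberately leaves out is FTPS: once the control channel is encrypted the firewall cannot read or rewrite the PORT/227 payload, so the same two cases fail even with inspection enabled.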
