FTP inspection - "show service-policy inspect ftp" - "reset-drop"

Hi,

One of our customers every now and then reports a problem with the FTP connection hanging for tens of minutes. The storing and retrieving of files is done from a remote server that's behind a L2L VPN connection. The FTP transfers are done every 2-3 minutes automatically.

They reported the same problem today and I checked the generated log from the syslog server.

Customer reported the problem start at 10:23 and ending at 10:49 when the FTP connection was re-established.

The last log at 10:23 I can see is the "Built" log message of the FTP data connection (TCP/20)

Mar 12 2012 10:23:46 <FW-NAME> : %ASA-6-302013: Built inbound TCP connection 32912183 for outside:x.x.x.x/3452 (x.x.x.x/3452) to inside:a.a.a.a/20 (b.b.b.b/20)

Yet when I check the log after this I can't see any mention of the above connection being "torn down" with the "Teardown" syslog message %ASA-6-302014. So there is no mention in the ASA's logs that the connection was ever torn down.

Why is this?

Does it have something to do with the FTP inspection and the "reset-drop" I see in the command output? Here's the current command output.

Customer-FW# sh service-policy inspect ftp

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: ftp, packet 28565683, drop 0, reset-drop 96

Are the connections perhaps being torn down by the ASA's inspection? What are the "reset-drop" events? Does the "reset-drop" event log any kind of log message? It just seems weird that there is no log of the connection being torn down.

One Cisco document states the following about FTP inspection

During FTP inspection, the adaptive security appliance can drop packets silently. To see whether the adaptive security appliance has dropped any packets internally, enter the show service-policy inspect ftp command.

The ASA is running 8.2(2) software and is an ASA5520 model.

- Jouni

2 REPLIES
Cisco Employee

FTP inspection - "show service-policy inspect ftp" - "reset-drop"

Hi Jouni,

Are you sure the ASA is tearing down the connection? If it is, you should definitely see a 302014 syslog. Double check the output of 'show conn' and see if the connection is still established when the customer reports the problem. Also, make sure the customer hasn't disabled 302014 messages in the output of 'show run log'.

You may also want to setup some packet captures and see if the firewall is dropping any packets when the problem is reported, or if the counters in 'show service-policy' are increasing:

https://supportforums.cisco.com/docs/DOC-1222

-Mike


Re: FTP inspection - "show service-policy inspect ftp" - "reset-drop"

Hi,

I'm sure the connection is being torn down by the ASA but I can't see the log message on my syslog server. I was just wondering if the ASA was tearing down the connection due to the "inspect ftp" and not generating any log message while doing so. Even if the ASA wasn't doing anything to the connection I'd assume I should still see some kind of message of the connection being torn down.

Usually when I'm informed of the problem with the FTP, it has usually recovered already. (The transfers are done automatically every 2 minutes.) Last time the problem occurred it seemed that the "reset-drop" counter hadn't increased, so it would seem that the "inspect ftp" isn't to blame in this situation.

I have taken several captures (actually I have a capture running all the time with "circular-buffer") which have helped a lot with the actual problem situation.

We are in control of the ASA and no log messages have been disabled. I'm beginning to think that either the syslog message hasn't reached the server or there's something wrong with the server itself. Maybe I should consider sending the logs with TCP instead of UDP.

PS. I had a similar situation after I made the original post, but in this case my syslog server was missing the "Built" message even though I was generating test traffic in real time. Seems really strange. I mean you'd expect some of the syslog messages to go through if the problem was with the syslog server connection or the server itself. Especially when you get the "Teardown" message for each of the tests I did.
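The check both posts above do by hand (the original post looking for a 302014 Teardown that never appears for connection 32912183, and the follow-up noticing a 302013 Built that is missing while the Teardown arrived) can be automated by pairing Built/Teardown messages on the ASA connection ID. The script below is an added example written for this thread, not code from the posts or from Cisco; the message layout it parses is the one quoted in the thread, the sample log is constructed for the example (only the first 32912183 line is from the post, the other IDs, ports and addresses are made up), and the conclusion it prints is only a hint: a connection left "open" in the log must still be compared against `show conn` on the ASA to tell a real hang from a syslog message lost in transit.

```python
"""Audit ASA 302013/302014 syslog lines: pair Built and Teardown messages by
connection ID and report connections that never got a Teardown (candidate
hangs, or lost 302014 messages) and Teardowns whose Built never arrived
(lost 302013 messages). Added example for the thread, not Cisco code."""
import re
from collections import Counter

# Header of an ASA syslog line as quoted in the thread:
# "<timestamp> <device> : %ASA-<severity>-<msgid>: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# 302013: "Built inbound|outbound TCP connection <id> for <src> (<mapped>) to <dst> (<mapped>)"
# 302014: "Teardown TCP connection <id> for <src> to <dst> duration ..." (no direction word)
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?:(?:inbound|outbound) )?TCP connection "
    r"(?P<cid>\d+) for (?P<src>\S+)(?: \(\S+\))? to (?P<dst>\S+)"
)

# Constructed sample log; the 32912183 Built line is the one quoted in the thread.
SAMPLE_LOG = """\
Mar 12 2012 10:23:40 <FW-NAME> : %ASA-6-302013: Built inbound TCP connection 32912180 for outside:x.x.x.x/3451 (x.x.x.x/3451) to inside:a.a.a.a/21 (b.b.b.b/21)
Mar 12 2012 10:23:41 <FW-NAME> : %ASA-6-302014: Teardown TCP connection 32912170 for outside:x.x.x.x/3449 to inside:a.a.a.a/20 duration 0:00:02 bytes 4096 TCP FINs
Mar 12 2012 10:23:46 <FW-NAME> : %ASA-6-302013: Built inbound TCP connection 32912183 for outside:x.x.x.x/3452 (x.x.x.x/3452) to inside:a.a.a.a/20 (b.b.b.b/20)
Mar 12 2012 10:23:47 <FW-NAME> : %ASA-6-302015: Built inbound UDP connection 32912184 for outside:x.x.x.x/514 (x.x.x.x/514) to inside:c.c.c.c/514 (c.c.c.c/514)
Mar 12 2012 10:24:10 <FW-NAME> : %ASA-6-302014: Teardown TCP connection 32912180 for outside:x.x.x.x/3451 to inside:a.a.a.a/21 duration 0:00:30 bytes 812 TCP FINs
"""


def parse_line(line):
    """Return a record for a 302013/302014 TCP line, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("msgid") not in ("302013", "302014"):
        return None
    c = CONN_RE.match(m.group("body"))
    if not c:
        return None
    return {
        "ts": m.group("ts"),
        "msgid": m.group("msgid"),
        "action": c.group("action"),
        "cid": int(c.group("cid")),
        "src": c.group("src"),
        "dst": c.group("dst"),
    }


def audit_connections(lines):
    """Pair Built/Teardown by connection ID.

    Returns (open_conns, orphan_teardowns, counts):
      open_conns       -> {cid: Built record with no later Teardown}
      orphan_teardowns -> {cid: Teardown record whose Built never arrived}
      counts           -> Counter of message IDs seen (302013 / 302014)
    """
    open_conns, orphans, counts = {}, {}, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["msgid"]] += 1
        if rec["action"] == "Built":
            open_conns[rec["cid"]] = rec
        elif open_conns.pop(rec["cid"], None) is None:
            orphans[rec["cid"]] = rec
    return open_conns, orphans, counts


def is_ftp_data(rec):
    """True when either side is port 20, i.e. the FTP data channel from the thread."""
    return rec["src"].endswith("/20") or rec["dst"].endswith("/20")


def report(log_text=SAMPLE_LOG):
    """Print the audit result and return it for further processing."""
    open_conns, orphans, counts = audit_connections(log_text.splitlines())
    for cid, rec in sorted(open_conns.items()):
        kind = "FTP data" if is_ftp_data(rec) else "TCP"
        print(f"no Teardown seen for {kind} conn {cid} built {rec['ts']} "
              f"{rec['src']} -> {rec['dst']} (check 'show conn' on the ASA)")
    for cid, rec in sorted(orphans.items()):
        print(f"Teardown without Built for conn {cid} at {rec['ts']} "
              f"(302013 probably lost before the syslog server)")
    print(f"Built={counts['302013']} Teardown={counts['302014']}")
    return open_conns, orphans, counts


if __name__ == "__main__":
    report()
```

On the sample log the script reports connection 32912183 (the FTP data channel from the post) as built with no Teardown and connection 32912170 as torn down with no Built, while the UDP 302015 line is ignored. Run it over the syslog server's file for the 10:23 to 10:49 window and compare the "open" IDs with `show conn` taken while the problem is active: an ID that is gone from the conn table but still open in the log points at a dropped syslog message rather than at the ASA holding the connection.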
