One of our customers every now and then reports a problem with the FTP connection hanging for tens of minutes. The storing and retrieving of files is done from a remote server that's behind a L2L VPN connection. The FTP transfers are done automatically every 2-3 minutes.
They reported the same problem today and I checked the generated log from the syslog server.
Customer reported the problem starting at 10:23 and ending at 10:49, when the FTP connection was re-established.
The last log at 10:23 I can see is the "Built" log message of the FTP data connection (TCP/20):
Mar 12 2012 10:23:46 <FW-NAME> : %ASA-6-302013: Built inbound TCP connection 32912183 for outside:x.x.x.x/3452 (x.x.x.x/3452) to inside:a.a.a.a/20 (b.b.b.b/20)
Yet when I check the log after this I can't see any mention of the above connection being "torn down" with the "Teardown" syslog message %ASA-6-302014. So there is no mention in the ASA's logs that the connection was ever torn down.
Why is this?
Does it have something to do with the FTP inspection and the "reset-drop" I see in the command output? Here's the current command output:
Customer-FW# sh service-policy inspect ftp
Inspect: ftp, packet 28565683, drop 0, reset-drop 96
Are the connections perhaps being torn down by the ASA's inspection? What are the "reset-drop" events? Does the "reset-drop" event log any kind of log message? It just seems weird that there is no log of the connection being torn down.
One Cisco document states the following about FTP inspection:
During FTP inspection, the adaptive security appliance can drop packets silently. To see whether the adaptive security appliance has dropped any packets internally, enter the show service-policy inspect ftp command.
The ASA is running 8.2(2) software and is an ASA5520 model.
Are you sure the ASA is tearing down the connection? If it is, you should definitely see a 302014 syslog. Double check the output of 'show conn' and see if the connection is still established when the customer reports the problem. Also, make sure the customer hasn't disabled 302014 messages in the output of 'show run log'.
You may also want to set up some packet captures and see if the firewall is dropping any packets when the problem is reported, or if the counters in 'show service-policy' are increasing:
I'm sure the connection is being torn down by the ASA, but I can't see the log message on my syslog server. I was just wondering if the ASA was tearing down the connection due to the "inspect ftp" and not generating any log message while doing so. Even if the ASA wasn't doing anything to the connection, I'd assume I should still see some kind of message of the connection being torn down.
Usually when I'm informed of the problem with the FTP, it has already recovered. (The transfers are done automatically every 2 minutes.) Last time the problem occurred it seemed that the "reset-drop" counter hadn't increased, so it would seem that the "inspect ftp" isn't to blame in this situation.
I have taken several captures (actually I have a capture running all the time with "circular-buffer"), which have helped a lot with the actual problem situation.
We are in control of the ASA and no log messages have been disabled. I'm beginning to think that either the syslog message hasn't reached the server or there's something wrong with the server itself. Maybe I should consider sending the logs with TCP instead of UDP.
PS. I had a similar situation after I made the original post, but in this case my syslog server was missing the "Built" message even though I was generating test traffic in real time. Seems really strange. I mean, you'd expect some of the syslog messages to go through if the problem was with the syslog server connection or the server itself. Especially when you get the "Teardown" message for each of the tests I did.
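The check the thread keeps circling back to is whether every 302013 "Built" has a matching 302014 "Teardown" for the same connection ID, and, after the PS above, whether there are Teardowns whose Built never arrived either. The script below is an added example, not part of the original posts or any Cisco tool: it pairs Built and Teardown messages by connection ID over a few constructed ASA syslog lines (RFC 5737 addresses and invented connection IDs; only the 10:23:46 Built line mirrors the one quoted above) and reports three things: paired connections, Builts with no Teardown (still open, or the Teardown was lost in transit), and Teardowns with no Built (the Built itself was lost). The message layouts assumed for 302013/302014 are the standard ASA formats; the timestamp prefix assumes `logging timestamp` is on, as in the quoted line.

```python
import re
from datetime import datetime

# Constructed sample ASA syslog lines (not from the thread's actual syslog server).
SAMPLE_LOG = """\
Mar 12 2012 10:21:40 FW-NAME : %ASA-6-302013: Built inbound TCP connection 32912100 for outside:203.0.113.5/3440 (203.0.113.5/3440) to inside:10.0.0.20/21 (192.0.2.20/21)
Mar 12 2012 10:21:41 FW-NAME : %ASA-6-302013: Built inbound TCP connection 32912101 for outside:203.0.113.5/3441 (203.0.113.5/3441) to inside:10.0.0.20/20 (192.0.2.20/20)
Mar 12 2012 10:21:43 FW-NAME : %ASA-6-302014: Teardown TCP connection 32912101 for outside:203.0.113.5/3441 to inside:10.0.0.20/20 duration 0:00:02 bytes 4096 TCP FINs
Mar 12 2012 10:21:44 FW-NAME : %ASA-6-302014: Teardown TCP connection 32912100 for outside:203.0.113.5/3440 to inside:10.0.0.20/21 duration 0:00:04 bytes 512 TCP FINs
Mar 12 2012 10:23:46 FW-NAME : %ASA-6-302013: Built inbound TCP connection 32912183 for outside:203.0.113.5/3452 (203.0.113.5/3452) to inside:10.0.0.20/20 (192.0.2.20/20)
Mar 12 2012 10:25:50 FW-NAME : %ASA-6-302014: Teardown TCP connection 32912190 for outside:203.0.113.5/3460 to inside:10.0.0.20/20 duration 0:00:01 bytes 2048 TCP FINs
"""

# "Mon DD YYYY HH:MM:SS <hostname> : " prefix written by the ASA with logging timestamp enabled.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : ")
# %ASA-6-302013: Built {inbound|outbound} TCP connection <id> for <if:real/port> (<mapped/port>) to <if:real/port> (<mapped/port>)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for <src> to <dst> duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<cid>\d+) for (?P<src>\S+) "
    r"to (?P<dst>\S+) duration (?P<dur>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if it is not an ASA line."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S") if m else None


def correlate(log_text):
    """Pair 302013 (Built) with 302014 (Teardown) messages by connection ID.

    Returns a dict with:
      paired          - list of (cid, src, dst, teardown_reason) seen both ways
      unmatched_built - {cid: {src, dst, built_at, open_for_s}} with no Teardown yet;
                        open_for_s is measured against the last timestamp in the log
      orphan_teardown - list of cids torn down without a preceding Built in the log
    """
    open_conns = {}
    paired = []
    orphan = []
    last_ts = None
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue  # skip anything that is not an ASA syslog line
        last_ts = ts
        m = BUILT_RE.search(line)
        if m:
            open_conns[m.group("cid")] = {"src": m.group("src"), "dst": m.group("dst"), "built_at": ts}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = m.group("cid")
            if cid in open_conns:
                open_conns.pop(cid)
                paired.append((cid, m.group("src"), m.group("dst"), m.group("reason") or ""))
            else:
                orphan.append(cid)  # Teardown arrived but its Built never did
    for info in open_conns.values():
        info["open_for_s"] = int((last_ts - info["built_at"]).total_seconds()) if last_ts else 0
    return {"paired": paired, "unmatched_built": open_conns, "orphan_teardown": orphan}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for cid, info in result["unmatched_built"].items():
        print(f"no Teardown for conn {cid} {info['src']} -> {info['dst']}, "
              f"built {info['built_at']:%H:%M:%S}, open for at least {info['open_for_s']}s")
    for cid in result["orphan_teardown"]:
        print(f"Teardown without Built for conn {cid} (Built message lost?)")
    print(f"{len(result['paired'])} connections paired cleanly")
```

Run it against the syslog server's file for the window the customer reports, then compare the connection IDs it lists under "no Teardown" with `show conn` on the ASA at the same moment: if the ID is not in `show conn`, the ASA did tear it down and the 302014 was lost on the way to the server, which, together with a lost Built as in the PS, points at UDP syslog loss rather than at `inspect ftp`. One caveat before switching to TCP syslog: by default the ASA stops permitting new connections when a TCP syslog server becomes unreachable, unless `logging permit-hostdown` is configured.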