Cisco Support Community
New Member

Passive FTP through 2 FWSM contexts via VRF instance

Hi,

I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)

CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER

At the moment we can make the control connection but when we issue commands the connection times out.

Looking at the logs we can see the initial connection made to the server on port 21 from the client; this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/inspection. Then on the second context we see the connection being denied by the incoming ACL on the second context's interface connected to the VRF instance.

The rules are identical on the contexts and have been made by copying and pasting the rule using CSM; we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.

We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12, which are the connections we are seeing in the logs trying to do Passive FTP.

Is this a problem with the contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug)?

Any help gratefully received as it is doing my nut in.

Mel

1 REPLY
Cisco Employee

Passive FTP through 2 FWSM contexts via VRF instance

Hi Mel,

Are the interfaces between CONTEXT_1 and CONTEXT_2 on the same VLAN? If so, this could be related to:

CSCtw82050 - FWSM: FTP inspection breaks data channel sourced from another context

Assuming you're not using NAT for the FTP client or server, you could permit all TCP traffic between the client and the server through the ACLs and disable FTP inspection to work around the above bug.

-Mike
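To make concrete why an ACL built from the 'FTP-Group' object (tcp 20 and 21 only) denies the passive data channel as soon as FTP inspection fails to open its pinhole, here is an added Python model; it is not code from the thread or from Cisco, and the PASV reply, addresses and ACL entries are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the server's 227 reply to PASV on the control channel (tcp/21).
# FTP inspection parses exactly this reply to learn the data-channel port.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # p1*256 + p2 per RFC 959
    return ip, port

@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: str           # "any" or a source IP
    dst: str           # "any" or a destination IP
    dports: frozenset  # permitted destination ports; None means any port

def acl_lookup(acl, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action
    return "deny"

# Constructed ACL mirroring the thread's FTP-Group rule: client -> server, tcp 20 & 21.
CLIENT, SERVER = "198.51.100.5", "192.0.2.10"
FTP_GROUP_ACL = [Ace("permit", CLIENT, SERVER, frozenset({20, 21}))]

def passive_data_channel_allowed(acl, client, pasv_reply, inspection_on):
    """Model one context: with a working inspection engine a pinhole for the
    announced (ip, port) is added ahead of the ACL; without it only the static
    ACL decides, which is the situation seen on the second context."""
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        return False
    server_ip, data_port = parsed
    if inspection_on:
        acl = [Ace("permit", client, server_ip, frozenset({data_port}))] + list(acl)
    return acl_lookup(acl, client, server_ip, data_port) == "permit"
```

Running the model with inspection on for the first context and off for the second reproduces the thread's symptom: the control connection to port 21 passes both, while the high-port data connection passes only where the pinhole exists.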
