Slow SSH FTP (SFTP) transfer issue

ALIAOF_
Level 6

We are having an issue with SFTP slow transfers, here is the network setup

Laptop --> ASA --> CSS --> Server

Laptop = Inside Interface

Server = Security Level 50

Default gateway for the servers is the CSS. When we try just FTP it is very fast. When I put the laptop on the same network as the servers, SFTP is fast. But when I plug in my laptop the way I explained above, SFTP is very, very slow.

We did another test:

Laptop --> CSS --> Server

Now in this scenario, where the servers are no longer behind the firewall, SFTP is also fast. It doesn't make sense why it is so slow when there is a firewall in the picture, because it's not FTP and it shouldn't require any inspect statements or any other configuration. Any ideas will be greatly appreciated.

9 Replies

david.tran
Level 4

Just want to make sure we're talking about the same thing. SFTP uses the SSH transport mechanism. It uses TCP port 22.

FTPs is completely something else. 

Are you using SFTP (similar to SCP), which uses TCP port 22, or something else? If you're using SFTP, try to transfer again using scp and see if it makes any difference. The firewall does not know anything about this connection because it is an "encrypted" connection between your laptop and the server.

That is correct, I'm doing SFTP that uses SSH port 22, not FTPS either. Using SCP doesn't make any difference either.

I have tried multiple clients too.

Ok. My setup is the same as yours with the following exceptions:

- I have a pair of Pix firewalls instead of ASA running version 8.0(4),

- Instead of CSS, I have F5 BigIP as the Load-balancer,

Both FTP and SFTP go across the firewall without any issues. On the 100M interface, I am getting about 95 Mbps with both FTP and SFTP. Of course, with SFTP, my server takes some CPU hits because of SSH encryption.

Hmm, yeah, that is pretty much what we have, other than the F5s. Also, the client is on a different network than the server and the default gateway for the servers is the CSS. Clients come in through the inside interface of the firewall and the servers are behind a NATed interface.

So the interface IP is 10.1.1.1 and servers are behind that interface as 10.1.2.xx.

Are you running any rate-limiting or QoS on the ASA? What is the output of "show service-policy"?

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 36305306, drop 3956, reset-drop 0
      Inspect: ftp, packet 203668, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 327, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 1, drop 1, reset-drop 0
      Inspect: rsh, packet 461, drop 0, reset-drop 0
      Inspect: rtsp, packet 331, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 193239, drop 0, reset-drop 0
      Inspect: sqlnet, packet 3651, drop 0, reset-drop 0
      Inspect: skinny , packet 328, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 294629, drop 678, reset-drop 1039
               tcp-proxy: bytes in buffer 0, bytes dropped 1348
      Inspect: xdmcp, packet 4363, drop 3720, reset-drop 0
      Inspect: sip , packet 696, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 164768, drop 0, reset-drop 0
      Inspect: tftp, packet 1759067, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 
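As an added example (not code from the thread or from Cisco), a small Python parser for the "show service-policy" output above that attaches the tcp-proxy counters to their Inspect entry and lists which inspect engines are actually dropping packets, worst drop rate first. The sample input is a trimmed copy of the counters posted in this thread; SFTP on TCP 22 has no inspect engine of its own, so this is only a quick way to check whether any inspection is dropping traffic before moving on to captures.

```python
import re

# Sample input: lines copied from the "show service-policy" output posted in
# this thread, trimmed to a few Inspect entries.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 36305306, drop 3956, reset-drop 0
      Inspect: ftp, packet 203668, drop 0, reset-drop 0
      Inspect: sunrpc, packet 294629, drop 678, reset-drop 1039
               tcp-proxy: bytes in buffer 0, bytes dropped 1348
      Inspect: xdmcp, packet 4363, drop 3720, reset-drop 0
"""

# "Inspect:" line: engine name (optionally followed by a policy-map name), then
# packet/drop/reset-drop counters; reset-drop is optional because the output
# quoted in the thread is cut off on its last line.
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<proto>[^,]+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s*(?P<reset>\d*)"
)
# Indented "tcp-proxy:" line that belongs to the preceding Inspect entry.
PROXY_RE = re.compile(r"^\s*tcp-proxy:.*bytes dropped\s+(?P<dropped>\d+)")

def parse_service_policy(text):
    """Return one dict per Inspect entry, with tcp-proxy drops attached if present."""
    entries = []
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            entries.append({"inspect": m["proto"], "packet": int(m["packet"]),
                            "drop": int(m["drop"]), "reset_drop": int(m["reset"] or 0),
                            "proxy_dropped": None})
            continue
        p = PROXY_RE.match(line)
        if p and entries:
            entries[-1]["proxy_dropped"] = int(p["dropped"])
    return entries

def drop_rate(entry):
    """Fraction of inspected packets the engine dropped (drop + reset-drop)."""
    if entry["packet"] == 0:
        return 0.0
    return (entry["drop"] + entry["reset_drop"]) / entry["packet"]

def dropping_inspections(entries):
    """Names of inspect engines with any drops, highest drop rate first."""
    hits = [e for e in entries if drop_rate(e) > 0]
    return [e["inspect"] for e in sorted(hits, key=drop_rate, reverse=True)]
```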

Hello Mohammand,

I am the engineer working on the case you have. The configuration looks good, the interfaces do not have any errors, and the inspection policies are great. The next thing to troubleshoot, to determine if this is indeed the ASA, will be to connect a PC to one of the ASA's interfaces (directly connected) and then try to use SFTP.

We could also do captures on the ASA on both interfaces inside and outside to determine what is going on!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Patrick0711
Level 3

How are you connecting the laptop to the CSS?  Is it on the same network as the back end servers or is it on the front side network in front of the CSS?  Is the traffic destined to a VIP or is it destined to a back end server behind the CSS?

What do 'show perfmon' and 'show resource usage' show on the ASA during the transfer through the firewall? Are you sure your links aren't saturated?

We have tried connecting it to the same switch where the back end servers are connected and it works fine. We also bypassed the firewall and it works fine. It's only when the CSS is in between and we try to do the transfer to the physical IP of the server that it is slow.
