
two active ftp session not working for ASA5510

madhusudhan s
Level 1

Hi All,

I'm facing an issue with two active FTP sessions from outside to inside; the server is placed inside the firewall. A single FTP session is working fine with the same config on the f/w.

Here are the logs which were captured during the issue:

%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1353 to Outside:61.246.x.x/40548
%ASA-6-302013: Built outbound TCP connection 24753052 for Outside:169.254.x.x/1131 (169.254.92.140/1131) to Inside:10.240.8.147/1353 (61.246.223.2/40548)
%ASA-7-710005: TCP request discarded from 98.250.x.x/28973 to Outside:61.246.x.x/29122
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4201 to Outside:61.246.x.x/37684 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.166/4416 to Outside:61.246.223.2/35035
%ASA-6-302013: Built outbound TCP connection 24753053 for Outside:169.254.206.12/1131 (169.254.206.x/1131) to Inside:10.240.8.166/4416 (61.246.223.2/35035)

Please suggest on the above.

Thanks for the help in advance.

----------------

Madhu


Maykol Rojas
Cisco Employee

Hi Madhu,

Thanks for posting. You mean that you connect an FTP client, and when you connect the second one it doesn't work, is that correct? Do you use the same FTP client to connect?

In the logs I cannot see any teardown of the connection, only translations, and I am not sure if that is one of the clients you are hooking up.

Please let us know some more details about this and we will be glad to help.

Cheers

Mike


Hi Mike,

Yes, that's correct. I'm using the same client to connect to both FTP, configured in the same way, but one is working and the later one is not working.

I have taken these logs while I'm trying to connect from a dialup connection to the FTP server which is inside my f/w.

Ping is working from the outside dialup connection to the FTP server. Both FTP servers are configured on different machines.

logs ------

========

%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4197 to Outside:61.246.x.x/58052 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.32/4159 to Outside:61.246.x.x/49433
%ASA-6-302013: Built outbound TCP connection 24753042 for Outside:74.125.x.x/80 (74.125..x.x/80) to Inside:10.240.8.32/4159 (61.246.x.x/49433)
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.19/2651 to Outside:61.246.x.x/14308 duration 0:01:30
%ASA-6-30bound TCP connection 24753050 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.166/4415 (61.246.x.x/17687)
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1352 to Outside:61.246.x.x/38937
%ASA-6-302013: Built outbound TCP connection 24753051 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.147/1352 (61.246.x.x/38937)
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1353 to Outside:61.246.x.x/40548
%ASA-6-302013: Built outbound TCP connection 24753052 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.147/1353 (61.246.x.x/40548)
%ASA-7-710005: TCP request discarded from 98.250.113.x/28973 to Outside:61.246.x.x/29122
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4201 to Outside:61.246.x.x/37684 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.166/4416 to Outside:61.246.x.x/35035
%ASA-6-302013: Built outbound TCP connection 24753053 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.166/4416 (61.246.x.x/35035)
CiscoASA#

=============

Thanks for your reply.

Madhu

Hello,

I think the best thing that you can do at this point is to take a Wireshark on the server and check when the clients try to connect and see how far they get. As far as the firewall is concerned, it does not seem to be dropping the connection (based on these logs) by an inspection or any configured rule.

Also you can set a capture on the ASA firewall with type asp to check if any packets regarding that connection are being dropped.

capture asp type asp-drop all

show cap | inc

Let me know if this helps

Mike


lcuevas1
Level 1

To capture, bring up the first FTP client session, then try to telnet from outside to port 21 on that server at the same time from the same machine; repeat after that from some other machine. I recommend you check the dynamic NAT table too.
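
A small triage script for the ASA syslog lines posted earlier in this thread, added here as an example and not code from any participant. It counts message IDs and checks whether any 302013 connection is inbound or touches TCP port 21; the function name `triage` and the `ftp_port` parameter are assumptions made for the example, and the sample lines are copied from the thread's logs.

```python
import re
from collections import Counter

# Lines copied from the logs posted in this thread (addresses masked as posted).
SAMPLE = [
    "%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4197 to Outside:61.246.x.x/58052 duration 0:01:00",
    "%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.32/4159 to Outside:61.246.x.x/49433",
    "%ASA-6-302013: Built outbound TCP connection 24753042 for Outside:74.125.x.x/80 (74.125..x.x/80) to Inside:10.240.8.32/4159 (61.246.x.x/49433)",
    "%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1353 to Outside:61.246.x.x/40548",
    "%ASA-6-302013: Built outbound TCP connection 24753052 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.147/1353 (61.246.x.x/40548)",
    "%ASA-7-710005: TCP request discarded from 98.250.113.x/28973 to Outside:61.246.x.x/29122",
]

MSG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# 302013: Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
CONN = re.compile(r"Built (inbound|outbound) TCP connection (\d+) for "
                  r"(\w+):(\S+)/(\d+) \(\S+\) to (\w+):(\S+)/(\d+)")
# 710005: request addressed to the ASA itself, discarded because nothing listens there
DISCARD = re.compile(r"TCP request discarded from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")

def triage(lines, ftp_port=21):
    """Count message IDs and pull out the entries relevant to an inbound FTP session."""
    counts, conns, discards = Counter(), [], []
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # skip prompts, separators and truncated lines
        msg_id, body = m.group(2), m.group(3)
        counts[msg_id] += 1
        if msg_id == "302013" and (c := CONN.match(body)):
            conns.append({"direction": c.group(1), "id": c.group(2),
                          "for": (c.group(3), c.group(4), int(c.group(5))),
                          "to": (c.group(6), c.group(7), int(c.group(8)))})
        elif msg_id == "710005" and (d := DISCARD.match(body)):
            discards.append({"src": (d.group(1), int(d.group(2))),
                             "dst": (d.group(3), d.group(4), int(d.group(5)))})
    return {
        "counts": dict(counts),
        "inbound": [c for c in conns if c["direction"] == "inbound"],
        "ftp_control": [c for c in conns if ftp_port in (c["for"][2], c["to"][2])],
        "discards": discards,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the sample lines both `inbound` and `ftp_control` come back empty: every 302013 entry is an outbound connection from an inside host, so the failing FTP attempt itself does not appear in the excerpt.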
