Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Bug in Pix OS 7.0 for ip inspect and ftp?

When upgrading from Pix OS 6.3.x to Pix 0S 7.x, Cisco says that the old fixup commands are translated into the new inspect and policy commands.

So if I had a line as:

fixup ftp

this is translated in something like:

class map inspection_default

match default-inspection_traffic

policy-map global_policy

class inspection_default

inspect ftp

!

service-policy global_policy global

(see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1201896)

When I installed our new Pix with OS 7.0.4, I noted that the new protocol inspection seems not to work correctly for ftp.

When an internet user connects in passive mode to our internal ftp server and starts to upload a large file, two connections are opened: one to port 21 of the internal server and one to port 20 of the same server. During file transfer I can see that the byte count for connection to port 20 is increasing while byte count for connection to port 21 is not increasing and the idle time is growing. I believe this is a mistake and maybe a bug in Pix OS; in fact a user transferring a very large file can be disconnected during upload because of connection timeout on port 21. I could verify that it actually happens after 1 hour, the default global timeout for all tcp connections.

I tried downgrading PIX to OS 6.3.5 using "fixup protocol ftp" and so the ftp connections work without expiring the time out: the idle time count for connection on port 21 does not increase and stay to 0 during until the transfer completes.

It seems that there's no way to submit a bug to Cisco without a Smartnet contract and we haven't associated our contracts to our profile, so now I can only post what I discovered on this forum, hoping that someone could verify it and someone at Cisco could submit it to the right people.

If anyone wants to contact me for further information or suggestions I'll be glad to read answers to this post.

2 REPLIES
New Member

Re: Bug in Pix OS 7.0 for ip inspect and ftp?

I have the exact same problem. Since we have been running 7.0.4, users that try to FTP large files get disconnected quite frequently. I have a base 7.0.4 config that lets in FTP via an outside ACL.

It also seems to affect the users that have the longest route trip time to and from our FTP server.

Has anyone else experienced this?

thanks,

Damon

New Member

Re: Bug in Pix OS 7.0 for ip inspect and ftp?

Just to inform all forum readers that I opened a TAC case and a Cisco Technician is working to re-produce the issue in a lab environment.

128
Views
0
Helpful
2
Replies
CreatePlease to create content