Bug in Pix OS 7.0 for ip inspect and ftp?

oxys (Level 1)

When upgrading from Pix OS 6.3.x to Pix OS 7.x, Cisco says that the old fixup commands are translated into the new inspect and policy commands.

So if I had a line as:

fixup protocol ftp 21

this is translated in something like:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global

(see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1201896)

When I installed our new Pix with OS 7.0.4, I noted that the new protocol inspection seems not to work correctly for ftp.

When an internet user connects in passive mode to our internal ftp server and starts to upload a large file, two connections are opened: one to port 21 of the internal server and one to port 20 of the same server. During file transfer I can see that the byte count for connection to port 20 is increasing while byte count for connection to port 21 is not increasing and the idle time is growing. I believe this is a mistake and maybe a bug in Pix OS; in fact a user transferring a very large file can be disconnected during upload because of connection timeout on port 21. I could verify that it actually happens after 1 hour, the default global timeout for all tcp connections.

I tried downgrading the PIX to OS 6.3.5 using "fixup protocol ftp", and with that the ftp connections work without hitting the timeout: the idle time count for the connection on port 21 does not increase and stays at 0 until the transfer completes.

It seems that there's no way to submit a bug to Cisco without a Smartnet contract and we haven't associated our contracts to our profile, so now I can only post what I discovered on this forum, hoping that someone could verify it and someone at Cisco could submit it to the right people.

If anyone wants to contact me for further information or suggestions I'll be glad to read answers to this post.
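The symptom described in the post can be spotted from "show conn" output before the 1-hour global timeout expires the control session. The script below is an added example, not from the original thread or from Cisco: it parses a constructed "show conn" listing (the line format is assumed from PIX 7.x, not quoted from the thread) and flags port-21 control connections whose idle timer is approaching the global tcp timeout while a data connection between the same client and server is still moving bytes.

```python
import re
from collections import defaultdict

# Constructed sample in the style of PIX 7.x "show conn" output (format assumed,
# not copied from the thread): control connection to port 21 idle for 55 minutes
# while the data connection to port 20 on the same server is still busy.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.7:41022 in 192.168.10.5:21 idle 0:55:12 bytes 1482 flags UIO
TCP out 203.0.113.7:41023 in 192.168.10.5:20 idle 0:00:01 bytes 734003200 flags UIO
TCP out 203.0.113.9:50110 in 192.168.10.5:21 idle 0:00:03 bytes 912 flags UIO
TCP out 198.51.100.4:3301 in 192.168.10.8:80 idle 0:00:20 bytes 5120 flags UIO
"""

CONN_RE = re.compile(
    r"TCP out (?P<oaddr>[\d.]+):(?P<oport>\d+) in (?P<iaddr>[\d.]+):(?P<iport>\d+)"
    r" idle (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20
GLOBAL_TCP_TIMEOUT = 3600   # PIX default "timeout conn 1:00:00", as the post says

def parse_conns(text):
    """Return one dict per TCP conn line; the idle timer is converted to seconds."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["idle"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
        d["bytes"] = int(d["bytes"])
        d["iport"] = int(d["iport"])
        conns.append(d)
    return conns

def ftp_control_at_risk(text, warn_fraction=0.75):
    """Return (client, server, idle_seconds) for each FTP control connection whose
    idle timer has passed warn_fraction of the global timeout while a data
    connection between the same client and server is still active (idle < 60 s)."""
    by_pair = defaultdict(list)
    for c in parse_conns(text):
        by_pair[(c["oaddr"], c["iaddr"])].append(c)
    flagged = []
    for (client, server), group in by_pair.items():
        data_active = any(c["iport"] == FTP_DATA_PORT and c["idle"] < 60 for c in group)
        for c in group:
            if (c["iport"] == FTP_CONTROL_PORT and data_active
                    and c["idle"] >= warn_fraction * GLOBAL_TCP_TIMEOUT):
                flagged.append((client, server, c["idle"]))
    return flagged
```

Feeding it a real "show conn" capture taken during a long upload shows whether the control session's idle timer is climbing toward the global timeout while the data session is still active, which is the condition the post describes.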

2 Replies

lovedam (Level 1)

I have the exact same problem. Since we have been running 7.0.4, users that try to FTP large files get disconnected quite frequently. I have a base 7.0.4 config that lets in FTP via an outside ACL.

It also seems to affect the users that have the longest round trip time to and from our FTP server.

Has anyone else experienced this?

thanks,

Damon

oxys (Level 1)

Just to inform all forum readers that I opened a TAC case and a Cisco technician is working to reproduce the issue in a lab environment.
