Cisco Support Community

New Member

ftp-identd to remote host dropped

We have an unusual situation where the return authentication requests (identd) from an ftp connection to a remote host are being reset (TCP Reset-I). At first glance it appears to be either a possible routing problem or the PIX is dropping the identd requests (see debug info below). Are there any additional commands necessary to allow for this type of ftp connection? What would 'No route to src from dst' indicate? A routing problem on a remote router?

I've already tried the obvious, allowing all IP from the remote FTP host; however, that and a clear xlate didn't appear to resolve the issue.

Anyone else encounter this before?

Monitor Debug:

302001: Built outbound TCP connection 138 for faddr 201.101.101.152/21 gaddr 66.45.85.132/4315 laddr 192.168.20.38/4315

106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"

106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"

106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"

302001: Built outbound TCP connection 179 for faddr 201.101.101.152/21 gaddr 66.45.85.132/4349 laddr 192.168.20.38/4349

302001: Built inbound TCP connection 180 for faddr 201.101.101.152/2073 gaddr 66.45.85.132/113 laddr 192.168.20.38/113

302002: Teardown TCP connection 180 faddr 201.101.101.152/2073 gaddr 66.45.85.132/113 laddr 192.168.20.38/113 duration 0:00:00 bytes 0 (TCP Reset-I)

Syslog debug

2003-04-04 15:56:08 Local0.Info 192.168.20.126 Apr 04 2003 16:54:14: %PIX-6-302001: Built outbound TCP connection 21378 for faddr 201.101.101.152/21 gaddr 66.45.85.132/7334 laddr 192.168.20.136/1217

2003-04-04 15:56:08 Local0.Info 192.168.20.126 Apr 04 2003 16:54:14: %PIX-6-110001: No route to 66.45.85.132 from 201.101.101.152

3 REPLIES
Silver

Re: ftp-identd to remote host dropped

This seems to be more of a routing problem.

The "deny" log messages for port 113 indicate that you have enabled the "service resetinbound" feature, but I don't think that has any effect on a well-set-up FTP server.

Can you post the routing table (show route)?

New Member

Re: ftp-identd to remote host dropped

Actually I don't have service resetinbound set. What is the difference between service resetinbound and service resetoutside?

The route table is the following:

.

Outside 0.0.0.0 0.0.0.0 [IP of access router] 1 OTHER STATIC

Outside [Net IP of Global Addr] 255.255.255.192 [IP of PIX Outside Int] 1 CONNECT STATIC

dmz 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT STATIC

Inside 192.168.20.0 255.255.255.0 192.168.0.126 1 CONNECT STATIC

New Member

Re: ftp-identd to remote host dropped

I added the service resetinbound command, and that seemed to do the trick. It turns out, the destination ftp site is a wu-ftpd site, and they have identd enabled.

Thanks
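
Added example, not part of the original thread: a small Python script that correlates the PIX messages quoted in the first post, pairing each outbound FTP control connection (port 21) with the ident callbacks to TCP 113 from the same server and reporting whether they were denied by the access group or built and then torn down. The function name and result layout are assumptions made for illustration; the log lines are copied from the thread.

```python
import re
from collections import defaultdict

# Log lines copied from the "Monitor Debug" output in the first post of this thread.
SAMPLE_LOG = """\
302001: Built outbound TCP connection 138 for faddr 201.101.101.152/21 gaddr 66.45.85.132/4315 laddr 192.168.20.38/4315
106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"
106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"
106023: Deny tcp src outside:201.101.101.152/2057 dst inside:66.45.85.132/113 by access-group "101"
302001: Built outbound TCP connection 179 for faddr 201.101.101.152/21 gaddr 66.45.85.132/4349 laddr 192.168.20.38/4349
302001: Built inbound TCP connection 180 for faddr 201.101.101.152/2073 gaddr 66.45.85.132/113 laddr 192.168.20.38/113
302002: Teardown TCP connection 180 faddr 201.101.101.152/2073 gaddr 66.45.85.132/113 laddr 192.168.20.38/113 duration 0:00:00 bytes 0 (TCP Reset-I)
"""

BUILT_OUT = re.compile(r"302001: Built outbound TCP connection \d+ for faddr ([\d.]+)/21 gaddr ([\d.]+)/\d+")
DENY = re.compile(r"106023: Deny tcp src outside:([\d.]+)/\d+ dst inside:([\d.]+)/113 ")
BUILT_IN = re.compile(r"302001: Built inbound TCP connection (\d+) for faddr ([\d.]+)/\d+ gaddr ([\d.]+)/113 ")
TEARDOWN = re.compile(r"302002: Teardown TCP connection (\d+) .*\((.+)\)\s*$")

def ident_callbacks(log_text):
    """Hypothetical helper: per (ftp_server, global_addr), how callbacks to port 113 fared."""
    ftp_pairs = set()   # (server, global addr) pairs with an outbound FTP control session
    inbound = {}        # PIX connection id -> pair, for inbound port-113 connections
    stats = defaultdict(lambda: {"denied": 0, "built": 0, "teardown": []})
    for line in log_text.splitlines():
        if m := BUILT_OUT.search(line):
            ftp_pairs.add(m.groups())
        elif m := DENY.search(line):
            # Count only denies that come from a server we opened FTP to.
            if m.groups() in ftp_pairs:
                stats[m.groups()]["denied"] += 1
        elif m := BUILT_IN.search(line):
            conn, server, gaddr = m.groups()
            if (server, gaddr) in ftp_pairs:
                inbound[conn] = (server, gaddr)
                stats[(server, gaddr)]["built"] += 1
        elif m := TEARDOWN.search(line):
            conn, reason = m.groups()
            if conn in inbound:
                stats[inbound[conn]]["teardown"].append(reason)
    return dict(stats)

if __name__ == "__main__":
    for pair, result in ident_callbacks(SAMPLE_LOG).items():
        print(pair, result)
```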
