Cisco Support Community
Community Member

FTP Timeouts

I have a vendor whose application uses ftp to communicate to/from a workstation on our network. The process is started on our workstation as a scheduled job. Looking at the log, a connection is being made (authenticated), but during the transfer of a test file, it's timing out. Naturally, they're saying that it's our problem (firewall). Correct me if I'm wrong, but isn't all traffic allowed out by default unless otherwise changed? Suggestions?


Re: FTP Timeouts

I have a feeling you are running into an issue where your PIX is running out of out-of-order packet buffers. To test if this is the issue, do a show asp drop. If the "TCP Out-of-Order packet buffer full" line is rapidly growing, you have run out of out-of-order packet buffers (which is likely causing the problem). If you are running an ASA, you can resolve this issue, but not if you are using a PIX. Cisco has yet to decide when they will extend the fix to PIXes. Basically the "fix" just increases the number of buffers for out-of-order packets on ASAs. Let me know if you have an ASA and I will send you the commands to make the change.

Please rate if this helps.
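
As an added example (not from the original thread), the check suggested above can be scripted: take two samples of `show asp drop` output a known number of seconds apart and flag the drop reasons whose counters are growing fastest, rather than eyeballing the line. The sample output below is constructed to resemble the real counter-line format ("description (reason-name)   count"); the counter names, values and the interval are invented, and the 10-per-second threshold is an arbitrary starting point. Note that `show asp drop` belongs to the 7.x software path; PIX 6.3, which the original poster turns out to be running, does not have it.

```python
import re

# One counter line of `show asp drop`: indented description, "(reason-name)", count.
DROP_LINE = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$"
)

# Constructed sample: first snapshot (not real device output).
SAMPLE_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       1231
  First TCP packet not SYN (tcp-not-syn)                               87
  TCP Out-of-Order packet buffer full (tcp-buffer-full)              4410
  TCP failed 3 way handshake (tcp-3whs-failed)                         12

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                     3
"""

# Constructed sample: second snapshot, assumed to be taken 10 seconds later.
SAMPLE_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       1240
  First TCP packet not SYN (tcp-not-syn)                               88
  TCP Out-of-Order packet buffer full (tcp-buffer-full)              6910
  TCP failed 3 way handshake (tcp-3whs-failed)                         12

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                     3
"""


def parse_asp_drop(text):
    """Map reason-name -> (description, count) for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("name")] = (m.group("desc"), int(m.group("count")))
    return counters


def drop_rates(before, after, interval_s):
    """Per-second growth of each counter between two snapshots.

    If a counter is lower in the second snapshot, the counters were cleared
    in between (`clear asp drop`), so the second value alone is the delta.
    """
    rates = {}
    for name, (desc, new) in after.items():
        old = before.get(name, (desc, 0))[1]
        delta = new - old if new >= old else new
        rates[name] = (desc, delta / interval_s)
    return rates


def fast_growers(rates, threshold):
    """Reasons growing at or above `threshold` drops/second, fastest first."""
    hits = [(name, desc, r) for name, (desc, r) in rates.items() if r >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def diagnose(sample_before, sample_after, interval_s, threshold=10.0):
    """Full pipeline: parse both snapshots and return the fast-growing reasons."""
    before = parse_asp_drop(sample_before)
    after = parse_asp_drop(sample_after)
    return fast_growers(drop_rates(before, after, interval_s), threshold)


if __name__ == "__main__":
    for name, desc, rate in diagnose(SAMPLE_T0, SAMPLE_T1, interval_s=10):
        print(f"{rate:8.1f}/s  {desc} ({name})")
```

In the constructed samples only `tcp-buffer-full` crosses the threshold (2500 drops in 10 seconds), which is the pattern the reply above describes; `acl-drop` also moves, but slowly enough to be background noise. Feed the two snapshots in from real captures of the command output and pick the interval to match how far apart they were taken.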



Community Member

Re: FTP Timeouts

You mentioned firewall but I am not sure which Cisco product or software level. My suggestions will be general.

Does your server initiate both the control and data connection? Does your firewall have ftp fixup or inspect enabled? Having ftp fixup or inspect enabled assists the firewall in knowing how to handle the ftp communication. FTP can start on port 21 and switch to port 20. Fixup/inspect understands and can handle this change automatically. Make sure their side also can handle any port changes.

If you are using PIX/ASA 6.2, 6.3 or 7.x code you can capture the data communication. I would set your access-list to permit ip and a second access-list to permit ip . This will allow you to see the data packets arriving and leaving your firewall. Make sure you test both interfaces (inside and outside). If you see a data packet leave your firewall but their server not respond then: something blocked the traffic before it got to their server, their server didn't handle the data/respond, or their server's response was blocked before getting back to you.

You may also want to test your ftp communications manually. See if you can log in, see directory and file structure, get and put small files versus large files. Remembering that I am not sure how you are connected, the problem might be with MTU. A small file (text doc with a couple characters) might pass but the large batch file fails.

Lastly, or really first, make sure you have your systems and theirs logging at the highest level (debug for Cisco).

Hope some of this helps. Make sure you understand all command suggestions before issuing any on a production environment.

Community Member

Re: FTP Timeouts

Thanks for both responses.

Didn't realize I didn't offer any more info than I did....we're running a PIX 515E, with 6.3(5) as the software version. We do have ftp fixup enabled, but not familiar with the inspect. I will read through this again (and the accompanying link) and post back the results. I should note that this is taking place at a remote location and here at the host, I've been able to successfully ftp files. One of my first thoughts was that the issue was maybe a bandwidth problem...packets getting dropped...not sure.

Community Member

Re: FTP Timeouts

I'm getting ready to give this a shot and have a question. I've noticed before that when using access lists, an interface can only accept one access list at a time. Given that I'm running PIX 515E with 6.3(5) software version, is that true? I ask because this is what I've determined the configuration should be:

conf t
access-list outside permit tcp host eq ftp
static (inside,outside) tcp ftp ftp netmask 0 0
capture sungard access-list outside packet-length 68 interface inside

I have the access list named 'outside' which coincides with our current access list. This also means that ALL traffic that comes in through the access list will be captured, which filters can take care of.

Any thoughts on any of this?
