Cisco Support Community

New Member

Intermittent active FTP through ASA 5500 7.2(2)

I am experiencing intermittent FTP through an ASA 5500 running 7.2(2). Has anyone seen this issue or heard of it? No changes are being made to the firewall access-list during this time. Counters on the ACLs only go up occasionally when FTP is working on both 20 data and 21 control ports.

9 REPLIES
New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Did you ever find out an answer? I am experiencing similar problems.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Hi Guys,

How did you get on with this?

I'm not sure if our problem is similar. Basically we have a client who has some scripts running on an internal machine which downloads updates from an external site via ftp. Since upgrading from the PIX to ASA (using various versions of software, currently on 7.2(2)), the ftp via command prompt hangs, whereas ftp via a browser works okay.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

TAC was not able to determine the problem, but we found a workaround. Basically, we had to shut off protocol inspection for the AS400 FTP sessions and then permit it for everyone else.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Yep, we did that and it worked. We have also upgraded the s/w due to another bug.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Would you mind posting the portion of your config regarding bypassing the specific traffic, the policy map, and service policy? I spoke too soon when I said it was fixed. Thanks.

My issue is that even though I specifically say that only one subnet should get inspected via class-map and ACL, it appears that everything is still being inspected.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Hi Guys,

Our next plan of attack is to try the following:

http://www.ciscotaccc.com/security/showcase?case=K35419735

We'll let you know how it goes.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Wow,

We have the exact problem (upgrade to ASA from PIX), but the ftp connection is made; it's only when the user does a list (ls) on the remote system that their session gets terminated (RST-O).

We have another egress point still using a PIX so we tried the same thing and it works fine.

The big difference with ours is we have an SSM and our policy map directs all traffic to it, so I originally thought it was the IPS module, but now by what I'm reading, it's the ASA.

I'm going to open a TAC case on this as it seems to be rampant so they should get it fixed.

Bob

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Did this work?

We're having this issue, too, and I haven't been able to solve it.

New Member

Re: Intermittent active FTP through ASA 5500 7.2(2)

Hi,

I just saw on another thread in this forum the same issue that was blamed on the Microsoft CLI Ftp client not really going into passive mode when you set it. It still uses active.

I tested with a "real" ftp client and FTP works properly every time.

I hope this helps...
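
Added example, not part of the thread or any poster's code: a small Python check that reads FTP control-channel lines from a capture and reports whether the client actually negotiated active mode (PORT/EPRT) or passive mode (227 reply), which is the distinction the last reply raises. The "C:"/"S:" line prefixes, the sample addresses and the function names are assumptions made for this example; the sample session is constructed.

```python
import re

# Constructed sample of FTP control-channel lines (client "C:" / server "S:"),
# e.g. as transcribed from a packet capture taken on the inside interface.
SAMPLE_SESSION = """\
C: USER updates
S: 331 Password required
C: PASS ****
S: 230 Logged in
C: PORT 10,1,1,25,19,137
S: 200 PORT command successful
C: NLST
S: 150 Opening ASCII mode data connection
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$", re.I)
PASV_REPLY_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_channels(session):
    """Return (mode, ip, port) for each data channel negotiated in the session."""
    found = []
    for raw in session.splitlines():
        side, _, line = raw.partition(": ")
        line = line.strip()
        if side == "C" and (m := PORT_RE.match(line)):
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            # Active mode: the server connects back to this client address.
            found.append(("active", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        elif side == "C" and (m := EPRT_RE.match(line)):
            # Extended active mode (RFC 2428): address and port are given in clear.
            found.append(("active", m.group(2), int(m.group(3))))
        elif side == "S" and (m := PASV_REPLY_RE.match(line)):
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            # Passive mode: the client connects out to this server address.
            found.append(("passive", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return found


def uses_active_mode(session):
    """True if any data channel in the session was negotiated with PORT/EPRT."""
    return any(mode == "active" for mode, _, _ in data_channels(session))


if __name__ == "__main__":
    for mode, ip, port in data_channels(SAMPLE_SESSION):
        print(f"{mode:7s} data channel -> {ip}:{port}")
```

An "active" result means the data connection is opened by the server toward the client, so it depends on the firewall's handling of the PORT command; EPSV (229) replies are not covered by this example.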
