Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
1
Replies

Router FW IOS - Failing Active FTP

wilsons5
Level 1
Level 1

‎02-16-2006 05:05 AM - edited ‎03-09-2019 01:57 PM

Has anyone experienced issues of failing active FTP when running IP inspect on a router with FW IOS. The issue I m experiencing is that all passive ftp sessions work with the ip inspect ftp command, but active fails. The router actually sends the client a Fin to end the connection.

I also have another router that successfully allows active FTP, but it has a higher latency between the router and FTP server.

I am running IOS 12.2(15)T17 with the FW/IDS feature set.

wilsons5

Labels:
0 Helpful
1 Reply 1

b.hsu
Level 5
Level 5

‎02-22-2006 06:59 AM

I suspect that this is because when the data traffic is initiated from the outside the necessary session is not created for the traffic to go through the router. We could see that the dynamic access-list was there of only a brief moment and then it disappeared, which is the correct behavior if the session was never established.

With the passive FTP both the data and control session is initiated from inside the router and that makes it easier for the firewall to create and maintain the sessions as well as opening the ACL.

There are two things that we could try and both are to see if we can possibly help the sessions to be created for the inbound connections.

1. Have the ip inspect going both in and out on the outside interface.

2. Configure ip inspect for TCP.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents