
Router FW IOS - Failing Active FTP

Has anyone experienced issues of failing active FTP when running IP inspect on a router with FW IOS? The issue I'm experiencing is that all passive FTP sessions work with the ip inspect ftp command, but active fails. The router actually sends the client a FIN to end the connection.

I also have another router that successfully allows active FTP, but it has a higher latency between the router and FTP server.

I am running IOS 12.2(15)T17 with the FW/IDS feature set.



Re: Router FW IOS - Failing Active FTP

I suspect that this is because when the data traffic is initiated from the outside, the necessary session is not created for the traffic to go through the router. We could see that the dynamic access-list was there for only a brief moment and then it disappeared, which is the correct behavior if the session was never established.

With passive FTP, both the data and control sessions are initiated from inside the router, and that makes it easier for the firewall to create and maintain the sessions as well as opening the ACL.

There are two things that we could try and both are to see if we can possibly help the sessions to be created for the inbound connections.

1. Have the ip inspect going both in and out on the outside interface.

2. Configure ip inspect for TCP.
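
The two suggestions above, written out as an IOS configuration fragment. This is an added example, not part of the original reply or the poster's configuration; the rule name FWOUT, the interface Serial0/0 and ACL 101 are assumptions.

```cisco
! Added example. FWOUT, Serial0/0 and ACL 101 are assumed names.
!
! Existing FTP inspection from the original post
ip inspect name FWOUT ftp
! Suggestion 2: add generic TCP inspection to the same rule
ip inspect name FWOUT tcp
!
! Constructed inbound ACL on the outside interface. Inspection adds
! temporary entries to it for sessions it is tracking.
access-list 101 deny ip any any
!
interface Serial0/0
 description outside (assumed)
 ip access-group 101 in
! Suggestion 1: apply the inspection rule in both directions
 ip inspect FWOUT in
 ip inspect FWOUT out
!
! While reproducing an active FTP transfer, check whether the data
! session and its temporary ACL entry stay up:
!   show ip inspect sessions
!   show ip access-lists 101
```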