https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416879#M29460 <HTML><HEAD></HEAD><BODY><P>It sounds like you probably didn't configure FTP INSPECT rule for this VIP.</P><P></P><P><A href="http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/appinsp.html#wp1310518">http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/appinsp.html#wp1310518</A></P><P></P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1">The ACE performs the FTP command inspection process as follows:<SPAN style="color: black; font-style: normal; font-weight: bold;"> </SPAN></P><A name="wp1245951"></A><P class="pBu1_Bullet1">•<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands.</P><P class="pBu1_Bullet1"></P><P class="pBu1_Bullet1">Thanks</P><P class="pBu1_Bullet1">Eric Rose</P><P></P></BODY></HTML> Fri, 18 Dec 2009 18:57:30 GMT Eric Rose 2009-12-18T18:57:30Z https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416878#M29459 <P>I've setup FTP as show in the configuration examples.&nbsp; Passive FTP works fine but for some reason active FTP breaks.</P><P><BR />The client reported that he can authenticate to the FTP server with no problem.&nbsp; However when he issues a FTP command such as LIST the connection just hangs.&nbsp; Eventually he has to abort the connection.&nbsp; 10.24.32.75 is my source NAT address.</P><P></P><P>PORT 10,24,32,75,239,165</P><P>200 PORT command successful.</P><P>LIST</P><P>150 Opening ASCII mode data connection for /bin/ls.</P><P>425 Can't open data connection.</P><P></P><P>When I look at the sniff trace between the NAT and server I see the ftp server initiate the ftp-data connection on port 20.&nbsp; But then the ACE receives it and sends a reset back to the ftp server.</P><P></P><P>Anyone know of commands that can be executed that can show details as to why the connection gets reset by the ACE?</P><P></P><P>I have a TAC case opened but still waiting for an engineer to respond.&nbsp; Just thought I'd post to see if anyone else has experienced this.</P> Fri, 18 Dec 2009 17:17:50 GMT https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416878#M29459 JeramyKoval 2009-12-18T17:17:50Z https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416879#M29460 <HTML><HEAD></HEAD><BODY><P>It sounds like you probably didn't configure FTP INSPECT rule for this VIP.</P><P></P><P><A href="http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/appinsp.html#wp1310518">http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/appinsp.html#wp1310518</A></P><P></P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1">The ACE performs the FTP command inspection process as follows:<SPAN style="color: black; font-style: normal; font-weight: bold;"> </SPAN></P><A name="wp1245951"></A><P class="pBu1_Bullet1">•<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands.</P><P class="pBu1_Bullet1"></P><P class="pBu1_Bullet1">Thanks</P><P class="pBu1_Bullet1">Eric Rose</P><P></P></BODY></HTML> Fri, 18 Dec 2009 18:57:30 GMT https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416879#M29460 Eric Rose 2009-12-18T18:57:30Z https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416880#M29461 <HTML><HEAD></HEAD><BODY><P>I triple checked that part of our configuration and made sure the inspect-ftp command was configured.<SPAN style="background-color: #f8fafd;">&nbsp; </SPAN></P></BODY></HTML> Fri, 18 Dec 2009 19:58:58 GMT https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416880#M29461 JeramyKoval 2009-12-18T19:58:58Z https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416881#M29462 <HTML><HEAD></HEAD><BODY><P>We'll need to see your config and the sniffer trace.</P><P></P><P>G.</P></BODY></HTML> Mon, 21 Dec 2009 19:42:38 GMT https://community.cisco.com/t5/application-networking/active-ftp-failing-on-ace-module/m-p/1416881#M29462 Gilles Dufour 2009-12-21T19:42:38Z