topic Re: Unable to FTP image to ASA 5515-X in Network Security

Unable to FTP image to ASA 5515-X

johnlloyd_13 — Fri, 21 Feb 2020 15:33:31 GMT

hi,

i'm trying to FTP an image to a 5515-x but getting error 'no more process'

per google, 'no more processes' is just saying 'file/directory not found'. but file is already on the linux server. the linux server is the only accessible remote server and i've used the same server for transfering license .lic files.

i tried playing around with the path file name but still getting the same error. can someone advise what can be wrong?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtb65688/?rfs=iqvred

5515-x# copy ftp://johnl:PW@10.1.1.14/home/johnl/asa917-20-smp-k8.bin disk0:

Accessing ftp://johnl:PW@10.1.1.14/asa917-20-smp-k8.bin...
%Error reading ftp://johnl:PW@10.1.1.14/asa917-20-smp-k8.bin (No more processes)

5515-x# ping tcp 10.1.1.14 21
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.1.1.14 port 21
from 10.23.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/26/31 ms

[johnl@ ~]$ ls -lh
total 37M
-rw-------. 1 johnl johnl 37M Mar 24 22:24 asa917-20-smp-k8.bin

^C[johnl@~]$ ping 10.23.24.2 <<< ASA MGMT IP
PING 10.23.24.2 (10.23.24.2) 56(84) bytes of data.
64 bytes from 10.23.24.2: icmp_seq=1 ttl=251 time=24.3 ms

Re: Unable to FTP image to ASA 5515-X

Mohammed al Baqari — Sun, 25 Mar 2018 05:35:39 GMT

Is FTP running on linux? From ASA try to ping tcp on FTP port and see if
its working

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Sun, 25 Mar 2018 09:34:05 GMT

hi,

i posted an ASA ping tcp 21 on my last post.

here's the linux output. does it normal FTP?

sorry i'm a linux noob.

[johnl@~]$ service vsftpd status
vsftpd (pid 1592) is running...

[johnl@ ~]$ rpm -qa | grep ftp
ftp-0.17-54.el6.x86_64
vsftpd-2.2.2-13.el6_6.1.x86_64

[johnl@~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)

Re: Unable to FTP image to ASA 5515-X

Mohammed al Baqari — Sun, 25 Mar 2018 10:16:39 GMT

Yes seems it needs SFTP only. If its not listening locally it can't be ASA
problem

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Sun, 25 Mar 2018 11:21:27 GMT

hi,

what do u mean by SFTP only? does SFTP only runs on linux server per output given?

i'm not the admin of the said server. please advise what needs to be done in order for normal FTP to work.

Re: Unable to FTP image to ASA 5515-X

Mohammed al Baqari — Sun, 25 Mar 2018 12:26:39 GMT

-##You need to install ftp app

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Sun, 25 Mar 2018 12:50:34 GMT

hi,

but FTP is working. which output are you looking?

[johnl@svr01 ~]$ ftp svr01
Connected to svr01 (10.1.1.14).
220 (vsFTPd 2.2.2)
Name (svr01:john): john
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,111,0,14,90,196).
150 Here comes the directory listing.
-rw------- 1 558 558 1155 Mar 25 05:15 FGL1.lic
-rw------- 1 558 558 38338560 Mar 25 03:24 asa917-20-smp-k8.bin
226 Directory send OK.

Re: Unable to FTP image to ASA 5515-X

Marvin Rhoads — Sun, 25 Mar 2018 13:32:03 GMT

What version of ASA software do you currently have? I ask because there was a change in the file structure as of 9.1(3). That change prevents you from successfully copying the new image (.bin file) - whether it is via sfp, scp, tftp, https (ASDM) or whatever method.

In order to upgrade from an older version to 9.1(3) or later (such as the 9.1(7) you are trying) you must first upgrade to an interim version as noted in the 9.1 release notes:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Sun, 25 Mar 2018 13:45:09 GMT

hi marvin,

thanks for jumping in! i'm beginning to suspect a bug code here.

the 5515-x A/S pair currently runs on 9.1(7)4.

i plan to upgrade the FW pair o 9.1.7.20 to patch the recent SSL VPN vulnerability (CVE-2018-0101).

does this mean i can only upgrade via USB method since FTP is not properly working due to the '(No more processes)'

which specific bug did i run per the link you gave?

Re: Unable to FTP image to ASA 5515-X

Marvin Rhoads — Sun, 25 Mar 2018 14:03:41 GMT

@johnlloyd_13,

It's not a bug so much as it is a documented behavior. However since you are running 9.1(7)4 already it shouldn't affect you.

Can you try copying any other file onto the ASA via ftp - like some random small text file just to verify ftp is working at all? That will rule out any intermediate device that is possibly breaking the ftp data channel. (The login and ls is ftp control channel.)

If the small file ftp works ok then maybe it is a bug that's not public-facing. I'd try perhaps one of the recommended code releases like the latest interim of 9.4, 9.6 or 9.8. Or if you really really want the latest 9.1.(7) interim then open a TAC case. (Though they may tell you to go with the recommended release as well.)

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Mon, 26 Mar 2018 02:13:02 GMT

hi marvin,

i tried with a small txt file (11KB) but still getting the same FTP response/error.

i raised a TAC case to see what they could find.

i might ask a remote tech to plug a USB stick as last resort.

Re: Unable to FTP image to ASA 5515-X

Marvin Rhoads — Mon, 26 Mar 2018 08:30:18 GMT

It's just an educated guess but it sounds like something between your ftp server and the device is running an Application Layer Gateway (ALG = Juniper term as I have seen this issue on both ScreenOS and JunOS-based Juniper firewalls) that's preventing successful ftp data channel communications.

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Mon, 26 Mar 2018 08:35:49 GMT

hi marvin,

just finished troubleshooting with TAC today and observe the same thing when we did some packet captures. notice it only uses dynamic port and FTP port 21. this is passive FTP correct?

183: 22:19:45.681162       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: S 3620565586:3620565586(0) win 32768 <mss 1460,nop,nop,timestamp 4138936578 0> 
184: 22:19:45.705316       802.1Q vlan#1235 P0 10.1.1.4.35630 > 10.23.24.2.22: . ack 437914409 win 65535 
185: 22:19:45.706277       802.1Q vlan#1235 P0 10.1.1.4.35630 > 10.23.24.2.22: . ack 437914461 win 65535 
186: 22:19:45.706292       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: S 1557221194:1557221194(0) ack 3620565587 win 14480 <mss 1380,nop,nop,timestamp 4181033265 4138936578> 
187: 22:19:45.706308       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: . ack 1557221195 win 32768 <nop,nop,timestamp 4138936603 4181033265> 
188: 22:19:45.735283       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: P 1557221195:1557221215(20) ack 3620565587 win 14480 <nop,nop,timestamp 4181033293 4138936603> 
189: 22:19:45.735313       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: . ack 1557221215 win 32768 <nop,nop,timestamp 4138936632 4181033293> 
190: 22:19:45.735405       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: P 3620565587:3620565599(12) ack 1557221215 win 32768 <nop,nop,timestamp 4138936633 0> 
191: 22:19:45.760321       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: . ack 3620565599 win 14480 <nop,nop,timestamp 41810333

i only noticed our linux server is using ACTIVE FTP (passive mode off) after tshooting was already done. could this be the culprit? do you know if linux server can be tweaked to support PASSIVE FTP?

[john@~]$ ftp
ftp> passive
Passive mode off.

Re: Unable to FTP image to ASA 5515-X

Marvin Rhoads — Mon, 26 Mar 2018 13:18:45 GMT

It could be, I'm not sure about that.

Can you just try an FTP server like filezilla (free) on your laptop? Or are you limited to using a Linux jump server for the remote environment?

Re: Unable to FTP image to ASA 5515-X

johnlloyd_13 — Mon, 26 Mar 2018 22:01:31 GMT

unfortunately i'm only limited to this linux server.