https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281943#M1077812 <P>Easiest way to tell if the firewall is affecting the traffic is to look at the packet captures of the INSIDE and OUTSIDE interfaces, attempt your connection to the external SFTP server, then look at the captures. If you see packets missing in either direction, then you know something is being filtered by the firewall. Easiest way to kick this off is using the ASDM packet capture wizard but you could do it via command line as well. I personally have not had issues passing SCP, SFTP, or SSH through my ASA but your mileage may vary. Please let us know what you find or if you need any further help.</P> Fri, 29 Jan 2021 05:34:01 GMT TJ-20933766 2021-01-29T05:34:01Z https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281708#M1077787 <P>Hello,</P><P>&nbsp;</P><P>We're having a problem accessing an outside SFTP server and suspect the problem has to do with the ASA. The connection is unexpectedly dropped.</P><P>&nbsp;</P><P>I seem to remember a while back having similar issues, but can not remember the solution.</P><P>&nbsp;</P><P>Is there any special configuration that needs to be implemented to allow clients to access outside SFTP servers from inside the network?</P><P>&nbsp;</P><P>Thanks</P> Thu, 28 Jan 2021 20:45:48 GMT https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281708#M1077787 Chris Mickle 2021-01-28T20:45:48Z https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281804#M1077791 <P>We would need more information, for example: is the connection dropped after a period of idle time? if yes, how long was the idle time before the connection dropped?</P> <P>by default the ASA will drop idle connections after 1 hour of idle time.&nbsp; If this is happening to you then you can set the value to 0 which will leave the connection open indefinitely.</P> <P>for example:</P> <P>access-list sftp-timeout extended permit tcp 10.10.10.0 255.255.255.0 host 193.212.212.212 eq 22</P> <P>class-map sftp-timeout</P> <P>&nbsp;match access-list sftp-timeout</P> <P>policy-map global_policy</P> <P>&nbsp;class sftp-timeout</P> <P>&nbsp; &nbsp;set connection timeout idle 0</P> Thu, 28 Jan 2021 23:03:55 GMT https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281804#M1077791 Marius Gunnerud 2021-01-28T23:03:55Z https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281826#M1077792 The connection fails almost immediately. I can see it connect initially then it fails with unexpected error. I seem to remember something about the ASA not being able to inspect the data traffic because the connection is over SSH, but I’ve been unable to figure out how to make it work.<BR /> Thu, 28 Jan 2021 23:50:20 GMT https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281826#M1077792 Chris Mickle 2021-01-28T23:50:20Z https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281943#M1077812 <P>Easiest way to tell if the firewall is affecting the traffic is to look at the packet captures of the INSIDE and OUTSIDE interfaces, attempt your connection to the external SFTP server, then look at the captures. If you see packets missing in either direction, then you know something is being filtered by the firewall. Easiest way to kick this off is using the ASDM packet capture wizard but you could do it via command line as well. I personally have not had issues passing SCP, SFTP, or SSH through my ASA but your mileage may vary. Please let us know what you find or if you need any further help.</P> Fri, 29 Jan 2021 05:34:01 GMT https://community.cisco.com/t5/network-security/sftp-server-access-problem-through-asa/m-p/4281943#M1077812 TJ-20933766 2021-01-29T05:34:01Z