https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604502#M197610 <P>The problem isn't going to be be a layer 1-4 issue since you establish the connection, but it drops sporadically. I would run a network capture on the firewall to see if the host is sending a reset. If that doesn't prove useful, I would run a capture on the nfs host and see if it's doing something strange like port hopping.</P><P>You will likely find your answer in the capture on the nfs host since you aren't likely hitting the conn timeouts in your config. SCP&nbsp;has no RFC, so &nbsp;the protocol implementations may vary depending on the library being used between devices.</P><P>I have run into issues with SCP between hosts that were caused by library bugs between hosts, so you may have ran into something similar.&nbsp;</P><P>Good luck!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 27 Jan 2015 19:24:32 GMT united001 2015-01-27T19:24:32Z https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604499#M197607 <P>Good day all,</P><P>We are experiencing challenges related to <SPAN style="color: black; font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;; font-size: 11pt; mso-fareast-font-family: &quot;Times New Roman&quot;; mso-ansi-language: EN-ZA; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">SCP copy between the servers. I have reviewed the configurations applied on our Firewalls and I'm not able to detect any abnormalties on the configuration applied.</SPAN></P><P><SPAN style="color: black; font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;; font-size: 11pt; mso-fareast-font-family: &quot;Times New Roman&quot;; mso-ansi-language: EN-ZA; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">I'm not sure if increasing the MTU size will make a difference. I have attached the output setting for our rules currently applied.</SPAN></P><P><SPAN style="color: black; font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;; font-size: 11pt; mso-fareast-font-family: &quot;Times New Roman&quot;; mso-ansi-language: EN-ZA; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">#######################################################################################################</SPAN></P><P>mtu OUTSIDE 1500<BR />mtu INSIDE 1500<BR />mtu Monitor-Port-Channel-104 1500<BR />monitor-interface OUTSIDE<BR />monitor-interface INSIDE<BR />monitor-interface Monitor-Port-Channel-104<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />route OUTSIDE 0.0.0.0 0.0.0.0 10.15.2.129 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />aaa authentication ssh console LOCAL<BR />aaa authentication enable console LOCAL<BR />http server enable<BR />http 0.0.0.0 0.0.0.0 OUTSIDE<BR />no snmp-server location<BR />no snmp-server contact<BR />telnet timeout 5<BR />ssh 0.0.0.0 0.0.0.0 OUTSIDE<BR />ssh timeout 30<BR />no threat-detection statistics tcp-intercept<BR />username admin password 76QP4zi7MB2mshOI encrypted<BR />!<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect ip-options<BR />&nbsp; inspect netbios<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect skinny&nbsp;<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect tftp<BR />&nbsp; inspect sip&nbsp;<BR />&nbsp; inspect xdmcp<BR />!<BR />service-policy global_policy global</P><P>####################################################################################################################</P><P>&nbsp;</P><P>Any assistance will be grately appreciated.</P> Tue, 12 Mar 2019 05:23:44 GMT https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604499#M197607 ashvaldo 2019-03-12T05:23:44Z https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604500#M197608 <P>Do you have basic connectivity between the servers (ie. ping between the servers)? Just remember to disable windows firewall or any other locally installed firewall when testing with ping.</P><P>Have you run a packet tracer to see if the SCP packet is allowed through the firewall? &nbsp;By default SCP uses port TCP 22.</P><P><STRONG>packet-tracer input &lt;ingress interface&gt; tcp &lt;source IP&gt; 12345 &lt;destination IP&gt; 22 detailed</STRONG></P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Mon, 26 Jan 2015 09:43:29 GMT https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604500#M197608 Marius Gunnerud 2015-01-26T09:43:29Z https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604501#M197609 <P>Good day Marius,</P><P>&nbsp;</P><P>The host are able to ping and connect to each other vai telnet. The concern is when we try to do the SCP connection when it fails. The host are IBM p570 and the connectivity problem exist when performing and NFS mount. The connection is established and after a short while the connection is lost resulting in the ORACLE Database hanging.</P><P>The only device between the host are the CISCO ASA Firewalls and TIPPINGPOINT. We have checked&nbsp;both ASA and TIPPINGPOINT devices and the result remain unchanged.</P><P>Thanks so much the feedback received thus far.</P> Mon, 26 Jan 2015 12:29:31 GMT https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604501#M197609 ashvaldo 2015-01-26T12:29:31Z https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604502#M197610 <P>The problem isn't going to be be a layer 1-4 issue since you establish the connection, but it drops sporadically. I would run a network capture on the firewall to see if the host is sending a reset. If that doesn't prove useful, I would run a capture on the nfs host and see if it's doing something strange like port hopping.</P><P>You will likely find your answer in the capture on the nfs host since you aren't likely hitting the conn timeouts in your config. SCP&nbsp;has no RFC, so &nbsp;the protocol implementations may vary depending on the library being used between devices.</P><P>I have run into issues with SCP between hosts that were caused by library bugs between hosts, so you may have ran into something similar.&nbsp;</P><P>Good luck!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 27 Jan 2015 19:24:32 GMT https://community.cisco.com/t5/network-security/asa-firewall-blocking-scp-copy-between-the-servers/m-p/2604502#M197610 united001 2015-01-27T19:24:32Z