topic Re: ASA 8.4(1) ftp passive problem with NAT in Network Security

ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Mon, 11 Mar 2019 20:00:57 GMT

Hi !

We have 2 ASA 5580 with a cluster active/standby configuration

We have updated to version 8.4.(1) since version 8.3(1) but since then it is impossible to establish the FTP connection in passive mode with NAT.

Before this update, all was OK.

Here our configuration :

class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect http
inspect icmp
inspect icmp error
inspect sunrpc
inspect tftp
inspect pptp
inspect rtsp
inspect ftp
!
service-policy global-policy global

Do you know if it's a bug or you can fixed this problem ?

Thank you very much for your help.

Regards,

Re: ASA 8.4(1) ftp passive problem with NAT

PAUL GILBERT ARIAS — Fri, 04 Mar 2011 19:49:22 GMT

Have you checked your syslogs or checked the show service-policy for drops?

Re: ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Fri, 04 Mar 2011 23:24:10 GMT

Thanks for your response.

We have no errors in syslog messages and "show service-policy" display :

Inspect: ftp, packet 650742, lock fail 0, drop 0, reset-drop 8

Re: ASA 8.4(1) ftp passive problem with NAT

PAUL GILBERT ARIAS — Fri, 04 Mar 2011 23:35:03 GMT

ok, there are some drop-resets on your service-policy that could be the cause. Is it possible for you to test the FTP connection and check the logs and the service-policy to see if the number increases?

Re: ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Sat, 05 Mar 2011 12:39:17 GMT

Inspect: ftp, packet 771540, lock fail 0, drop 0, reset-drop 8

The reset-drop does not increase.

Why inspection work without NAT?

We are the only ones with this behavior (version 8.4.1)?

If you have any ideas, thank you for your help!

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Sat, 05 Mar 2011 17:03:00 GMT

Hi,

Would you please answer the following questions? I know this is suppose to work on this version as well, but I want to analyze some data:

Where is the server located?

Were is the client located?

What are the security levels for the interfaces?

Can you get the logs when the connection doesnt work?

Would you please get a packet capture with all TCP between the client and the server?

Cheers

Mike.

Re: ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Sat, 05 Mar 2011 23:06:05 GMT

Hello Mike,

Thank you for the interest.

Here our answer :

Where is the server located?

The server is behind our ASA 5580 connected on an Vlan interface.

Were is the client located?

The client comes from Internet.

What are the security levels for the interfaces?

All our interaces are in security level 100.

Can you get the logs when the connection doesnt work?

We have no log when the connection doesnt work.

Would you please get a packet capture with all TCP between the client and the server?

sh capture ftp

48 packets captured

   1: 00:00:19.577011 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: S 2847225137:2847225137(0) win 5840
   2: 00:00:19.577225 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: S 1447625788:1447625788(0) ack 2847225138 win 5792
   3: 00:00:19.605635 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625789 win 92
   4: 00:00:19.607527 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625789:1447625799(10) ack 2847225138 win 46
   5: 00:00:19.637860 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625799 win 92
   6: 00:00:26.124779 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225138:2847225154(16) ack 1447625799 win 92
   7: 00:00:26.125039 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: . ack 2847225154 win 46
   8: 00:00:26.125054 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625799:1447625833(34) ack 2847225154 win 46
   9: 00:00:26.152518 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625833 win 92
10: 00:00:29.892226 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225154:2847225170(16) ack 1447625833 win 92
11: 00:00:29.914823 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625833:1447625856(23) ack 2847225170 win 46
12: 00:00:29.941601 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625856 win 92
13: 00:00:29.943173 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225170:2847225176(6) ack 1447625856 win 92
14: 00:00:29.943447 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625856:1447625875(19) ack 2847225176 win 46
15: 00:00:30.011428 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625875 win 92
16: 00:00:32.052746 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225176:2847225182(6) ack 1447625875 win 92
17: 00:00:32.053097 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
18: 00:00:32.082500 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92
22: 00:00:32.111505 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
23: 00:00:32.287186 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
24: 00:00:32.314757 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
25: 00:00:32.340695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
26: 00:00:32.755072 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
27: 00:00:32.781865 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
28: 00:00:32.803287 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
29: 00:00:32.803806 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
30: 00:00:32.803867 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: . 1457888674:1457889998(1324) ack 2327685572 win 46
31: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: P 1457889998:1457890049(51) ack 2327685572 win 46
32: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: F 1457890049:1457890049(0) ack 2327685572 win 46
33: 00:00:32.842241 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457889998 win 137
34: 00:00:32.842973 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890049 win 137
35: 00:00:32.882019 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890050 win 137
36: 00:00:32.882232 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625960:1447625984(24) ack 2847225188 win 46
37: 00:00:33.038007 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
38: 00:00:33.508793 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
39: 00:00:33.729484 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
40: 00:00:34.448508 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
41: 00:00:35.581695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
42: 00:00:36.327955 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
43: 00:00:39.281632 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
44: 00:00:40.087809 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
45: 00:00:46.688517 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
46: 00:00:47.607512 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
47: 00:01:01.505497 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
48: 00:01:02.647030 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46

Our customers are impacted by this problem and all worked well before the update.

Thank you so much for you help.

Best regards,

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Sat, 05 Mar 2011 23:14:11 GMT

Hi,

Would it be possible for you to get the capture on a pcap format? I want to take a look at the payload of the packets, from what I can see, there is a secondary connection being opened

19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92

Makes me thing that this can be the data channel but not sure. In order to download them do the following:

Enable HTTP server on the interface where the management station is

HTTP server enable

Enable access via HTTP to that host

HTTP x.x.x.x y.y.y.y.y inside

And then put the following url

https:///capture//pcap

Also, if you can please take a capture of ASP drop just to make sure that the ASA is not dropping anything:

capture asp type asp-drop all

If you can get the logs using ASDM or a syslog server that would be great.

Mike.

Re: ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Sun, 06 Mar 2011 20:09:55 GMT

Hi Mike,

Thank you, in attachment you find the pcap file.

Thanks for your answer.

Best regards,

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Sun, 06 Mar 2011 20:35:23 GMT

Hello,

Based on the captures it seems that the server is sending again the "Entering to passive mode message" which is causing the retransmissions. However, I can see the data channel being opened. If you try to do the command list or try to pull a file, does it work?

Let me know.

Mike

Re: ASA 8.4(1) ftp passive problem with NAT

gdelavenne — Sun, 06 Mar 2011 21:59:56 GMT

Mike,

We observed many log :

<163>%ASA-3-210005: LU allocate connection failed

Can there be a relationship between the log and our FTP connection problem?

Thanks

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Sun, 06 Mar 2011 22:13:22 GMT

Hello,

Not really, since the connection is estsblished with no problems. we may need to do in deep troubleshooting on this case. Clearly we are missing packets on the connection, however, I am unsure if the data channel worked fine. I can see that when you did the listing of the directory it completely. So my big question is, what is it that is not working? Is it polling a file?

If it is so, please take a captures on the server, inside and outside of the firewall and get them on pcap format.

By any change, do you have a CSC module attached to this firewall?

Let me know.

Mike Rojas

Re: ASA 8.4(1) ftp passive problem with NAT

ryan.palamara — Mon, 20 Jun 2011 20:30:23 GMT

I know that this has been dead for a while, but I have similar problems with passive FTP and 8.4.1 for the ASA. Since upgrading to this version, passive FTP drops consantly from some servers. I have identified that it is an issue with IPS on the firewall. With my issue, the firewall is creating out of order packets. Cisco TAC has been working on it for weeks and has no idea.

I know that a new version of the ASA software just came out today, and I am planning on upgrading it tonight. I have had nothing but issues with the 8.4.1 version. Garbage if you ask me.

I have had the following issues:

1. FTP dropping issues

2. IPSEC L2L VPN tunnel drops. packets get dropped at random. , although a small percent. TAC has not been able to track down the problem.

3. A lot of asp drops. TAC as of yet unable to determine why.

All of these issues are not major by themselves, but after people started reporting issues within a few days, I reviewed my log server and found that the problems maifested themselves the second that I switched over to 8.0.3. My config has been verified 3 seperate times by TAC and has no issues.

I was about to downgrade to a previous version before 8.4.2 was released today. I will see if that corrects the issues.

Re: ASA 8.4(1) ftp passive problem with NAT

Kureli Sankar — Mon, 20 Jun 2011 23:20:21 GMT

Pls. provide case numbers if you have them. Unless TAC pointed out documented defects that were resolved in 8.4.2, the probelms that you are seeing in 8.4.1 might still be there in 8.4.2.

-KS

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Tue, 21 Jun 2011 03:42:58 GMT

Thanks a lot Kureli, you are right. Maybe more eyes could help to determine what the problem is, upgrading may not be the desire path cuz the issue may remain. Maybe taking a look at the documentation on the case will help us to check and see what the root cause can be.

Mike

Re: ASA 8.4(1) ftp passive problem with NAT

ryan.palamara — Tue, 21 Jun 2011 14:00:12 GMT

yes, the issue was not corrected by the software upgrade.

The ticket open on this is 618020667.

ASA 8.4(1) ftp passive problem with NAT

dporod — Tue, 21 Jun 2011 14:49:24 GMT

We also seem to be running into this problem with a 5585x 8.4.1 with IPS. One server works and the other does not. The non-working servers is NATed to an internal number, the working server is not.

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Tue, 21 Jun 2011 16:11:44 GMT

Dprod,

Please verify if you are not hitting the following defect CSCto09465. Ryan, I checked on the case and the captures were taken only on port 21. I have asked this question before, what is it that does not work? What happens when you try to pull a file?

Mike

Re: ASA 8.4(1) ftp passive problem with NAT

dporod — Tue, 21 Jun 2011 16:26:04 GMT

Hi, we are running into CSCto09465 also, my understanding is that CSCto09465 applies to active ftp. We also seem to have issues with passive ftp.

Re: ASA 8.4(1) ftp passive problem with NAT

Maykol Rojas — Tue, 21 Jun 2011 16:54:39 GMT

Hi,

Ok, can you take captures and paste them here as pcap format? I want you to take the captures with IP instead of just the control channel of FTP.

******* Capture configuration ******

{Enable GUI interface:}

http 0 0 inside

http server enable

{For outside interface:}

access-list capture1 permit ip host host

{For inside interface:}

access-list capture2 permit ip host host

capture tcpin access-list capture1 interface outside

capture tcpout access-list capture2 interface inside

****** To download the files then… *****

Open the browser

https:///capture/tcpin/pcap

https:///capture/tcpout/pcap

Note:

Username: blank = no name

Password: {enable password}

********* To delete them *********

clear access-list capture1

clear access-list capture2

no capture tcpin

no capture tcpout

********** End *********

Let me know.

Mike