topic Re: ftp through ASA stuck @ Opening data connection in Network Security

ftp through ASA stuck @ Opening data connection

born.jason — Mon, 11 Mar 2019 19:33:20 GMT

hi,

i have a problem with an ASA and connect from outside to an inside ftp server. The connection stuck at Opening data connection....

[R] 227 Entering Passive Mode (<external ip>,198,49).
[R] Opening data connection IP: <external ip> PORT: 50737
[R] QUIT
[R] 221 Have a nice day.
[R] Logged off: <external ip>

I have configured an ACL for FTP and FTP-DATA and activate inspect rule.

Any suggestions?

Thanks and regards

Jason

Re: ftp through ASA stuck @ Opening data connection

manish arora — Mon, 10 Jan 2011 22:30:17 GMT

Can you please post sh service policy inspect ftp ?

Also, are you using Port Forwarding NAT for your ftp server ?

Manish

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Tue, 11 Jan 2011 00:40:42 GMT

Make sure to have "inspect ftp" under the "sh run policy-map" output. If not pls. add it and try again.

conf t

policy-map global_policy

class inspection_default

inspect ftp

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Tue, 11 Jan 2011 12:47:51 GMT

Hi,

i`m not using port forwarding nat for this server. Here are the config for this:

ciscoasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
inspect icmp error
inspect ftp
class decrement-ttl-class
set connection decrement-ttl
!

and here the NAT Rule and ACL:

nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns description ftp1

access-list global_access extended permit tcp any object obj-172.16.6.10 object-group vlan106-Services-ftp1

and in the service group vlan106-Services-ftp1 is the following:

object-group service vlan106-Services-ftp1 tcp
port-object eq ftp
port-object eq ftp-data

Is there a misconfig?

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Tue, 11 Jan 2011 13:07:14 GMT

nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns

The above line is all you need.

Now can you try to remove it as add it like this?

conf t

no nat (vlan106,outside) source static obj-172.16.6.10 obj-external_ip dns

nat (vlan106,outside) 1 source static obj-172.16.6.10 obj-external_ip dns

Everything else looks good. Pls. check the logs and see what that says during the problem.

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.6.10

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Tue, 11 Jan 2011 15:09:52 GMT

hmmm same situation.

It stops at opening data connection and after 1-2 minutes the connection is established but with no folder content. And if i try to connect from the ftp server to another ftp server (it doesn`t matter what ftp, the same with any ftp server) i have the same situation and cannot established a connection... password und user ok bt no folder content...

any suggestion or do you need more information?

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Tue, 11 Jan 2011 15:12:53 GMT

need to see the logs per my previous posting.

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Tue, 11 Jan 2011 15:34:54 GMT

here is the asdm log, look at the bold....

6|Jan 11 2011|16:28:16|302013||60516|172.16.6.10|21|Built inbound TCP connection 28718781 for outside:/60516 (/60516) to Vlan106:172.16.6.10/21 (/21)

6|Jan 11 2011|16:27:57|302014||35091|172.16.6.10|56532|Teardown TCP connection 28718723 for outside:/35091 to Vlan106:172.16.6.10/56532 duration 0:00:21 bytes 0 Parent flow is closed

6|Jan 11 2011|16:27:57|302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside:/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection

4|Jan 11 2011|16:27:57|507003||44914|172.16.6.10|21|tcp flow from outside:/44914 to Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.

4|Jan 11 2011|16:27:57|406002|||||FTP port command different address: (192.168.5.10) to 172.16.6.10 on interface outside

6|Jan 11 2011|16:27:53|106015|172.16.6.10|21||28746|Deny TCP (no connection) from 172.16.6.10/21 to /28746 flags FIN PSH ACK on interface Vlan106

6|Jan 11 2011|16:27:53|106015|172.16.6.10|21||28746|Deny TCP (no connection) from 172.16.6.10/21 to /28746 flags PSH ACK on interface Vlan106

6|Jan 11 2011|16:27:45|302014||23620|172.16.6.10|56530|Teardown TCP connection 28718706 for outside:/23620 to Vlan106:172.16.6.10/56530 duration 0:00:30 bytes 0 SYN Timeout

6|Jan 11 2011|16:27:36|302013||35091|172.16.6.10|56532|Built inbound TCP connection 28718723 for outside:/35091 (/35091) to Vlan106:172.16.6.10/56532 (/56532)

6|Jan 11 2011|16:27:15|302013||23620|172.16.6.10|56530|Built inbound TCP connection 28718706 for outside:/23620 (/23620) to Vlan106:172.16.6.10/56530 (/56530)

6|Jan 11 2011|16:27:13|302013||44914|172.16.6.10|21|Built inbound TCP connection 28718703 for outside:/44914 (/44914) to Vlan106:172.16.6.10/21 (/21)

This is what i see in the ftp client. I t trys 2 times with passive mode and changed then to port mode (active mode?):

[R] 227 Entering Passive Mode (,220,210).
[R] Opening data connection IP: PORT: 56530
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV
[R] 227 Entering Passive Mode (,220,212).
[R] Opening data connection IP: PORT: 56532
[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV mode failed, trying PORT mode.
[R] Listening on PORT: 49734, Waiting for connection.
[R] PORT 192,168,5,10,194,70
[R] Connection lost:
[R] List Error

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Tue, 11 Jan 2011 15:54:02 GMT

302014||44914|172.16.6.10|21|Teardown TCP connection 28718703 for outside:
ip>/44914 to Vlan106:172.16.6.10/21 duration 0:00:43 bytes 507 Flow closed by inspection*

507003||44914|172.16.6.10|21|tcp flow from outside:/44914 to 
Vlan106:172.16.6.10/21 terminated by inspection engine, reason - inspector drop reset.*

406002|||||FTP port command different address: (192.168.5.10) to 172.16.6.10 on interface 
outside*

Well it clearly says that inspection closed this flow.

I would download filezila client and server and test with that. http://filezilla-project.org/
active ftp - client sends the port command and sever sources from port 20 to this port.
passive ftp - server sends the port command the the client opens a new connection to it.

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Tue, 11 Jan 2011 16:06:16 GMT

hmmm but i`ve tested different ftp servers from the inside all the same..... hmmm hmmm

do you mean i should setup a new ftp server inside, nat to outside and test with filezilla client from outside?

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Tue, 11 Jan 2011 16:56:27 GMT

It doesn't matter. client on the inside or outside.

client on the inside makes more sense, because you don't have to configure static translation.

Use two laptops and install filezilla server on one and client on the other.

Let me know.

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Wed, 12 Jan 2011 10:19:42 GMT

if i try to connect from a inside host to the ftp server it works.

if i try for example give my laptop a external ip start a ftp server on the laptop and connect from outside to THIS ftp server it works fine, without problems.

The only differents between the inside ftp server is the ip range and vlan and the type of ftp server, one 2008 IIS FTP and one Win7 Filezilla Server.

Any suggestions?

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Wed, 12 Jan 2011 13:21:19 GMT

So filezila works fine as an ftp server on the inside.

When you use Microsoft 2008 IIS ftp server on the inside it fails.

Can you ftp to this same IIS ftp server from another inside host? Does this work? If not I'd reach out to Microsoft.

This has nothing to do with the IP range according to what the logs show. FTP inspection did not like something in the packet that it saw.

To troubleshoot this further I'd suggest opening a TAC case with us. We would need the following:

1. captures taken on the inside and outside of the firewall while accessing this IIS FTP server.

2. syslogs (debug level from the time of testing)

3. wiresharp captures taken on the IIS server itself

All of the above have to be taken simulataneously.

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Wed, 12 Jan 2011 14:09:58 GMT

i have no service contract to open a TAC case.

I will explain the network:

ASA Inside Host:

192.168.100.10 (Filezilla FTP Server with NATTET external IP) -> if i connect from outside to this FTP server everything working fine. If i connect from inside the host to outside ftp, the connection stuck. (data connection could not be opened, folder content)

ASA Subinterface (Vlan 106 172.16.6.0/24) Host:

172.16.6.10 ( IIS FTP Server with NATTET external IP) - if i connect from outside to this server the connection stuck. If i connect from inside the host to outside ftp, the connection stuck. (data connection could not be opened, folder content)

ASA Subinterface (Vab 109 172.16.9.0/24) Host:

172.16.9.10 ( Filezilla FTP Server with NATTET external IP) - if i connect from outside to this FTP server everything working fine. If iconnect from inside the host to outside ftp, connection stuck. (data connection could not be opened, folder content)

make this sense?

Could i send the running config as pm? I don`t want to publish the config because of privacy....

Re: ftp through ASA stuck @ Opening data connection

born.jason — Wed, 12 Jan 2011 14:26:48 GMT

If i connect from inside (vlan 109) to outside FTP Server the asa log says:

tcp flow from Vlan109:172.16.9.10/1218 to outside:/21 terminated by inspection engine, reason - inspector drop reset.

FTP port command different address: (192.168.5.10 <- this is the IP from my external home client where the ftp server is running) to 172.16.9.10 on interface outside

what does that mean and how can i solve this ?

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Thu, 13 Jan 2011 03:26:03 GMT

Here is the link for the syslog that you are seeing:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4773005

I believe you are running into a known issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk24509

what code are you running on this ASA?

Post the output of

sh run policy-map

sh run service-policy

sh service-policy flow tcp host 172.16.9.10 host external ftp server eq 21

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Thu, 13 Jan 2011 10:21:38 GMT

I`m running ASA 8.3(1)

sh run policy:
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
inspect icmp error
inspect dns
inspect ftp
!

sh run service-policy
service-policy global_policy global

sh service-policy flow tcp host 172.16.9.10 host external ftp server eq 21

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow: inspect ftp
    Class-map: class-default
      Match: any
      Action:

Re: ftp through ASA stuck @ Opening data connection

Kureli Sankar — Mon, 17 Jan 2011 00:25:35 GMT

Hello,

Sorry. I just saw the config that you sent over.

You are using global access-list as well as interface acl. Auto nat and manual nat. Object-groups in the global ACL. It makes it very hard to read the config. Being on the box makes our life a lot easier.

Inside Host: 192.168.x.10 - outbound breaks - inbound works - I don't see a translation for it. Not sure how inbound works.

Vlan 106 Host:172.16.6.10 - outbound breaks - inbound breaks (sub-interface)

Vlan 109 Host:172.16.9.10 - outbound breaks - inbound works (sub-interface)

You did all the above tests with filezilla?

The configuration looks correct. Like I mentioned previously this will be a very involved troubleshooting.

If you do not have smartnet, I suggest purchasing a single case. It is worth it.

This is a good reason why should purchase smartnet.

We would have to spend a few hours on the box. Gathering all what I had mentioned before.

-KS

Re: ftp through ASA stuck @ Opening data connection

born.jason — Tue, 18 Jan 2011 19:31:17 GMT

Ok, What is best practice? Only acl configs on global or better on the interface? The same for NAT. I mean i test some things and some times it works with auto nat and sometimes with manual nat that why i use both.

Re: ftp through ASA stuck @ Opening data connection

csco10865546 — Mon, 24 Jan 2011 09:55:00 GMT

Hi Sankar,

I dont know if you are able to assist as i am having a similar issue.

I had issues in the past connecting to external ftp sites so i created an inspection rule on my wan interfaces and ask any staff trying to connect to any ftp site to send me the ip address so i can add under the inspection rule and this has always worked for me.

I had to do this because we also have ftp sites internally that people try to connect to from outside too.

But lately ,i have done this for an external ftp site and it connects but doesnt list directories.

The log message is

terminated by inspection engine,reason -inspector drop reset.

Below is the internal host trying to connect to the ftp server service policy command output :

External ftp server is 81.144.145.6.

# sh service-policy flow tcp host x.x.x.x host 81.144.145.6 eq ftp

Global policy:

Service-policy: global_policy

Class-map: cmap

Match: access-list TCP

Access rule: permit tcp any any

Action:

Input flow: set connection advanced-options tmap

Class-map: netflow-export-class

Match: access-list netflow-export

Access rule: permit ip any any

Action:

Output flow: flow-export event-type all destination 10.120.3.226 10.120 .16.220

Class-map: class-default

Match: any

Action:

Output flow:

Interface MAN_CORE_TO_WAN:

Service-policy: STV_IPS_POLICY

Class-map: STV_IPS_CLASS

Match: access-list STV_IPS_ACL

Access rule: permit ip any host 81.144.145.6

Match: default-inspection-traffic

Action:

Input flow: inspect ftp

Class-map: class-default

Match: any

Action:

Output flow:

Interface MAN_CORE_TO_WAN_ELXSI:

Service-policy: STV_IPS_POLICY

Class-map: STV_IPS_CLASS

Match: access-list STV_IPS_ACL

Access rule: permit ip any host 81.144.145.6

Match: default-inspection-traffic

Action:

Input flow: inspect ftp

Class-map: class-default

Match: any

Action:

Output flow:

Interface MAN_CORE-TO-WAN-THUS:

Service-policy: STV_IPS_POLICY

Class-map: STV_IPS_CLASS

Match: access-list STV_IPS_ACL

Access rule: permit ip any host 81.144.145.6

Match: default-inspection-traffic

Action:

Input flow: inspect ftp

Class-map: class-default

Match: any

Action:

I just cant understand why it has worked for tens of external ftp sites and it doesnt work for this particular one.

Cheers