08-13-2002 12:56 PM
All,
I'm unable to initiate an ftp session to a DMZ'd server behind a CSS. I have been unable to ftp to the host since upgrading to PIX OS 6.2(2). Previous to the PIX upgrade I was able to ftp to the server using passive mode ftp. Now, the connection starts but after a few seconds the connection resets. Has anyone run into any similar problems? Ftp seems like the only service affected by the upgrade; ssh and telnet are still working. Since I'm new to CSS administration, I haven't included much in the way of configuration, figuring you would ask for the relevant information.
Thanks in advance
08-21-2002 11:22 AM
It's likely a PIX problem more than CSS since the problem happened with the 6.2x upgrade. I would start by looking at the debug log file off the PIX to see if the connection state is dropping and then capture that log with a show tech for the TAC. They may be aware of any issues with your new version. Sometimes it's best to stay a version or two back on the PIX.
08-21-2002 12:30 PM
This message is from our firewall logs. Logging isn't currently set at debug level, but I thought that this would be a good start.
Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz
Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz
When I look the error up I find the following:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#79165
Is there any way to get around this problem without risking security? Also, why would ssh work and not passive ftp?
Thanks again
08-26-2002 09:14 AM
Do you have a source group configured on your css with the same VIP address you use in your content rule? Is application ftp configured on your content rule?
08-26-2002 10:05 AM
No, I didn't have a source group! Yes, there is currently an ftp application set up. It was working before the PIX upgrade. That's why I'm so confused. Well anyways, I've now added the source group and it works! Thanks so much everyone.
Joseph
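Added example, not part of any post in this thread and not Cisco's implementation: the logged message reports an FTP port command carrying a "different address", and this sketch shows the kind of comparison involved, assuming an inspecting device compares the address embedded in a PORT command or 227 reply (RFC 959 format) with the sender's address on the control connection. Function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# PORT commands and 227 (passive mode) replies carry h1,h2,h3,h4,p1,p2
# as six comma-separated decimal octets inside the control channel.
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]


def check_control_line(sender_ip, line):
    """Compare the announced data-channel address with the address the
    sender is seen using on the control connection (hypothetical check)."""
    parsed = parse_hostport(line)
    if parsed is None:
        return "no-address"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(sender_ip):
        return f"mismatch: sender {sender_ip} announced {ip}:{port}"
    return f"ok: {ip}:{port}"


if __name__ == "__main__":
    # Constructed control-channel lines; 192.0.2.10 is the address the
    # inspecting device sees as the sender of each line.
    for line in ("USER anonymous",
                 "227 Entering Passive Mode (192,0,2,10,19,137)",
                 "227 Entering Passive Mode (198,51,100,20,19,137)"):
        print(f"{line!r:55} -> {check_control_line('192.0.2.10', line)}")
```

SSH and telnet carry no addresses inside the session, so a check of this kind has nothing to compare for them.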