cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
877
Views
0
Helpful
4
Replies

pix - css - ftp

jinserra
Level 1
Level 1

All,

I'm unable to initiate an ftp session to a DMZ'd server behind a CSS. I have been unable to ftp to the host since upgrading to PIX os 6.2(2). Previous to the pix upgrade I was able to ftp to the server using passive mode ftp. Now, the connection starts but after a few seconds the connection resets. Has anyone run into any similar problems? Ftp seems like the only service effected by the upgrade.....ssh and telnet are still working. Since I'm new to CSS administration, I haven't included much in the way of configuration figuring you would ask for the relevant information.

Thanks in advance

4 Replies 4

thomas.chen
Level 6
Level 6

It's likely a PIX problem more than CSS since the problem happened with the 6.2x upgrade. I would start by looking at the debug log file off the PIX to see if the connection state is dropping and then capture that log with a show tech for the TAC. They may be aware of any or issues with your new version. Sometimes it's best to stay a version or two back on the PIX.

jinserra
Level 1
Level 1

This message is from our firewall logs, logging isn't currently set at debug level, but I thought that this would be a good start......

Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz

Aug 21 15:04:01 [xx.xx.xx.xx.xx] Aug 21 2002 15:01:36: %PIX-4-406002: FTP port command different address: SERVER_VIP_IP(SERVER_RESERVE_DIP) to MY_IP_ADDR on interface cdmz

When I look the error up I find the following.....

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#79165

Is there anyway to get around this problem without risking security? Also why would ssh work and not passive ftp?

Thanks again

Do you have a source group configured on your css with the same VIP address you use in your content rule? Is application ftp configured on your content rule?

No, I didn't have a source group!!!! Yes, there is currently a ftp application setup.....It as working before the pix upgrade. That's why I'm so confused. Well anyways, I've now added the source group and it works!!!!! Thanks so much everyone.

Joseph

Review Cisco Networking for a $25 gift card