Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1050
Views
0
Helpful
4
Replies

FTP packets being dropped

Edward Luna
Level 1
Level 1

‎06-05-2012 07:36 PM - edited ‎03-11-2019 04:15 PM

FTP access thru an ASA5510 to an ftp server on the private had been working fine.  Suddenly today there is no access from the outside but inside users have no problem.

I ran a packet trace with animation and the 5510 says the packets are being dropped by rule in the access list.  I changed nothing in the access list and ftp has been working all along.

I can include a copy of the running config if you require it but on the assumption that the full list will not be required I can verify the access list for ftp is as follows...

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq ftp

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq ftp-data

I realize I haven't given you much to go on but I should add that extensive configuration changes were made to the ASA5510 to configure for VPN access so it is possible that something happened during the VPN work but all other services that have exactly the same format access lists continue to function normally.  The only internal server I have lost outside access to is ftp.  The mail server and VPN continue to function normally.

Thanks

Ed

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-05-2012 08:20 PM

which rule does it say has been dropped in the packet tracer? and do you happen to have an access-list above the current 2 FTP rules that might drop the FTP connection?

can you connect to the ftp server and it fails on the data connection, or you can't even connect to your ftp server?

if you can share the config, that would help.

0 Helpful

Edward Luna
Level 1
Level 1
In response to Jennifer Halim

‎06-06-2012 05:02 AM

Hello Jennifer

According to the activity monitor on the FTP server, the initial connection is successful so I assume the failure is occurring on the data connection portion.

I will post the full access list as soon as I get to the office later today.

Thank you

Ed

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Edward Luna

‎06-06-2012 05:06 AM

AHh, in that case, maybe ftp inspection is somehow disabled and I assume that you are using passive FTP?

0 Helpful

Edward Luna
Level 1
Level 1
In response to Jennifer Halim

‎06-06-2012 05:25 AM

Yes... passive FTP.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card