Passive FTP through 2 FWSM contexts via VRF instance

Mel Popple
Level 1

Hi,

I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)

CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER

At the moment we can make the control connection but when we issue commands the connection times out.

Looking at the logs we can see the initial connection made to the server on port 21 from the client; this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection. Then on the second context we see the connection being denied by the incoming ACL on the second context's interface connected to the VRF instance.

The rules are identical on the contexts and have been made by copying and pasting the rule using CSM. We are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.

We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12, which are the connections we are seeing in the logs trying to do Passive FTP.

Is this a problem with the contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug)?

Any help gratefully received as it is doing my nut in.

Mel

1 Reply

mirober2
Cisco Employee

Hi Mel,

Are the interfaces between CONTEXT_1 and CONTEXT_2 on the same VLAN? If so, this could be related to:

CSCtw82050 - FWSM: FTP inspection breaks data channel sourced from another context

Assuming you're not using NAT for the FTP client or server, you could permit all TCP traffic between the client and the server through the ACLs and disable FTP inspection to work around the above bug.

-Mike
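As an added illustration (not part of the thread, and not Cisco or FWSM code), the following Python model shows why a static ACL built from the 'FTP-Group' (tcp 20 and 21) can pass the control channel yet deny the passive data channel, and why Mike's workaround of permitting all TCP between the client and the server passes both. In passive mode the server advertises an ephemeral data port in its 227 reply (RFC 959), so the only thing that normally lets that connection through a 20/21-only rule is the FTP inspection engine reading the reply and opening a pinhole; when inspection does not do that on the second context, the deny in the log is exactly what a first-match ACL evaluation produces. The addresses, the 227 reply and the ACL evaluator are all constructed here for the example.

```python
"""Added example (not from the thread): model of why a passive-FTP data
channel is denied by a static ACL that only permits tcp/20 and tcp/21."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses for the illustration (TEST-NET ranges, not real hosts).
CLIENT = "198.51.100.5"
SERVER = "192.0.2.10"

# Constructed 227 reply as a server sends it in response to PASV (RFC 959):
# the last two numbers encode the ephemeral data port as p1*256 + p2.
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) advertised by a 227 reply; this is the information an
    FTP inspection engine must read to open a pinhole for the data channel."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("value out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Ace:
    """One access-control entry: permit/deny TCP from src to dst on dst_ports
    (None means any destination port)."""
    action: str
    src: str
    dst: str
    dst_ports: Optional[FrozenSet[int]]


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def evaluate(acl: List[Ace], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)
                and (ace.dst_ports is None or dport in ace.dst_ports)):
            return ace.action
    return "deny"


# The thread's original rule: the predefined 'FTP-Group' covering tcp 20 and 21.
FTP_GROUP_ACL = [Ace("permit", CLIENT, SERVER, frozenset({20, 21}))]
# The suggested workaround: permit all TCP between the client and the server.
WORKAROUND_ACL = [Ace("permit", CLIENT, SERVER, None)]


def passive_session_verdicts(acl: List[Ace], pasv_reply: str) -> dict:
    """Evaluate both legs of a passive session against a static ACL, i.e.
    what the second context sees when no inspection pinhole has been opened."""
    data_ip, data_port = parse_pasv(pasv_reply)
    return {
        "control": evaluate(acl, CLIENT, SERVER, 21),
        "data": evaluate(acl, CLIENT, data_ip, data_port),
        "data_port": data_port,
    }


if __name__ == "__main__":
    for name, acl in (("FTP-Group (20,21)", FTP_GROUP_ACL),
                      ("all tcp client<->server", WORKAROUND_ACL)):
        print(name, passive_session_verdicts(acl, SAMPLE_PASV))
```

Running the block prints a permit for the control channel under both ACLs, but the data channel (port 50000 in the constructed reply) is denied under the 20/21-only rule and permitted under the all-TCP rule. This is the same pattern as the logs in the question: the first context's inspection engine opens the pinhole, the second context's does not, so the second context falls back to its static ACL and denies the high-port connection.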
