Asa 5510. FTPS Explicit client fails at Init TLS stage

Guillermo Vitas
Level 1

Hello.

I have a problem when trying to access an external FTP server using explicit FTPS from a workstation on the internal network. After the server requires client TLS authentication, the client initiates TLS, but the connection is closed by a timeout.

I have disabled FTP inspection on the firewall and I have opened some high ports from the Internet to the test workstation (ACL and NAT rules), but without result.

If I try to connect from a workstation to the FTP server using a direct Internet connection, I can access the FTP server without problems, so I think the problem is in the ASA.

Any idea how to solve the problem?

Regards

6 Replies

jocamare
Level 4

Is the client working in passive or active mode?

In case this is working in active mode, can you confirm that the client supports the CCC (clear command channel) command?

In case this is working in passive mode, it should work just fine.

Hi.

Thanks for your response.

It fails in both modes. The failure is at a stage previous to authentication and mode selection, I think.

You can see the error in the image I attach. The image is from a Wireshark capture.

Regards.

Was this captured using passive or active mode? Let's try to use passive when testing.

Captures are useful, would it be possible for you to upload the actual capture?

Port 21 is used for the control connection, and then the data connection is used.

From the captures we can see that the three-way handshake is successfully established and the client sends an AUTH TLS request.

The server then responds with a 234 message, which is OK for the encryption mechanism.

After that, the client also sends an encrypted response message; the server replies with apparently just an acknowledgement, for none of the packets that were captured.

Have you tried to connect after removing the FTP inspection on the ASA?
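The control-channel sequence described above (TCP handshake, AUTH TLS, 234 reply, then a TLS ClientHello that the server never answers) can be checked from a script instead of by reading a capture. The following is an added example, not code from this thread or from Cisco: a stage-by-stage explicit-FTPS probe that reports which step fails or times out, together with a constructed fake server that reproduces the "server answers 234 and then goes silent" symptom so the script runs offline. The host, port, credentials, fake-server replies and stage names are all assumptions made for the demonstration. Against a real server, call `probe_explicit_ftps()` with the real hostname (and `verify=True`) once from the internal workstation and once from a host outside the ASA, and compare where each run stops.

```python
"""Stage-by-stage probe of an explicit-FTPS (AUTH TLS) control connection.

Added example, not from the thread. The fake server below is constructed
for the demonstration; its replies and the stage names are assumptions.
"""
import socket
import ssl
import threading


class FtpProtocolError(Exception):
    """Server answered with a reply code we did not expect at this stage."""


def read_reply(rfile):
    """Read one FTP reply (single or multi-line 'xyz-...' form); return (code, text)."""
    first = rfile.readline()
    if not first:
        raise ConnectionError("control connection closed by peer")
    first = first.decode("latin-1").rstrip("\r\n")
    code, lines = first[:3], [first]
    if len(first) > 3 and first[3] == "-":  # multi-line reply, ends with 'xyz<space>'
        while True:
            more = rfile.readline()
            if not more:
                raise ConnectionError("control connection closed mid-reply")
            more = more.decode("latin-1").rstrip("\r\n")
            lines.append(more)
            if more.startswith(code + " "):
                break
    return code, "\n".join(lines)


def send_cmd(sock, rfile, cmd, expect):
    """Send one command and require the reply code to start with `expect` (str or tuple)."""
    sock.sendall((cmd + "\r\n").encode("latin-1"))
    code, text = read_reply(rfile)
    if not code.startswith(expect):
        raise FtpProtocolError(f"{cmd.split()[0]} -> {text}")
    return code


def probe_explicit_ftps(host, port=21, user="anonymous", password="probe@",
                        timeout=5.0, verify=True):
    """Walk the explicit-FTPS setup one stage at a time.

    Returns {'completed': [...], 'failed_at': stage or None, 'error': str or None}.
    """
    completed, stage, raw = [], "tcp_connect", None
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        completed.append(stage)
        rfile = raw.makefile("rb")
        stage = "banner"
        code, text = read_reply(rfile)  # expect 220
        if not code.startswith("2"):
            raise FtpProtocolError(text)
        completed.append(stage)
        stage = "auth_tls"
        send_cmd(raw, rfile, "AUTH TLS", "234")
        completed.append(stage)
        stage = "tls_handshake"  # the ClientHello goes out here; a silent peer times out
        ctx = ssl.create_default_context()
        if not verify:  # only for the constructed fake server, never against real hosts
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(raw, server_hostname=host)
        completed.append(stage)
        rfile = tls.makefile("rb")
        stage = "login"
        if send_cmd(tls, rfile, f"USER {user}", ("331", "230")) == "331":
            send_cmd(tls, rfile, f"PASS {password}", "230")
        completed.append(stage)
        stage = "prot_p"  # protect the data channel before asking for one
        send_cmd(tls, rfile, "PBSZ 0", "200")
        send_cmd(tls, rfile, "PROT P", "200")
        completed.append(stage)
        stage = "pasv"
        send_cmd(tls, rfile, "PASV", "227")
        completed.append(stage)
        tls.sendall(b"QUIT\r\n")
    except (OSError, FtpProtocolError) as exc:  # ssl and timeout errors are OSError
        return {"completed": completed, "failed_at": stage,
                "error": f"{type(exc).__name__}: {exc}"}
    finally:
        if raw is not None:
            raw.close()
    return {"completed": completed, "failed_at": None, "error": None}


def start_fake_server(after_auth):
    """Constructed fake FTP server on 127.0.0.1; returns its port.

    after_auth='silent': reply 234, then never answer the TLS ClientHello
    (the symptom in the thread).  after_auth='reject': answer AUTH TLS with 502.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(10)
        try:
            conn.sendall(b"220 fake-ftpd ready\r\n")
            conn.recv(1024)  # "AUTH TLS\r\n" from the probe
            if after_auth == "reject":
                conn.sendall(b"502 Command not implemented\r\n")
            else:
                conn.sendall(b"234 Proceed with negotiation\r\n")
            while conn.recv(4096):  # swallow the ClientHello, answer nothing
                pass
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(after_auth, timeout=1.0):
    """Run the probe against the fake server with the chosen behaviour."""
    port = start_fake_server(after_auth)
    return probe_explicit_ftps("127.0.0.1", port, timeout=timeout, verify=False)


if __name__ == "__main__":
    print(demo("silent"))  # failed_at 'tls_handshake' after tcp_connect, banner, auth_tls
    print(demo("reject"))  # failed_at 'auth_tls' after tcp_connect, banner
```

The useful output is the `failed_at` value, not the exception text: a probe that completes from outside the firewall but stops at `tls_handshake` from inside narrows the problem to the path between the workstation and the server, while a stop at `auth_tls` means the server (or something in between) refused the upgrade before any TLS was attempted. The fake server exists only so the script can be run and checked offline; it has no certificate and never gets past the 234 reply.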

Hi Jocamare.

Thanks for your response.

The capture I sent was taken after disabling FTP inspection. I am not sure whether it was taken using passive or active mode; I think it was taken using passive mode. I will double-check this and recapture the traffic as soon as possible.

regards.

Hello.

Sorry for the huge delay in the response.

I have checked whether the client is in passive or active mode, but on the client I can see the error before it enters active or passive mode.

The error arises in the credential exchange, I think. But the credentials are OK.

Any idea?

Regards

Can you provide the configuration of the ASA and a packet capture of this traffic?

This looks like the server/client was not able to validate the certificate.

Can you confirm that they have the certs installed?
