2070 Views, 0 Helpful, 9 Replies

ASA 5515x ftp-data (20) tcp retransmission accessing ftp server

PvCr
Level 1

Hi everyone,

I have a network behind a ASA5515X with Internet access.

When any PC (behind the 5515x) tries to connect to a remote FTP server, it is possible, but when the FTP client tries to list (LS) or execute DIR inside the FTP server, the command is sent successfully to the remote FTP server but then the connection is lost (can't open data channel).

I attached two files with info from PC-FTP-CLIENT (wireshark) and a capture from ASA5515X.

The show conn add command shows me this info (flags: SaAB):

TCP WAN-INTERFACE 90.130.70.73:21 LAN-INTERFACE 172.16.X.77:54209, idle 0:00:03, bytes 240, flags UxIO
TCP WAN-INTERFACE 90.130.70.73:20 LAN-INTERFACE 172.16.X.77:54211, idle 0:00:03, bytes 0, flags SaAB

I appreciate your help.

9 Replies

balaji.bandi
Hall of Fame

Can you post the ASA config? Is this a working one that broke, or a new one that has never worked?

BB

Hi Balaji,

The 5515x config is simple.

One dynamic NAT for LAN navigation:  nat (inside,outside) source dynamic LAN ONE-PUB-IP

IN/OUTSIDE ACLs are permitting IP (all traffic).

Inter/intra-interface traffic is permitted.

5515x is inspecting FTP globally.

One static default route to the Internet.

Do you have "inspect ftp" configured under your policy-map?

policy-map global_policy
  class inspection_default
    inspect ftp

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Yes, the 5515x is inspecting ftp.

********************************

show service-policy flow tcp host PC-FTP-CLIENT host REMOTE-FTP-SERVER eq FTP

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow: inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow: user-statistics accounting
        Input flow: inspect ftp

*************************************

policy-map global_policy
 class inspection_default
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect snmp
  inspect icmp error
  inspect sip
  inspect h323 h225
  inspect h323 ras
  inspect ftp
 class class-default
  user-statistics accounting
  inspect ftp
!
service-policy global_policy global

What version ASA are you running?

Are you using the FirePower module?


Hi Marius,

The 5515x has:

Cisco Adaptive Security Appliance Software Version 9.6(2)
Device Manager Version 7.6(2)150

sfr FirePOWER Services Software Module           ASA5515
sfr 0078.8847.5018 to 0078.8847.5018  N/A          N/A          6.1.0-330
sfr ASA FirePOWER                  Up               6.1.0-330

Module status:
Application status UP
Status description: Normal Operation
Application version: 6.1.0-330
Data Plane Status Down
Status UP

I disabled shun, threat-detection basic-threat, threat-detection statistics access-list and threat-detection statistics tcp-intercept.

Could it be a software bug?

Thanks for your help, regards.

I see your SFR module is showing up:

sfr ASA FirePOWER                  Up               6.1.0-330

So I am assuming you are redirecting traffic to the SFR module.  If so this is the problem.  Both FirePower and FTD have issues inspecting active FTP connections even though you have the inspect ftp configured.  This is a bug in SFR inspection.  You will need to either use passive FTP or explicitly allow ftp port tcp/20 from outside in, in SFR, or exclude FTP from being redirected to SFR module.


Hi Marius,

The SFR shows this:

Access Control Policy: Default Allow All Traffic

------------[ Current Device Settings ]-------------
Auto Application Bypass: Disabled
Bypass Threshold (ms): 3000

-----------------[ Traffic Status ]-----------------
Name : kvm_ivshmem
Transmitted Bytes (TX) : 0
Received Bytes (RX) : 0
Dropped Packets : 0

The SFR is using DNS, gateway and IP config that is not real according to our network addressing.

The data plane status of the SFR is DOWN.

I think SFR is not working at all.

Thanks for your help, regards.

Check the policy map that is supposed to redirect traffic to SFR. If that class has been removed, or there is no "sfr fail-open" command or similar, then the module is not in use.

show run policy-map

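As an added illustration (constructed for this page, not the poster's config or any reply in the thread), here is what an SFR redirect class looks like in the "show run policy-map" output Marius asks for, and how to build that class from an ACL so that FTP control and data traffic is never sent to the module, which is the "exclude FTP from being redirected" option suggested in the earlier reply. The ACL and class names SFR_REDIRECT_ACL and SFR_CLASS are assumptions; the syntax is standard ASA 9.x MPF.

```cisco
! Constructed example, not from the thread. Names SFR_REDIRECT_ACL and
! SFR_CLASS are assumed.
!
! A redirect to the FirePOWER module is a class inside global_policy with an
! "sfr" action. If "show run policy-map" shows no such class, the module is
! not in the traffic path and cannot be what breaks the FTP data channel:
!
!   policy-map global_policy
!    class SFR_CLASS
!     sfr fail-open
!
! To keep FTP out of the redirect, match the class on an ACL. A "deny" ACE
! in a class-map ACL means "does not match this class", i.e. not redirected.
! Active FTP data arrives from the server's source port 20, so match that
! direction on the source port as well as the destination port.
access-list SFR_REDIRECT_ACL extended deny tcp any any eq ftp
access-list SFR_REDIRECT_ACL extended deny tcp any any eq ftp-data
access-list SFR_REDIRECT_ACL extended deny tcp any eq ftp-data any
access-list SFR_REDIRECT_ACL extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT_ACL
!
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! Verification: the control connection should list "inspect ftp" and no
! "sfr" action for this flow, and the port-20 conn should come up with the
! normal established flags instead of staying in the SYN state.
!   show service-policy flow tcp host 172.16.X.77 host 90.130.70.73 eq ftp
!   show conn address 90.130.70.73
```

The deny lines must precede the "permit ip any any" catch-all, since the ACL is evaluated top down. "inspect ftp" still has to stay in inspection_default so the ASA opens the pinhole for the data channel; this only removes the module from that path.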