02-01-2019 02:45 PM - edited 02-21-2020 08:44 AM
Hi everyone,
I have a network behind an ASA5515X with Internet access.
When any PC (behind the 5515X) tries to connect to a remote FTP server, it connects, but when the FTP client tries to list (LS) or execute DIR on the FTP server, the command is sent successfully to the remote FTP server, but then the connection is lost (can't open data channel).
I attached two files with info from PC-FTP-CLIENT (wireshark) and a capture from ASA5515X.
show conn add command shows me this info: (flags: SaAB)
TCP WAN-INTERFACE 90.130.70.73:21 LAN-INTERFACE 172.16.X.77:54209, idle 0:00:03, bytes 240, flags UxIO
TCP WAN-INTERFACE 90.130.70.73:20 LAN-INTERFACE 172.16.X.77:54211, idle 0:00:03, bytes 0, flags SaAB
I appreciate your help.
02-01-2019 04:04 PM
Can you post the ASA config? Is this a working setup that broke, or a new one that has never worked?
02-04-2019 06:48 AM
Hi Balaji,
The 5515x config is simple.
One dynamic NAT for LAN navigation: nat (inside,outside) source dynamic LAN ONE-PUB-IP
IN/OUTSIDE ACLs are permitting IP (all traffic).
Inter/intra-interface traffic is permitted.
5515X is inspecting FTP globally.
One static default route to the Internet.
02-02-2019 12:54 AM
Do you have "inspect ftp" configured under your policy-map?
policy-map global_policy
class inspection_default
inspect ftp
02-04-2019 06:52 AM
Hi Marius,
Yes, the 5515x is inspecting ftp.
********************************
show service-policy flow tcp host PC-FTP-CLIENT host REMOTE-FTP-SERVER eq FTP
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Match: default-inspection-traffic
Action:
Input flow: inspect ftp
Class-map: class-default
Match: any
Action:
Output flow: Output flow: user-statistics accounting
Input flow: inspect ftp
*************************************
policy-map global_policy
class inspection_default
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect snmp
inspect icmp error
inspect sip
inspect h323 h225
inspect h323 ras
inspect ftp
class class-default
user-statistics accounting
inspect ftp
!
service-policy global_policy global
02-05-2019 02:20 PM
What version ASA are you running?
Are you using the FirePower module?
02-05-2019 02:50 PM
Hi Marius,
The 5515x has:
Cisco Adaptive Security Appliance Software Version 9.6(2)
Device Manager Version 7.6(2)150
sfr FirePOWER Services Software Module ASA5515
sfr 0078.8847.5018 to 0078.8847.5018 N/A N/A 6.1.0-330
sfr ASA FirePOWER Up 6.1.0-330
Module status:
Application status UP
Status description: Normal Operation
Application version: 6.1.0-330
Data Plane Status Down
Status UP
I disabled shun, threat-detection basic-threat, threat-detection statistics access-list and threat-detection statistics tcp-intercept.
Could it be a software bug?
Thanks for your help, regards.
02-10-2019 08:11 AM - edited 02-10-2019 08:13 AM
I see your SFR module is showing up:
sfr ASA FirePOWER Up 6.1.0-330
So I am assuming you are redirecting traffic to the SFR module. If so this is the problem. Both FirePower and FTD have issues inspecting active FTP connections even though you have the inspect ftp configured. This is a bug in SFR inspection. You will need to either use passive FTP or explicitly allow ftp port tcp/20 from outside in, in SFR, or exclude FTP from being redirected to SFR module.
02-11-2019 02:04 PM
Hi Marius,
The SFR shows this:
Access Control Policy: Default Allow All Traffic
------------[ Current Device Settings ]-------------
Auto Application Bypass: Disabled
Bypass Threshold (ms): 3000
-----------------[ Traffic Status ]-----------------
Name : kvm_ivshmem
Transmitted Bytes (TX) : 0
Received Bytes (RX) : 0
Dropped Packets : 0
The SFR is using DNS, gateway and IP config that is not real according to our network addressing.
The data plane status of the SFR is DOWN.
I think SFR is not working at all.
Thanks for your help, regards.
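A small triage helper, added here as an example and not code from the thread or from Cisco, that parses the two show conn lines quoted in the first post, decodes the flag letters against Cisco's documented show conn legend, picks out the half-open active-FTP data channel described there, and also reports whether any flow carries the X (service module) flag, which bears on the later question of whether traffic is being redirected to the SFR. The flag meanings are assumed to match the legend for this ASA release.

```python
import re

# Subset of the ASA "show conn" flag legend (Cisco's documented letters) used here.
FLAGS = {
    "U": "up", "x": "per-session", "I": "inbound data", "O": "outbound data",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside", "X": "inspected by service module",
}

# One "show conn" line: proto, outside if/addr:port, inside if/addr:port, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>\S+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>\S+):(?P<in_port>\d+),\s*idle\s+(?P<idle>\S+),\s*"
    r"bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)$"
)

def parse_conn(line):
    """Return a dict for one connection line, or None if the line is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        conn[key] = int(conn[key])
    conn["decoded"] = [FLAGS.get(c, "unknown:" + c) for c in conn["flags"]]
    return conn

def stalled_active_ftp_data(conn):
    """Active-FTP data channel (server source port 20) whose SYN came from outside ('B')
    but never reached the 'up' state ('U') and carried no bytes: the symptom in this thread."""
    return (conn["proto"] == "TCP" and conn["out_port"] == 20
            and "B" in conn["flags"] and "U" not in conn["flags"] and conn["bytes"] == 0)

def redirected_to_sfr(conn):
    """'X' marks a flow handed to the service module; none of the quoted flows carries it."""
    return "X" in conn["flags"]

def triage(output):
    conns = [c for c in (parse_conn(l) for l in output.splitlines()) if c]
    return {"stalled_ftp_data": [c for c in conns if stalled_active_ftp_data(c)],
            "sfr_redirected": [c for c in conns if redirected_to_sfr(c)]}

# Constructed sample: the two lines quoted in the first post (one address octet masked as X).
SAMPLE = """\
TCP WAN-INTERFACE 90.130.70.73:21 LAN-INTERFACE 172.16.X.77:54209, idle 0:00:03, bytes 240, flags UxIO
TCP WAN-INTERFACE 90.130.70.73:20 LAN-INTERFACE 172.16.X.77:54211, idle 0:00:03, bytes 0, flags SaAB
"""
```

Running triage(SAMPLE) on the pasted output returns the port-20 flow as the only stalled data channel and an empty sfr_redirected list, which matches the poster's conclusion that the SFR is not in the traffic path.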
02-12-2019 11:05 AM
Check the policy map that is supposed to redirect traffic to the SFR. If the policy has been removed, or there is no "sfr fail-open" command or similar, then it is not in use.
show run policy-map