Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1573
Views
0
Helpful
1
Replies

ASA 5540 + FTP over Implicit TLS/SSL Client

cyr0nk0r1
Level 1
Level 1

‎01-04-2012 08:50 AM - edited ‎03-11-2019 03:10 PM

I am having the EXACT same problem as this user:

https://supportforums.cisco.com/thread/2012079

Error:   GnuTLS error -53: Error in the push function.

Response:   425 Can't open data connection.

Error:   Failed to retrieve directory listing

Response:   421 Connection timed out.

However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.

I have turned on logging via

conf t
logging buffered 7
exit
sh logg | i x.x.x.x

and the result is

Jan 04 2012 09:42:24: %ASA-6-305011: Built dynamic TCP translation from inside:10.128.4.11/58789 to outside:207.x.x.x/24151
Jan 04 2012 09:42:24: %ASA-6-302013: Built outbound TCP connection 145140575 for outside:65.x.x.x/990 (65.x.x.x/990) to inside:10.128.4.11/58789 (207.x.x.x/24151)
Jan 04 2012 09:42:24: %ASA-6-302014: Teardown TCP connection 145138677 for outside:65.x.x.x/990 to inside:10.128.4.11/58784 duration 0:01:38 bytes 2852 TCP FINs
Jan 04 2012 09:42:24: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.128.4.11/58780 to outside:207.x.x.x/55136 duration 0:02:30
Jan 04 2012 09:42:25: %ASA-6-305011: Built dynamic TCP translation from inside:10.128.4.11/58790 to outside:207.x.x.x/37847
Jan 04 2012 09:42:25: %ASA-6-302013: Built outbound TCP connection 145140619 for outside:65.x.x.x/5025 (65.x.x.x/5025) to inside:10.128.4.11/58790 (207.x.x.x/37847)
Jan 04 2012 09:42:25: %ASA-6-302014: Teardown TCP connection 145140619 for outside:65.x.x.x/5025 to inside:10.128.4.11/58790 duration 0:00:00 bytes 123 TCP Reset-I
Jan 04 2012 09:42:25: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.128.4.11/58781 to outside:207.x.x.x/47832 duration 0:02:30

207.x.x.x is the external IP of my ASA

65.x.x.x is the FTP server

show run policy-map

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

show run service-policy

service-policy global_policy global
Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎01-09-2012 05:40 AM

Hello,

In your case it looks like the data channel is being built correctly, but then the host on the inside interface sends a TCP reset to close the connection:

Jan 04 2012 09:42:25: %ASA-6-302014: Teardown TCP connection 145140619 for outside:65.x.x.x/5025 to inside:10.128.4.11/58790 duration 0:00:00 bytes 123 TCP Reset-I

I would start by checking the logs on the inside host and find out why it sends the reset. Captures can also help confirm who is sending the reset.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card