03-04-2011 10:33 AM - edited 03-11-2019 01:00 PM
Hi!
We have 2 ASA 5580s in an active/standby cluster configuration.
We have updated from version 8.3(1) to version 8.4(1), but since then it is impossible to establish an FTP connection in passive mode with NAT.
Before this update, all was OK.
Here is our configuration:
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect http
inspect icmp
inspect icmp error
inspect sunrpc
inspect tftp
inspect pptp
inspect rtsp
inspect ftp
!
service-policy global-policy global
Do you know if it's a bug, or can you fix this problem?
Thank you very much for your help.
Regards,
03-04-2011 11:49 AM
Have you checked your syslogs or checked the show service-policy for drops?
03-04-2011 03:24 PM
Thanks for your response.
We have no errors in the syslog messages, and "show service-policy" displays:
Inspect: ftp, packet 650742, lock fail 0, drop 0, reset-drop 8
03-04-2011 03:35 PM
OK, there are some reset-drops on your service-policy that could be the cause. Is it possible for you to test the FTP connection and check the logs and the service-policy to see if the number increases?
03-05-2011 04:39 AM
Inspect: ftp, packet 771540, lock fail 0, drop 0, reset-drop 8
The reset-drop does not increase.
Why does inspection work without NAT?
Are we the only ones with this behavior (version 8.4.1)?
If you have any ideas, thank you for your help!
03-05-2011 09:03 AM
Hi,
Would you please answer the following questions? I know this is supposed to work on this version as well, but I want to analyze some data:
Where is the server located?
Where is the client located?
What are the security levels for the interfaces?
Can you get the logs when the connection doesn't work?
Would you please get a packet capture with all TCP between the client and the server?
Cheers
Mike.
03-05-2011 03:06 PM
Hello Mike,
Thank you for the interest.
Here is our answer:
Where is the server located?
The server is behind our ASA 5580, connected on a VLAN interface.
Where is the client located?
The client comes from the Internet.
What are the security levels for the interfaces?
All our interfaces are at security level 100.
Can you get the logs when the connection doesn't work?
We have no log when the connection doesn't work.
Would you please get a packet capture with all TCP between the client and the server?
sh capture ftp
48 packets captured
1: 00:00:19.577011 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: S 2847225137:2847225137(0) win 5840
2: 00:00:19.577225 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: S 1447625788:1447625788(0) ack 2847225138 win 5792
3: 00:00:19.605635 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625789 win 92
4: 00:00:19.607527 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625789:1447625799(10) ack 2847225138 win 46
5: 00:00:19.637860 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625799 win 92
6: 00:00:26.124779 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225138:2847225154(16) ack 1447625799 win 92
7: 00:00:26.125039 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: . ack 2847225154 win 46
8: 00:00:26.125054 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625799:1447625833(34) ack 2847225154 win 46
9: 00:00:26.152518 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625833 win 92
10: 00:00:29.892226 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225154:2847225170(16) ack 1447625833 win 92
11: 00:00:29.914823 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625833:1447625856(23) ack 2847225170 win 46
12: 00:00:29.941601 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625856 win 92
13: 00:00:29.943173 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225170:2847225176(6) ack 1447625856 win 92
14: 00:00:29.943447 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625856:1447625875(19) ack 2847225176 win 46
15: 00:00:30.011428 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625875 win 92
16: 00:00:32.052746 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225176:2847225182(6) ack 1447625875 win 92
17: 00:00:32.053097 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
18: 00:00:32.082500 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92
22: 00:00:32.111505 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
23: 00:00:32.287186 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
24: 00:00:32.314757 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
25: 00:00:32.340695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
26: 00:00:32.755072 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
27: 00:00:32.781865 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: . ack 1447625921 win 92
28: 00:00:32.803287 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
29: 00:00:32.803806 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
30: 00:00:32.803867 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: . 1457888674:1457889998(1324) ack 2327685572 win 46
31: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: P 1457889998:1457890049(51) ack 2327685572 win 46
32: 00:00:32.803898 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: F 1457890049:1457890049(0) ack 2327685572 win 46
33: 00:00:32.842241 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457889998 win 137
34: 00:00:32.842973 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890049 win 137
35: 00:00:32.882019 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457890050 win 137
36: 00:00:32.882232 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625960:1447625984(24) ack 2847225188 win 46
37: 00:00:33.038007 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
38: 00:00:33.508793 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
39: 00:00:33.729484 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
40: 00:00:34.448508 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
41: 00:00:35.581695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
42: 00:00:36.327955 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
43: 00:00:39.281632 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
44: 00:00:40.087809 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
45: 00:00:46.688517 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
46: 00:00:47.607512 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
47: 00:01:01.505497 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
48: 00:01:02.647030 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625921:1447625960(39) ack 2847225188 win 46
Our customers are impacted by this problem, and all worked well before the update.
Thank you so much for your help.
Best regards,
03-05-2011 03:14 PM
Hi,
Would it be possible for you to get the capture in pcap format? I want to take a look at the payload of the packets. From what I can see, there is a secondary connection being opened:
19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
20: 00:00:32.083796 802.1Q vlan#832 P0 10.34.4.37.23061 > 82.239.4.178.48382: S 1457888673:1457888673(0) ack 2327685572 win 5792
21: 00:00:32.109781 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: . ack 1457888674 win 92
This makes me think that this could be the data channel, but I'm not sure. In order to download them, do the following:
Enable the HTTP server on the interface where the management station is:
HTTP server enable
Enable access via HTTP to that host:
HTTP x.x.x.x y.y.y.y inside
And then put the following url
https://
Also, if you can, please take a capture of ASP drops, just to make sure that the ASA is not dropping anything:
capture asp type asp-drop all
If you can get the logs using ASDM or a syslog server, that would be great.
Mike.
03-06-2011 12:09 PM
03-06-2011 12:35 PM
Hello,
Based on the captures, it seems that the server is sending the "Entering to passive mode" message again, which is causing the retransmissions. However, I can see the data channel being opened. If you try to do the list command or try to pull a file, does it work?
Let me know.
Mike
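An added example, not code from the thread or from Cisco: a small Python helper that parses "show capture" lines in the format quoted above, separates the control channel (port 21) from any secondary TCP connection between the same hosts (the candidate passive data channel), and counts retransmitted segments, which is what the analysis above spots by eye. The SAMPLE lines are a constructed subset of the capture posted above; parse_capture and summarize are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "show capture ftp" lines quoted in the thread.
SAMPLE = """\
17: 00:00:32.053097 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
19: 00:00:32.083629 802.1Q vlan#832 P0 82.239.4.178.48382 > 10.34.4.37.23061: S 2327685571:2327685571(0) win 5840
22: 00:00:32.111505 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
23: 00:00:32.287186 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
25: 00:00:32.340695 802.1Q vlan#832 P0 82.239.4.178.58805 > 10.34.4.37.21: P 2847225182:2847225188(6) ack 1447625921 win 92
26: 00:00:32.755072 802.1Q vlan#832 P0 10.34.4.37.21 > 82.239.4.178.58805: P 1447625875:1447625921(46) ack 2847225182 win 46
"""

# num, timestamp, src ip.port > dst ip.port: flags [seq:end(len)]
LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+.*?(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+([SFPR.]+)\s+(?:(\d+):(\d+)\((\d+)\))?"
)


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match the format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, ts, src, sport, dst, dport, flags, seq, end, length = m.groups()
        pkts.append({"num": int(num), "ts": ts, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": flags,
                     "seq": int(seq) if seq else None, "end": int(end) if end else None,
                     "len": int(length) if length else 0})
    return pkts


def summarize(pkts, control_port=21):
    """List secondary connections (candidate data channels) and retransmitted data segments."""
    secondary = set()
    seen = defaultdict(Counter)  # (src, sport, dst, dport) -> Counter of (seq, end) ranges
    for p in pkts:
        if control_port not in (p["sport"], p["dport"]):
            secondary.add(tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])))
        if p["len"] > 0:  # only segments carrying payload can be retransmissions
            seen[(p["src"], p["sport"], p["dst"], p["dport"])][(p["seq"], p["end"])] += 1
    retrans = {}
    for direction, counter in seen.items():
        dup = {rng: n - 1 for rng, n in counter.items() if n > 1}
        if dup:
            retrans[direction] = dup
    return {"secondary": sorted(secondary), "retransmissions": retrans}


if __name__ == "__main__":
    print(summarize(parse_capture(SAMPLE)))
```

On the sample, the server's 46-byte segment (the passive-mode reply) shows up twice more and the client's 6-byte command once more, while the 23061 connection is reported as a secondary channel.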
03-06-2011 01:59 PM
Mike,
We observed many logs:
<163>%ASA-3-210005: LU allocate connection failed
Can there be a relationship between the log and our FTP connection problem?
Thanks
03-06-2011 02:13 PM
Hello,
Not really, since the connection is established with no problems. We may need to do in-depth troubleshooting on this case. Clearly we are missing packets on the connection; however, I am unsure if the data channel worked fine. I can see that when you did the listing of the directory it completed. So my big question is, what is it that is not working? Is it pulling a file?
If so, please take captures on the server, inside and outside of the firewall, and get them in pcap format.
By any chance, do you have a CSC module attached to this firewall?
Let me know.
Mike Rojas
06-20-2011 01:30 PM
I know that this has been dead for a while, but I have similar problems with passive FTP and 8.4.1 for the ASA. Since upgrading to this version, passive FTP drops constantly from some servers. I have identified that it is an issue with IPS on the firewall. With my issue, the firewall is creating out-of-order packets. Cisco TAC has been working on it for weeks and has no idea.
I know that a new version of the ASA software just came out today, and I am planning on upgrading it tonight. I have had nothing but issues with the 8.4.1 version. Garbage if you ask me.
I have had the following issues:
1. FTP dropping issues
2. IPSEC L2L VPN tunnel drops. Packets get dropped at random, although a small percentage. TAC has not been able to track down the problem.
3. A lot of ASP drops. TAC is as yet unable to determine why.
All of these issues are not major by themselves, but after people started reporting issues within a few days, I reviewed my log server and found that the problems manifested themselves the second that I switched over to 8.0.3. My config has been verified 3 separate times by TAC and has no issues.
I was about to downgrade to a previous version before 8.4.2 was released today. I will see if that corrects the issues.
06-20-2011 04:20 PM
Please provide case numbers if you have them. Unless TAC pointed out documented defects that were resolved in 8.4.2, the problems that you are seeing in 8.4.1 might still be there in 8.4.2.
-KS
06-20-2011 08:42 PM
Thanks a lot Kureli, you are right. Maybe more eyes could help to determine what the problem is; upgrading may not be the desired path, cuz the issue may remain. Maybe taking a look at the documentation on the case will help us to check and see what the root cause can be.
Mike