
ASA 8.4(1) ftp passive problem with NAT

gdelavenne
Level 1

Hi!

We have 2 ASA 5580 with a cluster active/standby configuration.

We have updated to version 8.4(1) from version 8.3(1), but since then it has been impossible to establish an FTP connection in passive mode with NAT.

Before this update, all was OK.

Here is our configuration:

class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect http
  inspect icmp
  inspect icmp error
  inspect sunrpc
  inspect tftp
  inspect pptp
  inspect rtsp
  inspect ftp
!
service-policy global-policy global

Do you know if it's a bug or if you can fix this problem?

Thank you very much for your help.

Regards,

35 Replies

r.robins
Level 1

Hi All,

I too have hit this problem with ASA 5520 running 8.4.1 in transparent mode.

Does anyone have any idea what the fix is for this, if there is a fix at all?

Hi,

Same thing, there is no issue reported with FTP and ASA 5520, please paste the configuration and get the captures as described earlier.

Mike

Mike

Already had a case open with TAC and provided config and captures.

Took so long that we had to put a workaround in and it is difficult to replicate now.

TAC case SR 617830879 - We would like to see if there is a resolution to this issue so we can take out the workaround in place.

Sorry that I never posted any packet captures, but when troubleshooting was being done on the ASA with Cisco, it caused all sorts of other problems, so work was halted until the weekend.

Well, here is what I have found. To try and resolve this, since it has dragged on for 3 weeks without even knowing what is causing the problem, I gave up on our TAC ticket and decided to try the new software 8.4.2.

Well, that was a big mistake. I don't know if anyone else is having issues, but it is a complete disaster. It may fix FTP issues with the 5580, but it broke all FTP on my 5510. Active and passive FTP were broken on all external servers. Now instead of just a few FTP servers not working, none of them work.

Also, to top it off, our 50 Mbps connection started running at 1/5 of that speed. Looking at the outside router with NetFlow, the ASA was supplying 10Mbps max. Again, I don't know if I am a unique case, but what a piece of garbage update. Again, my config has been reviewed for the past 3 weeks by Cisco and has been declared fine.

So now 8.4.1 and 8.4.2 are working horribly, so I downgraded to 8.3.2. Guess what? Everything works perfectly now. FTP has no issues. What used to be running at 10Kbps and timing out constantly now runs at 1 MBps; 800x the speed isn't a bad improvement. I get no out-of-order packets. The speed issues for all IP transfers that were there in 8.4.2 are gone.

Overall, I am very displeased with how this was handled. Cisco went back and forth with me that the firewall was not supposed to do that, and so it could not be the firewall. Well, that is why I am calling support: the firewall is doing something that it is not supposed to. I provided many packet captures and for some reason no one could figure anything out.

After 3 weeks of degraded service and wasting probably around 20-30 hours on this, I am not going to pursue it. I will stick with the older version until a version that works properly is released.

Mike, thanks for the offer, and I wish that I had seen this post earlier, but I can't waste more time on this. I offered Cisco TAC all the captures that I have and the config if they want to try and troubleshoot their bugs.

Ryan,

Fair enough. I am sorry you did not get the desired support. I'll check what I can do from here.

Mike

Mike

I have the same issue, and I am using a 5510 with version 8.4.(4) 9. I am trying to FTP inter-VLAN and I get the same problem. Has anyone found a solution for it yet?
