Apologies...

First, my inspect ftp line should actually read

inspect ftp strict FTP_INSPECT_POLICY

The config I pasted in was the workaround I'm using.

Second, see the following output from Core FTP when attempting to connect, as well as the output from the show service-policy inspect ftp

Core FTP

Resolving ftp2.fincentric.com... 
Connect socket #1140 to 72.15.150.51, port 21...
220 Fincentric Secure FTP for WinSock ready... 
AUTH SSL 
234 AUTH command OK. Initializing SSL connection. 
SSL/TLS error - 0, SSL error - 1, error:00000001:lib(0):func(0):reason(1)  
Winsock error 10060 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  ) 
SSL Connection not established
Connection Failed
disconnected

ASA show service-policy inspect ftp

tritcasa5510# show service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp strict FTP_INSPECT_POLICY, packet 17, drop 8, reset-drop 0
               Cmd not terminated drop          8
        class FTP_class_map
          reset log, packet 0

I'm not entirely sure what to make of the 8 drops and cmd not terminated drop counters.

From the error:
(A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond.  ) 
Could it have been that there was no response from the server?

If on the other hand, FTP is behaving in a way that the ASA will not accept (FTP inspection), we can capture the traffic and check the reason:

access-list FTPin permit ip host x.x.x.x host y.y.y.y
access-list FTPin permit ip host y.y.y.y host x.x.x.x
capture capin access-list FTPin interface inside

access-list FTPout permit ip host x.x.x.x host y.y.y.y
access-list FTPout permit ip host y.y.y.y host x.x.x.x
capture capout access-list FTPout interface outside

Federico.

coto.fusionet wrote:
From the error: 
(A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond.  )  
Could it have been that there was no response from the server?

If I change inspect ftp strict FTP_INSPECT_POLICY to simply inspect ftp, the connection works normally.

I will set up the capture and report back... I'm not familiar with what those commands do - Will this create a .cap file in the ASA's file system or something similar?

Yes, and you can view the capture on the ASA itself, but it's way better to export them to Wireshark.

Here's the explanation:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c1.html#wp2147322

Federico.

That link is apparently forbidden to me??

Thanks Federico, based on that link, I would tend to agree with you.  ASA FAQs also indicate that strict inspection is not supported with FTPS.

Unfortunately, this also forces me to disable my regexp filtering as I am unable to specify a policy-map name with the inspect ftp command unless I also specify the strict keyword.

Mike, you're right but if the problem is with this one site, you can specify the FTP inspection to apply to all destinations but this one...

Not sure if it will work for you, just a thought.

Federico.

I would be very interested as it does appear that only this one site is affected.  Unfortunately, looking at the config, it seems a little bit beyond my understanding of the ASA's MPF.  Any insight into that process you may have would be appreciated.