02-17-2009 12:42 PM - edited 03-11-2019 07:51 AM
Hi all,
I have some trouble and I have no idea now ...
I have the following network :
------------------------|-------------| <-Inside-> Cisco 1800 <--> Private VPN <--> FTP Server
FTP Client <-DMZ-> | ASA 5510 |
------------------------|-------------| <-Outside-> Modem/router <--> Internet
When I make an FTP connection, authentication is good (and slow) but I can't put any file.
The transfer begins but stops at 130 072 octets and I get a connection timeout.
If I remove the ASA 5510 like this :
FTP Client <--> Cisco 1800 <--> Private VPN <--> FTP Server
The authentication and transfer are OK ...
People who maintain the Cisco 1800 say that they haven't any problem ...
The FTP Server is in Active Mode, my client too.
The static on the ASA works because I can authenticate (tcp/21).
Ip inspect ftp is on (must be because we are in Active Mode).
I tested a lot of things but nothing got better.
Access-list permit any for the test.
Finally, I sniffed the network between the ASA and the 1800 and I don't have any ACK (I think) and I have a lot of TCP RETRANSMISSION.
Do you have an idea to resolve my problem ...? Do you think this problem comes from the ASA?
Thanks a lot,
Fred
PS: I forgot to do one thing ... fix the speed and the duplex, I will do it soon.
Sorry for my bad English ...
02-17-2009 01:27 PM
Does your configuration contain the following items?
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global
02-18-2009 01:35 AM
Yes, my configuration contains these items.
If I don't have the ASA, I have the following sequence (Wireshark):
ftp-data > 6049 [ACK] Seq=1 Ack=9577 Win=25992 Len=0 TSV=1675536326 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes
ftp-data > 6049 [ACK] Seq=1 Ack=10945 Win=28728 Len=0 TSV=1675536334 TSER=23653399
FTP Data: 1368 bytes
FTP Data: 1368 bytes
With the ASA:
ftp-data > 6051 [ACK] Seq=1 Ack=23353 Win=54720 Len=0 TSV=1675557559 TSER=23655526
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
ftp-data > 6051 [PSH, ACK] Seq=1 Ack=26089 Win=60192 Len=0
FTP Data: 1368 bytes
FTP Data: 1368 bytes
[TCP Retransmission] FTP Data: 1368 bytes
Finally, I have a connection timeout ...
02-23-2009 01:24 AM
A little update because I haven't found any solution ...
If someone has an idea ...?
03-23-2009 12:17 PM
I am seeing the same issue. Interested in response.
03-23-2009 06:05 PM
What version of ASA Code are you running? See following document
https://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html
03-23-2009 06:08 PM
Following caveat from earlier post
CSCsc91450
Yes
FTP control channel timing out although data channel is active.