05-16-2007 12:40 PM - edited 03-11-2019 03:15 AM
Hello,
I have a frustrating problem with FTP across our ASA 5500 using OS 7.0.64.
When an internal user connects in active mode to an external FTP server and starts to download a large file, two connections are opened: one to port 21 of the FTP server and one to port 20 of the same server. During the file transfer I can see that the byte count for the connection to port 20 is increasing, while the byte count for the connection to port 21 is not increasing and its idle time is growing. I believe this is a mistake and maybe a bug in the OS; in fact a user transferring a very large file can be disconnected during the download because of the connection timeout on port 21. The disconnect seems to consistently happen 60 seconds into the FTP transfer.
Has anyone seen this problem before?
05-16-2007 12:53 PM
You are hitting this bug - CSCsc91450
You may check the details of this bug on following link for bug toolkit:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
I would recommend upgrading to the latest code.
Hope that helps.
Regards,
Vibhor.
05-16-2007 02:46 PM
Hi,
Unfortunately, my FTP connection did not reach the global TCP timeout, which is set at 1 hour. The connection times out after 60 seconds every single time like clockwork. I checked all my configurations, but I do not have any idle-timeouts set for 60 seconds anywhere.
Thanks,
Richard
05-16-2007 03:00 PM
Is it possible to take a look at syslogs at the time your connection drops?
Regards,
Vibhor.
05-16-2007 03:56 PM
Hi,
I placed sniffers in front and behind the ASA and noticed the connection was being closed by the server and not the ASA. However, when we open an FTP transfer between the FTP server and a client in front of the ASA, the transfer completes without a problem. I am completely baffled at what I am seeing. Can you suggest any commands I can issue on the ASA that would help with troubleshooting?
Thanks for all the help.
Regards,
Richard
05-17-2007 01:39 AM
As I suggested earlier, we would need to look at the syslogs at the time the connection is built and torn down through the ASA. Here are the steps you can use to configure syslogging:
You can download a syslog server from following link, if required.
The name of the tool is Kiwi Syslog Server.
http://www.kiwisyslog.com/php/download.php?syslogd_kiwitools
Install the server on any system connected to the PIX, and then reboot the server.
Now enter the following commands on your PIX:
pix(config)# logging host [interface_name] [ip_address]
pix(config)# logging trap [level]
pix(config)# logging on
Along with the syslogs, I would recommend collecting packet captures on the ASA interfaces through which the connection passes. Here are the steps you can use to collect the captures:
access-list cpout permit tcp host
access-list cpout permit tcp host
capture cpo access-list cpout buffer 2000000 packet-length 1518 interface outside
access-list cpin permit tcp host
access-list cpin permit tcp host
capture cpi access-list cpin buffer 2000000 packet-length 1518 interface inside
I have assumed that the client is on the inside interface.
Hope this information helps.
Regards,
Vibhor.
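As an added example (not from the thread, and not Cisco's code), here is a small Python parser over constructed ASA 302013 (Built) / 302014 (Teardown) syslog lines of the kind the logging setup above produces. It pairs the two events per connection id, reports from the teardown reason which side ended each connection (RST from the outside host, RST from the inside host, orderly FINs, or an ASA timer), and flags a port-21 control channel that was torn down while the port-20 data channel between the same two hosts was still open. The sample lines, addresses and timestamps are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the shape of ASA 302013/302014 messages (documentation addresses).
SAMPLE_SYSLOG = """\
May 16 2007 12:40:01 asa : %ASA-6-302013: Built outbound TCP connection 41219 for outside:203.0.113.5/21 (203.0.113.5/21) to inside:10.1.1.10/50123 (198.51.100.1/50123)
May 16 2007 12:40:02 asa : %ASA-6-302013: Built inbound TCP connection 41220 for outside:203.0.113.5/20 (203.0.113.5/20) to inside:10.1.1.10/50124 (198.51.100.1/50124)
May 16 2007 12:41:01 asa : %ASA-6-302014: Teardown TCP connection 41219 for outside:203.0.113.5/21 to inside:10.1.1.10/50123 duration 0:01:00 bytes 412 TCP FINs
May 16 2007 12:52:30 asa : %ASA-6-302014: Teardown TCP connection 41220 for outside:203.0.113.5/20 to inside:10.1.1.10/50124 duration 0:12:28 bytes 734003200 TCP Reset-O
"""

TS = r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)"
BUILT = re.compile(TS + r".*%ASA-\d-302013: Built (?:in|out)bound TCP connection (?P<id>\d+) "
                   r"for (?P<a>\w+:[\d.]+)/(?P<ap>\d+) \([^)]*\) to (?P<b>\w+:[\d.]+)/(?P<bp>\d+)")
TEARDOWN = re.compile(TS + r".*%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) .*duration "
                      r"(?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

def who_closed(reason):
    """Map the ASA teardown reason to the party that ended the connection."""
    if reason == "TCP Reset-O":
        return "outside host sent RST"
    if reason == "TCP Reset-I":
        return "inside host sent RST"
    if reason == "TCP FINs":
        return "both sides sent FIN (orderly close)"
    if "timeout" in reason.lower():          # e.g. idle / FIN / SYN timers on the ASA
        return "ASA timer: " + reason
    return "other: " + reason

def analyze(log_text):
    """Return {conn_id: details}; control/data role is decided by port 21 / port 20."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.match(line)
        if m:
            ports = {int(m["ap"]), int(m["bp"])}
            role = "control" if 21 in ports else "data" if 20 in ports else "other"
            conns[m["id"]] = {"built": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                              "hosts": frozenset({m["a"], m["b"]}), "role": role}
            continue
        m = TEARDOWN.match(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c["torn"] = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            h, mi, s = (int(x) for x in m["dur"].split(":"))
            c["seconds"], c["bytes"] = h * 3600 + mi * 60 + s, int(m["bytes"])
            c["closed_by"] = who_closed(m["reason"])
    # Flag control channels torn down while a data channel between the same hosts was open.
    for c in conns.values():
        if c["role"] == "control" and "torn" in c:
            c["closed_mid_transfer"] = any(
                d["role"] == "data" and d["hosts"] == c["hosts"] and d["built"] <= c["torn"]
                and d.get("torn", c["torn"]) >= c["torn"] for d in conns.values())
    return conns
```

Running analyze() over a real teardown log answers the question raised in the thread directly: a control connection ending with "TCP FINs" or "TCP Reset-O" was closed by the hosts (here the server side), whereas a timer reason means the ASA itself expired the flow.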