03-05-2021 03:35 AM
Hi all,
I had one of my customers complain that FTP transfers stop partway through when transferring large video files (a few hundred MBs) and large numbers of pictures while using a hotspot on a mobile device.
After troubleshooting with the customer, I came across the following lines using the system support trace command (more logs in the attachment):
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Packet: TCP, ACK, RST, seq 564816442, ack 1311484036
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 AppID: service FTP (165), application FTP Passive (4003)
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Firewall: allow rule, 'Migrated from CP Outside (4)', allow
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Snort id 5, NAP id 5, IPS id 3, Verdict PASS
95.168.120.254-50366 > 192.168.254.12-21 6 AS 1-1 I 5 Got end of flow event from hardware with flags 00038803. Rule Match Data: rule_id 268444845, rule_action 2 rev_id 4036378464, rule_flags 2
95.168.120.254-50366 > 192.168.254.12-21 6 AS 1-1 I 5 Logging EOF for event from hardware with rule_id = 268444845 ruleAction = 2 ruleReason = 0
95.168.120.254-50366 > 192.168.254.12-21 6 AS 1-1 I 5 : Received EOF, deleting the snort session.
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Session: deleting snort session, reason: timeout
95.168.120.254-50366 > 192.168.254.12-21 6 AS 1-1 I 5 deleting firewall session flags = 0x38803, fwFlags = 0x1114
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Session: deleted snort session using 0 bytes; protocol id:(6) : LWstate 0xf LWFlags 0xe007
95.168.120.254-50367 > 192.168.254.12-55025 6 AS 1-1 I 5 Got end of flow event from hardware with flags 00038803. Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
95.168.120.254-50367 > 192.168.254.12-55025 6 AS 1-1 I 5 Logging EOF for event from hardware with rule_id = 268444845 ruleAction = 2 ruleReason = 0
95.168.120.254-50367 > 192.168.254.12-55025 6 AS 1-1 I 5 : Received EOF, deleting the snort session.
95.168.120.254-50367 - 192.168.254.12-55025 6 AS 1-1 CID 0 Session: deleting snort session, reason: timeout
95.168.120.254-50367 > 192.168.254.12-55025 6 AS 1-1 I 5 deleting firewall session flags = 0x38803, fwFlags = 0x1154
95.168.120.254-50367 - 192.168.254.12-55025 6 AS 1-1 CID 0 Session: deleted snort session using 0 bytes; protocol id:(25) : LWstate 0xf LWFlags 0x6007
After looking at the logs, it seems that the FTD is closing the sessions because of FTP transfer connections timing out. Later, the control connections are closed, but this time normally.
Am I reading this correctly?
If so, is there some way besides a traffic capture to see what is causing these timeouts?
03-05-2021 06:01 AM
Also a bit more information. On the firewall itself the connection timeouts are set to default:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
So I'm a bit confused how a timeout is happening.
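One way to condense trace output like the above into a per-flow teardown summary, as an added example that is not part of the original posts. The line layout is assumed from the lines quoted in the first post; `summarize` and its field names are hypothetical.

```python
import re

# Trace lines copied from the first post (a subset covering both flows).
SAMPLE = """\
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Packet: TCP, ACK, RST, seq 564816442, ack 1311484036
95.168.120.254-50366 > 192.168.254.12-21 6 AS 1-1 I 5 Got end of flow event from hardware with flags 00038803. Rule Match Data: rule_id 268444845, rule_action 2 rev_id 4036378464, rule_flags 2
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Session: deleting snort session, reason: timeout
95.168.120.254-50366 - 192.168.254.12-21 6 AS 1-1 CID 0 Session: deleted snort session using 0 bytes; protocol id:(6) : LWstate 0xf LWFlags 0xe007
95.168.120.254-50367 > 192.168.254.12-55025 6 AS 1-1 I 5 Got end of flow event from hardware with flags 00038803. Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
95.168.120.254-50367 - 192.168.254.12-55025 6 AS 1-1 CID 0 Session: deleting snort session, reason: timeout
95.168.120.254-50367 - 192.168.254.12-55025 6 AS 1-1 CID 0 Session: deleted snort session using 0 bytes; protocol id:(25) : LWstate 0xf LWFlags 0x6007
"""

# Assumed layout: "<src>-<sport> <-|>> <dst>-<dport> <number> <message...>"
FLOW = re.compile(r"^(\S+)-(\d+) [->] (\S+)-(\d+) (\d+) (.*)$")

def summarize(trace):
    """Group trace lines by flow and record how each session was torn down."""
    flows = {}
    for line in trace.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue  # skip anything that is not a per-flow trace line
        key = "%s:%s->%s:%s" % m.group(1, 2, 3, 4)
        rec = flows.setdefault(
            key, {"rst": False, "hw_eof": False, "reason": None, "bytes": None})
        msg = m.group(6)
        # A "Packet:" line lists the TCP flags before the sequence number.
        if "Packet: TCP" in msg and "RST" in msg.split("seq")[0]:
            rec["rst"] = True
        if "end of flow event from hardware" in msg:
            rec["hw_eof"] = True
        reason = re.search(r"deleting snort session, reason: (\w+)", msg)
        if reason:
            rec["reason"] = reason.group(1)
        used = re.search(r"deleted snort session using (\d+) bytes", msg)
        if used:
            rec["bytes"] = int(used.group(1))
    return flows

if __name__ == "__main__":
    for flow, rec in summarize(SAMPLE).items():
        print(flow, rec)
```

Run against the full attachment, this puts the control and data flows side by side so the deletion reason and the presence of a RST can be compared per connection.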