04-29-2011 03:05 AM - edited 03-11-2019 01:27 PM
Hi,
One of our company's customers has run into problems with software that transfers files with FTP. The situation is as follows:
Before the start of the week, the customer's DSL connection was going through very old firewall equipment (a PIX 525 running old software); at the start of the week we moved the connection behind a new ASA 5585-X (8.4(1)) firewall in multiple context mode. The actual DSL connection is an L2 connection straight to the firewall's inside interface.
After this the customer hasn't been able to use his software, which automatically connects to different banks with FTP and transfers files. So this is not a normal FTP client but software that in itself uses FTP for the file transfers. It seems to use active FTP.
I have configured the "inspect ftp" to the customer context. I have also made sure all access-list permits all the traffic.
When the customer uses the software and initiates the connection, I can see the control port connection going up (flags UOI), but I can't see the data connection forming. I can see the TCP/20 connection with "show conn", but it doesn't seem to be going UP. Also, what confuses me is that I sometimes see a TCP connection with port TCP/0 on the firewall.
The customer has a private IP address range in the LAN and only PAT translation to an outside IP for all users. NAT is configured as shown below.
object network PAT-X-X-X-X
subnet x.x.x.x y.y.y.y
nat (inside,outside) dynamic interface
I've thought about testing the FTP connection by routing an additional IP towards the customer's security context, assigning it to the user's local IP and testing the connection that way. I'm not totally sure if it will help.
I can see no form of log messages for these FTP connections that would tell me what the actual problem is. Also, it's pretty confusing that the connection sometimes goes through and sometimes just hangs. I'm wondering if the problem is because of the actual software, as it's not just standard FTP client software. Also, I'm wondering what the difference could be in replacing the PIX with the ASA. The setup regarding firewall configuration was pretty much the same on the old PIX as well.
I've already configured packet capture on the firewall context and am waiting for them to test the actual connections at some point. Probably next week.
Does anyone have any ideas why the FTP connections are failing at the moment after the firewall change?
Feel free to ask if I missed some crucial information.
- Jouni
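Added example, not code from the thread or from Cisco: a minimal Python model of what an FTP application-layer gateway such as "inspect ftp" must do for active FTP behind PAT, which shows why the TCP/20 data connection never comes up when the client's PORT command is passed through unrewritten. All addresses, ports and the `Pinhole` structure are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (IPv4 octets, then port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


@dataclass(frozen=True)
class Pinhole:
    """Hypothetical record of the temporary permit the firewall must create
    so the server-initiated data connection is allowed and untranslated."""
    server_ip: str    # FTP server address seen on the control connection
    pat_ip: str       # translated client address advertised in the rewritten PORT
    pat_port: int     # translated client port advertised in the rewritten PORT
    inside_ip: str    # real (private) client address the SYN is untranslated to
    inside_port: int


def parse_port(cmd: str) -> tuple[str, int]:
    """Decode a client PORT command into (ip, port); raises on malformed input."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("PORT octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into PORT h1,h2,h3,h4,p1,p2 syntax."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def inspect_port(cmd: str, server_ip: str, pat_ip: str, pat_port: int) -> tuple[str, Pinhole]:
    """What the ALG does: rewrite the private address in PORT to the PAT address
    (pat_port is the port the firewall allocated) and open a matching pinhole."""
    inside_ip, inside_port = parse_port(cmd)
    return format_port(pat_ip, pat_port), Pinhole(server_ip, pat_ip, pat_port, inside_ip, inside_port)


def data_syn_permitted(pinhole: Pinhole, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would an inbound data-channel SYN from the server be accepted by the pinhole?
    Without inspection the server targets the private address, which never matches."""
    return src_ip == pinhole.server_ip and dst_ip == pinhole.pat_ip and dst_port == pinhole.pat_port
```

Without the rewrite the bank's server would try to open TCP/20 towards the unreachable private address, so the control session (flags UOI) comes up but the data connection never does, which is the symptom described above.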
04-30-2011 03:38 PM
This is a known issue with 8.4.1 and the 5585 and 5580 platforms and ACTIVE FTP. The bug is CSCto09465 and it is first fixed in 8.4.1.8. Please open a TAC case to get this version of code published to you.
Posted from my mobile device.
04-29-2011 09:46 AM
Jouni,
You have done your homework. What we need at this point is that packet capture. What are the flags on the port 20 that you saw? It would be crucial to have that packet capture to see what is going on.
Cheers
Mike Rojas
04-30-2011 05:43 PM
Hi,
Big thank you for the response.
Will get in contact with our Cisco contacts at the start of the week to get the software.
- Jouni