FTP from router based VPN
05-18-2005 12:20 AM - edited 02-21-2020 12:08 AM
I have a VPN tunnel setup between a Cisco Concentrator and Cisco 1712 which is working well. Users behind the Cisco 1712 are trying to FTP to Symantec.com to update their antivirus which is not working at all. All other aspects are working well.
Please, can anyone help?
05-18-2005 10:33 AM
I am not clear from your description whether the users can be successful with FTP to other sites and fail to the Symantec site or if they have problems with FTP to other sites. Can you clarify?
My first guess is that you may have an issue with MTU. File transfers will attempt the largest frame size that they think works. If Path MTU Discovery does not work (because some firewall is denying the ICMP messages that indicate fragmentation required but DF set), then the FTP will use 1500-byte frames, but with the added headers for IPSec the frame is too large.
I suggest that you try the command:
ip tcp adjust-mss
if your version of IOS supports it, which will set the maximum segment size to a lower value (for testing purposes I would suggest 1360). If your IOS does not support that, then I suggest that you work with one of the user machines to specify a smaller frame size.
HTH
Rick
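To make the arithmetic behind Rick's MTU guess concrete, here is an added example (not from the thread or from Cisco) that computes how large a full-size TCP segment becomes once ESP tunnel mode with esp-3des esp-md5-hmac wraps it, and what MSS keeps the result inside a 1500-byte outer MTU. The overhead figures are the standard ESP tunnel-mode fields for that transform set; the 1406 exact bound it finds is an assumption of no other encapsulation on the path, which is why a conservative value such as the suggested 1360 leaves headroom.

```python
# Added example: ESP tunnel-mode overhead vs. TCP MSS.
# Not code from the thread; overhead values are those of the standard ESP
# tunnel-mode packet layout for a 3DES-CBC / HMAC-MD5-96 transform set.

OUTER_IP = 20       # new outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
IP_TCP_HDRS = 40    # inner IPv4 (20) + TCP (20), no options


def esp_tunnel_size(inner_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    block: cipher block size (8 for 3DES-CBC), iv: IV length (8 for 3DES-CBC),
    icv: truncated HMAC-MD5-96 trailer (12). The plaintext (inner packet plus
    the 2-byte ESP trailer) is padded to a whole number of cipher blocks.
    """
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block     # ceiling to a block multiple
    return OUTER_IP + ESP_HDR + iv + padded + icv


def fits(mss: int, outer_mtu: int = 1500, **kw) -> bool:
    """Does a TCP segment carrying `mss` payload bytes fit one outer packet?"""
    return esp_tunnel_size(mss + IP_TCP_HDRS, **kw) <= outer_mtu


def max_mss(outer_mtu: int = 1500, **kw) -> int:
    """Largest MSS that never forces fragmentation on this tunnel (exact bound)."""
    mss = outer_mtu - IP_TCP_HDRS          # 1460: what a host derives from a 1500 MTU
    while mss > 0 and not fits(mss, outer_mtu, **kw):
        mss -= 1
    return mss


def pmtud_outcome(mss: int, icmp_allowed: bool, outer_mtu: int = 1500) -> str:
    """What happens to a DF-set segment: the sender only shrinks its segments
    if the 'fragmentation needed' ICMP message actually reaches it."""
    if fits(mss, outer_mtu):
        return "delivered"
    return "shrink-and-retry" if icmp_allowed else "blackhole"


if __name__ == "__main__":
    print("1460-byte MSS on the wire:", esp_tunnel_size(1460 + IP_TCP_HDRS))
    print("1360-byte MSS on the wire:", esp_tunnel_size(1360 + IP_TCP_HDRS))
    print("largest MSS that fits 1500:", max_mss())
    print("1460 MSS, ICMP filtered:", pmtud_outcome(1460, icmp_allowed=False))
```

A host that derives its MSS from a 1500-byte Ethernet MTU sends 1500-byte packets, which the tunnel turns into 1552-byte ones; clamping to 1360 brings them down to 1456 bytes, so nothing on the tunnel path has to fragment and the ICMP path no longer matters.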
05-19-2005 01:30 AM
Hi Rick,
The problem is generic FTP: they cannot FTP anywhere at all. Please find below part of the router config:
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 195.x.x.119 255.255.255.240
!
!
crypto ipsec transform-set LOC-SET esp-3des esp-md5-hmac
!
crypto map MY-MAP 10 ipsec-isakmp
 set peer 195.x.x.119
 set transform-set LOC-SET
 match address INTERESTING-TRAFFIC
!
!
!
interface FastEthernet0
 description outside link to ADSL rtr
 ip address 218.x.x.226 255.255.255.248
 ip access-group OUT-IN-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 fair-queue
 no cdp enable
 crypto map MY-MAP
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Vlan1
 description Shanghai LAN INT
 ip address 172.18.1.254 255.255.255.0
 ip helper-address 172.29.48.14
 ip helper-address 172.29.2.4
 ip helper-address 172.29.48.15
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.x.x.225
ip tacacs source-interface Vlan1
no ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended INTERESTING-TRAFFIC
 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended OUT-IN-ACL
 permit esp any host 218.x.x.226
 permit udp any host 218.x.x.226 eq isakmp
 permit icmp any any
 deny ip any any log
ip access-list extended nonat
 deny ip 172.x.x.x.0.0.255 172.16.0.0 0.15.255.255
 permit ip any any
05-19-2005 06:01 AM
In my experience the ip tcp adjust-mss has taken care of MTU issues. If you are still having problems with the adjust-mss in the config, then I believe it must not have been MTU and we need to look into other possibilities.
I assume from looking at the config that the FTP traffic is not going through the IPSec tunnel since the FTP destination address is not in 172.16.0.0 0.15.255.255. So the FTP traffic would go out the default route which is through interface FastEthernet0. I see that this interface has an inbound access list. This access list permits esp, isakmp, icmp, and denies everything else - which would include your FTP traffic.
I see that the access list does log the denied traffic. If you look in the logs do you see your FTP traffic?
HTH
Rick
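The following added example (not from the thread or from Cisco) walks a few packets through the posted OUT-IN-ACL in the first-match order IOS uses, and then picks the FTP hits out of the kind of log lines its final "deny ip any any log" entry produces, which is the check Rick asks for. It assumes the outbound FTP sessions are NAT-overloaded to the router's outside address (the nonat list in the config suggests NAT is in use), so the server's replies arrive on FastEthernet0 addressed to that interface. Addresses are constructed stand-ins: 203.0.113.226 plays the router's redacted 218.x.x.226 and 198.51.100.10 the FTP server; the log lines are constructed in the shape of the IOS %SEC-6-IPACCESSLOGP message.

```python
# Added example: first-match evaluation of the posted OUT-IN-ACL and a parser
# for the deny log lines it generates. Not code from the thread.
import re
from dataclasses import dataclass
from typing import Optional

ROUTER_OUTSIDE = "203.0.113.226"   # constructed stand-in for 218.x.x.226


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    dst: str = "any"                # "any" or a host address
    dport: Optional[int] = None     # None = any destination port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


# The inbound list from the config, in the order the router evaluates it.
OUT_IN_ACL = [
    Ace("permit", "esp", ROUTER_OUTSIDE),
    Ace("permit", "udp", ROUTER_OUTSIDE, dport=500),   # "eq isakmp"
    Ace("permit", "icmp"),
    Ace("deny", "ip", log=True),
]


def evaluate(acl, p: Packet):
    """Return (action, entry index, logged) for the first matching entry.
    An IOS ACL ends with an implicit deny, so no match is still a deny."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i, ace.log
    return "deny", len(acl), False


LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def ftp_denies(log_lines):
    """Denied TCP flows touching port 21 (control) or 20 (active data),
    returned as (src, sport, dst, dport, packet count) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "denied" or m["proto"] != "tcp":
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport in (20, 21) or dport in (20, 21):
            hits.append((m["src"], sport, m["dst"], dport, int(m["count"])))
    return hits


# Constructed sample log: FTP replies and some unrelated noise, all denied.
SAMPLE_LOG = [
    "*May 19 01:31:02: %SEC-6-IPACCESSLOGP: list OUT-IN-ACL denied tcp "
    "198.51.100.10(21) -> 203.0.113.226(1044), 3 packets",
    "*May 19 01:31:10: %SEC-6-IPACCESSLOGP: list OUT-IN-ACL denied tcp "
    "198.51.100.10(20) -> 203.0.113.226(1045), 1 packet",
    "*May 19 01:31:12: %SEC-6-IPACCESSLOGP: list OUT-IN-ACL denied udp "
    "192.0.2.9(1900) -> 203.0.113.226(1900), 1 packet",
]

if __name__ == "__main__":
    reply = Packet("tcp", "198.51.100.10", ROUTER_OUTSIDE, sport=21, dport=1044)
    print("FTP control reply:", evaluate(OUT_IN_ACL, reply))
    print("FTP hits in log:", ftp_denies(SAMPLE_LOG))
```

The control-channel reply from port 21 falls through the ESP, ISAKMP and ICMP entries and lands on the logged deny, which is exactly the trace to look for in the router's log; the tunnel traffic itself is unaffected because ESP and UDP/500 match before the deny.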
