huge files are not transferring - csc-ssm, cisco asa

secureIT
Level 4

Hi Netpro Team,

I am using the csc-ssm module in a Cisco ASA 5520 firewall, with the csc version as 6.3.1172.0. I have a public FTP server, and whenever I transfer zipped files of more than 50 MB or 70 MB or more than that, it fails. I used to upload by clicking the FTP site and copy-pasting the file to the location. After a certain point of time, the download fails with the below error on the explorer.

An error occurred copying a file to the FTP server. Make sure you have permission to put file on the server.

Details:

The operation timed out

Firewall log is below.

ABCFTP1|21|10.120.110.162|1257|Teardown TCP connection 48091783 for Internet:ABCFTP1/21 to XYZ:10.120.110.162/1257 duration 0:00:27 bytes 656 TCP FINs .

-- When I remove the service policy from the firewall and try to transfer the files, it goes through without any problem. ena

-- Pls check the attached screenshot of the ftp settings in CSC-ssm. There is no problem with downloading files from the server.

17 Replies

varrao
Level 10

Check if you have this option enabled:

You need to check the action specified for large file handling for more than 50 MB; try checking the option to enable deferred scanning.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for the update Varun.

In my thread itself there is an attachment, where I have already enabled it for 75MB large file handling and enabled deferred scanning for 10MB.

pls suggest me at the earliest...

Hi Rajesh,

Please enable deferred scanning at 1 MB instead of 10 MB and check if that makes some difference.

Thanks,

Varun

Hi Varun,

I shall do the changes accordingly... could you let me know any other settings to be changed and checked on priority...

regards

Rajesh

Do you have any logs or debugs when you face this issue? Those would also be helpful.

Varun

This is the only log I saw in the log window of ASA.

ABCFTP1|21|10.120.110.162|1257|Teardown TCP connection 48091783 for Internet:ABCFTP1/21 to XYZ:10.120.110.162/1257 duration 0:00:27 bytes 656 TCP FINs

Can u pls let me know what all are the logs reqd if not the above...the commands also would be helpful.

--Rajesh

Hi All,

Pls find below the FIN timeout logged when the copy got disconnected automatically.

6__jul 7 2011__12:15:50__302014__abc_ftp1__21__10.120.110.162__1181__Teardown TCP connection 48081758 for Internet:abc_ftp1/21 to interface_dmz:10.120.110.162/1181 duration 0:11:35 bytes 590 FIN Timeout

6__jul 7 2011__12:15:26__302013__10.120.110.162__1265__abc_ftp1__21__Built outbound TCP connection 48095714 for Internet:abc_ftp1/21 (abc_ftp1/21) to interface_dmz:10.120.110.162/1265 (EXT_NATed_interface_dmz/47374)

6__jul 7 2011__12:13:26__303002__10.120.110.162__1259__abc_ftp1__21__FTP connection from interface_dmz:10.120.110.162/1259 to Internet:abc_ftp1/21, user ibsftp Stored file 2_1_1_hotfix_36_rollup.zip

6__jul 7 2011__12:13:25__302013__10.120.110.162__1261__abc_ftp1__22882__Built outbound TCP connection 48093156 for Internet:abc_ftp1/22882 (abc_ftp1/22882) to interface_dmz:10.120.110.162/1261 (EXT_NATed_interface_dmz/60551)

6__jul 7 2011__12:13:24__302014__abc_ftp1__34886__10.120.110.162__1260__Teardown TCP connection 48093107 for Internet:abc_ftp1/34886 to interface_dmz:10.120.110.162/1260 duration 0:00:00 bytes 853 TCP FINs

6__jul 7 2011__12:13:23__302013__10.120.110.162__1260__abc_ftp1__34886__Built outbound TCP connection 48093107 for Internet:abc_ftp1/34886 (abc_ftp1/34886) to interface_dmz:10.120.110.162/1260 (EXT_NATed_interface_dmz/14139)

6__jul 7 2011__12:13:19__302013__10.120.110.162__1259__abc_ftp1__21__Built outbound TCP connection 48093016 for Internet:abc_ftp1/21 (abc_ftp1/21) to interface_dmz:10.120.110.162/1259 (EXT_NATed_interface_dmz/52582)

6__jul 7 2011__12:12:47__302014__abc_ftp1__21__10.120.110.162__1257__Teardown TCP connection 48091783 for Internet:abc_ftp1/21 to interface_dmz:10.120.110.162/1257 duration 0:00:27 bytes 656 TCP FINs

6__jul 7 2011__12:12:19__302013__10.120.110.162__1257__abc_ftp1__21__Built outbound TCP connection 48091783 for Internet:abc_ftp1/21 (abc_ftp1/21) to interface_dmz:10.120.110.162/1257 (EXT_NATed_interface_dmz/50080).

CAN SOMEONE HELP ME....
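The log export posted above can be triaged mechanically. The following is an added example, not part of the original post or of any Cisco tool: it parses the `__`-delimited lines, picks out syslog 302014 (TCP teardown) records and reports FTP control-channel sessions that ended with anything other than a normal `TCP FINs` close. The field layout is assumed from the post, and the function names are hypothetical.

```python
import re
from datetime import timedelta

# Four lines copied from the post above ("__"-delimited log export).
SAMPLE = """\
6__jul 7 2011__12:15:50__302014__abc_ftp1__21__10.120.110.162__1181__Teardown TCP connection 48081758 for Internet:abc_ftp1/21 to interface_dmz:10.120.110.162/1181 duration 0:11:35 bytes 590 FIN Timeout
6__jul 7 2011__12:13:24__302014__abc_ftp1__34886__10.120.110.162__1260__Teardown TCP connection 48093107 for Internet:abc_ftp1/34886 to interface_dmz:10.120.110.162/1260 duration 0:00:00 bytes 853 TCP FINs
6__jul 7 2011__12:13:23__302013__10.120.110.162__1260__abc_ftp1__34886__Built outbound TCP connection 48093107 for Internet:abc_ftp1/34886 (abc_ftp1/34886) to interface_dmz:10.120.110.162/1260 (EXT_NATed_interface_dmz/14139)
6__jul 7 2011__12:12:47__302014__abc_ftp1__21__10.120.110.162__1257__Teardown TCP connection 48091783 for Internet:abc_ftp1/21 to interface_dmz:10.120.110.162/1257 duration 0:00:27 bytes 656 TCP FINs
"""

# Message text of syslog 302014 (TCP teardown) as it appears in the post.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for \S+?/(?P<port>\d+) to \S+ "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_teardowns(text):
    """Return one dict per 302014 line; other message IDs are skipped."""
    found = []
    for line in text.splitlines():
        # Layout assumed from the post: severity, date, time, message ID,
        # two address/port pairs, then the free-text message.
        fields = line.split("__", 8)
        if len(fields) != 9 or fields[3] != "302014":
            continue
        m = TEARDOWN.match(fields[8].strip())
        if m is None:
            continue
        found.append({
            "time": fields[2],
            "conn": m["conn"],
            "port": int(m["port"]),
            "duration": timedelta(hours=int(m["h"]), minutes=int(m["m"]), seconds=int(m["s"])),
            "bytes": int(m["bytes"]),
            "reason": m["reason"].rstrip(" ."),
        })
    return found

def abnormal_control_teardowns(teardowns, control_port=21):
    """Control-channel sessions that did not end with a normal FIN exchange."""
    return [t for t in teardowns
            if t["port"] == control_port and t["reason"] != "TCP FINs"]

if __name__ == "__main__":
    for t in abnormal_control_teardowns(parse_teardowns(SAMPLE)):
        print(t["time"], t["conn"], t["duration"], t["bytes"], t["reason"])
```

On the sample it reports connection 48081758: a port 21 session that stayed open for 0:11:35, carried only 590 bytes and was closed by `FIN Timeout`.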

Hi Varun,

Could you please check the above logs...

FIN Timeout --> Force termination after 10 minutes awaiting the last ACK or after half-closed timeout. This is the meaning.

Can you pls let me know what could have gone wrong.

Hi Rajesh,

Did you try enabling deferred scanning for 1 MB?

Varun

Hi Varun,

Thanks for the update!!!

I shall check this and update you in 1hr....

If I configure it for 1MB, all files exceeding 1MB of data would be placed in deferred scanning, right? And if any virus is there in the data, the server would be affected as well, right?

No Rajesh, deferred scanning means it would download 1 MB of data, then scan it and send it across. If you do not have deferred scanning enabled, then CSC would first download the complete 75 MB, then scan the file and send it.

Thanks,

Varun

Varun, the info on CSC states differently.

Does this mean, it caches and then scans?

Hi Jyothdas,

Deferred scanning means that if any file's size is greater than 1 MB, the CSC module would scan the file as it gets downloaded and send it to the client machine; it would not wait for the complete file to be downloaded and then scanned. Yes, it might not scan in detail and that's why you have the warning, but for large files, it speeds up the process.

Thanks,

Varun

Hi Varun,

Enabling the deferred scan wasn't successful, as it was failing. Any alternate ways?
