
Intermittent active FTP through ASA 5500 7.2(2)

r-frank
Level 1

I am experiencing intermittent FTP through an ASA 5500 running 7.2(2). Has anyone seen this issue or heard of it? No changes are being made to the firewall access-list during this time. Counters on the ACLs only go up occasionally when FTP is working on both 20 data and 21 control ports.

9 Replies

sticano
Level 1

Did you ever find out an answer? I am experiencing similar problems.

Hi Guys,

How did you get on with this?

I'm not sure if our problem is similar. Basically we have a client who has some scripts running on an internal machine which downloads updates from an external site via FTP. Since upgrading from the PIX to ASA (using various versions of software, currently on 7.2(2)), the FTP via command prompt hangs, whereas FTP via a browser works okay.

TAC was not able to determine the problem, but we found a work around. Basically, we had to shut off protocol inspection for the AS400 FTP sessions and then permit it for everyone else.

Yep, we did that and it worked. We also have upgraded the s/w due to another bug.

Would you mind posting the portion of your config regarding bypassing the specific traffic, the policy map, and service policy? I spoke too soon when I said it was fixed. Thanks.

My issue is that even though I specifically say that only one subnet should get inspected via class-map and ACL, it appears that everything is still being inspected.

Hi Guys,

Our next plan of attack is to try the following:

http://www.ciscotaccc.com/security/showcase?case=K35419735

We'll let you know how it goes.

Wow,

We have the exact problem (upgrade to ASA from PIX) but the FTP connection is made; it's only when the user does a list (ls) on the remote system that their session gets terminated (RST-O).

We have another egress point still using a PIX so we tried the same thing and it works fine.

The big difference with ours is we have an SSM and our policy map directs all traffic to it, so I originally thought it was the IPS module, but now by what I'm reading, it's the ASA.

I'm going to open a TAC case on this as it seems to be rampant so they should get it fixed.

Bob

Did this work?

We're having this issue, too, and I haven't been able to solve it.

bjames
Level 5

Hi,

I just saw on another thread in this forum the same issue that was blamed on the Microsoft CLI Ftp client not really going into passive mode when you set it. It still uses active.

I tested with a "real" ftp client and FTP works properly every time.

I hope this helps...
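
To check which mode a client really negotiated, as raised in the post above, read the FTP control channel: an active transfer follows a `PORT`/`EPRT` command from the client, a passive one follows a `227`/`229` reply to `PASV`/`EPSV`. The script below is an added example, not from the thread; the transcript lines are constructed and the function names are hypothetical.

```python
import re

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT = re.compile(r"^PORT " + SIX + r"\s*$", re.I)            # RFC 959, sent by client
R227 = re.compile(r"^227 .*?" + SIX)                          # server reply to PASV
EPRT = re.compile(r"^EPRT \|\d\|([^|]+)\|(\d+)\|\s*$", re.I)  # RFC 2428, "|" delimiter assumed
R229 = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")                # server reply to EPSV
XFER = re.compile(r"^(LIST|NLST|RETR|STOR|APPE)\b", re.I)     # commands that open a data channel

def endpoint(fields):
    """Six decimal fields h1,h2,h3,h4,p1,p2 -> (ip, port); port = p1*256 + p2."""
    n = [int(x) for x in fields]
    if max(n) > 255:
        raise ValueError("address/port field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def transfers(lines):
    """Return (command, mode, ip, port) for every data transfer in a control-channel log.

    The mode is taken from the last negotiation seen before the transfer command,
    so a client that sends PASV and then PORT anyway is reported as active.
    """
    last, out = None, []
    for raw in lines:
        line = re.sub(r"^-+>\s*", "", raw.strip())  # drop the "--->" debug-output marker
        if m := PORT.match(line):
            last = ("active",) + endpoint(m.groups())
        elif m := EPRT.match(line):
            last = ("active", m.group(1), int(m.group(2)))
        elif m := R227.match(line):
            last = ("passive",) + endpoint(m.groups())
        elif m := R229.match(line):
            last = ("passive", None, int(m.group(1)))  # EPSV reply carries the port only
        elif m := XFER.match(line):
            out.append((m.group(1).upper(),) + (last or ("none", None, None)))
            last = None
    return out

# Constructed sample: the client issues PASV but still sends PORT before LIST.
SAMPLE = [
    "---> PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80).",
    "---> PORT 192,168,1,20,4,1",
    "200 PORT command successful.",
    "---> LIST",
    "---> PASV",
    "227 Entering Passive Mode (203,0,113,5,195,81).",
    "---> RETR update.bin",
]

if __name__ == "__main__":
    for row in transfers(SAMPLE):
        print(row)
```
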
