Problem with FTP file transfer over site-to-site VPN tunnel
We are using an ASA-5520 running 9.1(7) (very soon to be replaced by a Firepower), and we're having a problem with a vendor using an existing VPN tunnel to transfer files via FTP. The files in general are quite small, e.g. a few KB, and these transfer just fine. Files from a couple hundred KB to MB fail on transfer, and the user gets an error similar to the following:
Error: Critical file transfer error after transferring 524,288 bytes in 1 second.
The receive file size is set to "0", and the owner of the server (based on the file size and logs) doesn't believe it's a server-related issue. There are various timeouts set on the firewall, but these are standard, and we're not having other file size problems.
Does anyone have an idea of what I might check out? Thank you.
Are you using active FTP or passive FTP? Just make sure that the data channel ports are allowed. If the file size after disconnect is zero, it seems that the data channel isn't established.
You can also run Wireshark on the server to confirm whether actual data transfer is happening or not. This helps to isolate data channel establishment.
Additionally, confirm whether fragmentation is taking place or not. Fragmentation usually causes slow copying. This can be confirmed using Wireshark by looking at the received segments and seeing whether you are receiving fragments. In this case, you need to tweak MSS/MTU.
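A scripted version of the fragmentation check suggested in the reply above, added here as an example and not part of the original thread: it reads a classic pcap capture and counts IPv4 fragments, packets with DF set, and ICMP "fragmentation needed" messages with the MTU they report. The function names and the embedded capture are constructed for illustration; the capture is assumed to be Ethernet, little-endian classic pcap (not pcapng).

```python
import struct

def ipv4(flags_frag, proto, payload):
    """Constructed sample packet: minimal IPv4 header (10.0.0.1 -> 10.0.0.2) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def pcap(ip_packets):
    """Wrap IPv4 packets in Ethernet frames inside a classic little-endian pcap image."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in ip_packets:
        frame = b"\x00" * 12 + b"\x08\x00" + p
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def fragmentation_report(data):
    """Summarise the signs of an MTU problem found in a pcap byte string."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    rep = {"packets": 0, "fragments": 0, "df_set": 0, "frag_needed": [], "max_ip_len": 0}
    pos = 24                                   # skip the global header
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<I", data, pos + 8)[0]
        frame = data[pos + 16: pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, _, ff = struct.unpack_from("!HHH", ip, 2)
        rep["packets"] += 1
        rep["max_ip_len"] = max(rep["max_ip_len"], total_len)
        if ff & 0x2000 or ff & 0x1FFF:         # MF flag set or non-zero offset
            rep["fragments"] += 1
        if ff & 0x4000:                        # DF: dropped if larger than path MTU
            rep["df_set"] += 1
        # ICMP type 3 code 4 carries the next-hop MTU in bytes 6-7 of its header
        if ip[9] == 1 and len(ip) >= ihl + 8 and ip[ihl:ihl + 2] == b"\x03\x04":
            rep["frag_needed"].append(struct.unpack_from("!H", ip, ihl + 6)[0])
    return rep

SAMPLE = pcap([                                # constructed capture, not real traffic
    ipv4(0x4000, 6, b"\x00" * 1480),           # full-size TCP packet with DF set
    ipv4(0x2000, 6, b"\x00" * 1480),           # first fragment (MF set)
    ipv4(0x00B9, 6, b"\x00" * 100),            # last fragment, offset 185 * 8 bytes
    ipv4(0x0000, 1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400)),  # ICMP, MTU 1400
])

if __name__ == "__main__":
    print(fragmentation_report(SAMPLE))
```

Fragments or "fragmentation needed" replies in a capture of the failing transfer point at MTU/MSS; full-size DF packets with neither of those and no data arriving are also consistent with the ICMP replies being filtered along the path.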
Mohammed, thanks for your reply. FTP is passive, and the smaller files transfer just fine. I should be able to get the vendor to run a Wireshark, but I'll re-run the packet-capture on the ASA and see if I can discover something there as well. This firewall is underpowered for our organization, and it's slated to be replaced in a month. When I do run a packet capture, CPU goes up to around 95+%, and users complain about Internet speed slowing down significantly.