We are using an ASA-5520 running 9.1(7) (very soon to be replaced by a Firepower), and we're having a problem with a vendor using an existing VPN tunnel to transfer files via FTP. The files are in general quite small, e.g. a few KB, and these transfer just fine. Files of a couple hundred KB to a few MB fail on transfer, and the user gets an error similar to the following:


Error: Critical file transfer error after transferring 524,288 bytes in 1 second.


The received file size is set to "0", and the owner of the server (based on the file size and logs) doesn't believe it's a server-related issue. There are various timeouts set on the firewall, but these are standard, and we're not having other file-size problems.


Does anyone have an idea of what I might check out? Thank you.

Are you using active FTP or passive FTP? Just make sure that the data channel ports are allowed. If the file size after disconnect is zero, it seems that the data channel isn't established.


You can also run wireshark on the server to confirm if actual data transfer is happening or not. This helps to isolate data channel establishment.


Additionally, confirm whether fragmentation is taking place or not. Fragmentation usually causes slow copying. This can be confirmed using Wireshark by looking at the received segments and seeing whether you are receiving fragments. In this case, you need to tweak the MSS/MTU.
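As an added example (not part of Mohammed's reply or anything posted in this thread), the Python helper below does the two bookkeeping steps his answer asks for: it parses the passive-mode `227` replies on the FTP control channel so you know exactly which server IP and port the data channel will use (and therefore which port the firewall and VPN ACLs must permit and which host/port to filter a capture on), and it computes the largest TCP MSS that still fits the path MTU once tunnel encapsulation is added, so you can tell whether the segments you see in Wireshark should have been fragmented. The control-channel transcript, the MTU and the per-packet tunnel overhead are constructed values for illustration; the real encapsulation overhead depends on the IPsec transform set in use and must be measured or taken from the tunnel configuration.

```python
"""Passive-FTP troubleshooting helpers (added example, not from the thread).

1. parse_pasv / data_channels: recover the data-channel endpoint advertised
   in a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply, where the
   port is p1 * 256 + p2.
2. safe_mss / will_fragment: MSS arithmetic for a tunnelled path. IPv4 and
   TCP headers are 20 bytes each without options; the tunnel overhead is a
   caller-supplied assumption.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample transcript of an FTP control channel (not real traffic).
SAMPLE_TRANSCRIPT = """\
220 ftp ready
USER vendor
331 Please specify the password.
PASS ********
230 Login successful.
PASV
227 Entering Passive Mode (10,20,30,40,195,80)
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (10,20,30,40,196,1)
STOR export.bin
150 Ok to send data.
"""


def parse_pasv(line):
    """Return (ip, port) from a 227 passive-mode reply, or raise ValueError."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for octet in (h1, h2, h3, h4, p1, p2):
        if octet > 255:
            raise ValueError("field out of range in PASV reply: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channels(transcript):
    """Every data-channel endpoint the server advertised during the session.

    Each value is what the firewall must allow client -> server and what
    to use as the host/port filter for a Wireshark or tcpdump capture.
    """
    return [parse_pasv(l) for l in transcript.splitlines() if l.startswith("227 ")]


def capture_filter(endpoint):
    """BPF filter string for isolating one data channel in a capture."""
    ip, port = endpoint
    return "host %s and tcp port %d" % (ip, port)


def safe_mss(path_mtu, tunnel_overhead, ip_header=20, tcp_header=20):
    """Largest TCP payload per segment that fits in path_mtu after encapsulation."""
    mss = path_mtu - tunnel_overhead - ip_header - tcp_header
    if mss <= 0:
        raise ValueError("tunnel overhead exceeds the path MTU")
    return mss


def will_fragment(segment_payload, path_mtu, tunnel_overhead,
                  ip_header=20, tcp_header=20):
    """True if a segment carrying segment_payload bytes exceeds the MTU once tunnelled."""
    return segment_payload + ip_header + tcp_header + tunnel_overhead > path_mtu


if __name__ == "__main__":
    for ep in data_channels(SAMPLE_TRANSCRIPT):
        print("data channel %s:%d  capture filter: %s" % (ep[0], ep[1], capture_filter(ep)))
    # Assumed 80 bytes of IPsec overhead on a 1500-byte path: MSS 1380.
    print("safe MSS:", safe_mss(1500, 80))
    print("1460-byte segment fragments:", will_fragment(1460, 1500, 80))
```

Run the script and compare its output with what the capture shows: if the `227` port it prints never appears in a SYN from the client in the server-side capture, the data channel is being blocked or not attempted; if the SYN arrives but the large segments on that port are fragmented or never acknowledged, the MSS/MTU path is the thing to adjust.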



Mohammed, thanks for your reply. FTP is passive, and the smaller files transfer just fine. I should be able to get the vendor to run Wireshark, but I'll re-run the packet capture on the ASA and see if I can discover something there as well. This firewall is underpowered for our organization, and it's slated to be replaced in a month. When I do run a packet capture, CPU goes up to around 95%+, and users complain about Internet speed slowing down significantly.