01-28-2021 12:45 PM
Hello,
We're having a problem accessing an outside SFTP server and suspect the problem has to do with the ASA. The connection is unexpectedly dropped.
I seem to remember a while back having similar issues, but cannot remember the solution.
Is there any special configuration that needs to be implemented to allow clients to access outside SFTP servers from inside the network?
Thanks
01-28-2021 03:03 PM
We would need more information, for example: is the connection dropped after a period of idle time? If yes, how long was the idle time before the connection dropped?
By default the ASA will drop idle connections after 1 hour of idle time. If this is happening to you, then you can set the value to 0, which will leave the connection open indefinitely.
For example:
access-list sftp-timeout extended permit tcp 10.10.10.0 255.255.255.0 host 193.212.212.212 eq 22
class-map sftp-timeout
 match access-list sftp-timeout
policy-map global_policy
 class sftp-timeout
  set connection timeout idle 0
01-28-2021 03:50 PM
01-28-2021 09:34 PM
Easiest way to tell if the firewall is affecting the traffic is to look at the packet captures of the INSIDE and OUTSIDE interfaces, attempt your connection to the external SFTP server, then look at the captures. If you see packets missing in either direction, then you know something is being filtered by the firewall. Easiest way to kick this off is using the ASDM packet capture wizard but you could do it via command line as well. I personally have not had issues passing SCP, SFTP, or SSH through my ASA but your mileage may vary. Please let us know what you find or if you need any further help.
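The command-line form of the capture comparison described above, as an added example that is not part of the original posts. The interface names `inside` and `outside` and the capture names `capin` and `capout` are assumptions; the addresses are the sample ones from the earlier reply.

```cisco
! Added example. Interface names (inside/outside) and capture names
! (capin/capout) are assumptions; addresses are the thread's sample values.

! Capture SSH/SFTP traffic on the inside interface. "match" is
! bidirectional, so return traffic from the server is captured too.
capture capin interface inside match tcp 10.10.10.0 255.255.255.0 host 193.212.212.212 eq 22

! Capture on the outside interface. The client source is matched as "any"
! because the address may be translated by NAT before it leaves the ASA.
capture capout interface outside match tcp any host 193.212.212.212 eq 22

! Reproduce the SFTP session, then compare the two captures. A packet
! present in one capture and absent from the other was dropped by the ASA.
show capture capin
show capture capout

! Check the connection entry while the session is up: the idle timer and
! flags show whether the connection is approaching the idle timeout.
show conn address 193.212.212.212

! Remove the captures when finished to free the capture buffers.
no capture capin
no capture capout
```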