SFTP server access problem through ASA

Chris Mickle
Level 1

Hello,

We're having a problem accessing an outside SFTP server and suspect the problem has to do with the ASA. The connection is unexpectedly dropped.

I seem to remember a while back having similar issues, but cannot remember the solution.

Is there any special configuration that needs to be implemented to allow clients to access outside SFTP servers from inside the network?

Thanks

3 Replies

We would need more information, for example: is the connection dropped after a period of idle time? If yes, how long was the idle time before the connection dropped?

By default the ASA will drop idle connections after 1 hour of idle time. If this is happening to you then you can set the value to 0, which will leave the connection open indefinitely.

For example:

access-list sftp-timeout extended permit tcp 10.10.10.0 255.255.255.0 host 193.212.212.212 eq 22
class-map sftp-timeout
 match access-list sftp-timeout
policy-map global_policy
 class sftp-timeout
  set connection timeout idle 0

--
Please remember to select a correct answer and rate helpful posts
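A few checks to run after applying the idle-timeout policy above. This is an added example, not part of the reply; it reuses the 10.10.10.0/24 network and 193.212.212.212 address from the reply's ACL, and 10.10.10.25 is a placeholder client address. Lines beginning with "!" are annotations, not commands. Two caveats worth knowing before relying on this: on ASA 8.3 and later the ACL referenced by the class-map must use real (pre-NAT) addresses, which the inside network here already is, and "idle 0" disables the idle timer for every matching flow, so keep the ACL as narrow as the one in the reply rather than widening it to "any".

```text
! Confirm the policy-map is actually applied. On most ASAs global_policy is bound by default,
! but if this line is missing the class you added never takes effect.
show running-config service-policy
! Expected: service-policy global_policy global

! Confirm the class and the set connection action were accepted as typed
show running-config policy-map global_policy

! Ask the ASA which class a simulated SFTP flow from 10.10.10.25 would match
show service-policy flow tcp host 10.10.10.25 host 193.212.212.212 eq 22

! While an SFTP session is open, check the live connection and its idle counter
show conn address 193.212.212.212 port 22 detail
```

If "show service-policy flow" does not list the sftp-timeout class for the simulated flow, the ACL or class-map is not matching and the default one-hour timeout still applies. If the timeout policy is correct but the session still drops immediately rather than after a long idle period, idle timeout is not the cause and packet captures on both interfaces are the next step.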

The connection fails almost immediately. I can see it connect initially, then it fails with an unexpected error. I seem to remember something about the ASA not being able to inspect the data traffic because the connection is over SSH, but I've been unable to figure out how to make it work.

TJ-20933766
Spotlight

The easiest way to tell if the firewall is affecting the traffic is to look at the packet captures of the INSIDE and OUTSIDE interfaces, attempt your connection to the external SFTP server, then look at the captures. If you see packets missing in either direction, then you know something is being filtered by the firewall. The easiest way to kick this off is using the ASDM packet capture wizard, but you could do it via the command line as well. I personally have not had issues passing SCP, SFTP, or SSH through my ASA, but your mileage may vary. Please let us know what you find or if you need any further help.
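The command-line version of the capture procedure described above, as an added example that is not part of the reply. It reuses the 10.10.10.0/24 network and 193.212.212.212 server address from the earlier reply; 10.10.10.25 and the TFTP server address are placeholders. The outside capture matches any source address because if the ASA is doing PAT the inside client will appear as the outside interface address. Lines beginning with "!" are annotations, not commands.

```text
! Capture the SFTP flow on both interfaces
capture cap-in interface inside match tcp 10.10.10.0 255.255.255.0 host 193.212.212.212 eq 22
capture cap-out interface outside match tcp any host 193.212.212.212 eq 22
! Also record anything the accelerated security path discards, with the drop reason
capture cap-drop type asp-drop all

! ... reproduce the SFTP connection from the client until it fails, then:
show capture cap-in
show capture cap-out
show capture cap-drop
show asp drop

! Simulate the client's first SYN through NAT, ACLs and inspection without sending a packet
packet-tracer input inside tcp 10.10.10.25 50000 193.212.212.212 22 detailed

! Optional: export a capture as pcap for Wireshark (placeholder TFTP server address)
copy /pcap capture:cap-in tftp://192.0.2.10/cap-in.pcap

! Remove the captures when done; they consume memory while active
no capture cap-in
no capture cap-out
no capture cap-drop
```

What to look for: since the connection gets past the initial TCP handshake, compare the two captures packet by packet around the point where the client reports the error. A packet that appears on the inside capture but never on the outside (or vice versa), a drop logged in cap-drop, or a non-zero counter in "show asp drop" tells you the ASA is discarding something and gives the drop reason. If every packet is present on both sides and the session still ends with a RST or FIN from the server, the ASA is passing the traffic and the problem is on the server or client.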
