12-13-2010 05:58 AM - edited 03-11-2019 12:21 PM
Hi All,
I'm facing an issue with two active FTP sessions from outside to inside; the server is placed inside the firewall. A single FTP session is working fine with the same config on the f/w.
Here are the logs which were captured during the issue -
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1353 to Outside:61.246.x.x/40548
%ASA-6-302013: Built outbound TCP connection 24753052 for Outside:169.254.x.x/1131 (169.254.92.140/1131) to Inside:10.240.8.147/1353 (61.246.223.2/40548)
%ASA-7-710005: TCP request discarded from 98.250.x.x/28973 to Outside:61.246.x.x/29122
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4201 to Outside:61.246.x.x/37684 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.166/4416 to Outside:61.246.223.2/35035
%ASA-6-302013: Built outbound TCP connection 24753053 for Outside:169.254.206.12/1131 (169.254.206.x/1131) to Inside:10.240.8.166/4416 (61.246.223.2/35035)
Please suggest on the above,
thanks for help in advance
----------------
Madhu
12-13-2010 06:08 AM
Hi Madhu,
Thanks for posting. You mean that you connect an FTP client, and when you connect the second one it doesn't work, is that correct? Do you use the same FTP client to connect?
On the logs I cannot see any teardown of the connection, only translations and I am not sure if that is one of the clients you are hooking up.
Please let us know some more details about this and we will be glad to help
Cheers
Mike
12-13-2010 08:54 PM
Hi Mike,
Yes, that's correct, I'm using the same client to connect; both FTP are configured in the same way, but one is working and the later one is not working.
I have taken these logs while I'm trying to connect from a dialup connection to the FTP server which is inside my f/w.
Ping is working from the outside dialup connection to the FTP server. Both FTP servers are configured on different machines.
logs ------
========
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4197 to Outside:61.246.x.x/58052 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.32/4159 to Outside:61.246.x.x/49433
%ASA-6-302013: Built outbound TCP connection 24753042 for Outside:74.125.x.x/80 (74.125..x.x/80) to Inside:10.240.8.32/4159 (61.246.x.x/49433)
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.19/2651 to Outside:61.246.x.x/14308 duration 0:01:30
%ASA-6-30bound TCP connection 24753050 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.166/4415 (61.246.x.x/17687)
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1352 to Outside:61.246.x.x/38937
%ASA-6-302013: Built outbound TCP connection 24753051 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.147/1352 (61.246.x.x/38937)
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.147/1353 to Outside:61.246.x.x/40548
%ASA-6-302013: Built outbound TCP connection 24753052 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.147/1353 (61.246.x.x/40548)
%ASA-7-710005: TCP request discarded from 98.250.113.x/28973 to Outside:61.246.x.x/29122
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.240.8.166/4201 to Outside:61.246.x.x/37684 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from Inside:10.240.8.166/4416 to Outside:61.246.x.x/35035
%ASA-6-302013: Built outbound TCP connection 24753053 for Outside:169.254.x.x/1131 (169.254.x.x/1131) to Inside:10.240.8.166/4416 (61.246.x.x/35035)
CiscoASA#
=============
Thanks for your reply.
Madhu
12-14-2010 05:04 AM
Hello,
I think the best thing that you can do at this point is to take a Wireshark capture on the server and check when the clients try to connect and see how far they get. As far as the firewall is concerned, it does not seem to be dropping the connection (based on these logs) by an inspection or any configured rule.
Also you can set a capture on the ASA firewall with type asp-drop to check if any packets regarding that connection are being dropped.
capture asp type asp-drop all
show cap | inc
Let me know if this helps
Mike
12-15-2010 04:15 PM
To capture, bring up the first FTP client session, then try to telnet from outside to port 21 on that server at the same time from the same machine; repeat after that from some other machine. I recommend you check the Dynamic NAT table too.
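One way to triage syslog output like the lines pasted in this thread, as an added example that is not from any of the posters: it counts ASA message IDs, lists events that touch the FTP control port, and pulls out 710005 discards. The sample lines, the addresses in them, and the function names `parse` and `triage` are constructed for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")
# [interface:]address/port; addresses may be masked with "x" as in the thread
ENDPOINT = re.compile(r"(?:(\w+):)?([0-9x.]+)/(\d+)")

# Constructed sample in the message formats quoted above (not the poster's data).
SAMPLE = """\
%ASA-6-305011: Built dynamic TCP translation from Inside:10.0.0.147/1353 to Outside:192.0.2.2/40548
%ASA-6-302013: Built outbound TCP connection 1001 for Outside:198.51.100.9/1131 (198.51.100.9/1131) to Inside:10.0.0.147/1353 (192.0.2.2/40548)
%ASA-7-710005: TCP request discarded from 203.0.113.7/28973 to Outside:192.0.2.2/29122
%ASA-6-305012: Teardown dynamic TCP translation from Inside:10.0.0.166/4201 to Outside:192.0.2.2/37684 duration 0:01:00
%ASA-6-302013: Built inbound TCP connection 1002 for Outside:203.0.113.7/50211 (203.0.113.7/50211) to Inside:10.0.0.20/21 (192.0.2.2/21)
%ASA-6-30bound TCP connection 1003 for Outside:198.51.100.9/1131 (198.51.100.9/1131) to Inside:10.0.0.166/4415 (192.0.2.2/17687)
"""

def parse(line):
    """Return (msg_id, text, endpoints), or None for a truncated or non-ASA line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    text = m.group(3)
    endpoints = [(i, a, int(p)) for i, a, p in ENDPOINT.findall(text)]
    return m.group(2), text, endpoints

def triage(log, port=21):
    """Summarise a log: message counts, events touching `port`, 710005 discards."""
    counts, on_port, discards, skipped = Counter(), [], [], 0
    for line in filter(None, map(str.strip, log.splitlines())):
        rec = parse(line)
        if rec is None:          # e.g. a line cut off mid-header when pasted
            skipped += 1
            continue
        msg_id, text, endpoints = rec
        counts[msg_id] += 1
        if any(p == port for _, _, p in endpoints):
            on_port.append(text)
        # 710005: request addressed to the ASA itself with no service listening
        if msg_id == "710005" and endpoints:
            discards.append(endpoints[-1][1:])   # (address, port) that was refused
    return {"counts": counts, "on_port": on_port,
            "discards": discards, "skipped": skipped}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

An empty `on_port` list for port 21 means the pasted excerpt contains no FTP control connection at all, so the capture window or log filter should be widened before drawing conclusions about drops.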