
Unable to FTP image to ASA 5515-X

johnlloyd_13
Level 9

hi,

i'm trying to FTP an image to a 5515-x but getting error 'no more process'

 

per google, 'no more processes' is just saying 'file/directory not found'. but file is already on the linux server. the linux server is the only accessible remote server and i've used the same server for transferring license .lic files.

 

i tried playing around with the path file name but still getting the same error. can someone advise what can be wrong?

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtb65688/?rfs=iqvred

 

5515-x# copy ftp://johnl:PW@10.1.1.14/home/johnl/asa917-20-smp-k8.bin disk0:

Accessing ftp://johnl:PW@10.1.1.14/asa917-20-smp-k8.bin...
%Error reading ftp://johnl:PW@10.1.1.14/asa917-20-smp-k8.bin (No more processes)

 

5515-x# ping tcp 10.1.1.14 21
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.1.1.14 port 21
from 10.23.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/26/31 ms

 

 

[johnl@ ~]$ ls -lh
total 37M
-rw-------. 1 johnl johnl 37M Mar 24 22:24 asa917-20-smp-k8.bin

^C[johnl@~]$ ping 10.23.24.2     <<< ASA MGMT IP
PING 10.23.24.2 (10.23.24.2) 56(84) bytes of data.
64 bytes from 10.23.24.2: icmp_seq=1 ttl=251 time=24.3 ms

 

14 Replies

Is FTP running on linux? From ASA try to ping tcp on FTP port and see if it's working

hi,

i posted an ASA ping tcp 21 on my last post.

here's the linux output. is it normal FTP?

sorry i'm a linux noob.

 

[johnl@~]$ service vsftpd status
vsftpd (pid 1592) is running...

 

[johnl@ ~]$ rpm -qa | grep ftp
ftp-0.17-54.el6.x86_64
vsftpd-2.2.2-13.el6_6.1.x86_64

 

[johnl@~]$ ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)

Yes seems it needs SFTP only. If it's not listening locally it can't be ASA problem

hi,

what do u mean by SFTP only? does SFTP only run on linux server per output given?

i'm not the admin of the said server. please advise what needs to be done in order for normal FTP to work.

You need to install ftp app

hi,

but FTP is working. which output are you looking?

 

[johnl@svr01 ~]$ ftp svr01
Connected to svr01 (10.1.1.14).
220 (vsFTPd 2.2.2)
Name (svr01:john): john
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,111,0,14,90,196).
150 Here comes the directory listing.
-rw-------    1 558      558          1155 Mar 25 05:15 FGL1.lic
-rw-------    1 558      558      38338560 Mar 25 03:24 asa917-20-smp-k8.bin
226 Directory send OK.

Marvin Rhoads
Hall of Fame

What version of ASA software do you currently have? I ask because there was a change in the file structure as of 9.1(3). That change prevents you from successfully copying the new image (.bin file) - whether it is via sfp, scp, tftp, https (ASDM) or whatever method.

 

In order to upgrade from an older version to 9.1(3) or later (such as the 9.1(7) you are trying) you must first upgrade to an interim version as noted in the 9.1 release notes:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574

 

hi marvin,

thanks for jumping in! i'm beginning to suspect a bug code here.

the 5515-x A/S pair currently runs on 9.1(7)4.

i plan to upgrade the FW pair to 9.1.7.20 to patch the recent SSL VPN vulnerability (CVE-2018-0101).

does this mean i can only upgrade via USB method since FTP is not properly working due to the '(No more processes)'

which specific bug did i run per the link you gave?

@johnlloyd_13

 

It's not a bug so much as it is a documented behavior. However since you are running 9.1(7)4 already it shouldn't affect you.

 

Can you try copying any other file onto the ASA via ftp - like some random small text file just to verify ftp is working at all? That will rule out any intermediate device that is possibly breaking the ftp data channel. (The login and ls is ftp control channel.)

 

If the small file ftp works ok then maybe it is a bug that's not public-facing. I'd try perhaps one of the recommended code releases like the latest interim of 9.4, 9.6 or 9.8. Or if you really really want the latest 9.1.(7) interim then open a TAC case. (Though they may tell you to go with the recommended release as well.)
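
Added example, not part of any post in this thread: the control channel only announces where the data channel will be opened, so decoding that announcement shows which address and port any device in the path has to let through. The sketch below parses the `h1,h2,h3,h4,p1,p2` tuple of a 227 reply (or an active-mode PORT command) and compares it with the control-channel peer; the function names are hypothetical, and the sample line and address are copied from the ftp session quoted earlier in the thread.

```python
import ipaddress
import re

# RFC 959 host-port tuple "h1,h2,h3,h4,p1,p2", used by the 227 (PASV) reply
# and by the client's PORT command in active mode.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (IPv4Address, port) decoded from a 227 reply or PORT command."""
    m = HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % line)
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return addr, port


def check_data_endpoint(line, control_peer):
    """Compare the advertised data-channel endpoint with the control-channel peer."""
    addr, port = parse_hostport(line)
    peer = ipaddress.IPv4Address(control_peer)
    notes = []
    if addr != peer:
        notes.append("data address %s differs from control peer %s" % (addr, peer))
    if port < 1024:
        notes.append("data port %d is in the privileged range" % port)
    return {"address": str(addr), "port": port, "notes": notes}


if __name__ == "__main__":
    # 227 line and control-channel address as shown in the ftp session above
    sample = "227 Entering Passive Mode (10,111,0,14,90,196)."
    print(check_data_endpoint(sample, "10.1.1.14"))
```

The decoded address and port are what a packet capture or firewall rule review should be checked against when login and `ls` succeed but the transfer itself fails.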

hi marvin,

i tried with a small txt file (11KB) but still getting the same FTP response/error.

i raised a TAC case to see what they could find.

i might ask a remote tech to plug a USB stick as last resort.

It's just an educated guess but it sounds like something between your ftp server and the device is running an Application Layer Gateway (ALG = Juniper term as I have seen this issue on both ScreenOS and JunOS-based Juniper firewalls) that's preventing successful ftp data channel communications.

hi marvin,

just finished troubleshooting with TAC today and observed the same thing when we did some packet captures. notice it only uses dynamic port and FTP port 21. this is passive FTP correct?

 

183: 22:19:45.681162       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: S 3620565586:3620565586(0) win 32768 <mss 1460,nop,nop,timestamp 4138936578 0> 
184: 22:19:45.705316       802.1Q vlan#1235 P0 10.1.1.4.35630 > 10.23.24.2.22: . ack 437914409 win 65535 
185: 22:19:45.706277       802.1Q vlan#1235 P0 10.1.1.4.35630 > 10.23.24.2.22: . ack 437914461 win 65535 
186: 22:19:45.706292       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: S 1557221194:1557221194(0) ack 3620565587 win 14480 <mss 1380,nop,nop,timestamp 4181033265 4138936578> 
187: 22:19:45.706308       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: . ack 1557221195 win 32768 <nop,nop,timestamp 4138936603 4181033265> 
188: 22:19:45.735283       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: P 1557221195:1557221215(20) ack 3620565587 win 14480 <nop,nop,timestamp 4181033293 4138936603> 
189: 22:19:45.735313       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: . ack 1557221215 win 32768 <nop,nop,timestamp 4138936632 4181033293> 
190: 22:19:45.735405       802.1Q vlan#1235 P0 10.23.24.2.17535 > 10.1.1.4.21: P 3620565587:3620565599(12) ack 1557221215 win 32768 <nop,nop,timestamp 4138936633 0> 
191: 22:19:45.760321       802.1Q vlan#1235 P0 10.1.1.4.21 > 10.23.24.2.17535: . ack 3620565599 win 14480 <nop,nop,timestamp 41810333

i only noticed our linux server is using ACTIVE FTP (passive mode off) after tshooting was already done. could this be the culprit? do you know if linux server can be tweaked to support PASSIVE FTP?

 

[john@~]$ ftp
ftp> passive
Passive mode off.

It could be, I'm not sure about that.

 

Can you just try an FTP server like filezilla (free) on your laptop? Or are you limited to using a Linux jump server for the remote environment?

unfortunately i'm only limited to this linux server.
