Upgrade 7.6 -> 7.7 stopped media and FTP: is inspection the culprit?

Ditter
Level 4

Hi to all,

After upgrading from 7.6 to 7.7, RTP traffic as well as FTP stopped working.

I disabled media inspection with flexconfig and media started working again.

Now our users complain about problems with FTP.

I suppose that if I disable FTP inspection it will start to work (as with RTP).

But is that possible?  A minor upgrade from 7.6 to 7.7 caused this inspection problem?

Can you please post your global policy from your FTDs, to see if inspection is also active in these versions?

My point is that if RTP as well as FTP inspection is also active prior to the 7.7 upgrade, then the upgrade also caused some extra implication...

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class_snmp
  inspect snmp
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!

My FTDs run 7.4.2.3 (Build 4)


> show version
---------------------[ ftd-1 ]----------------------
Model : Cisco Firepower 2140 Threat Defense (77) Version 7.4.2.3 (Build 4)
UUID : 5857ad62-0bf5-11ed-b5a5-a5352e00b8f4
LSP version : lsp-rel-20250710-1707
VDB version : 408
----------------------------------------------------

Thanks,

Ditter.
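The post asks other FTDs' owners to share their global policy so the inspection sets can be compared. The Python below is an added example for this thread, not Cisco code and not posted by anyone in it: it parses `policy-map` output in either the indented `show running-config` form or the flattened form pasted above, diffs the inspections enabled per class between two devices, and renders the FlexConfig lines that would restore anything found missing (useful when the time comes to re-enable an inspection that was disabled as a workaround). The two sample policies are constructed from the policy posted above; the second one has `inspect ftp` removed.

```python
"""Parse Cisco ASA/FTD `policy-map` output and diff the inspections enabled
in two policies. Added example for this thread, not Cisco code; the two
sample policies are constructed from the global policy posted above."""
from typing import Dict, List, Set

# Constructed sample: the global policy posted in the thread (FTD 7.4.2.3).
POLICY_74 = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class_snmp
  inspect snmp
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
"""

# Constructed sample: the same policy after a FlexConfig "no inspect ftp".
POLICY_NO_FTP = POLICY_74.replace("  inspect ftp\n", "")


def parse_policy_map(text: str, name: str = "global_policy") -> Dict[str, Set[str]]:
    """Return {class_name: {inspection, ...}} for the named policy-map.

    Lines are matched by keyword rather than indentation, so the indented
    `show running-config` form and the flattened form pasted in forum posts
    parse identically. Map names (preset_dns_map, UM_STATIC_...) are dropped
    so that only the protocol being inspected is compared.
    """
    classes: Dict[str, Set[str]] = {}
    current = None
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy = line.split()[1] == name
            current = None
        elif line == "!":
            in_policy = False
        elif not in_policy:
            continue
        elif line.startswith("class "):
            current = line.split(None, 1)[1]
            classes.setdefault(current, set())
        elif line.startswith("inspect ") and current is not None:
            parts = line.split()
            proto = parts[1]
            if proto == "h323" and len(parts) > 2:  # h323 has two sub-engines
                proto = f"h323 {parts[2]}"
            classes[current].add(proto)
    return classes


def diff_inspections(reference: Dict[str, Set[str]],
                     candidate: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Inspections enabled in `reference` but absent from `candidate`, per class."""
    missing: Dict[str, List[str]] = {}
    for cls, inspections in reference.items():
        gap = inspections - candidate.get(cls, set())
        if gap:
            missing[cls] = sorted(gap)
    return missing


def flexconfig_to_restore(missing: Dict[str, List[str]],
                          policy: str = "global_policy") -> str:
    """Render the FlexConfig lines that would re-enable the missing inspections."""
    lines = [f"policy-map {policy}"]
    for cls, inspections in missing.items():
        lines.append(f" class {cls}")
        lines.extend(f"  inspect {proto}" for proto in inspections)
    return "\n".join(lines)


if __name__ == "__main__":
    gap = diff_inspections(parse_policy_map(POLICY_74), parse_policy_map(POLICY_NO_FTP))
    print("missing on second device:", gap)
    print(flexconfig_to_restore(gap))
```

Paste each device's `show running-config policy-map` output into the two strings (or read them from files) to get a per-class list of what one box inspects that the other does not; for the constructed samples the only difference reported is `ftp` under `inspection_default`.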

Accepted Solution

wajidhassan
Level 4

You're absolutely right to suspect that FTP inspection in FTD 7.7 is causing your issues—this isn't just theoretical; earlier versions had documented bugs tied to FTP inspection, and it's likely that the upgrade introduced a quirk in the inspection engine.

FTP Inspection in FTD
Known FTP inspection bugs pre-7.7
FTD 6.2.x had a documented issue (CSCve45948) where the FTP control channel worked but the data channel wouldn't, requiring a pre-filter workaround.

There was also a Denial-of-Service flaw (CVE-2018-15390) in the FTP inspection engine; Cisco recommended disabling inspect ftp when FTP file policies were used.

These examples show that FTP inspection in FTD has been brittle historically.

Your Situation: Impact of 7.7 Upgrade
You observed RTP issues after upgrading to 7.7, resolved by disabling media inspection—indicating the newer inspection engine is more aggressive or stricter.

Now you're seeing FTP failures. Given the history, it's highly plausible inspect ftp is likewise broken in your environment.

Yes, the minor 7.6 → 7.7 upgrade very likely introduced changes in inspection logic that are now impacting functionality.

Suggested Next Steps
Disable FTP inspection via FlexConfig, similar to your RTP workaround:

policy-map global_policy
 class inspection_default
  no inspect ftp

Test FTP functionality (passive and active modes). If this restores FTP, it confirms the inspection engine is at fault.

Monitor Cisco’s bug tracker and release notes for FTD 7.7.x fixes relevant to FTP inspection.

Plan to re-enable inspection once the bug is resolved—bypassing inspection can expose you to protocol misuse or threat evasion.

Policy Confirmation
Here’s your policy versus mine (running FTD 7.4.2.3 Build 4):

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class_snmp
  inspect snmp
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
(Copied from your initial message)

My environment includes inspect ftp in the global policy, so FTP inspection is indeed active by default—and your 7.7 behavior indicates that something changed in that inspect engine.

Conclusion
Yes, disabling inspect ftp is likely to bring back FTP functionality.

Yes, your minor upgrade did introduce this inspection issue—history supports that Cisco's FTP ALG has had persistent bugs that manifest in newer builds.

Yes, your global policy aligns with best practice defaults, and the 7.7 version appears to have faulty inspect behavior beyond just RTP.
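The answer above recommends testing passive and active FTP separately after changing inspection. The Python below is an added example for this thread, not Cisco code and not from the answer's author: it probes a server in both modes and reports the control channel and the data channel separately, so a "control works, data does not" result (the symptom described for CSCve45948) can be told apart from a plain connectivity or ACL failure. It also decodes the `227` PASV reply and the `PORT` command, which are exactly the messages the FTP ALG has to parse, rewrite under NAT and open a data-channel pinhole for. That is why, with `inspect ftp` off, passive FTP to an outside server usually keeps working (the inside client opens both connections itself) while active FTP fails unless the server's inbound data connection is permitted separately; the workaround is therefore a change in exposure, not only in function. The host, credentials and sample control-channel messages are constructed, and `data_endpoint_consistent` is an assumed model of the address check an ALG performs, not a statement of FTD's exact strict-mode rules.

```python
"""Probe FTP in passive and active modes and decode the control-channel
messages an FTP ALG tracks. Added example for this thread, not Cisco code;
the host, credentials and sample messages are constructed."""
import re
from ftplib import FTP, Error as FtpError
from typing import Dict, Optional, Tuple

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply
    into the (ip, port) the client will connect to for the data channel."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(command: str) -> Tuple[str, int]:
    """Decode a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode) into
    the (ip, port) the server will connect back to."""
    parts = command.strip().split()
    if len(parts) != 2 or parts[0].upper() != "PORT":
        raise ValueError(f"not a PORT command: {command!r}")
    nums = [int(x) for x in parts[1].split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed PORT argument: {command!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_endpoint_consistent(embedded_ip: str, control_peer_ip: str) -> bool:
    """Assumed model of the ALG's sanity check: the address a peer embeds in
    PASV/PORT must be that peer's own control-channel address. Under NAT the
    inspector rewrites it; a mismatch without NAT is the classic FTP bounce
    pattern that strict inspection drops."""
    return embedded_ip == control_peer_ip


def probe_ftp(host: str, user: str, password: str, passive: bool,
              timeout: float = 10.0) -> Dict[str, Optional[object]]:
    """Log in and list the root directory in the requested mode, reporting
    separately whether the control channel and the data channel worked."""
    result: Dict[str, Optional[object]] = {
        "mode": "passive" if passive else "active",
        "control": False, "data": False, "error": None,
    }
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login(user, password)
            result["control"] = True           # control channel is up
            ftp.set_pasv(passive)
            ftp.retrlines("LIST", lambda _line: None)  # exercises the data channel
            result["data"] = True
    except (OSError, FtpError) as exc:
        result["error"] = repr(exc)
    return result


if __name__ == "__main__":
    # Constructed/assumed target; replace with a server reached through the FTD.
    for passive in (True, False):
        print(probe_ftp("ftp.example.invalid", "anonymous", "probe@example.invalid", passive))
```

Run it from a client on the inside of the firewall before and after the FlexConfig change; a data-channel failure in only one of the two modes points at the ALG (pinhole or address rewrite) rather than at basic reachability.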


Ditter
Level 4

@wajidhassan Thanks for such a detailed and articulate reply. With such comments and suggestions, one should be very grateful to be part of this community.
