Upload to DMZ fails from inside interface - Page 2

joeclarktx · ‎09-07-2010

I have an ASA 5510 running 8.2(2) with all an outside, inside and dmz port. Have a server in the dmz running an uploading application. I have no problem uploading files from outside the network to the dmz server, but when uploading from the inside is when I have issues. I am able to upload a 250MB PSD file but the application fails when trying to upload a 100MB FLV file. Again, both these files will upload just fine from an outside connection and when sending from within the DMZ. We have tried other types of files and a smaller FLV with some success, but it seems that when I try to upload a compressed video file that is over say 30MB, the upload fails...again from the outside it works just fine with any file that I throw at it.

I have tried natting the traffic from inside to dmz and tried without nat. I have been on the phone with Cisco TAC and they have gone over my config and tell me that this should work. There are no errors on the ASA. We have have looked at the application and there are no errors either. This seems like the TCP connection gets interrupted.

Has anyone had any issues uploading files to a server in their DMZ from the Inside interface, but from any other connection it works fine? I know this is probably something simple and I am just over analyzing it, so any help will be greatly appreciated.

Thanks in advance.

joeclarktx · ‎09-08-2010

this is the second file...too large for one post

joeclarktx · ‎09-08-2010

And this is a failed 96MB FLV file. the captures are a lot smaller and I don't see the drops like before.

joeclarktx · ‎09-09-2010

Hey Mike,

I have tried all the solutions that were suggested and what I could find on the Internet. I have added a second NIC to the server and gave it an internal address and the uploads work like they are supposed to. I really don't know what else to try.

Joe

mirober2 · ‎09-09-2010

Hi Joe,

Were you able to setup the ASP drop captures that Sachin suggested? If so, did you see any packets from the transfer being dropped?

If not, try to setup this capture:

capture drop type asp drop all

Then, do 'clear asp drop' to clear the drop counters, start the transfer, and then do 'show asp drop' and 'show cap drop' to see if any of the packets from the upload are being dropped by the ASA.

-Mike

mirober2 · ‎09-09-2010

Also, it's odd that only FLV files are failing. Do you have any IDS/IPS devices in the network that would be inspecting these packets? Any HTTP proxies that would be inline with these transfers?

-Mike

joeclarktx · ‎09-09-2010

Yes, i do have an IPS on this ASA.

No HTTP proxies

mirober2 · ‎09-09-2010

Hi Joe,

Have you tried disabling the IPS temporarily and see if the issue continues? If it's an AIP module, you can use the 'no ips inline' or 'no ips promiscuous' command inside the active policy-map. Try that and let us know if the issue remains without the IPS being active.

-Mike

joeclarktx · ‎09-09-2010

I've taken the IPS out of the mix and still have the same result.