Thanks Paps.  I appled the class maps & rules you suggested and then applied them to my policy maps and all is fine... but here's the interesting thing.

they are running sftp on port 21 and I had the allowed in previous map, but it wasn't working and every time the kicked off a transfer it caused the router to crash.  bug?

I added the rule you suggested but used port 21 and all is good.  I am not sure why the router would crash.  do you think it has something to do with trying to inspect and encrypted packed on an allowed port?  new config.

access-list 150 permit tcp any any eq ftp

access-list 151 permit tcp any eq ftp any

class-map type inspect match-any sftp

match access-group 150

class-map type inspect match-all inside-outside-vpn-cmap

match access-group 111

class-map type inspect match-any sftp_return

match access-group 151

class-map type inspect match-any inside-outside-cmap

match protocol dns

match protocol http

match protocol https

match protocol ftp

match protocol icmp

match protocol tcp

match protocol pop3

match protocol udp

!

!

policy-map type inspect inside-outside-vpn-pmap

class type inspect sftp_return

  pass

class type inspect inside-outside-vpn-cmap

  inspect

class class-default

  drop

policy-map type inspect inside-outside-pmap

class type inspect sftp

  pass

class type inspect inside-outside-cmap

  inspect

class class-default

  drop

!

zone security outside

zone security inside

zone-pair security inside-outside source inside destination outside

service-policy type inspect inside-outside-pmap

zone-pair security outside-inside source outside destination inside

service-policy type inspect inside-outside-vpn-pmap

Hi James,

It seems the crash is related to inspecting encrypted traffic. But it could be for other reasons as well.

Here is a known issue though.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti67905

Would be best to open a TAC case to get to the root cause.

Thanks,

Paps