Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
453
Views
0
Helpful
5
Replies

FTP recent issue: does not connect anymore from the outside

mariocabrejo
Level 1
Level 1

‎07-20-2004 02:02 PM - edited ‎03-09-2019 08:08 AM

Hi all,

We had our FTP server working for a good time and since yesterday It does not work anymore. Whenever FTP from the inside network it does work, but does not work from the outside anymore.

Here is my syslog captured from the pix:

192.168.1.117/21 Internal IP address

A.B.C.D/21 External Global IP address

Jul 20 2004 17:17:44: %PIX-6-302013: Built inbound TCP connection 9826 for outside:4.239.240.40/4713 (4.239.240.40/4713) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 20 2004 17:18:05: %PIX-6-302013: Built inbound TCP connection 9884 for outside:4.239.240.40/4714 (4.239.240.40/4714) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 20 2004 17:20:06: %PIX-6-302013: Built inbound TCP connection 10098 for outside:4.239.240.40/4715 (4.239.240.40/4715) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 20 2004 17:20:17: %PIX-6-302013: Built inbound TCP connection 10136 for outside:4.239.240.40/4716 (4.239.240.40/4716) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 20 2004 17:17:17: %PIX-6-106015: Deny TCP (no connection) from 4.239.240.40/4698 to A.B.C.D/21 flags RST on interface outside

Jul 20 2004 17:17:17: %PIX-6-106015: Deny TCP (no connection) from 4.239.240.40/4697 to A.B.C.D/21 flags RST on interface outside

Any comments are appreciated.

Thanks

Mario

Labels:
0 Helpful
5 Replies 5

nkhawaja
Cisco Employee
Cisco Employee

‎07-20-2004 02:13 PM

what changed? any update on the server? or on the PIX? we seems to be missing a few in between syslog messages, so can't really say much.

Thanks

Nadeem

0 Helpful

mariocabrejo
Level 1
Level 1
In response to nkhawaja

‎07-21-2004 05:36 AM

Hi nkhawaja,

We did not change anything. When trying to connect from outside to the ftp, it get to the authentication part, after typing the right password it does authenticate because if you type a wrong one it prompts you again for the right password. After that it says "getting folder contents" and after 10 minutes: "FTP folder error, An error occurred opening that folder on the ftp server. Make sure you have permissions to access that folder."

I check into the access list on the pix and it increments the ftp access list. We have not change anything on the server or pix. I have even installed a new ftp server and same thing occurred on this new one.

Here is the other syslog that shows only my internal and global ip for the ftp server:

Jul 21 2004 09:07:11: %PIX-6-106015: Deny TCP (no connection) from 4.239.240.40/4718 to A.B.C.D/21 flags RST on interface outside

Jul 21 2004 09:07:11: %PIX-6-106015: Deny TCP (no connection) from 4.239.240.40/4717 to A.B.C.D/21 flags RST on interface outside

Jul 21 2004 09:07:16: %PIX-6-302013: Built inbound TCP connection 57037 for outside:4.239.240.40/4869 (4.239.240.40/4869) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 21 2004 09:07:16: %PIX-6-302014: Teardown TCP connection 57037 for outside:4.239.240.40/4869 to inside:192.168.1.117/21 duration 0:00:01 bytes 157 TCP FINs

Jul 21 2004 09:07:17: %PIX-6-302013: Built inbound TCP connection 57047 for outside:4.239.240.40/4870 (4.239.240.40/4870) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 21 2004 09:07:17: %PIX-6-302014: Teardown TCP connection 57047 for outside:4.239.240.40/4870 to inside:192.168.1.117/21 duration 0:00:01 bytes 157 TCP FINs

Jul 21 2004 09:07:27: %PIX-6-302013: Built inbound TCP connection 57111 for outside:4.239.240.40/4871 (4.239.240.40/4871) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 21 2004 09:07:28: %PIX-6-302013: Built inbound TCP connection 57114 for outside:4.239.240.40/4872 (4.239.240.40/4872) to inside:192.168.1.117/21 (A.B.C.D/21)

Jul 21 2004 09:12:47: %PIX-6-302014: Teardown TCP connection 57114 for outside:4.239.240.40/4872 to inside:192.168.1.117/21 duration 0:05:18 bytes 798 TCP Reset-O

Jul 21 2004 09:12:47: %PIX-6-302014: Teardown TCP connection 57111 for outside:4.239.240.40/4871 to inside:192.168.1.117/21 duration 0:05:19 bytes 580 TCP Reset-O

0 Helpful

davecs
Level 1
Level 1
In response to mariocabrejo

‎07-21-2004 10:28 PM

ok - it sounds like your config is missing a fixup for ftp

the PIX is allowing ftp (the command channel) - but your data channel is being dropped.

i cant remember the exact syntax - but do a show fixup and you can construct the command pretty easy.

let me know how u get on!

d.

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee

‎07-21-2004 08:23 AM

hi,

what is the version of PIX? what FTP server is it? is it set to "Passive" FTP? what syslog level you are set to? what are the timeout values "show timeout"

thanks

Nadeem

0 Helpful

mariocabrejo
Level 1
Level 1
In response to nkhawaja

‎07-22-2004 01:54 PM

Hi,

Got it working. I want to thank you for your support, unfortunately somebody did some permission changes on the virtual directories when I was not here. This ftp was a W2000 Server.

It looks like the pix was timing out and reseting the connection because I could not open any folders because of permission issues.

THanks Again

Mario

0 Helpful
Customers Also Viewed These Support Documents