Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1161
Views
0
Helpful
14
Replies

Outgoing FTP Connection Fails

vdinenna71
Level 1
Level 1

‎08-02-2006 11:36 AM - edited ‎03-09-2019 03:47 PM

I'm using FileZilla to connect to a passive FTP server on some other LAN. Connection always fails. I used debug to trace and got this:

ftp: (192.168.1.51/17449 -> 72.3.177.105/21)

ftp: empty ack packet

tcpseq: rexmit packet seq=2703977631, snd_next=2703977632, window (2703977632-2704042751)

ftp: (192.168.1.51/17449 <- 72.3.177.105/21)

ftp: empty ack packet

tcpseq: rexmit packet seq=723827714, snd_next=723829195, window (723827714-723893259)

ftp: (192.168.1.51/24467 -> 72.3.177.105/21)

ftp: empty ack packet

ftp: (192.168.1.51/24467 <- 72.3.177.105/21)

ftp: empty ack packet

ftp: (192.168.1.51/24467 -> 72.3.177.105/21)

ftp: empty ack packet

User name & pass are correct because connection to the FTP site works from my PIX at home.

If I send a config file can someone look at it and see why connections are not estabilshing? It's probably due to the access-list or lack of an entry, but I don't know where.

We have our own internal FTP server which works fine from the outside.

Fixup 21 is running.

I connected to ftp.cisco.com with no problem.

Thanks for any help you can give,

Vince

Labels:
0 Helpful
14 Replies 14

Patrick Laidlaw
Level 4
Level 4

‎08-02-2006 03:42 PM

Vince,

Post away and we can help you out.

Patrick

0 Helpful

vdinenna71
Level 1
Level 1
In response to Patrick Laidlaw

‎08-03-2006 03:58 AM

Thanks Patrick. Here's the conf as of this morning.

Regards,

Vince

Preview file
13 KB
0 Helpful

Patrick Laidlaw
Level 4
Level 4
In response to vdinenna71

‎08-03-2006 08:49 AM

Vince,

Questions

This FTP site is it out on the internet or is it behind your PIX. Can you give us a brief description of where everything is logically located example:

FTPserver---Internet----PIX---CLIENT or

CLIENT---Internet---PIX---RTR---FTPserver

From your config and your post I'm guessing its out in the internet.

Patrick

0 Helpful

vdinenna71
Level 1
Level 1
In response to Patrick Laidlaw

‎08-03-2006 11:08 AM

I'm behind a PIX 515e; that's the config for it.

I'm trying to get to ftp.nitrosell.com. There is a user name and password for the site.

I don't know if the FTP server (ftp.nitrosell.com) is behind a router or firewall.

My setup:

My PC-> PIX515e-> ->FTP.nitrosell.com (supposedly it's passive FTP)

Again, this connection has been made from behind my PIX 501 at home. the FTP cleint is not the problem. I've connected from MS FTP client and others from outside my business' network.

Thanks,

Vince

0 Helpful

vdinenna71
Level 1
Level 1
In response to vdinenna71

‎08-03-2006 11:53 AM

Correction- There is a router on my network.

My setup:

My PC-> PIX515e-> Cisco 1700-> FTP.nitrosell.com (supposedly it's passive FTP)

The 1700 is not controlled by us, it's controlled by the ISP (AT&T) It's not suppose to block anything.

0 Helpful

Patrick Laidlaw
Level 4
Level 4
In response to vdinenna71

‎08-03-2006 12:32 PM

I don't see anything specifically that should be causing this problem. I'm sure you have tried other ftp sites but what was the results of using some other ftp program to connect to that server, and using filezilla to other ftp servers?

Patrick

0 Helpful

vdinenna71
Level 1
Level 1
In response to Patrick Laidlaw

‎08-04-2006 05:08 AM

Well, I have tried several FTP clients. I tried the Cisco FTP site with the client and it worked fine.

FileZilla was recommended by Nitrosell, the FTP host.

Can you recommend any FTP clients.

0 Helpful

vdinenna71
Level 1
Level 1
In response to Patrick Laidlaw

‎08-04-2006 05:40 AM

Have tried 3 other FTP clients, here is a log from one:

Status: Connecting to ftp.nitrosell.com ...

Trace: FtpControlSocket.cpp(921): OnConnect(0) OpMode=1 OpState=-1 caller=0x003ad224

Status: Connected with ftp.nitrosell.com. Waiting for welcome message...

Error: Timeout detected!

Trace: FtpControlSocket.cpp(1060): DoClose(0) OpMode=1 OpState=-1 caller=0x003ad224

Trace: FtpControlSocket.cpp(3882): ResetOperation(4100) OpMode=1 OpState=-1 caller=0x003ad224

Error: Unable to connect!

Status: Waiting to retry... (5 retries left)

Status: Connecting to ftp.nitrosell.com ...

Trace: FtpControlSocket.cpp(921): OnConnect(0) OpMode=1 OpState=-1 caller=0x003ad224

Status: Connected with ftp.nitrosell.com. Waiting for welcome message...

Error: Timeout detected!

Trace: FtpControlSocket.cpp(1060): DoClose(0) OpMode=1 OpState=-1 caller=0x003ad224

Trace: FtpControlSocket.cpp(3882): ResetOperation(4100) OpMode=1 OpState=-1 caller=0x003ad224

Error: Unable to connect!

Status: Waiting to retry... (4 retries left)

Status: Connecting to ftp.nitrosell.com ...

Trace: FtpControlSocket.cpp(921): OnConnect(0) OpMode=1 OpState=-1 caller=0x003ad224

Status: Connected with ftp.nitrosell.com. Waiting for welcome message...

0 Helpful

sorinbadea
Level 1
Level 1
In response to vdinenna71

‎08-04-2006 09:29 AM

try to create a global policy. here are the statements:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspection ftp

inspection icmp

service-policy global_policy global

Let me know if this helps

0 Helpful

vdinenna71
Level 1
Level 1
In response to sorinbadea

‎08-04-2006 09:59 AM

I just found out something that might make this more clear. I think it's a NAT problem. I read a few Cisco FTP troubleshooting docs and found some info that pointed me to NAT.

Our Web server has a global address that translated to an internal address, so I tested the Nitrosell FTP server from my web server and I got connected.

However, I don't know what to do about it without messing up the configuration. I don't have a PIX test environment.

What can I do to resolve this and not break my setup? Will the global policy help with this issue?

My config file is posted, Please advise.

Thanks for your help,

Vince

0 Helpful

scottmac
Level 10
Level 10
In response to vdinenna71

‎08-04-2006 11:03 AM

Have you tried it as a standard FTP? (i.e., not "passive")?

0 Helpful

vdinenna71
Level 1
Level 1
In response to scottmac

‎08-04-2006 11:14 AM

I've tried every which way. I tried active again just now and it didn't connect.

0 Helpful

scottmac
Level 10
Level 10
In response to vdinenna71

‎08-04-2006 12:24 PM

Are there any other paths out of your network to the Internet, and / or, are you using any proxies?

If the data was leaving from another path and returning via the PIX, the state engine would drop the traffic because it didn't see the original (outbound) requests.

Also, have you checked your PC for software firewalls (i.e., Black Ice or ZoneAlarm)?

Does the DOS command line FTP do the same thing?

Good Luck

Scott

0 Helpful

m-haddad
Level 5
Level 5
In response to scottmac

‎08-04-2006 02:20 PM

One advise to isolate the problem, try to connect your PC to the outside switch and get a free real IP from the subnet allocated by your ISP. Try to FTP, if it works than the problem is on the PIX and if not then the problem is from the router to ISP. If the FTP works from outside try to make a special global NAT On the pix for your pc from the inside and try to see if it works aswell.

Let me know if the above works,

0 Helpful
Customers Also Viewed These Support Documents