Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1146
Views
5
Helpful
4
Replies

ASA drops sftp connections

Go to solution
loc.nguyen
Level 1
Level 1

‎10-05-2022 09:01 AM

Hi,

We have a site to site vpn between our cisco firewall and Google cloud.

10.10.0.4 is on Google cloud

10.0.1.215 is behind our firewall.

10.10.0.4 can ping and ssh to 10.0.1.215 well.

On 10.10.0.4, there is a sftp client to pull data from 10.0.1.215 server. The sftp client has script to create few hundreds concurrent connections. The script runs good for 10 or 20 minutes then people report that it has slow network connection.

I checked our firewall. I see some  connection drops in asp-drop:

ftd-1# show cap asp
Target: MIPS
Hardware: FPR-2110
Cisco Adaptive Security Appliance Software Version 9.14(3)22
ASLR enabled, text region aaae698000-aab31a7704

502 packets captured

1: 15:35:06.088755 10.10.0.4.57200 > 10.0.1.215.22: . ack 4180850300 win 511 <nop,nop,timestamp 313693986 1864743318> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

2: 15:35:06.097605 10.10.0.4.57200 > 10.0.1.215.22: F 4103817424:4103817424(0) ack 4180850300 win 511 <nop,nop,timestamp 313693995 1864743318> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

3: 15:35:06.168616 10.10.0.4.57222 > 10.0.1.215.22: . ack 2029873916 win 511 <nop,nop,timestamp 313694066 1864743400> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

4: 15:35:06.173559 10.10.0.4.57222 > 10.0.1.215.22: F 1180685139:1180685139(0) ack 2029873916 win 511 <nop,nop,timestamp 313694071 1864743400> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

5: 15:35:06.344662 10.10.0.4.57276 > 10.0.1.215.22: . ack 421307266 win 511 <nop,nop,timestamp 313694242 1864743577> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

6: 15:35:06.412530 10.10.0.4.57310 > 10.0.1.215.22: . ack 996493539 win 511 <nop,nop,timestamp 313694310 1864743645> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

7: 15:35:06.476705 10.10.0.4.57318 > 10.0.1.215.22: . ack 4094221366 win 511 <nop,nop,timestamp 313694374 1864743707> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

8: 15:35:06.479696 10.10.0.4.57318 > 10.0.1.215.22: F 2635649531:2635649531(0) ack 4094221366 win 511 <nop,nop,timestamp 313694377 1864743707> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

9: 15:35:06.492970 10.10.0.4.57328 > 10.0.1.215.22: . ack 2992171379 win 511 <nop,nop,timestamp 313694390 1864743723> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

10: 15:35:06.495137 10.10.0.4.57328 > 10.0.1.215.22: F 3469705926:3469705926(0) ack 2992171379 win 511 <nop,nop,timestamp 313694393 1864743723> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

11: 15:35:06.640973 10.10.0.4.57380 > 10.0.1.215.22: . ack 2879026005 win 511 <nop,nop,timestamp 313694538 1864743872> Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000000aab061dcd0 flow (NA)/NA

Do you have an idea what I need to check further?

Thanks

Loc

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎10-05-2022 11:37 AM 

sysopt connection preserve-vpn-flows

I read before the to make TCP preserver over L2L VPN we need above command, 
review the command 

View solution in original post

4 Replies 4

Go to solution
MHM Cisco World
VIP
VIP

‎10-05-2022 11:37 AM 

sysopt connection preserve-vpn-flows

I read before the to make TCP preserver over L2L VPN we need above command, 
review the command 

Go to solution
loc.nguyen
Level 1
Level 1
In response to MHM Cisco World

‎10-05-2022 09:26 PM

Thanks, I made a change on my firewall. Let wait and see if it really works.

0 Helpful

Go to solution
loc.nguyen
Level 1
Level 1
In response to MHM Cisco World

‎10-11-2022 06:36 AM

It worked. FYI: below is the comment of a tester.

We tested the image script to download 300,000 images with 100 parallel processes multiple times but did not come across “Socket is closed” error after you adjusted the firewall setting.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-11-2022 10:16 AM

You are so so welcome friend 

0 Helpful
Customers Also Viewed These Support Documents