
ASA5515X FTP-DATA (20) TCP retransmission accessing FTP server

PvCr
Level 1

Hi everybody,

I have a problem when any PC tries to list (ls) inside an FTP server.

All the PCs are behind an ASA5515X (Gateway (active/standby failover)).

Wireshark shows the info attached (Capture-from-PC.JPG):

source: FTP-SERVER_IP

destination: PC-CLIENT(5515X)

The firewall ASA 5515X shows the info attached (capture-from-ASA5515.txt)

The symptom is as if the remote site (any FTP server) doesn't receive a response from the FTP client site (PC behind ASA5515).

The ASA shows this info:

CDC-INTRA-FW-01/pri/act# sh service-policy flow tcp host PC-FTP-CLIENT host FTP-SERVER eq ftp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Match: default-inspection-traffic
Action:
Input flow: inspect ftp
Class-map: class-default
Match: any
Action:
Output flow: Output flow: user-statistics accounting
Input flow: inspect ftp

asp drop

Frame drop:
Flow is being freed (flow-being-freed) 142
Invalid TCP Length (invalid-tcp-hdr-length) 1
No valid adjacency (no-adjacency) 12904
No route to host (no-route) 22
Flow is denied by configured rule (acl-drop) 522
First TCP packet not SYN (tcp-not-syn) 95153
TCP failed 3 way handshake (tcp-3whs-failed) 1189
TCP RST/FIN out of order (tcp-rstfin-ooo) 8564
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 61
TCP SYNACK on established conn (tcp-synack-ooo) 18
TCP packet SEQ past window (tcp-seq-past-win) 338
TCP Out-of-Order packet buffer full (tcp-buffer-full) 437839
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 14409
TCP RST/SYN in window (tcp-rst-syn-in-win) 144
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 6141
TCP packet failed PAWS test (tcp-paws-fail) 561
Slowpath security checks failed (sp-security-failed) 9213
Expired flow (flow-expired) 1
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 109
Interface is down (interface-down) 6
Packet shunned (shunned) 4385
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 18810

Last clearing: 12:57:37 UTC Feb 1 2019 by enable_15

Flow drop:
Inspection failure (inspect-fail) 14

Can anyone help me please???

Note: excuse my typos.


PvCr
Level 1

This is the Wireshark info (from PC-FTP-Client site) (info attached)
