FTP to 3850 fails, incorrect username/password

esa_fresa
Level 1

When I attempt to download a file from our public FTP server to any of our 3850s, I get the error message below.

%Error opening ftp://*****:*****@11.22.33.44/cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin (Incorrect Login/Password)

I'm using this command syntax to copy the file.

copy ftp://$USERNAME:$PASSWORD@11.22.33.44/cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin flash:/cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin

Troubleshooting steps taken...

1. FTP server is pingable.

2. Able to login to the FTP server from my PC using the same credentials

3. Tested using the "ip ftp username" and "ip ftp password" commands and then not specifying creds in the copy command. I receive the same error message.

4. No ACLs on the switches

5. Debug output below

1383852: .May  3 10:14:03.716 EDT: FTP: 220 Serv-U FTP Server v14.0 ready...
1383853: .May  3 10:14:03.717 EDT: FTP: ---> USER $USERNAME
1383854: .May  3 10:14:03.725 EDT: FTP: 220 Serv-U FTP Server v14.0 ready...
1383855: .May  3 10:14:03.725 EDT: FTP: ---> QUIT

6. We're currently running 3.4.4 on all our switches. There are a few bugs regarding FTP but I don't think any of them would give the symptoms we're experiencing. We do have "ip ftp passive" configured.

https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes/asr1k_caveats_34s.html

As a last resort we can utilize TFTP, but I'd really like to get FTP working. We have multiple switches, all at different locations with no one on site, so the easiest option is probably to TFTP over the internet, which I've not had luck with in the past. I'm also just curious why this isn't working.

Accepted Solution

esa_fresa
Level 1

We ran a packet capture on the FTP server and TCP debugs on the switch. Both sides were saying the other one sent a TCP reset packet.

The issue turned out to be an IPS appliance sending (spoofing) RST packets to both the server and the client.
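
The two-capture comparison described in this post can be automated. The following is an added example, not code from the thread: it flags a reset that one endpoint received but that the claimed sender's own capture never shows leaving. The switch address, ports, sequence numbers and TTLs are constructed, and it assumes no NAT rewrites ports or sequence numbers between the two capture points.

```python
from collections import namedtuple

# One record per captured TCP packet. In practice the fields would be exported
# from each pcap; every value below is a constructed sample.
Pkt = namedtuple("Pkt", "src dst sport dport flags seq ttl")

SWITCH, SERVER = "192.0.2.10", "11.22.33.44"   # switch address is hypothetical

def injected_rsts(local_ip, remote_ip, local_cap, remote_cap):
    """RSTs that arrived at local_ip claiming to be from remote_ip, but that
    remote_ip's own capture never shows leaving."""
    really_sent = {(p.sport, p.dport, p.seq) for p in remote_cap
                   if "R" in p.flags and p.src == remote_ip}
    # TTLs seen on the peer's ordinary packets; an injected RST often differs.
    peer_ttls = {p.ttl for p in local_cap
                 if p.src == remote_ip and "R" not in p.flags}
    return [
        {"seen_at": local_ip, "claimed_src": p.src, "seq": p.seq,
         "ttl_differs": p.ttl not in peer_ttls}
        for p in local_cap
        if "R" in p.flags and p.src == remote_ip
        and (p.sport, p.dport, p.seq) not in really_sent
    ]

def correlate(switch_cap, server_cap):
    """Check both directions, since the thread saw resets on both sides."""
    return (injected_rsts(SWITCH, SERVER, switch_cap, server_cap)
            + injected_rsts(SERVER, SWITCH, server_cap, switch_cap))

# Constructed captures of the control connection: banner, USER, then a reset.
SWITCH_CAP = [
    Pkt(SWITCH, SERVER, 40001, 21, "S", 1000, 255),
    Pkt(SERVER, SWITCH, 21, 40001, "SA", 5000, 116),
    Pkt(SERVER, SWITCH, 21, 40001, "PA", 5001, 116),   # 220 banner
    Pkt(SWITCH, SERVER, 40001, 21, "PA", 1001, 255),   # USER ...
    Pkt(SERVER, SWITCH, 21, 40001, "R", 5040, 61),     # reset "from" server
]
SERVER_CAP = [
    Pkt(SWITCH, SERVER, 40001, 21, "S", 1000, 243),
    Pkt(SERVER, SWITCH, 21, 40001, "SA", 5000, 128),
    Pkt(SERVER, SWITCH, 21, 40001, "PA", 5001, 128),
    Pkt(SWITCH, SERVER, 40001, 21, "PA", 1001, 243),
    Pkt(SWITCH, SERVER, 40001, 21, "R", 1016, 62),     # reset "from" switch
]

if __name__ == "__main__":
    for finding in correlate(SWITCH_CAP, SERVER_CAP):
        print(finding)
```

A reset that appears in the claimed sender's own capture is not reported, so an ordinary server-side disconnect does not trigger a finding.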


DarylBrooks
Level 1
Which FTP server product are you using?

Most products, such as FileZilla, offer some sort of logging. If your product does, it would be a good idea to check the reason for failure there; that will also verify whether a valid connection is being made.

chrihussey
VIP Alumni

Keep the config with the ftp username and password and try "no ip ftp passive".

Also, step through the FTP process:

!

copy ftp flash:

Address or name of remote host[]?11.22.33.44

Source filename []? cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin

Destination filename [cat3k_caa-universalk9.SPA.03.06.08.E.152-2.E8.bin]

!

I've found that the passive option varies with some platforms and stepping through it has always worked best.

Hope this helps

rasmus.elmholt
Level 7
You could try to configure the ip ftp username / ip ftp password and see if it works.

On a side note I would use SCP instead. It's secure and always able to connect if you have SSH access to the device.

esa_fresa
Level 1

Thanks for the replies all.

@DarylBrooks Our FTP server doesn't provide verbose logging, so we're stuck with basically "Connection made, User name received, Connection closed". We ran a pcap and see the user name received, then the server sends a RST message for whatever reason. Seems like a server side security thing is dropping the connection but it's strange that no other hosts are having the issue, just these 3850s, and we have other traffic coming from the same public IP address. We should probably just make the switch to FileZilla, I've heard a lot of good things about it. 

@chrihussey Same symptoms unfortunately.

@rasmus.elmholt We did try with ip ftp username (etc.) (see note 3. in the main post). It's really silly, the 3850 supports SCP but not SFTP, and our server supports SFTP but not SCP. We're looking into transferring over HTTP now.

That's a shame about the lack of logging.

What I'd suggest, which I'm sure you're already doing, would be to set up a FileZilla server somewhere on the network and ensure there's connectivity between the 3850 and the server and the required rules to allow the FTP traffic. It takes no time at all to set this up and costs nothing. That way you'll be able to get some decent logs, and you should be able to rule out either a bug on the device or an issue with the existing FTP server.

HTH
