Hello, 

Sorry for late resposne.

> Show conn port 20 detail
19 in use, 195 most used
Inspect Snort:
preserve-connection: 4 enabled, 0 in effect, 181 most enabled, 0 most in effect
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
B - TCP probe for server certificate,
b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - initiator FIN, f - responder FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - initiator data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - decap tunnel, M - SMTP data, m - SIP media
N - inspected by Snort (1 - preserve-connection enabled, 2 - preserve-connection in effect,
3 - elephant-flow, 4 - elephant-flow bypassed, 5 - elephant-flow throttled)
n - GUP, O - responder data, o - offloaded,
P - inside back connection, p - passenger flow
q - SQL*Net data, R - initiator acknowledged FIN,
R - UDP SUNRPC, r - responder acknowledged FIN,
T - SIP, t - SIP transient, U - up,
V - VPN orphan, v - M3UA W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow

> Show conn port 21 detail
19 in use, 195 most used
Inspect Snort:
preserve-connection: 4 enabled, 0 in effect, 181 most enabled, 0 most in effect
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
B - TCP probe for server certificate,
b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - initiator FIN, f - responder FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - initiator data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - decap tunnel, M - SMTP data, m - SIP media
N - inspected by Snort (1 - preserve-connection enabled, 2 - preserve-connection in effect,
3 - elephant-flow, 4 - elephant-flow bypassed, 5 - elephant-flow throttled)
n - GUP, O - responder data, o - offloaded,
P - inside back connection, p - passenger flow
q - SQL*Net data, R - initiator acknowledged FIN,
R - UDP SUNRPC, r - responder acknowledged FIN,
T - SIP, t - SIP transient, U - up,
V - VPN orphan, v - M3UA W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow

Thanks for sharing more details' the show conn is empty I think becuase you dont generate any ftp traffic.

But 

I search about this issue

Indeed there is some issue with ftp in ftd' and as workaround the suggest solution is add 

Prefilter NOT ACP to allow ftp traffic.

Try add prefilter abd check pcap again.

MHM

Hello, 

Thank you very much. I made prefilter and i have same situation. I capture traffic on my inside interface, when traffice come from outisde to indside. 

i dont know why this TCP Retransmision happen, because i made prefiler where i allowed everyting to FTP server.

can I see how you config the prefilter 

MHM

@MHM Cisco World  thank you very much.

i configure prefilter inside to outside and outsdie to inside , picture below. i can see hitts.

i would like to add that i make source and destionation NAT in my side. that is reason why i have two ip address 192.168.1.28 is my real IP address, then i make source NAT to 10.5.6.28

@faruk.zaimovic, long time ago I wrote this: In the fpr1140-mo-node1-capture_test.pcap capture we see "227 Entering Passive Mode (10,5,6,28,218,137).\r\n". The capture was collected on the inside interface of the firewall, i.e. before any packet processing done by the firewall. This means that the 10.5.6.28 IP in the PASV reply is incorrect. It should have been 192.168.1.28, i.e. the real IP address the server runs on. FTP inspect on the firewall sees that this IP address doesn't match transport IP address of the packet (192.168.1.28) and drops it as expected.

192.168.1.0/24-my local LAN(First Location)-------FPR1140----------Internet------ FPR1140-----Remote LAN(Second Location) 192.168.1.2

> show running-config nat
nat (outside,inside) source static FMF-SERVER-3-192.168.1.2 FMF-SERVER3-SEEN-FROM-FMF-10.200.200.3 destination static LFILKA-SEEN-FROM-FMF-10.5.6.28 LFILKA-192.168.1.28

So, once again, host 192.168.1.2 ("Second Location") opens FTP connection to 10.5.6.28 and then user either tries to download a file or enters "dir". 192.168.1.2 sends "PASV" command. This can be seen in both captures above. The request is NATed on the "First Location" firewall. SrcIP 192.168.1.2 is translated to 10.200.200.3 and DstIP is translated to 192.168.1.28. So far, so good. The server responds with a PASV Reply and we can see it in the 1st capture: "227 Entering Passive Mode (10,5,6,28,218,137).\r\n". However, the reply is absent in the 2nd capture on the "Second Location" firewall. The retransmission is actually the same PASV command on the "Second Location" firewall and the same PASV Reply on the "First Location" firewall.

Is above description correct?

The 1st capture, where the PASV reply is seen, was collected on the inside interface of the "First Location" firewall, right? You used "capture" command in the firewall CLI, right?

Now tell us, how's that possible that the server 192.168.1.28 knows about 10.5.6.28 address to announce this address in its PASV reply?

Shouldn't the server respond with its real IP address 192.168.1.28 instead of 10.5.6.28?

Once again, if the firewall sees that IP address in the PASV reply (10.5.6.28 in this case) is different from the transport IP address (192.168.1.28), it drops the packet and sends TCP RST back. This is a function of ASA/Lina "inspect" feature. Playing around with ACP vs Pre-filter policies won't change this behavior whatsoever and the packet will still be dropped by the inspect. The reason is: "inspection" is a feature of underlying Lina (ASA code) and ACP is distributed between ASA/Lina and Snort. The FTD is NOT an integrated system, meaning that despite so many efforts and years of development it still consists of two loosely coupled parts.

You cannot disable the "inspect" which drops the packet, because you do NAT. You need to think and answer questions above to solve this problem.

Hello, 

Thank you very much for your help.

Is above description correct?   ---  yes it is correct. 192.168.1.2 is transalted 10.5.6.28, and other side see my as 10.5.6.28, but when sorce 192.168.1.2 send request to 10.200.200.3  it si destination transaltion 10.200.200.3 to 192.168.1.2. I made soruce and destination NAT translation .

Shouldn't the server respond with its real IP address 192.168.1.28 instead of 10.5.6.28?  Server should answer with 10.5.6.28, because i have same subnet in both location and it is reason why i make source and destination NAT. 

i have same situtaion with cisco ASA firewall and it is work correctly,  i have paralel cisco FPR 1140 and i tried to configure same situation and i have that problem. I can ping from adress 192.168.1.2 to 192.168.1.28.   from server run ping 10.5.6.28 and it is make NAT from 10.5.6.28 to 192.168.1.2. 

I hope that you understand this case. 

Thank you very much for help.

Shouldn't the server respond with its real IP address 192.168.1.28 instead of 10.5.6.28? Server should answer with 10.5.6.28, because i have same subnet in both location and it is reason why i make source and destination NAT.

NO, it MUST NOT! PASV reply (227 Entering Passive Mode ...) MUST contain 192.168.1.28, not 10.5.6.28.

The firewall will translate 192.168.1.28 to 10.5.6.28 automatically in the packet payload (unless there is a bug in FTD NAT). This is what "inspect ftp" is for and it is enabled by default on FTD (you can double-check with "show run policy-map").

The only reason why FTP doesn't work for you is that the server sends incorrect IP address in the PASV reply. Pings you're sending are irrelevant here, because FTP is a completely different protocol than ICMP, as it requires both IP header translation and payload translation.

HTH

Hi ,

Thnak you very much. 

@tvotna , Shouldn't the server respond with its real IP address 192.168.1.28 instead of 10.5.6.28?  i dont know how it can work because i have same network 192.168.1.0/24 at both location. it have to use 10.5.6.28 and when i come to my firewall i make NAT translation 10.5.6.28 in 192.168.1.28. 

I have same situation in Cisco ASA and it is works witout any problem. i migrate cisco ASA to cisco FPR and i have that problem. 

I send you PM for this issue 

Thanks 

MHM

@MHM Cisco World  Thank you very much. I send u show runn policy-map

Check 

""Match passive-ftp"" 

Which I think need to use for class-map to make inspect ftp work well in fpr.

Check this point' I don't have more information about this match command

Goodluck 

MHM

There is no such command and inspect ftp works as designed back in 80's prev. century.

MHM