How to trace policy for native FTP

Michal Bruncko
Level 4

Hi guys,

I am trying to troubleshoot the policy for native FTP (proxy port 8021, where the FTP proxy is listening). The main reason is probably a wrong policy: we have usersA who are able to log into FTP via the FTP proxy, but other usersB (another subnet) are not able to do the same (receiving "530 Login denied").

Questions:

- Is there any way I can troubleshoot/trace the policy for native FTP?

- Where/what access rules are applied to requests sent to the FTP proxy by users? I can see that there is an option to disable "Native FTP" within access policies ("Protocols and User Agents" column), but all those checkboxes within all access policy rules are unchecked.

thanks for any help

michal

1 Reply

Erik Kaiser
Cisco Employee

Hi Michal,

Yes, you can troubleshoot the FTP connection issues that you are having. Follow the steps below:

To grep the access logs for an entry, SSH into the WSA and run the following command from the CLI:

1. Grep

2. Enter the number of the log you wish to grep.

[]> 1

3. Enter the regular expression to grep.

[]> IP of the PC that the issue is being reproduced on.

4. Do you want this search to be case insensitive? [Y]>

5. Do you want to search for non-matching lines? [N]>

6. Do you want to tail the logs? [N]> Yes

7. Do you want to paginate the output? [N]>

If you have any questions or concerns please feel free to email or call me.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
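
Once the grep output for a client in each subnet has been saved, the two sets of lines can be compared offline. The following is an added example, not part of the reply above or of Cisco's tooling: it assumes the squid-style access log layout in which client IP, result code and policy decision tag are the 3rd, 4th and 11th whitespace-separated fields, and the subnets, log lines and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed lines, not captured from an appliance. Only the client (3rd),
# result (4th) and decision-tag (11th) columns are read; the rest is filler.
SAMPLE_LOG = """\
1700000001.100 45 10.1.1.20 TCP_MISS/200 120 - ftp://ftp.example.test/ - - - DECISION_A-PolicyA-IdentityA
1700000002.200 12 10.2.2.30 TCP_DENIED/403 0 - ftp://ftp.example.test/ - - - DECISION_B-PolicyB-IdentityB
1700000003.300 40 10.1.1.21 TCP_MISS/200 98 - ftp://ftp.example.test/ - - - DECISION_A-PolicyA-IdentityA
1700000004.400 truncated
"""

# Hypothetical subnets standing in for the two user groups in the question.
GROUPS = {"usersA": "10.1.1.0/24", "usersB": "10.2.2.0/24"}


def summarize(log_text, groups):
    """Count (result, decision tag) pairs per named subnet; also return skipped lines."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in groups.items()}
    counts = {name: Counter() for name in nets}
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        try:
            client = ipaddress.ip_address(fields[2])
            outcome = (fields[3], fields[10])
        except (IndexError, ValueError):
            skipped += 1  # short or malformed line: count it, do not guess
            continue
        for name, net in nets.items():
            if client in net:
                counts[name][outcome] += 1
    return counts, skipped


def only_in(counts, group, other):
    """Outcomes seen for `group` that never occur for `other`."""
    return sorted(set(counts[group]) - set(counts[other]))


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG, GROUPS)
    for name, counter in counts.items():
        for (result, tag), n in counter.most_common():
            print(f"{name}: {n} x {result} {tag}")
    print("differs for usersB:", only_in(counts, "usersB", "usersA"))
    print("skipped lines:", skipped)
```

A decision tag that appears only for the failing subnet names the policy group to inspect first; user names containing spaces would shift the field positions and need a stricter parser.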