1. Home
  2. Cisco Systems
  3. ASA 5510 FTP Issue

ASA 5510 FTP Issue

Hi All,

I have a ASA 5510 running 7.0(5) and I am having an FTP issue, which I cant seem to find a way to fix.

The issue is that after about 5 min of uploading any file (big or small, as long as it takes more than 5 min to upload), the ftp connection is reset.

I have tried a few different things to rule out other possible causes. I have tried FTP'ing from a few different boxes behind the firewall, to the same and other FTP servers, this all results in the same issue. I have tried ftp'ing from servers not behind the firewall, to the same ftp servers, and the problem does not exist. I am able to upload for

10-20+ min without any resets.

I have sniffed the packets on the outside of the firewall, (filtering just the 2 server IP's), and at about the 5 min mark, just before the connection reset, I see a RST,ACK packet come back from the FTP server.

It seems as if the firewall thinks the connection is not fully open and after 5 min, it closes the connection between the 2 servers even though they are still transferring data.

I do not see any errors or other info in the logs either.

Has any one else had this problem and know how to fix it?

If you need more info etc, please let me know.

Thanks

-Hurgh-

Reply to
Hurgh
Loading thread data ...

Check out the xlate timeout, it's the time-to-live of any translation created by the asa, the default should be 1 hour, maybe someone lowered it to 5 minutes. If this is the case, after 5 minutes tha asa do clear the translation and send a rst to both server and client, this will abort the transfer. Bye, Tosh.

Reply to
Tosh

There are a ton of FTP related bugs in 7.0; you might try upgrading the ASA software

Reply to
Merv

I haven't checked out PIX 7 details. In PIX 6, it would not work that way.

The translate timeout applies only after *all* the appropriate connection timeouts have been reached and all of the active connections through the translation are closed. It is not a timeout aimed at controlling connection lengths: it is a timeout aimed at reducing the effort of continually rebuilding translations. For example if you are fetching a document full of HTML links, you don't want to end up having to rebuild the translation just because there happened to be a fraction of a second during which the client paused between fetches.

In turn, the connection timeout (for general TCP) applies only to idle connections: it is reset for any connection when there is I/O on the connection. In PIX 6, a TCP connection that times out due to the 'conn' timeout is not actively sent an RST: the RST waits until the next time there is I/O in that direction. (The need for a RST is not remembered: it is simply generated because the device detects non-SYN traffic that it does not have a connection for.)

The connection timeout for UDP also applies only to idle connections, and of course there is no RST to send for UDP. When additional UDP traffic is detected for which there is no corresponding internal state, it is treated as if it was completely new traffic, generating new flow state if it is permitted by the access rules. This -does- imply that if the UDP port would not normally be open but was opened by way of inspection of earlier traffic (e.g., SIP or RPC or RPC-NETBIOS) then the "came back to life" UDP traffic might be denied by the ACL.

Reply to
Walter Roberson

Thanks Merv, I was afraid that might be the case, I have just upgraded from 7.0(2) to 7.0(5) as there was a few FTP related bugs fixed in that version, as well as some security holes closed, but the client does not have any contract for the device, so they are unable to go any higher.

That's what they get if they don't want to spend the money.

-Hurgh-

Reply to
Hurgh

Hi Tosh,

I have checked this setting and it is set at the default 1 hour. So looks like this is not the issue (though I wish it were, cause then I could fix it).

Thanks for your time.

-Hurgh-

Reply to
Hurgh

I did it a try and you're right, I was a little confused about ios. Bye, Tosh.

Reply to
Tosh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.