Solved

Cisco ASA 9.1 FTP Teardown TCP Connection

Posted on 2014-02-24
Last Modified: 2014-02-26
Hello Experts:

We have an internal server trying to download files from an external FTP server.  I can connect to the FTP server from the internal server, let us call this server FTP-Client.  However, when I try to download a file from the external FTP server, I get this message:

Connection closed by remote host.

I checked the logs on the Cisco ASA firewall, and this is what it shows:

Teardown TCP connection 123348 for outside:external-FTP-server-IP/21 to inside:FTP-Client-IP/32134 duration 0:00:29 bytes 338 TCP Reset-I

Can any one of you help me solve this problem?



Thanks.
Willie
Question by:willie0-360

11 Comments

Author Comment by:willie0-360
I want to add that before the message:

Teardown TCP connection 123348 for outside:external-FTP-server-IP/21 to inside:FTP-Client-IP/32134 duration 0:00:29 bytes 338 TCP Reset-I


This message appears on the Cisco ASA:

Teardown local-host outside:external-FTP-server-IP duration 0:00:29



Thanks.
Willie

Assisted Solution by:AlexPace (earned 100 total points)
In an FTP session, transferring a file or directory listing opens a second connection called the data channel connection.  The exact port number is negotiated at run-time when the client sends the PORT or PASV command.  Perhaps this data channel connection is the one that is failing for you.

Expert Comment by:giltjr
AlexPace is correct.  FTP uses two TCP connections: a command/control connection, which is used for the user to issue commands (get, put, ls, cd, pwd, and others) and for the ftp client and server to control the data transfer connection, and the data transfer connection itself, which is used when data must be transferred.  Data is transferred because of commands like get, put, and ls.

However, in this case the log entries are for the command/control session.  You can tell this by the port the server is using, 21.

You need to find out which side is issuing the TCP reset for that connection.  You can run a packet capture (I suggest using Wireshark) on your computer to see if it is your computer that might be sending out the TCP reset.  If your computer is not, then the server is, so you need to contact whomever controls the ftp server.

Author Comment by:willie0-360
Thanks a lot for your responses.  

I will install Wireshark on the server, where the FTP Client is on, to check on what it says about your suggestions.

The FTP Client is on a server that is on the 172.16.x.x network.  We have our office LAN in the 172.17.x.x network.  If I try to connect and download files from my desktop on the office LAN, it works.  Everything works as expected there.  However, from the 172.16.x.x network, it does not work.  I can connect to the FTP server, but that is all.   Does this tell you anything about this problem?

I would say that based on that, the FTP server is not resetting the connection.  What do you think?

Let me also mention that as far as I know, both LANs, the 172.16.x.x and the 172.17.x.x connect to two different Cisco ASAs.



Thanks.
Willie

Expert Comment by:giltjr
What happens if you just connect to the ftp server from the "server" that is having the problem and sit there and do nothing?

It's possible that the firewall rules are not set up correctly for ftp'ing from the 172.16.0.0 network.

How long after you issue the get/put command do you see the message "connection closed by remote host"?

What ftp client are you running?

Author Comment by:willie0-360
This is now what we just discovered.  When using the Windows Command Prompt FTP client, the data transfer does not work.  The same when using it with PowerShell.  Now, if we try it with the Filezilla FTP client, it works.  Everything works.  However, as far as we understand, Filezilla cannot be automated.

What could the Command Prompt be doing to cause this problem?  It works fine with the Filezilla FTP client.



It takes about 56 seconds for the Connection closed by remote host to appear.

Assisted Solution by:giltjr (earned 400 total points)
Easy.  With FTP there are two data transfer modes, "active" and "passive."

The Windows FTP client only supports "active", and the same client is used from the command line and PowerShell.

Filezilla, and most other ftp clients, support both passive and active, but use passive by default.

In "active" mode the server actually initiates the data TCP connection from port 20 to a random high port the client selects.  The client tells the server which port in the PORT/EPRT commands.

In "passive" mode the client initiates the data TCP connection to the server from a random high port to a random high port that the server opens and tells the client about using the PASV/EPSV command.

Most firewalls today are easily configured for passive connections, but not really for active.

I was going down this road, which is why I asked which ftp client you were using.

Author Comment by:willie0-360
Thanks for your response.

I tested the PASV/EPSV commands/modes and the connection was closed as well.

This is what I did for EPSV:

ftp> type
Using ascii mode to transfer files.
ftp> type epsv
epsv: unknown mode.
ftp> epsv
Invalid command.
ftp> epvs4
Invalid command.
ftp> ls
Connection closed by remote host.
ftp> quote espv
500 Unkwown command ESPV


For PASV:

ftp> quote pasv
227 Entering Passive Mode (67,100,83,395,7,222).
ftp> ls
Connection closed by remote host.
ftp>




Thanks.
Willie
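As an added example (not code from the thread): a small Python script that parses an ASA "Teardown TCP connection" line like the one quoted above to tell the control channel (port 21) from an active (port 20) or passive data channel and which side sent the reset (Cisco documents the 302014 reason codes TCP Reset-I as a reset from the inside and TCP Reset-O as a reset from the outside), and decodes a 227 PASV reply into the data-channel address and port, rejecting a reply whose octets are out of range, as in the captured one. The sample lines and addresses are constructed placeholders, not the poster's real hosts.

```python
import re

# Constructed sample lines modelled on the ones quoted in the thread;
# the addresses are placeholders, not the poster's real hosts.
ASA_LINE = ("Teardown TCP connection 123348 for outside:203.0.113.10/21 "
            "to inside:172.16.5.20/32134 duration 0:00:29 bytes 338 TCP Reset-I")
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,7,222)."

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

# Cisco documents these reason codes for syslog 302014: the reset came
# from the inside (Reset-I) or the outside (Reset-O) interface side.
RESET_SOURCE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

def classify_teardown(line):
    """Return which FTP channel an ASA teardown line belongs to and who reset it."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    ports = {int(d["a_port"]), int(d["b_port"])}
    if 21 in ports:
        channel = "control"            # the session in the thread's log
    elif 20 in ports:
        channel = "data-active"        # server connects out from port 20
    else:
        channel = "data-passive"       # client connects to a high server port
    return {"id": int(d["id"]), "channel": channel,
            "reset_from": RESET_SOURCE.get(d["reason"], "n/a"),
            "duration": d["dur"], "bytes": int(d["bytes"])}

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply):
    """Decode a 227 reply into (ip, port); None if malformed (octet > 255)."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

if __name__ == "__main__":
    print(classify_teardown(ASA_LINE))
    print(parse_pasv_reply(PASV_REPLY))
```

The decoded passive port is the one the firewall must let the client reach; a teardown on that port rather than on 21 would point at the data channel instead of the control session.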

Accepted Solution by:giltjr (earned 400 total points)
The Windows client can't do anything but active.  The port/eprt and pasv/epsv commands are not commands that a "user" would issue, but commands that are issued by the client based on whether you are doing active or passive.

If you want to do command-line ftp, you will need to get another client.

I have never used this under Windows, but I have under Linux:

http://www.ncftp.com/ncftp/

Author Comment by:willie0-360
AlexPace & giltjr:

We migrated an Oracle server back in September 2013 from Windows Server 2003 to Windows Server 2008R2.  According to the Java developer who knows better about this FTP situation (I use the word situation for lack of a better word), before the migration the FTP client was working well.  It was also automated.

From what he can tell, things stopped working in September 2013, after the migration.  He says that there is a program that uses the Microsoft-FTP client to automate things.  Filezilla is not an option since it cannot be automated.

Last night, I found an FTP client that can be automated called MOVEit Freely.  I tested it, and it works fine in passive mode.  From what I have learned, one can move scripts written for the Microsoft-FTP client to MOVEit Freely.  Therefore, I suggested the MOVEit Freely-FTP client to the developer.  I will just have to wait and see if he can incorporate the existing program into this MOVEit Freely-FTP client.

Like the two of you have stated, everything points to the Microsoft-FTP client not being able to work in passive mode.  I am beginning to suspect that before the migration, it was a different FTP client that was in use other than the Microsoft-FTP client.

The way I now see it is this: unless you can find a way to "hack" the Microsoft-FTP client into passive mode, then use another FTP client that can go into passive mode.



Thanks for all of your responses.
Willie

Expert Comment by:giltjr
Your developer was correct, Filezilla is a GUI only ftp client.

There is nothing you can do to hack the MS ftp client to do passive.  It just plain does not support it.

MOVEit Freely and ncftp are just a few of the Windows ftp clients that are command line driven and thus can be automated.