Cisco ASA 9.1 FTP Teardown TCP Connection

Posted on 2014-02-24
Last Modified: 2014-02-26
Hello Experts:

We have an internal server trying to download files from an external FTP server.  I can connect to the FTP server from the internal server, let us call this server FTP-Client.  However, when I try to download a file from the external FTP server, I get this message:

Connection closed by remote host.

I checked the logs on the Cisco ASA firewall, and this is what it shows:

Teardown TCP connection 123348 for outside:external-FTP-server-IP/21 to inside:FTP-Client-IP/32134 duration 0:00:29 bytes 338 TCP Reset-I

Can any of you help me solve this problem?



Thanks.
Willie
Question by:willie0-360
11 Comments
 

Author Comment

by:willie0-360
ID: 39883371
I want to add that before the message:

Teardown TCP connection 123348 for outside:external-FTP-server-IP/21 to inside:FTP-Client-IP/32134 duration 0:00:29 bytes 338 TCP Reset-I


This message appears on the Cisco ASA:

Teardown local-host outside:external-FTP-server-IP duration 0:00:29



Thanks.
Willie
0
 
LVL 16

Assisted Solution

by:AlexPace
AlexPace earned 400 total points
ID: 39883532
In an FTP session, transferring a file or directory listing opens a second connection called the data channel connection.  The exact port number is negotiated at run-time when the client sends the PORT or PASV command.  Perhaps this data channel connection is the one that is failing for you.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39884485
AlexPace is correct.  FTP uses two TCP connections.  The first is the command/control connection, which is used for the user to issue commands (get, put, ls, cd, pwd, and others) and for the ftp client and server to control the data transfer connection.  The data transfer connection is used when data must be transferred, because of commands like get, put, and ls.

However, in this case the log entries are for the command/control session.  You can tell this by the port the server is using, 21.

You need to find out which side is issuing the TCP reset for that connection.  You can run a packet capture (I suggest using Wireshark) on your computer to see if it is your computer that might be sending out the TCP reset.  If your computer is not, then the server is, so you need to contact whoever controls the ftp server.
0
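Added example (not from this thread or from Cisco): a small parser for the ASA 302014 "Teardown TCP connection" message quoted above, run over constructed sample lines. The teardown reason field itself records which side sent the RST (Cisco documents "TCP Reset-I" as a reset from the inside and "TCP Reset-O" as one from the outside), so the parser decodes that and picks out FTP control (21) and active-mode data (20) connections that ended in a reset. The sample IPs are documentation addresses, not the poster's hosts.

```python
import re

# Constructed sample ASA 302014 lines (documentation IPs, not the thread's hosts).
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 123348 for outside:203.0.113.7/21 to inside:172.16.0.5/32134 duration 0:00:29 bytes 338 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 123349 for outside:203.0.113.7/21 to inside:172.17.0.9/40210 duration 0:01:02 bytes 1840 TCP FINs
%ASA-6-302014: Teardown TCP connection 123350 for outside:203.0.113.7/20 to inside:172.16.0.5/32135 duration 0:00:00 bytes 0 TCP Reset-O
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Teardown reasons that identify which side of the ASA sent the RST.
RESET_SIDE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

def parse_teardown(line):
    """Return the fields of a 302014 teardown line as a dict, or None if it is not one."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "conn": int(f["conn"]),
        # keyed by interface name so callers can ask for the inside/outside endpoint
        "endpoints": {f["if1"]: (f["ip1"], int(f["port1"])),
                      f["if2"]: (f["ip2"], int(f["port2"]))},
        "seconds": int(f["h"]) * 3600 + int(f["m"]) * 60 + int(f["s"]),
        "bytes": int(f["bytes"]),
        "reason": f["reason"],
        "reset_from": RESET_SIDE.get(f["reason"]),  # None for FINs, timeouts, etc.
    }

def ftp_resets(log):
    """Teardowns of FTP control (21) or active data (20) connections that ended in a RST."""
    hits = []
    for line in log.splitlines():
        rec = parse_teardown(line)
        if rec is None or rec["reset_from"] is None:
            continue
        ports = {port for _, port in rec["endpoints"].values()}
        if ports & {20, 21}:
            hits.append(rec)
    return hits
```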
 

Author Comment

by:willie0-360
ID: 39884721
Thanks a lot for your responses.  

I will install Wireshark on the server, where the FTP Client is on, to check on what it says about your suggestions.

The FTP Client is on a server that is on the 172.16.x.x network.  We have our office LAN in the 172.17.x.x network.  If I try to connect and download files from my desktop on the office LAN, it works.  Everything works as expected there.  However, from the 172.16.x.x network, it does not work.  I can connect to the FTP server, but that is all.   Does this tell you anything about this problem?

I would say that based on that, the FTP server is not resetting the connection.  What do you think?

Let me also mention that as far as I know, both LANs, the 172.16.x.x and the 172.17.x.x connect to two different Cisco ASAs.



Thanks.
Willie
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39886105
What happens if you just connect to the ftp server from the "server" that is having the problem and sit there and do nothing?

It's possible that the firewall rules are not set up correctly for ftp'ing from the 172.16.0.0 network.

How long after you issue the get/put command do you see the message "connection closed by remote host"?

What ftp client are you running?
0
 

Author Comment

by:willie0-360
ID: 39887102
This is now what we just discovered.  When using the Windows Command Prompt FTP client, the data transfer does not work.  The same when using it with Powershell.  Now, if we try it with the Filezilla FTP client, it works.  Everything works.  However, as far as we understand, Filezilla cannot be automated.  

What could the Command Prompt be doing to cause this problem?  It works fine with the Filezilla FTP client.



It takes about 56 seconds for the Connection closed by remote host to appear.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1600 total points
ID: 39887410
Easy.  With FTP there are two data transfer modes "active" and "passive."

The Windows FTP client only supports "active", and the same client is used from the command line and PowerShell.

Filezilla, and most other ftp clients, support both passive and active, but use passive by default.

In "active" mode, the server actually initiates the data TCP connection from port 20 to a random high port the client selects.  The client tells the server which port in the PORT/EPRT commands.

In "passive" mode, the client initiates the data TCP connection to the server from a random high port to a random high port that the server opens and tells the client using the PASV/EPSV command.

Most firewalls today are easily configured for passive connections, but not really for active.

I was going down this road which is why I asked which ftp client you were using.
0
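Added example (not code from the thread): the PORT/PASV/EPSV negotiation described above, written out so the two data-channel directions can be compared. `parse_pasv` decodes a 227 reply (host octets plus port = p1*256 + p2, rejecting out-of-range values), `parse_epsv` decodes a 229 reply, `build_port` encodes the PORT command an active-mode client would send, and `data_channel` reports which side opens the data connection and between which endpoints, which is what a firewall rule has to allow. The sample replies and addresses are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed sample server replies (not from the original thread).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,7,222)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50123|)"

def parse_pasv(reply):
    """227 reply -> (host, port). Port is p1*256 + p2; every field must be 0..255."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet or port byte out of range in PASV reply")
    host = str(IPv4Address(".".join(str(o) for o in n[:4])))
    return host, n[4] * 256 + n[5]

def parse_epsv(reply):
    """229 reply -> data port; the host is the one the control connection already uses."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not reply.startswith("229") or m is None:
        raise ValueError("not a 229 EPSV reply")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range")
    return port

def build_port(client_ip, client_port):
    """Active mode: the client advertises its own listening socket in the PORT command."""
    IPv4Address(client_ip)  # raises on a malformed address before we encode it
    return "PORT %s,%d,%d" % (client_ip.replace(".", ","),
                              client_port // 256, client_port % 256)

def data_channel(mode, client_ip, client_port, server_ip, server_reply=None):
    """Who opens the data connection, and between which endpoints.

    active:  server:20 -> client:client_port (an inbound connection to the client's side)
    passive: client:ephemeral -> server:port from the 227 reply (outbound from the client)
    """
    if mode == "active":
        return {"initiator": "server", "src": f"{server_ip}:20",
                "dst": f"{client_ip}:{client_port}"}
    if mode == "passive":
        host, port = parse_pasv(server_reply)
        return {"initiator": "client", "src": f"{client_ip}:ephemeral",
                "dst": f"{host}:{port}"}
    raise ValueError("mode must be 'active' or 'passive'")
```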
 

Author Comment

by:willie0-360
ID: 39887561
Thanks for your response.

I tested the PASV/EPSV commands/modes and the connection was closed as well.

This is what I did for EPSV:

ftp> type
Using ascii mode to transfer files.
ftp> type epsv
epsv: unknown mode.
ftp> epsv
Invalid command.
ftp> epvs4
Invalid command.
ftp> ls
Connection closed by remote host.
ftp> quote espv
500 Unkwown command ESPV


For PASV:

ftp> quote pasv
227 Entering Passive Mode (67,100,83,395,7,222).
ftp> ls
Connection closed by remote host.
ftp>




Thanks.
Willie
0
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 1600 total points
ID: 39887842
The Windows client can't do anything but active.  The PORT/EPRT and PASV/EPSV commands are not commands that a "user" would issue, but commands that are issued by the client based on whether you are doing active or passive.

If you want to do command line ftp, you will need to get another client.

I have never used this under Windows, but I have under Linux:

http://www.ncftp.com/ncftp/
0
 

Author Comment

by:willie0-360
ID: 39889433
AlexPace & giltjr:

We migrated an Oracle server back in September 2013 from Windows Server 2003 to Windows Server 2008R2.  According to the Java developer, who knows better about this FTP situation (I use the word situation for lack of a better word), before the migration the FTP client was working well.  It was also automated.

From what he can tell, things stopped working in September 2013, after the migration.  He says that there is a program that uses the Microsoft-FTP client to automate things.  Filezilla is not an option since it cannot be automated.

Last night, I found an FTP client that can be automated called MOVEit Freely.  I tested it, and it works fine in passive mode.  From what I have learned, one can move scripts written for the Microsoft-FTP client to MOVEit Freely.  Therefore, I suggested the MOVEit Freely-FTP client to the developer.  I will just have to wait, and see if he can incorporate the existing program into this MOVEit Freely-FTP client.

Like the two of you have stated, everything points to the Microsoft-FTP client not being able to work in passive mode.  I am beginning to suspect that before the migration, it was a different FTP client that was in use other than the Microsoft-FTP client.

The way I now see it is this, unless you can find a way to "hack" the Microsoft-FTP client into passive mode, then use another FTP client that can go into passive mode.



Thanks for all of your responses.
Willie
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39889832
Your developer was correct, Filezilla is a GUI only ftp client.

There is nothing you can do to hack the MS ftp client to do passive.  It just plain does not support it.

MOVEit Freely and ncftp are just a few of the Windows ftp clients that are command line driven and thus can be automated.
0
