tmaususer asked:
FTP Server is no longer accessible externally

Last week, our Internet went down.  We pulled the plug on the ASA to cycle power on it and the Internet came back up.  However, the next day, some of our employees working offsite said they could not connect to the FTP server.  We can connect internally.  The FTP server plugs into the DMZ.  We have since restarted that.  We have also restarted the server a few times.  Here are some of the things I have checked:
config of the ASA
config and port of the DMZ
our A records with our domain provider
our rDNS
the config of the IIS
the FTP publishing and IIS services
the event log
the DNS entries to our ISP
the firewall on the server
our AD and DNS
These checked out okay.  I'm not sure what else to do at this point.
giltjr:

Can you post the config of your ASA?  Of course mask any private information.

Have you done a packet capture from the ASA to see if traffic going to your FTP server is hitting it from the outside?

Are there any other services that you host?  Are they accessible from the Internet?
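One way to triage the capture giltjr asks for, as an added example that is not from this thread: it parses constructed tcpdump-style lines (placeholder addresses, not the asker's network) and reports which published services never saw a SYN from a non-RFC1918 source, which is the pattern that separates "blocked at the ASA" from "never arrived at the ASA".

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format; the public addresses are
# documentation-range placeholders, not real hosts from the thread.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq 1, length 0
12:00:01.200 IP 198.51.100.7.51235 > 203.0.113.10.443: Flags [S], seq 2, length 0
12:00:02.000 IP 192.168.1.55.40000 > 203.0.113.11.21: Flags [S], seq 3, length 0
12:00:03.000 IP 198.51.100.9.51300 > 203.0.113.12.25: Flags [S], seq 4, length 0
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Only RFC1918 space counts as "internal"; Python's is_private would also
# treat the documentation ranges used above as private, so check explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_syns(capture, ports):
    """Count pure SYNs per (dst_ip, dst_port) whose source is not RFC1918.
    Internal test connections prove nothing about the Internet path."""
    counts = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _, dst, dport, flags = m.groups()
        dport = int(dport)
        if dport not in ports or flags != "S":   # "S." is a SYN-ACK reply
            continue
        if is_internal(src):
            continue
        counts[(dst, dport)] += 1
    return dict(counts)


def unreached(capture, expected):
    """Return the expected (ip, port) services with no external SYN at all."""
    seen = external_syns(capture, {port for _, port in expected})
    return [svc for svc in expected if svc not in seen]
```

A service that only shows up with internal sources, while its neighbours on other public addresses do receive outside SYNs, points upstream of the firewall (routing or ARP at the ISP) rather than at the ASA policy.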
tmaususer (asker):

All the other services are working.
I'm not permitted to post the config.  It doesn't appear to have changed when comparing it to the backup.
Not sure how to do a packet capture.  Can I put Wireshark on the FTP server to do this?  
You're saying to look at traffic going from the ASA to the FTP server and see if there are any signs of external traffic?
ASKER CERTIFIED SOLUTION
giltjr
Okay,
I don't think the config changed, it compares okay with the backup.  I don't know enough to know if the policies are correct.  I don't know the commands to track traffic in the ASA, but I can try looking it up

Aside from the normal initial troubleshooting steps, are there any common known issues that can cause this after power is lost to an ASA?
I would double check the configuration.  If a change was made to the ASA to get FTP working and nobody ever did a "write mem" to copy the running configuration to the startup configuration, then when you power cycled the ASA an old configuration may have been loaded.

Depending on how you did your backup, the backup could match the currently running configuration, but it may not be what the ASA was running before it went down.

I would say that 99% of the time if something was working and then a device was restarted/rebooted and that something was no longer working it is because a change was made and never saved.
Okay,
Sounds logical.  Thanks!  Our network assistance provider is going to remote in later and try to help.  I will let you know what happens.
It turns out the ISP had the wrong MAC address entered for the FTP address.
The config turned out to be okay.  Our ISP had the wrong MAC address entered on their side for our FTP services.
Our Cisco provider was able to see that the traffic was not even reaching the firewall so we contacted our ISP and they had the wrong MAC entered on their side.  Thank you for suggesting that we should monitor the traffic!
As giltjr suggested, the key was seeing that traffic was not reaching the firewall.  Turned out our ISP had the wrong MAC address for our firewall for the FTP address.
Thanks for the points.  But the solution confuses me.  Your ISP should not have a static MAC coded for anything within your network.   I am assuming they had this defined as a static ARP entry, which they should not be doing.
Our ISP said they require the MAC for our ASA.  They had the correct MAC for our ASA associated with all of our assigned IP addresses except for the FTP address.  Now, all of our IP addresses have the correct MAC for our ASA.
Sorry I wasn't clear.  I didn't mean the MAC address of our FTP server.
Am I understanding correctly?
I'm still confused as to why they need to have the MAC for anything defined statically.  ARP processing should find that out dynamically and the ARP cache typically has a timeout when the cached entry would get deleted and ARP processing run again to find out.

Of course there is the question of how FTP was working beforehand if they did not have the FTP address defined properly to start with.
Yeah, it is weird.  I think their ARP table did update for our other addresses when power was restored to the ASA, but not the FTP.  Our Cisco vendor asked the same question.  The ISP said something to lead us to believe they had plugged a test laptop into our connection at an offsite location, causing the initial outage to begin with.  But I really have no idea what kind of crazy setup the telecom may have.

At any rate, the ISP did something on their end and it started working.
I really appreciate your help.