FTP TCP DUP ACK Error
Does anyone know what might be causing a lot of TCP DUP ACK and TCP Retransmission for an FTP transfer? We also get a "426 File transfer failed" error in the packet capture.
Reason for TCP duplicated acks and retransmissions is packet loss.
Typical reasons for packet loss are:
- network congestion
- network L2 errors
ASKER
Predrag: Didn't see any errors after clearing the interfaces this morning. Although we did see some input errors over a 14-day period.
Noci: Tried enabling PMT D on the Cisco ASA through allowing icmp unreachable but that prevented us from monitoring the network so I had to disable it.
Note that this seems to impact just one ftp server and the ftp server connects just fine but when trying to download a file, it starts but never finishes.
I checked the routing path and there is no asymmetric routing issue.
It does not mean anything that you don't see errors under the interface. Errors and congestion can happen anywhere between host and server.
Ultra simplified version - TCP window is 3 packets (Duplicated ACK and retransmissions).
Server sends packets 1 2 3
Host gets all packets and sends ACK 3
Server sends packets 4 5 6
Host gets only packets 5 and 6 - host will send ACK 3 again (TCP Duplicated ACK)
After the server has waited for the timeout period without getting an ACK for 6, and since it does not know which packets the host did not get, the server will send packets 4 5 6 again (TCP Retransmission)
If there were no packet loss (packets are received by the host and ACKs are received by the server in a timely fashion) there would be neither duplicated ACKs nor retransmissions.
You can find an excellent presentation: The Transport Layer: TCP and UDP, Jean-Yves Le Boudec, Fall 2009
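The simplified model in the answer above, as an added Python example that is not part of the original thread. It replays the "window of 3 packets" scenario and labels each event the way a capture would; the function names and the `lost` parameter are assumptions for illustration, and real TCP acknowledges byte ranges rather than packet numbers.

```python
from collections import Counter


def simulate(total, window, lost=frozenset()):
    """Replay the simplified model: the host ACKs the last in-order packet,
    and the server resends the whole window when it gets no progress.

    lost -- set of (packet, attempt) pairs dropped on the path (constructed input)
    """
    events = []
    acked = 0        # highest in-order packet the server knows was delivered
    expected = 1     # next in-order packet the host is waiting for
    sent = {}        # packet number -> how many times it has been sent
    last_ack = None
    while acked < total:
        arrived = False
        for p in range(acked + 1, min(acked + window, total) + 1):
            sent[p] = sent.get(p, 0) + 1
            events.append(("retransmission" if sent[p] > 1 else "send", p))
            if (p, sent[p]) in lost:
                continue              # dropped somewhere between server and host
            arrived = True
            if p == expected:         # in order, so the host accepts it
                expected += 1
        if arrived:                   # host ACKs the last in-order packet it holds
            ack = expected - 1
            events.append(("dup_ack" if ack == last_ack else "ack", ack))
            last_ack = ack
            acked = ack
        # if nothing arrived, the server times out and resends the same window
    return events


def summarize(events):
    """Count event kinds, comparable to capture statistics for one flow."""
    return Counter(kind for kind, _ in events)


if __name__ == "__main__":
    # The scenario from the post: 6 packets, window of 3, first copy of packet 4 lost.
    for kind, number in simulate(6, 3, {(4, 1)}):
        print(kind, number)
    print(dict(summarize(simulate(6, 3, {(4, 1)}))))
```

With an empty `lost` set the trace contains only `send` and `ack` events, which is the no-loss case the answer describes.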
"Note that this seems to impact just one ftp server and the ftp server connects just fine but when trying to download a file, it starts but never finishes."
I just noticed marked part, I was explaining TCP and did not notice part that states that one specific ftp server is affected with specific symptoms...
Most likely ftp server is configured as active ftp, but firewall is not configured for that. Active ftp session is initiating ftp data transfer on port 20 after ftp control on port 21 is established. You can find explanation and solution for ASA in article - ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example
ASKER
Hi Predrag,
Thanks for trying.
The FTP server is on the outside of the ASA and the clients are on the inside.
I tried enabling the inspect ftp and removing it, and tried the strict ftp inspection too. Same issue.
The error I get when I try to download the files is "Failed - Network error".
It happens with all browsers.
For trying to help?
:)
Sorry that we were not able to help you. It will not happen ever again, at least, not from my side.
never finishes.... ok then a transfer took longer than a firewall was prepared to keep the port 21 (command link) open.
and the result of the transfer is never reported.... after which the local ftp has to assume failure.
ASKER
Bypassed the Firepower module for inspection the FTP issue.
it might also be a problem if too large packets are transmitted after a short while. enabling PMTU detection might help.