[c-nsp] FWSM v2.3 and FTP

varaillon j.varaillon at cosmoline.com
Tue Jul 24 05:04:43 EDT 2007


Hi,

We had that topology:

Server1,Server2---7200---Server3,Server4

We changed it to that topology:

Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4

The goal is to use FTP to transfer files (2 MB in size) between Server2 and
Server1.

The problem occurs soon after Server2 starts sending data.
As soon as a few 100 KB have been transferred we get the error message:
"connection reset by peer".

This issue occurs between:
Server3 and Server1
Server3 and Server2

However there is no FTP issue between:
Server3 and Server1
Server4 and Server1

On the FWSM I tried the following, but it did not solve the issue:
- ACL permitting everything I/O
- no inspect ftp
- norandomseq on each relevant translation rule
- reload Server1
- restart the relevant process on Server2

So we went back to the former topology:

Server1,Server2---7200---Server3,Server4

...and without doing any reload/restart on any server, the FTP issue no
longer existed.

Since replacing the FWSM with the 7200 router solves the issue and replacing
the 7200 with the FWSM creates the issue, it is clear that the FWSM is the
problem.

But since the ACL allows everything, no inspection is done on FTP, and we also
disabled randomized sequence numbers (in case one server already has a
firewall), what else could be done on the FWSM?

Any suggestions/comments would be welcome.

Thanks!

Christophe
