Very unusual indeed, have you tried using inspect ftp instead of disabling it ? I've seen cases when fixups (replaced by inspect nowadays) really helps with protocol handling ...
Pat

On 7/24/07, varaillon <[EMAIL PROTECTED]> wrote:
> Sorry, just a long long day; we are using version 3.1(5) and not 2.x
>
> Christophe
>
> -----Original Message-----
> From: varaillon [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2007 12:05 PM
> To: '[email protected]'
> Subject: FWSM v2.3 and FTP
>
> Hi,
>
> We had that topology:
>
> Server1,Server2---7200---Server3,Server4
>
> We changed it to that topology:
>
> Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4
>
> The goal is to use FTP to transfer files (2MBs size) between Server2 and
> Server1.
>
> The problem occurs soon after Server2 starts sending data.
> As soon as a few 100KB have been transferred, we get the error message:
> "connection reset by peer".
>
> This issue occurs between:
> Server3 and Server1
> Server3 and Server2
>
> However, there is no FTP issue between:
> Server3 and Server1
> Server4 and Server1
>
> On the FWSM I tried the following, but it did not solve the issue:
> - ACL permitting everything I/O
> - no inspect ftp
> - norandomseq on each relevant translation rule
> - reload Server1
> - restart relevant process on Server2
>
> So we went back to the former topology:
>
> Server1,Server2---7200---Server3,Server4
>
> ...and without doing any reload/restart on any servers, the FTP issue did
> not exist any longer.
>
> Since replacing the FWSM by the router 7200 solves the issue and replacing
> the 7200 by the FWSM creates the issue, it is clear that the FWSM is the
> problem.
>
> But since the ACL allows everything, no inspect is done on FTP and also we
> disabled randomized sequence numbers (in case one server already has a
> firewall), what else could be done on the FWSM?
>
> Any suggestions/comments would be welcome.
>
> Thanks!
>
> Christophe
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
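The inspection Pat refers to, as an added hypothetical FWSM 3.1 configuration fragment (not taken from either poster's configuration; class and policy names are assumed to be the platform defaults): the first part shows the state described in the original message, with `no inspect ftp` applied, and the second restores `inspect ftp` so the FWSM follows the FTP control channel and opens the data connection itself instead of relying on a permit-all ACL, followed by commands to confirm the policy is active.

```cisco
! Hypothetical FWSM 3.1 fragment; class/policy names assumed to be the defaults.
! State described in the thread: FTP inspection removed from the global policy.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  no inspect ftp
service-policy global_policy global
!
! Pat's suggestion: re-enable FTP inspection so the FWSM tracks the
! PORT/PASV exchange on the control channel and admits the matching data
! connection dynamically, rather than depending on a permit-all ACL.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verify the policy is applied, then watch the FTP control and data
! connections while a transfer between the affected servers is running.
show service-policy
show conn
```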
