Hey All,
I'm having an interesting issue with Passive FTP for users connected via RAP. I can connect and change directories, but the moment I do a display command (e.g. ls or dir) the session freezes and times out. Looking at the User Firewall State, I see that things are allowed, but then denied. I can't figure out why it would all of a sudden get denied after being allowed.
Even with a specific allow rule, the traffic still gets denied. Any ideas? Thanks.
After Connecting:
User Firewall State
Source IP | Source Port | Destination IP | Destination Port | Protocol | Status |
10.159.52.196 | 50597 | 10.159.54.35 | 21 | TCP | allow |
10.159.52.196 | 49665 | 10.159.16.5 | 53 | UDP | allow |
10.159.54.35 | 21 | 10.159.52.196 | 50597 | TCP | allow |
10.159.16.5 | 53 | 10.159.52.196 | 49665 | UDP | allow |
After “ls” command:
User Firewall State
Source IP | Source Port | Destination IP | Destination Port | Protocol | Status |
10.159.52.196 | 123 | 10.159.16.2 | 123 | UDP | allow |
10.159.52.196 | 50597 | 10.159.54.35 | 21 | TCP | deny |
10.159.52.196 | 49665 | 10.159.16.5 | 53 | UDP | allow |
10.159.16.2 | 123 | 10.159.52.196 | 123 | UDP | allow |
10.159.54.35 | 21 | 10.159.52.196 | 50597 | TCP | allow |
10.159.16.5 | 53 | 10.159.52.196 | 49665 | UDP | allow |
Here is the user-role configuration:
user-role DSG-Prod-rap_role
   access-list session "Split Tunnel"

ip access-list session "Split Tunnel"
   any any svc-dhcp permit
   any host 10.159.54.35 tcp 21 permit
   any alias Internal any permit
   any any any route src-nat

netdestination Internal
   network 10.159.16.0 255.255.248.0
   network 10.159.48.0 255.255.248.0
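To reason about what the posted ACL does to a passive FTP session, the following added example (not part of the post, and not ArubaOS code) parses the server's PASV reply to recover the dynamic data port and then evaluates the four listed rules, first match wins, against the control connection, the data connection, and the other flows in the state tables. It assumes ArubaOS session ACLs are first-match, that `svc-dhcp` means UDP 67/68, and that `alias Internal` expands to the two networks in the `netdestination`; the PASV reply is constructed for the example.

```python
import ipaddress
import re

# Constructed from the post: "netdestination Internal" expanded to CIDR form.
INTERNAL = [ipaddress.ip_network("10.159.16.0/21"),
            ipaddress.ip_network("10.159.48.0/21")]

# The "Split Tunnel" session ACL from the post, in order, as
# (destination match, protocol, destination ports, action).
# Assumption: svc-dhcp is treated here as UDP 67/68.
ACL = [
    ("any",                                  "udp", {67, 68}, "permit"),        # any any svc-dhcp permit
    (ipaddress.ip_network("10.159.54.35/32"), "tcp", {21},   "permit"),        # any host 10.159.54.35 tcp 21 permit
    (INTERNAL,                               "any", None,     "permit"),        # any alias Internal any permit
    ("any",                                  "any", None,     "route src-nat"), # any any any route src-nat
]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    The data port is p1*256 + p2; the client opens a NEW TCP connection to it,
    so a rule that only permits tcp/21 never sees the data channel.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def _dst_matches(spec, ip):
    if spec == "any":
        return True
    nets = spec if isinstance(spec, list) else [spec]
    return any(ip in n for n in nets)


def evaluate(dst_ip, proto, dport):
    """First-match ACL evaluation; returns (rule_index, action).

    Only destination/protocol/port are modelled because every rule in the
    post uses 'any' as its source.
    """
    ip = ipaddress.ip_address(dst_ip)
    for idx, (dst, p, ports, action) in enumerate(ACL):
        if p != "any" and p != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        if not _dst_matches(dst, ip):
            continue
        return idx, action
    return None, "implicit deny"


def ftp_session_verdicts(pasv_reply, server="10.159.54.35"):
    """Return the ACL verdict for the control channel and the PASV data channel."""
    data_ip, data_port = parse_pasv(pasv_reply)
    return {
        "control": evaluate(server, "tcp", 21),
        "data": evaluate(data_ip, "tcp", data_port),
        "data_port": data_port,
    }


if __name__ == "__main__":
    # Constructed reply: server 10.159.54.35 offering data port 195*256+80 = 50000.
    verdicts = ftp_session_verdicts("227 Entering Passive Mode (10,159,54,35,195,80)")
    for name, v in verdicts.items():
        print(name, v)
    # Flows from the post's state tables:
    print("dns", evaluate("10.159.16.5", "udp", 53))
    print("ntp", evaluate("10.159.16.2", "udp", 123))
    print("internet", evaluate("203.0.113.10", "tcp", 443))
```

Under these assumptions both the control connection (rule 2, tcp/21) and the passive data connection (rule 3, because 10.159.54.35 falls inside 10.159.48.0/21) reach a `permit`, as do the DNS and NTP flows in the state tables; only off-net traffic reaches `route src-nat`. The listed rules alone therefore do not produce the `deny` shown on the control connection, which is worth knowing before adding more permit rules.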