Cisco Bug: CSCvh65500 - Firepower 2100 Client in FTP active mode is not able to establish control channel with the Server

Last Modified

Jun 21, 2019

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases


Description (partial)

When the client works in Active mode, some of the control-channel packets may not match the Allow rule and are dropped by the default rule.

The client uses Active mode.
The FTP server has a multiline banner response. To configure one on a vsftpd server:
On the FTP server, create a new folder banners under /etc (mkdir /etc/banners).

Create a new file ftp.msg under /etc/banners containing around 10 lines of the server response "Welcome to FTP service" (vim /etc/banners/ftp.msg).

Edit the /etc/vsftpd.conf file, comment out the line ftpd_banner="Welcome to blah FTP service." and add the line banner_file=/etc/banners/ftp.msg.

Restart the vsftpd service: service vsftpd restart
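The server-side preparation above, as an added example script (not part of the bug record or of Cisco's or vsftpd's own tooling). It takes the base directory as an argument so the same steps can be exercised in a scratch directory without root before being applied to the real /etc; the sample vsftpd.conf contents used for that dry run are constructed here, and the script does not restart the service itself.

```shell
#!/bin/sh
# Added example: reproduce the multiline-banner vsftpd setup from the bug
# description against an arbitrary base directory (use /etc on the real
# server; a scratch directory here so it can be tried without root).
set -eu

# setup_multiline_banner BASE_DIR
#   BASE_DIR/banners/ftp.msg  -> 10-line "Welcome to FTP service" banner
#   BASE_DIR/vsftpd.conf      -> active ftpd_banner= line commented out,
#                                banner_file= line pointing at the banner added
setup_multiline_banner() {
    base="$1"
    conf="$base/vsftpd.conf"
    banner_dir="$base/banners"
    banner="$banner_dir/ftp.msg"

    mkdir -p "$banner_dir"

    # Ten identical lines: vsftpd sends each as a "220-" continuation line
    # of the greeting, which is what makes the banner multiline on the wire.
    : > "$banner"
    i=1
    while [ "$i" -le 10 ]; do
        echo "Welcome to FTP service" >> "$banner"
        i=$((i + 1))
    done

    # Comment out any active ftpd_banner= line; already-commented lines are
    # left alone. A .bak copy of the original config is kept beside it.
    if [ -f "$conf" ]; then
        sed -i.bak 's/^[[:space:]]*ftpd_banner=/#ftpd_banner=/' "$conf"
    fi

    # Add banner_file= only if the config does not already set it.
    if ! grep -q '^banner_file=' "$conf" 2>/dev/null; then
        echo "banner_file=$banner" >> "$conf"
    fi
}

# banner_line_count BASE_DIR -> number of lines in the banner file
banner_line_count() {
    wc -l < "$1/banners/ftp.msg" | tr -d ' '
}

# Usage on the FTP server (as root):  sh setup_banner.sh /etc && service vsftpd restart
if [ "$#" -ge 1 ]; then
    setup_multiline_banner "$1"
fi
```

After running it against /etc, restart vsftpd as in the next step and confirm with a plain FTP client that the greeting now arrives as a run of 220- lines followed by a final 220 line; that multiline greeting is the condition under which the control channel hits the default Block rule.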

The Access Control Policy rule contains:
Applications: FTP, FTP Active, FTP Data; Action: Allow
Default rule: Block all traffic

Now, from an FTP endpoint, log in to the server and download a file.

Expected output: the file download should go through.

Actual output: the file download is blocked (it hits the default Block rule).
Bug details contain sensitive information and therefore require an account to be viewed.
