Cisco Bug: CSCvh65500 - Firepower 2100 Client in FTP active mode is not able to establish control channel with the Server

Last Modified

Jun 21, 2019

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

2.9.11

Description (partial)

Symptom:
When the client works in Active mode, some of the control channel packets may not match the rule and are dropped by the default rule.

Conditions:
The client uses Active mode.
The FTP server has a multiline banner response.
On the FTP server: Create a new folder banners under /etc (mkdir /etc/banners)

Create a new file ftp.msg under /etc/banners and add around 10 lines of server response "Welcome to FTP service" (vim /etc/banners/ftp.msg)

Edit the /etc/vsftpd.conf file, comment out the line ftpd_banner= "Welcome to blah FTP service." and add the line banner_file=/etc/banners/ftp.msg

Restart the vsftpd service: service vsftpd restart

Access Control Policy Rule contains:
Applications: FTP, FTP Active, FTP Data; Action: Allow
Default rule: Block all traffic

Now from an FTP endpoint, try to login to the server and download a file.

Expected output: File download should go through.

Actual output: File download is blocked (it hits the default block rule).
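The banner configured above is sent as an RFC 959 multi-line reply, and anything that classifies the control channel (a client, or an application detector such as the one the access control rule relies on) has to reassemble that reply across TCP segments before it has seen the whole greeting. The following Python is an added example, not Cisco's or vsftpd's code; the "CODE-"/"CODE " rendering of banner_file and the 60-byte segmentation are assumptions made for the demonstration.

```python
import re
# RFC 959 section 4.2: a reply line is three digits, then "-" (more lines follow)
# or " " (final line), then text, ending in CRLF. A multi-line reply ends at the
# line that repeats its code followed by a space.
LINE_RE = re.compile(rb"^(\d{3})([ -])(.*)$")

def vsftpd_banner(code: int, lines: list[str]) -> bytes:
    """Render a banner_file as a multi-line greeting (assumption about the wire
    format: "CODE-" on every line but the last, "CODE " on the last)."""
    out = []
    for i, text in enumerate(lines):
        sep = b" " if i == len(lines) - 1 else b"-"
        out.append(b"%03d" % code + sep + text.encode() + b"\r\n")
    return b"".join(out)

class ReplyParser:
    """Reassemble complete FTP replies from an arbitrarily segmented stream."""
    def __init__(self) -> None:
        self.buf = b""
        self.code = None    # code of the multi-line reply still in progress
        self.lines = []

    def feed(self, segment: bytes) -> list[tuple[int, list[str]]]:
        """Consume one TCP segment; return every reply it completes."""
        self.buf += segment
        done = []
        while b"\r\n" in self.buf:
            raw, self.buf = self.buf.split(b"\r\n", 1)
            m = LINE_RE.match(raw)
            if self.code is None:                     # first line of a reply
                if not m:
                    raise ValueError("not an FTP reply line: %r" % raw)
                self.code, self.lines = int(m.group(1)), [m.group(3).decode()]
            elif m and int(m.group(1)) == self.code:  # "CODE-" or "CODE " line
                self.lines.append(m.group(3).decode())
            else:                                     # free-text continuation
                self.lines.append(raw.decode())
                continue
            if m.group(2) == b" ":                    # final line: reply complete
                done.append((self.code, self.lines))
                self.code = None
        return done

def demo(segment_size: int = 60) -> tuple[int, int, int]:
    """Deliver the repro's ten-line banner in constructed segments so that lines
    straddle segment boundaries; return (segments, replies, lines in reply)."""
    banner = vsftpd_banner(220, ["Welcome to FTP service"] * 10)
    segments = [banner[i:i + segment_size] for i in range(0, len(banner), segment_size)]
    parser = ReplyParser()
    completed = [r for seg in segments for r in parser.feed(seg)]
    return len(segments), len(completed), len(completed[0][1])
```

With the default segmentation the 280-byte greeting arrives in five segments, none of which is a complete reply on its own; only after the fifth does the parser return the single 220 reply with its ten lines.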