Network technologies and trends

Nov 9 2017   3:23AM GMT

What is “TCP Spurious Retransmission” ? And why does this occur for the FTP traffic passing through a Cisco ASA Firewall?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Cisco ASA
Network security

Recently we come across an issue where FTP  connection was not established between the client and the FTP server. The connection was passing through the Cisco ASA Firewall. Upon troubleshooting, we discovered 3-way TCP handshake was happening, however, once the login name and password entered to access the FTP directory nothing was accessible and no errors were reported in the FileZilla client.








Figure 1.2- Packets captured in pcap format in Cisco ASA Firewalls

Upon capturing the packet at Cisco ASA Firewall we discovered after 3-way TCP handshake, the FTP connection was initiated and the client was asked to enter the login credentials, and same is visible in the packets captured. However, after entering the login credentials it was observed TCP retransmission was occurring and TCP Spurious Retransmission was happening.

Before getting into the solution and the reasons why this was happening it’s better to understand what is “TCP  Spurious Retransmission” is?

As exhibited in the above TCP flow, the ACK sent to the receiver didn’t reach the sender in time,  since the ACK failed to reach the sender before RTO expires, the sender retransmits the same data that acknowledged by the receiver. This type of retransmissions are known are “ “TCP  Spurious Retransmission”





Figure 1.2- TCP Spurious Retransmission data flow

In our case, Cisco ASA was configured to do the FTP inspection in strict mode.

policy-map default_policy

class inspection_default

inspect ftp strict FTP-Map


The main issue with a strict option in our case was, the FTP client failed to process the FTP traffic due to the security of protected network was increased.

By simply inspecting the FTP traffic in normal mode the issue was resolved, we used the below Cisco ASA commands,

policy-map default_policy

class inspection_default

inspect ftp

When it comes to FTP its hard to troubleshoot, as logs collected doesn’t provide the details for the failure occurred. One has to capture the packets and download the captured packets in the pcap format for further analysis.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: