Symptoms:
FTP ALG Control Channel specifies an FTP rule for both Control and Data traffic. However if a another higher priority rule exists above the control channel rule, the data channel traffic can match that rule.
For example:
Created two rules
rule#1 ANY->ANY Port 1024-65535
rule#2 ANY->ANY Port 21 (FTP)
FTP Traffic
CTL Packets hit rule #1558 which is FTP rule
DATA Packets hit rule #1557 which is rule#1 instead of of Rule #2
d38b6670000002d9 Active tcp 0800 OUT 1558 1 3 (est) 172.#.#.#:Unknown(50386) -> 172.#.#.#:ftp(21) 14600 TIMEWAIT:TIMEWAIT alg ctrl(FTP) 21 rtt 14278 retrans 0/0 1362 1215 19 22 attr: APP_FTP,APP_FTPCTRL
d38b6670000002da Active ipv6-icmp 86dd IN 1499 0 0 fe80::204:96ff:####:#### -> ff02::1 134 0 96 # # #
d38b6670000002db Active tcp 0800 OUT 1557 1 3 (est) 172.#.#.#:Unknown(57097) -> 172.#.#.#:Unknown(27048) 14600 TIMEWAIT:TIMEWAIT alg data(FTP) 21 d38b6670000002d9 rtt 292 retrans 18/0 98345 3216 70 57 attr: APP_INVALID