Required Multi-Channel Protocol is Not Inspected
If there are connectivity issues with multi-channel protocols such as FTP or H323 for example, make sure you are inspecting those specific protocols. In multi-channel protocols, the data channels are built up based on the negotiation that takes place using a control channel. So, the IOS firewall engine must inspect the control channel to get the necessary information from the negotiation that takes place to create openings on the ACL for the data channel. So, if you do not inspect the application layer protocol, the inspection engine for that protocol is not used. Instead, a generic inspection engine, such as TCP or UDP, is used, which does not go into the payload to get all the required information for the subsequent data channels once the control channel is built up. Hence the data channels fail. For FTP a typical symptom is this: when you execute ls, it hangs infinitely. If inspecting multi-channel protocol does not resolve the issues, then most likely there is a software bug, which can be confirmed by Cisco Support if presented with the debug ip inspect multi_channel_protcol (for example, FTP).