https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119487#M16895 <P>Hello All,</P><P>We have put a FTP server behind a Security Gateway (R80.40) and this is causing the FTP scripts on the server to fail. It looks like a retransmission is happening with one FTP packets occasionally. The FW is altering this packet, which cause the FTP transfers to stop unexpectedly early.</P><P>I am using cppcap to capture the packets so the packets are seen 6 times as the traverse the firewall.</P><P>We see the original FTP response packet enter the firewall and pass correctly.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11842i1FBE46CD01CFA218/image-size/large?v=v2&amp;px=999" role="button" title="Packet1.png" alt="Packet1.png" /></span>&nbsp;after this packet there is a normal ACK back.</P><P>We then see a retransmission of this response packet enter the firewall.&nbsp; We see this 3 times as it is inbound on the firewall:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11843iDC0399FACA8400C8/image-size/large?v=v2&amp;px=999" role="button" title="Packet2.png" alt="Packet2.png" /></span></P><P>When the packet starts on the outbound path it has dropped from 120 byte to 67 bytes, the TCP flags have changed and the FTP data has been truncated to be a single character (I believe it is a newline character)&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet3.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11844i4353A4068F7386D2/image-size/large?v=v2&amp;px=999" role="button" title="Packet3.png" alt="Packet3.png" /></span></P><P>Something in the FW seems to process this retransmission in a strange way.&nbsp; The FTP commands and the output are logged on the server and are checked by a script for the return FTP code 226. As is visible when we decode the FTP stream on a wireshark trace on the server, this modified packet with the newline causes the FTP return code to appear as "newline" + 26 instead of the expected FTP return code 226. This causing the FTP scripts to fail:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decode.png" style="width: 405px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11845i68BFA059364196F7/image-size/large?v=v2&amp;px=999" role="button" title="decode.png" alt="decode.png" /></span></P><P>Has anyone experienced something like this before?</P><P>Many thanks,</P><P>Michael</P> Wed, 26 May 2021 16:10:48 GMT Michael_Horne 2021-05-26T16:10:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119487#M16895 <P>Hello All,</P><P>We have put a FTP server behind a Security Gateway (R80.40) and this is causing the FTP scripts on the server to fail. It looks like a retransmission is happening with one FTP packets occasionally. The FW is altering this packet, which cause the FTP transfers to stop unexpectedly early.</P><P>I am using cppcap to capture the packets so the packets are seen 6 times as the traverse the firewall.</P><P>We see the original FTP response packet enter the firewall and pass correctly.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11842i1FBE46CD01CFA218/image-size/large?v=v2&amp;px=999" role="button" title="Packet1.png" alt="Packet1.png" /></span>&nbsp;after this packet there is a normal ACK back.</P><P>We then see a retransmission of this response packet enter the firewall.&nbsp; We see this 3 times as it is inbound on the firewall:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11843iDC0399FACA8400C8/image-size/large?v=v2&amp;px=999" role="button" title="Packet2.png" alt="Packet2.png" /></span></P><P>When the packet starts on the outbound path it has dropped from 120 byte to 67 bytes, the TCP flags have changed and the FTP data has been truncated to be a single character (I believe it is a newline character)&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Packet3.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11844i4353A4068F7386D2/image-size/large?v=v2&amp;px=999" role="button" title="Packet3.png" alt="Packet3.png" /></span></P><P>Something in the FW seems to process this retransmission in a strange way.&nbsp; The FTP commands and the output are logged on the server and are checked by a script for the return FTP code 226. As is visible when we decode the FTP stream on a wireshark trace on the server, this modified packet with the newline causes the FTP return code to appear as "newline" + 26 instead of the expected FTP return code 226. This causing the FTP scripts to fail:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="decode.png" style="width: 405px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11845i68BFA059364196F7/image-size/large?v=v2&amp;px=999" role="button" title="decode.png" alt="decode.png" /></span></P><P>Has anyone experienced something like this before?</P><P>Many thanks,</P><P>Michael</P> Wed, 26 May 2021 16:10:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119487#M16895 Michael_Horne 2021-05-26T16:10:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119503#M16898 <P>Yes I have although Wireshark does not seem to be showing a checksum error, check this SK:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk173191&amp;partition=Advanced&amp;product=IPS" target="_blank">sk173191: Packet data stripped by "TCP Invalid Checksum" IPS protection</A></P> <P>Your issue also sounds vaguely similar to the following SK, but it does not match the symptoms exactly:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk24960&amp;partition=Advanced&amp;product=Quantum" target="_blank">sk24960: "<STRONG>Smart</STRONG> <STRONG>Connection</STRONG> Reuse" feature modifies some SYN packets</A></P> <P>&nbsp;</P> Wed, 26 May 2021 18:49:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119503#M16898 Timothy_Hall 2021-05-26T18:49:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119543#M16904 <P>Hello ,</P><P>Thanks for the links to the topics. I put in an exception for the "TCP invalid Checksum" protection for this particular connection, and I no longer see the FTP packets being truncated / changed as the pass through the firewall.</P> Thu, 27 May 2021 08:47:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FTP-retransmission-causing-FW-to-modify-packet/m-p/119543#M16904 Michael_Horne 2021-05-27T08:47:45Z