https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26068#M5274 <HTML><HEAD></HEAD><BODY><P>So before I get "upgrade please!!!" we are getting new R80.10 boxes in the next year but intill those are up i am seeing a issue with many FTP sites not finishing the handshake over the firewalls. When i connect just past the firewall on the same device it is working. Logs, FW monitor, and zdebug drop are all showing no blocks and that all trafiic is allowed. Wireshark just shows TCP retransmits due to the incomplete handshake. Anyone fight this issue before and can offer up some insight ? </P></BODY></HTML> Fri, 25 May 2018 15:25:56 GMT Jonathan_Diegan 2018-05-25T15:25:56Z https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26068#M5274 <HTML><HEAD></HEAD><BODY><P>So before I get "upgrade please!!!" we are getting new R80.10 boxes in the next year but intill those are up i am seeing a issue with many FTP sites not finishing the handshake over the firewalls. When i connect just past the firewall on the same device it is working. Logs, FW monitor, and zdebug drop are all showing no blocks and that all trafiic is allowed. Wireshark just shows TCP retransmits due to the incomplete handshake. Anyone fight this issue before and can offer up some insight ? </P></BODY></HTML> Fri, 25 May 2018 15:25:56 GMT https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26068#M5274 Jonathan_Diegan 2018-05-25T15:25:56Z https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26069#M5275 <HTML><HEAD></HEAD><BODY><P>If you are not seeing SynACKs from the destination (FTP servers) at all, check your NAT for the sources: if it is static and manual, you may have to define proxy ARP entries. If it is automatic and either "Hide" or "Static" in the object's properties, check the routing on the destination, if these are your servers.</P><P>Verify that your NAT settings are accurate: i.e. if you have Hide NAT for HTTP/S access to ANY, but have a manual rule with different NATed IP for FTP and that IP is wrong, the replies will get lost.</P><P>If the destination is not under your control, check tcpdump and fw monitor on external interfaces of the firewall to see if you are receiving <SPAN>SynACKs</SPAN> there.</P><P>It would also help, if you are addressing the FTP servers by name and not the IP from inside of the firewall, to check if they are being resolved to the same IPs as when you are trying it on the outside.</P></BODY></HTML> Fri, 25 May 2018 18:52:50 GMT https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26069#M5275 Vladimir 2018-05-25T18:52:50Z https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26070#M5276 <HTML><HEAD></HEAD><BODY><P>Unfortunately, testing the above yeilded the same results </P></BODY></HTML> Fri, 25 May 2018 19:31:16 GMT https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26070#M5276 Jonathan_Diegan 2018-05-25T19:31:16Z https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26071#M5277 <HTML><HEAD></HEAD><BODY><P>It would be helpful if you could post the text output of tcpdump -eni ifname while the traffic is traversing.</P><P>Verify the destination MAC shown actually matches your interface (this will verify the gateway is actually receiving the traffic).</P><P>You might also try, as a troubleshooting step, disabling SecureXL briefly (fwaccel off) and testing as well, but do this during a low traffic period.</P></BODY></HTML> Sat, 26 May 2018 03:34:52 GMT https://community.checkpoint.com/t5/General-Topics/R75-47-SPLAT-and-FTP-Issues/m-p/26071#M5277 PhoneBoy 2018-05-26T03:34:52Z