
R75.47 SPLAT and FTP Issues

So before I get "upgrade please!!!": we are getting new R80.10 boxes in the next year, but until those are up I am seeing an issue with many FTP sites not finishing the handshake over the firewalls. When I connect just past the firewall on the same device it is working. Logs, FW monitor, and zdebug drop are all showing no blocks and that all traffic is allowed. Wireshark just shows TCP retransmits due to the incomplete handshake. Anyone fight this issue before and can offer up some insight?

Vladimir

Re: R75.47 SPLAT and FTP Issues

If you are not seeing SynACKs from the destination (FTP servers) at all, check your NAT for the sources: if it is static and manual, you may have to define proxy ARP entries. If it is automatic and either "Hide" or "Static" in the object's properties, check the routing on the destination, if these are your servers.

Verify that your NAT settings are accurate: i.e. if you have Hide NAT for HTTP/S access to ANY, but have a manual rule with different NATed IP for FTP and that IP is wrong, the replies will get lost.

If the destination is not under your control, check tcpdump and fw monitor on external interfaces of the firewall to see if you are receiving SynACKs there.

It would also help, if you are addressing the FTP servers by name and not the IP from inside of the firewall, to check if they are being resolved to the same IPs as when you are trying it on the outside.


Re: R75.47 SPLAT and FTP Issues

Unfortunately, testing the above yielded the same results.

Admin

Re: R75.47 SPLAT and FTP Issues

It would be helpful if you could post the text output of tcpdump -eni ifname while the traffic is traversing.

Verify the destination MAC shown actually matches your interface (this will verify the gateway is actually receiving the traffic).

You might also try, as a troubleshooting step, disabling SecureXL briefly (fwaccel off) and testing as well, but do this during a low traffic period.
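Added example, not code from the thread or from Check Point: a small Python script that applies both checks made above to the text output of tcpdump -eni (do SYN-ACKs come back for each client SYN, as in the first reply, and is each reply frame addressed to the gateway's own interface MAC, as in the last). The interface MAC and the capture lines are constructed for the example; the line layout is that of a modern tcpdump -e -n, so an older tcpdump that prints "S" instead of "Flags [S]" would need the regex adjusted.

```python
import re

# Constructed sample of `tcpdump -eni eth1` output (not captured from the thread).
# 00:1c:7f:aa:bb:cc is the gateway's external interface, 00:50:56:11:22:33 the next hop.
SAMPLE = """\
12:00:00.000001 00:1c:7f:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 10.1.1.5.51234 > 203.0.113.10.21: Flags [S], seq 1000, win 29200, length 0
12:00:00.000500 00:50:56:11:22:33 > 00:1c:7f:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 203.0.113.10.21 > 10.1.1.5.51234: Flags [S.], seq 2000, ack 1001, win 28960, length 0
12:00:01.000001 00:1c:7f:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 10.1.1.5.51235 > 203.0.113.20.21: Flags [S], seq 3000, win 29200, length 0
12:00:02.000001 00:1c:7f:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 10.1.1.5.51235 > 203.0.113.20.21: Flags [S], seq 3000, win 29200, length 0
12:00:03.000001 00:1c:7f:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 10.1.1.5.51236 > 203.0.113.30.21: Flags [S], seq 5000, win 29200, length 0
12:00:03.000500 00:50:56:11:22:33 > 00:1c:7f:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 203.0.113.30.21 > 10.1.1.5.51236: Flags [S.], seq 6000, ack 5001, win 28960, length 0
"""

# One frame of `tcpdump -e -n` output: timestamp, source/destination MAC, then the TCP summary.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def analyse(capture, iface_mac):
    """Return {client flow: verdict} for every client SYN seen on the interface."""
    iface_mac = iface_mac.lower()
    syns = {}        # client flow -> number of SYNs (retransmits raise the count)
    synack_ok = set()
    wrong_mac = {}   # client flow -> MAC the SYN-ACK was actually addressed to
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":
            flow = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"
            syns[flow] = syns.get(flow, 0) + 1
        elif m["flags"] == "S.":
            # A SYN-ACK travels server->client, so flip it onto the client's flow.
            flow = f"{m['dst']}:{m['dport']}->{m['src']}:{m['sport']}"
            if m["dmac"].lower() == iface_mac:
                synack_ok.add(flow)
            else:
                wrong_mac[flow] = m["dmac"]
    report = {}
    for flow, count in syns.items():
        if flow in synack_ok:
            report[flow] = "handshake ok"
        elif flow in wrong_mac:
            report[flow] = f"SYN-ACK addressed to {wrong_mac[flow]}, not this interface (check NAT/proxy ARP)"
        else:
            report[flow] = f"no SYN-ACK seen after {count} SYN(s) (reply lost upstream or NAT wrong)"
    return report
```

Feed it a real capture with `analyse(open("cap.txt").read(), "<your interface MAC>")`; a flow that reports a SYN-ACK addressed to another MAC points at the ARP/NAT side, while one with no SYN-ACK at all means the reply never reached the gateway's external interface.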