FTP behind RAS VPN - very strange behavior
Hello everyone,
We have two Linux servers in a DC. Both run proftpd. There is no problem accessing FTP shares from any other servers in the DC, but if a RAS VPN user tries to connect, it fails. They try again and it fails; they try again and I see the VPN client reconnecting, and only after that is the user connected to the FTP server. What is going on and how do I solve it? It affects Check Point Mobile Client for Mac (don't remember the version) and my Check Point Mobile Client for Windows 98.61.1816.
The same happens with ping (ICMP), but SSH is available at the same time.
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
WARNING: TCP connect to (192.168.168.101 : 21) failed
WARNING: Ping to 192.168.168.101 failed with status: TimedOut
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
TcpTestSucceeded : True
I appreciate any help. We haven't been able to solve this problem for months.
The first thing I would check is the logs... if nothing specific comes up, then maybe run captures on the firewall at the exact moment of the issue: zdebug, tcpdump, fw monitor...
fw shows either nothing or a successful connection.
tcpdump shows a successful connection.
What exactly should I run for zdebug?
You can use anything for the filter... I'll just give you an example with a port and an IP address.
Say you want to filter for any drops on port 21 or 22, just do this:
fw ctl zdebug + drop | grep -E '21|22'
If, say, the IP of your FTP server is 10.10.15.15, just do the below:
fw ctl zdebug + drop | grep 10.10.15.15
zdebug is totally non-intrusive, you can leave it running for a long time, so maybe open two SSH windows and run both at the same time.
Andy
Thank you. One more question before I begin: will it impact performance, or should I run it outside working hours?
No no, don't wait... I left zdebug running for hours and nothing ever happened. I mean, it's your firewall, so I won't give you any guarantees, but I would be shocked if anything did happen. Just make sure CPU/memory are fine. Once finished, just for your own peace of mind, run fw ctl debug 0 and fw ctl debug -x... those commands disable and turn off any active debugs.
I would do the zdebug first as the_rock is suggesting, and if you don't see anything getting dropped there proceed to packet captures. A port 21 FTP connection will always go F2F (so the firewall can pinhole open data ports specified by the PORT command), so feel free to use fw monitor -e and there will be no need to disable SecureXL to get a full capture of that traffic.
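As an added illustration of why the FTP control channel has to be inspected for the data ports it negotiates (example code written for this page, not from the thread or from Check Point): the parser below decodes the PORT command and, going beyond the post, the 227 reply to PASV, computes the data connection a stateful firewall must pinhole, and marks as deny any advertised address that does not belong to the peer expected to receive the connection. The transcript, the client address 172.16.16.16 and the server address 192.168.168.101 are constructed from the values in the thread.

```python
import re

# PORT (active mode) and the 227 reply to PASV (passive mode) both carry
# h1,h2,h3,h4,p1,p2 per RFC 959; the data port is p1*256 + p2.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def decode_hostport(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in fields.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host/port tuple: {fields!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def data_pinhole(line, client_ip, server_ip):
    """Return the data-channel flow a firewall should open after seeing one
    control-channel line, or None if the line opens no data connection.
    The flow is 'allow' only when the advertised address is the peer that is
    supposed to receive the connection; a third-party address is 'deny'."""
    if m := _PORT_RE.match(line):
        host, port = decode_hostport(m.group(1))
        # Active mode: the server connects out to the client's advertised endpoint.
        return {"mode": "active", "src": server_ip, "dst": host, "dport": port,
                "action": "allow" if host == client_ip else "deny"}
    if m := _PASV_RE.match(line):
        host, port = decode_hostport(m.group(1))
        # Passive mode: the client connects to the server's advertised endpoint.
        return {"mode": "passive", "src": client_ip, "dst": host, "dport": port,
                "action": "allow" if host == server_ip else "deny"}
    return None


def control_channel_pinholes(lines, client_ip, server_ip):
    """Run data_pinhole over a whole control-channel transcript."""
    return [p for p in (data_pinhole(l, client_ip, server_ip) for l in lines) if p]


# Constructed transcript (not captured traffic) using the thread's addresses.
SAMPLE_CONTROL = [
    "USER anonymous",
    "PORT 172,16,16,16,195,80",                             # active: 195*256+80 = 50000
    "227 Entering Passive Mode (192,168,168,101,156,64).",  # passive: 156*256+64 = 40000
    "PORT 10,0,0,5,4,1",                                    # address is not the client: deny
]

if __name__ == "__main__":
    for p in control_channel_pinholes(SAMPLE_CONTROL, "172.16.16.16", "192.168.168.101"):
        print(p)
```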
Also, just as a side note: in reality, tcpdump will ONLY really show you whether traffic leaves the specific interface you are filtering for, but fw monitor will show you way more than that... so maybe run something like this -> fw monitor -e "accept host(x.x.x.x) and port(21);"
Where x.x.x.x is your FTP server IP address.
You can also do the below:
fw monitor -F 'x,x,x,x,x' -F 'y,y,y,y,y'
x,x,x,x,x = source IP, source port, dst IP, dst port, protocol
y,y,y,y,y = source IP, source port, dst IP, dst port, protocol (just traffic flowing other way around)
Hope that helps.
Andy
