Hello everyone,
We have two Linux servers in a DC. Both run proftpd. There is no problem accessing the FTP shares from any other server in the DC, but if a RAS VPN user tries to connect, it fails. They try again, it fails; they try again, I see the VPN client reconnecting, and only after that is the user connected to the FTP server. What is going on and how do I solve it? It affects the Check Point Mobile Client for Mac (I don't remember the version) and my Check Point Mobile Client for Windows 98.61.1816.
The same happens with PING (ICMP), but SSH is available at the same time.
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
WARNING: TCP connect to (192.168.168.101 : 21) failed
WARNING: Ping to 192.168.168.101 failed with status: TimedOut
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
TcpTestSucceeded : True
I appreciate any help. We haven't been able to solve this problem for months.
The first thing I would check is the logs... if nothing specific comes up, then maybe run captures on the firewall at the exact moment of the issue: zdebug, tcpdump, fw monitor...
fw shows either nothing or a successful connection
tcpdump shows a successful connection
What exactly should I run for zdebug?
You can use anything for the filter... I'll just give you an example with a port and an IP address.
Say you want to filter for any drops on port 21 or 22, just do this:
fw ctl zdebug + drop | grep -E '21|22'
If, say, the IP of your ftp server is 10.10.15.15, just do the below:
fw ctl zdebug + drop | grep 10.10.15.15
Zdebug is totally non-intrusive; you can leave it running for a long time, so maybe open 2 SSH windows and run both simultaneously.
Andy
Thank you. One more question before I begin: will it impact performance, or should I run it outside working hours?
No no, don't wait... I left zdebug running for hours and nothing ever happened. I mean, it's your firewall, so I won't give you any guarantees, but I would be shocked if anything did happen. Just make sure CPU/memory are fine. Once finished, just for your own peace of mind, run fw ctl debug 0 and fw ctl debug -x... those commands disable and turn off any active debugs.
I would do the zdebug first as the_rock is suggesting, and if you don't see anything getting dropped there proceed to packet captures. A port 21 FTP connection will always go F2F (so the firewall can pinhole open data ports specified by the PORT command), so feel free to use fw monitor -e and there will be no need to disable SecureXL to get a full capture of that traffic.
Also, just as a side note: in reality, tcpdump will ONLY really show you whether traffic leaves the specific interface you are filtering for, but fw monitor will show you way more than that... so maybe run something like this -> fw monitor -e "accept host(x.x.x.x) and port(21);"
Where x.x.x.x is your ftp server IP address
You can also do below:
fw monitor -F 'x,x,x,x,x' -F 'y,y,y,y,y'
x,x,x,x,x = source IP, source port, dst IP, dst port, protocol
y,y,y,y,y = source IP, source port, dst IP, dst port, protocol (just traffic flowing other way around)
Hope that helps.
Andy
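As an added example (not from the thread or from Check Point), a small POSIX shell helper that summarises saved fw ctl zdebug + drop output for one host by drop reason, instead of chaining grep calls that also match digits inside IP addresses. The log lines inside are constructed samples in the usual zdebug drop line format, and the function names are assumptions of mine.

```shell
#!/bin/sh
# Summarise "fw ctl zdebug + drop" output for one host, counting drops per reason.
# Typical use on the gateway:
#   fw ctl zdebug + drop > /tmp/drops.txt    (Ctrl-C after reproducing the issue)
#   summarize_drops /tmp/drops.txt 192.168.168.101

# CONSTRUCTED sample lines in the typical zdebug drop format (not real captures).
sample_zdebug_log() {
  cat <<'EOF'
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.16.16:51234 -> 192.168.168.101:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 172.16.16.16:0 -> 192.168.168.101:0 dropped by fw_conn_post_inspect Reason: Anti-Spoofing;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.16.16:51240 -> 192.168.168.101:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.10.5:40000 -> 192.168.168.102:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 99;
EOF
}

# Print "count<TAB>reason", most frequent first, for drops where HOST is the
# source or destination IP (exact match, so 10.1.1.1 does not match 10.1.1.10).
# $1 = file holding zdebug output, $2 = host IP
summarize_drops() {
  awk -v host="$2" '
    /dropped by/ {
      # Extract the "src:port -> dst:port" pair and compare whole IPs only.
      if (match($0, /[0-9.]+:[0-9]+ -> [0-9.]+:[0-9]+/)) {
        pair = substr($0, RSTART, RLENGTH)
        split(pair, p, " -> ")
        split(p[1], s, ":"); split(p[2], d, ":")
        if (s[1] == host || d[1] == host) {
          reason = $0
          sub(/.*Reason: /, "", reason)      # keep text after "Reason: "
          sub(/;[[:space:]]*$/, "", reason)  # strip trailing ";"
          n[reason]++
        }
      }
    }
    END { for (r in n) printf "%d\t%s\n", n[r], r }
  ' "$1" | sort -rn
}
```

Run it against the output collected while the VPN user reproduces the failure; an empty result for the FTP server IP means the gateway is not dropping the packets and the packet captures are the next step.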