Hello everyone,
We have two Linux servers in a DC. Both run proftpd. There is no problem accessing FTP shares from any other servers in the DC, but if a RAS VPN user tries to connect - it fails. Tries again - fails, tries again - I see the VPN client is reconnecting, and only after that a user is connected to the FTP server. What is going on and how to solve it? It affects Check Point Mobile Client for Mac (don't remember version) and my Check Point Mobile Client for Windows 98.61.1816.
The same happens with PING (ICMP), but SSH is available at the same time.
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
WARNING: TCP connect to (192.168.168.101 : 21) failed
WARNING: Ping to 192.168.168.101 failed with status: TimedOut
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False
PS C:\> Test-NetConnection -ComputerName 192.168.168.101 -port 21
ComputerName : 192.168.168.101
RemoteAddress : 192.168.168.101
RemotePort : 21
InterfaceAlias : Ethernet 2
SourceAddress : 172.16.16.16
TcpTestSucceeded : True
I appreciate any help. We haven't been able to solve this problem for months.
First thing I would check is look at the logs...if nothing specific comes up, then maybe run captures on the firewall at exact moment of the issue. zdebug, tcpdump, fw monitor...
fw shows either nothing or successful connection
tcpdump shows successful connection
What exactly should I run for zdebug?
You can do anything for the filter...I will just give you an example of port and IP address.
Say you want to filter for any drops on port 21 or 22, just do this:
fw ctl zdebug + drop | grep -E '21|22'
If, say, the IP of your FTP server is 10.10.15.15, just do the below:
fw ctl zdebug + drop | grep 10.10.15.15
Zdebug is totally non-intrusive, you can leave it running for a long time, so maybe open 2 SSH windows and run simultaneous ones at the same time.
Andy
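Added example, not part of the thread: a plain grep on a port number or address matches that string anywhere on the line (inside another port, an address, a counter), so this sketch parses the SRC:SPORT -> DST:DPORT pair and matches host and port exactly. The drop-line layout, the sample lines and the helper names filter_drops and sample_drops are assumptions constructed for illustration; IPv4 only.

```shell
#!/bin/bash
# Assumed line shape (not taken from the thread):
#   ...;fw_log_drop_ex: Packet proto=6 SRC:SPORT -> DST:DPORT dropped by ... Reason: ...;

# filter_drops HOST [PORT...]
# Reads drop lines on stdin and prints those where HOST is exactly the source
# or destination address and, if PORTs are given, one of them is exactly the
# source or destination port. With no PORT, any line for HOST is printed
# (useful for ICMP, which has no TCP/UDP port).
filter_drops() {
    host=$1; shift
    awk -v host="$host" -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            for (i = 2; i < NF; i++) {
                if ($i != "->") continue          # find the "A:P -> B:Q" pair
                split($(i-1), s, ":"); split($(i+1), d, ":")
                if ((s[1] == host || d[1] == host) &&
                    (n == 0 || (s[2] in want) || (d[2] in want))) print
                break
            }
        }'
}

# Constructed sample lines: addresses reuse those in the thread, everything
# else (counters, function name, reason text) is made up.
sample_drops() {
    cat <<'EOF'
@;1001;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.16.16:50121 -> 192.168.168.101:21 dropped by example_function Reason: constructed sample;
@;1002;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.16.16:52122 -> 192.168.168.101:443 dropped by example_function Reason: constructed sample;
@;1003;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.16.16:50500 -> 192.168.21.22:22 dropped by example_function Reason: constructed sample;
@;1004;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=1 172.16.16.16:2048 -> 192.168.168.101:0 dropped by example_function Reason: constructed sample;
EOF
}

# Live use on the gateway (expert mode), FTP control port on the server from the thread:
#   fw ctl zdebug + drop | filter_drops 192.168.168.101 21
```

On the sample data only the first line is printed for ports 21 and 22; the second and third lines contain "21" and "22" as substrings but are a different port and a different host.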
Thank you. One more question before I begin: will it impact performance or should I run it out of working hours?
No no, don't wait...I left zdebug run for hours and nothing ever happened. I mean, it's your firewall, so I won't give you any guarantees, but I would be shocked if anything did happen. Just make sure CPU/memory are fine. Once finished, just for your own peace of mind, run fw ctl debug 0 and fw ctl debug -x...those commands disable and turn off any active debugs.
I would do the zdebug first as the_rock is suggesting, and if you don't see anything getting dropped there proceed to packet captures. A port 21 FTP connection will always go F2F (so the firewall can pinhole open data ports specified by the PORT command), so feel free to use fw monitor -e and there will be no need to disable SecureXL to get a full capture of that traffic.
Also, just as a side note, since in reality, tcpdump will ONLY really show you if traffic leaves specific interface you are filtering for, but fw monitor will show you way more than that...so maybe run something like this -> fw monitor -e "accept host(x.x.x.x) and port(21);"
Where x.x.x.x is your ftp server IP address
You can also do below:
fw monitor -F "x,x,x,x,x" -F "y,y,y,y,y"
x,x,x,x,x = source IP, source port, dst IP, dst port, protocol
y,y,y,y,y = source IP, source port, dst IP, dst port, protocol (just traffic flowing other way around)
Hope that helps.
Andy