Michael_Horne
Advisor

FTP retransmission causing FW to modify packet

Hello All,

We have put an FTP server behind a Security Gateway (R80.40) and this is causing the FTP scripts on the server to fail. It looks like a retransmission is happening with one FTP packet occasionally. The FW is altering this packet, which causes the FTP transfers to stop unexpectedly early.

I am using cppcap to capture the packets, so the packets are seen 6 times as they traverse the firewall.

We see the original FTP response packet enter the firewall and pass correctly.

Packet1.png

After this packet there is a normal ACK back.

We then see a retransmission of this response packet enter the firewall.  We see this 3 times as it is inbound on the firewall:

Packet2.png

When the packet starts on the outbound path it has dropped from 120 bytes to 67 bytes, the TCP flags have changed and the FTP data has been truncated to be a single character (I believe it is a newline character).

Packet3.png

Something in the FW seems to process this retransmission in a strange way. The FTP commands and the output are logged on the server and are checked by a script for the return FTP code 226. As is visible when we decode the FTP stream on a Wireshark trace on the server, this modified packet with the newline causes the FTP return code to appear as "newline" + 26 instead of the expected FTP return code 226. This is causing the FTP scripts to fail:

decode.png

Has anyone experienced something like this before?

Many thanks,

Michael

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend

Yes, I have, although Wireshark does not seem to be showing a checksum error. Check this SK:

sk173191: Packet data stripped by "TCP Invalid Checksum" IPS protection

Your issue also sounds vaguely similar to the following SK, but it does not match the symptoms exactly:

sk24960: "Smart Connection Reuse" feature modifies some SYN packets

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


0 Kudos
Michael_Horne
Advisor

Hello,

Thanks for the links to the topics. I put in an exception for the "TCP Invalid Checksum" protection for this particular connection, and I no longer see the FTP packets being truncated / changed as they pass through the firewall.

0 Kudos
