WannabeNerd

Can not access external FTP server. Result Code:0xc0040017 fwx_e_tcp_not_syn_packet_dropped

Hi,
I keep getting the denied connection with code Result Code:0xc0040017 fwx_e_tcp_not_syn_packet_dropped whenever I try to access an external FTP server. Clients are acting as SecureNAT and Web Proxy. I have created a rule:
Name: Allow FTP
Protocols: FTP
From: Internal, To: External, All Users
and in Configure FTP I have unchecked the Read Only option.

FTP access filter is enabled.

Thanks!
Bembi

You may check the following issue:
http://support.microsoft.com/kb/888042/en-us

This issue may happen if you either connect via ISA to the target and the packets come back without touching ISA, or vice versa. You have to make sure that either both directions or none of them touch the ISA server.

Check your gateway settings on the devices which are involved in internet traffic. Maybe there is another device in front of ISA which allows the outgoing traffic from ISA, but does not route the response back to ISA.
Try the following...

1. Install the Firewall client on the client PC and try again
OR
2. Try connecting using IE with ftp://username:password@url

Thanks,
Nimal


WannabeNerd (ASKER)

Hello and thanks for the reply,

I have made some headway. Before, I was not even able to get to the authentication part, but I added both port 20 and 21 to the FTP access rule in the TMG server and now I am getting this.
Looks like something is blocking it.

C:\Documents and Settings\abc>ftp 80.193.100.137
Connected to 80.193.100.137.
220 Microsoft FTP Service
User (80.193.100.137:(none)): bandm
331 Password required for bandm.
Password:
230 User bandm logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
ftp: get :Connection reset by peer
ftp>
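The listing above dies right after the PORT command, which is the active-mode step where the server, not the client, has to open the data connection back to the address the client advertised. As an added diagnostic (not code from this thread; the log lines are constructed), this script parses PORT and PASV negotiations from a control-channel log, reports which side opens the data connection and to what address, and flags active-mode targets that are private addresses an external server cannot reach unless a NAT device with an FTP filter rewrites the command.

```python
import ipaddress
import re

# Constructed FTP control-channel sample (not the thread's own capture).
# "C:" lines are sent by the client, "S:" lines are the server's replies.
SAMPLE_LOG = """\
S: 220 Microsoft FTP Service
C: PORT 192,168,1,25,4,210
S: 200 PORT command successful.
S: 150 Opening ASCII mode data connection for /bin/ls.
C: PASV
S: 227 Entering Passive Mode (80,193,100,137,195,80).
"""

# (pattern, mode, which side opens the data connection)
NEGOTIATIONS = [
    (re.compile(r"^C: PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$"), "active", "server"),
    (re.compile(r"^S: 227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)"), "passive", "client"),
]

def decode_endpoint(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields of PORT/227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyse_data_connections(log):
    """List every data-connection negotiation with who connects where.

    In active mode the server must connect back to the address the client
    advertised in PORT; if that is a private address, an external server can
    only reach it when a NAT device with an FTP filter rewrites the command.
    In passive mode the client connects out, which most NATs allow as-is.
    """
    findings = []
    for line in log.splitlines():
        for pattern, mode, opened_by in NEGOTIATIONS:
            m = pattern.match(line)
            if m:
                ip, port = decode_endpoint(m.groups())
                private = ipaddress.ip_address(ip).is_private
                findings.append({"mode": mode, "opened_by": opened_by,
                                 "ip": ip, "port": port,
                                 "needs_nat_rewrite": mode == "active" and private})
    return findings

if __name__ == "__main__":
    for f in analyse_data_connections(SAMPLE_LOG):
        note = "  <-- private address, unreachable from outside unless rewritten" if f["needs_nat_rewrite"] else ""
        print(f"{f['mode']:7} data connection opened by {f['opened_by']} "
              f"to {f['ip']}:{f['port']}{note}")
```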
Do you have any router/firewall in front of your TMG box?

Nimal
Yes, I have a firewall in front, but at the moment I have let everything IN and OUT.
Moreover, I just found out I can access the external FTP site from the TMG server itself, which sits in the DMZ.

Doesn't it mean that the router is not blocking anything and it's the TMG that is not allowing the data into the internal network, or maybe the client cannot get it back...
> Doesn't it mean that the router....

If the traffic is blocked, you will see this, if you log the traffic in ISA (Monitoring - Logging)
This may be the second issue.

If you say, ISA sits in a DMZ, what does this mean? The only configuration with ISA in a DMZ is having 2 firewalls and ISA between them in a single NIC configuration, working as Proxy.

Installing Firewall Client has nothing to do with FTP.

Check your firewall in front of your network.
You have to separate two things: Web traffic and all other.
Web (HTTP / HTTPS / FTP) traffic is set on the clients via IE settings (Proxy).
All other traffic is set by the default gateway on the clients.

If the Web traffic is setup in that way, that your ISA is the proxy for your clients, you have to make sure, that the external firewall forwards all this traffic back to ISA.

If the default gateway on the clients is set to ISA, ISA handles the outgoing traffic. In that case, you have to config your firewall in front of ISA, to forward all other responses back to ISA, otherwise your described error will occur.

If the default gateway on the clients points to the external firewall, the firewall must not forward this traffic back to ISA.

I'm quite sure, that this is a routing issue, but this needs more information on how your network is setup, to follow up the traffic flow.

The fact that you can access FTP via ISA itself only means that the external firewall is routing the traffic back to the source device. ISA uses the same rules for its own traffic as for the clients. If this works for the local host, it should also work for the clients (from ISA's perspective).

Install the firewall client and try again. You will need it to connect to an outside FTP Server. Otherwise you have to disable FTP Access Filter from the FTP protocol and manually create protocol with FTP ports etc.

ISA Firewall Client - http://www.microsoft.com/DownLoads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89&displaylang=en

More about FTP - http://slacksite.com/other/ftp.html

Thanks,
Nimal
Thanks both,

I can't understand how it finally worked and why it was not working before. I will be really glad if one of you can make me understand.

As I said, my TMG was behind a router. All my clients have their DG pointing to the TMG and not to the router, so they are acting as SecureNAT.
I had set up the network relationship between the internal and external as ROUTE and not as NAT.
NATting was taking place at the router.

Now that I changed the relationship to NAT on the TMG, I can access all the external FTP sites, but as of now am I not double NATting? First at the TMG and then at the router.
Why wasn't it working when I was routing the traffic from Internal to External instead of NAT?

I didn't need to install the firewall client.
ASKER CERTIFIED SOLUTION
Bembi

Well, that explains everything, I guess. Thanks a lot for the explanation.
Finally, are there any consequences of double NAT taking place?
> are there any consequences of double NAT taking place
In practice, not really from my point of view. As the external connection is the real bandwidth limitation, ISA and all other NAT devices only have to handle what the external connection can deliver. This should not be a problem for most of the connections.

You may make a simple FTP download/upload test to an external server to see if you reach the performance you expect. If you reach the maximum of your bandwidth, I would not worry about double NATting. You may also have a look at the workload on ISA if you make a full-speed upload/download. This gives you an idea of whether you can expect any load issues.

Nevertheless, what is valid for FTP may also be valid for all other protocols. It may be a little more logical work to publish things through your ISA, as you usually always have to touch both firewalls.