  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5151

Outbound FTP Issues, Sonicwall NSA240

We are in the process of upgrading a tz170 (standard) to an nsa240 (enhanced).

Active and passive both usually connect, and work sporadically. More often than not the connection times out. This has been seen using FTP client software and Windows Explorer. It works perfectly on the tz170, so with the nsa240 being the only new element in the equation I'm led to believe the enhanced OS handles FTP traffic differently?

The FTP server software on the remote end is Globalscape FTP, running on a Windows 03 server, and is hosted.

Sonicwall was no help; they say that the NSA is not responsible for dropping the connection.
Asked by: AbeHoffman

2 Solutions

digitap commented:
Are you running any of the Security Services on the NSA? The IPS service will block FTP activity by default. To test if it is the sonicwall, log in to the sonicwall interface from the computer with the FTP client, then attempt to connect via FTP. Test both passive and active. The sonicwall is configured to allow the IP of the computer that logs onto the sonicwall interface to bypass ALL of the security services. This should tell you if it's the sonicwall.

AbeHoffman (Author) commented:
IPS has already been disabled through Advanced Firewall Options.

digitap commented:
Especially through Security Services?

AbeHoffman (Author) commented:
I don't have those options; a licensing upgrade is required.

I was able to switch the dropdown "Security Services Setting:" to "Performance Optimized".

Looks better so far, but I'll need to test a bit more before I confirm it's fixed.

Thanks digitap, will keep you posted.

AbeHoffman (Author) commented:
False alarm, looks like I'm in the same state. Working fast at times, not at all other times.

Using the SmartFTP client, 2 out of 4 connection attempts connected immediately (the other 2 timed out at the FEAT cmd).

I feel like it wouldn't work at all if the SW was dropping packets.

digitap commented:
Do you see any disruptions in any other type of traffic?  Are there any differences in the WAN configurations of the 170 and 240?  Perhaps the MTU or static speed/duplex?

If you want to set the MTU specifically, check out my article which walks through the steps to do that.  See the link below.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

What do the logs say about dropping the packets?  If you don't get enough logging information, then you might consider increasing the logging.  Go to Log > Categories.  Make sure the logging level is debug.  Also, check the boxes in the categories section at the top of each column as I've indicated in the screen shot.  This will give you more information and hopefully something about why the packets are being dropped.

Double check the 170 and confirm you don't have a WAN > LAN rule for FTP traffic or a NAT rule as well.
[Screenshot: greenshot-2010-09-01-13-33-39.jpg]

AbeHoffman (Author) commented:
NSA 240 = 1 Gb full duplex
TZ170 = 100 Mb full duplex

MTUs are the same (1500).

Increasing logging is exposing more than the "tcp connection dropped" I've been seeing.

2 new FTP-related events in the log:
     1) Out-of-order command packet dropped
     2) TCP packet received on non-existent/closed connection; TCP packet dropped  <-- with this event the Destination is the NSA240 IP instead of my machine's IP

digitap commented:
So, being logged onto the sonicwall from the client where the FTP client is running doesn't change anything?

AbeHoffman (Author) commented:
Correct, there's no change. Most of my testing has been while logged into the sonicwall.

digitap commented:
What is set with the following:

FIREWALL > TCP SETTINGS > Enforce strict TCP compliance with RFC 793 and RFC 1122

AbeHoffman (Author) commented:
Unchecked. TCP Checksum enforcement also unchecked.

digitap commented:
I know you said the MTU was the same, but would you go through the steps and confirm 1500 is the right size?

AbeHoffman (Author) commented:
I can ping up to 1472, which I think means the MTU should be 1500?

digitap commented:
Yes...that's correct...once you've added for overhead.
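The 1472 + 28 = 1500 check from the two posts above, carried out as a Don't-Fragment ping sweep so that a narrower hop (PPPoE, a tunnel) shows up too. This is an added example, not code from the thread; the Linux iputils `ping` flags (`-M do`, `-s`) and the simulated paths used for offline runs are assumptions.

```python
"""Path MTU via a DF ping sweep (added example, not from the thread).
The largest ICMP echo payload that passes with DF set, plus 20 bytes of
IP header and 8 of ICMP header, is the path MTU: 1472 + 28 = 1500."""
import subprocess
from typing import Callable

OVERHEAD = 20 + 8  # IP + ICMP header bytes: the "overhead" in the thread


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One DF-flagged echo request; Linux iputils flags assumed (-M do, -s)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def largest_passing_payload(probe: Callable[[int], bool],
                            low: int = 0, high: int = 9000) -> int:
    """Binary-search the largest payload probe() accepts; assumes monotonic
    behaviour (once a size fails, larger sizes fail). -1 if host unreachable."""
    if not probe(low):
        return -1
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Path MTU = largest passing DF payload + 28 header bytes, or -1."""
    payload = largest_passing_payload(probe)
    return -1 if payload < 0 else payload + OVERHEAD


def simulated_path(link_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df: a path whose narrowest link is link_mtu."""
    return lambda payload: payload + OVERHEAD <= link_mtu


if __name__ == "__main__":
    # Live use: path_mtu(lambda n: ping_df("ftp.example.invalid", n))
    for link in (1500, 1492, 1400):  # Ethernet, PPPoE, a tunnel hop
        print(f"narrowest link {link}: payload "
              f"{largest_passing_payload(simulated_path(link))}")
```

If the largest passing payload comes back below 1472, some hop between the client and the FTP server has a smaller MTU than the interface setting, which is worth knowing before changing anything on the firewall.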
 
digitap commented:
So, both active AND PASV fail?

AbeHoffman (Author) commented:
Yes, it has been happening with both.

Just for fun, per your comment above regarding TCP compliance...I checked the box and haven't seen a timeout since.
I need more time to be sure that this really helped, but for the past 30 minutes or so it's been very responsive.

Since this change, here's what I've seen in the log:
Message
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP connection abort received; TCP connection dropped
TCP packet received with invalid ACK number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped

digitap commented:
Is it the ingress traffic (WAN > LAN) that's being dropped? I was going to suggest you disable that setting if it was enabled. I've had challenges with it myself, but it seems you're quite the opposite.

digitap commented:
It looks like it configured TCP timeouts, which was where I was going next.

AbeHoffman (Author) commented:
Kind of stumbled upon the solution, but I surely couldn't have fixed the issue without the troubleshooting tips from digitap.

digitap commented:
Thanks for the points and glad I could help!

JeremiahDonahue commented:
AbeHoffman, any specifics on what the actual fix was?