Solved

Outbound FTP Issues, Sonicwall NSA240

Posted on 2010-09-01
Last Modified: 2013-11-29
We are in the process of upgrading a tz170 (standard) to a nsa240 (enhanced).

Active and Passive both usually connect, and work sporadically.  More often than not the connection times out.  This has been seen using ftp client software and Windows Explorer.  Works perfectly on the tz170, so with the nsa240 being the only new element in the equation I'm led to believe the enhanced OS handles ftp traffic differently?

The ftp server software on the remote end is Globalscape ftp, running on a Windows 03 server, and is hosted.

Sonicwall was no help; they say that the nsa is not responsible for dropping the connection.
Question by: AbeHoffman
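Active versus passive FTP, as raised in the question, is exactly the distinction a stateful firewall has to track on the control channel, because it decides which side opens the data connection and in which direction. The Python below is an added example (not from this thread, from SonicWall or from the FTP software mentioned) that parses the two control-channel messages announcing a data connection and reports which peer will initiate it; the session excerpt and every address in it are constructed.

```python
"""Which TCP connection should a firewall expect next on an FTP session?

A stateful firewall (or its FTP application-layer gateway) must read the FTP
control channel to learn the data connection that follows:

  * Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER
    connects back to the client. That inbound connection is why active mode
    breaks behind firewalls and NAT unless the firewall tracks PORT.
  * Passive mode: the server answers "227 Entering Passive Mode
    (h1,h2,h3,h4,p1,p2)" and the CLIENT connects out to the server, so only
    an outbound connection is needed.

Added example; all addresses and messages below are constructed.
"""
import re

# Six comma-separated decimal fields: four for the IPv4 address, two for the port.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' string, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two bytes, high byte first
    if port == 0:
        return None
    return ip, port


def expected_data_connection(line, client_ip, server_ip):
    """Describe the data connection announced by one control-channel line.

    Returns None for lines that announce nothing (USER, FEAT, LIST, ...).
    Otherwise returns the mode, which side initiates, the (ip, port) the
    initiator will connect to, and whether the announced address matches the
    peer that announced it. A mismatch is what a firewall should not open a
    pinhole for: a PORT command pointing at a third-party host, or a 227 reply
    naming an address other than the server's (common when the server sits
    behind NAT, which is why many clients ignore it and reuse the control
    connection's server address).
    """
    stripped = line.strip()
    if stripped.upper().startswith("PORT "):
        hp = parse_hostport(stripped[5:])
        if hp is None:
            return None
        ip, port = hp
        return {"mode": "active", "initiator": "server", "connect_to": (ip, port),
                "address_matches_peer": ip == client_ip}
    if stripped.startswith("227"):
        hp = parse_hostport(stripped)
        if hp is None:
            return None
        ip, port = hp
        return {"mode": "passive", "initiator": "client", "connect_to": (ip, port),
                "address_matches_peer": ip == server_ip}
    return None


def walk_session(lines, client_ip, server_ip):
    """Return the data connections a firewall would expect over a whole control session."""
    results = []
    for line in lines:
        info = expected_data_connection(line, client_ip, server_ip)
        if info is not None:
            results.append(info)
    return results


# Constructed control-channel excerpt: one active and one passive transfer.
SAMPLE_SESSION = [
    "220 FTP server ready",
    "USER alice",
    "331 Password required",
    "PASS ********",
    "230 Logged in",
    "FEAT",
    "211 End",
    "PORT 192,168,1,50,4,1",            # active: server connects to client 192.168.1.50:1025
    "200 PORT command successful",
    "LIST",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # passive: client connects to 203.0.113.10:50000
    "RETR report.txt",
]

if __name__ == "__main__":
    for info in walk_session(SAMPLE_SESSION, "192.168.1.50", "203.0.113.10"):
        print(info)
```

Run stand-alone it lists the two data connections a firewall would have to permit for the sample session: an inbound one to the client on port 1025 for the active transfer, and an outbound one to the server on port 50000 for the passive transfer. A firewall that has not seen (or has already timed out) the control connection when either data connection starts has nothing to match it against, which is the kind of state-tracking failure the rest of this thread ends up chasing.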
22 Comments
 
Expert Comment by: digitap (LVL 33)

Are you running any of the Security Services on the NSA?  The IPS service will block FTP activity by default.  To test if it is the sonicwall, log in to the sonicwall interface from the computer with the FTP client, then attempt to connect via FTP.  Test both passive and active.  The sonicwall is configured to allow the IP of the computer that logs onto the sonicwall interface to bypass ALL of the security services.  This should tell you if it's the sonicwall.
 

Author Comment by: AbeHoffman

IPS has already been disabled through Advanced Firewall Options.
 
Expert Comment by: digitap (LVL 33)

Especially through Security Services?
 

Author Comment by: AbeHoffman

I don't have those options; a licensing upgrade is required.

I was able to switch the dropdown "Security Services Setting:" to "Performance Optimized".

Looks better so far, but I'll need to test a bit more before I confirm it's fixed.

Thanks digitap, will keep you posted.
 

Author Comment by: AbeHoffman

False alarm, looks like I'm in the same state.  Working fast at times, not at all other times.

Using the SmartFTP client, 2 out of 4 connection attempts connected immediately (the other 2 timed out at the FEAT cmd).

I feel like it wouldn't work at all if the SW was dropping packets...
 
Expert Comment by: digitap (LVL 33)

Do you see any disruptions in any other type of traffic?  Are there any differences in the WAN configurations of the 170 and 240?  Perhaps the MTU or static speed/duplex?

If you want to set the MTU specifically, check out my article which walks through the steps to do that.  See the link below.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

What do the logs say about dropping the packets?  If you don't get enough logging information, then you might consider increasing the logging.  Go to Log > Categories.  Make sure the logging level is debug.  Also, check the boxes in the categories section at the top of each column as I've indicated in the screen shot.  This will give you more information and hopefully something about why the packets are being dropped.

Double check the 170 and confirm you don't have a WAN > LAN rule for FTP traffic or a NAT rule as well.

[screenshot: greenshot-2010-09-01-13-33-39.jpg]
 

Author Comment by: AbeHoffman

NSA 240 = 1gb full duplex
TZ170 = 100mb full duplex

MTUs are the same (1500).

Increasing logging is exposing more than the "tcp connection dropped" I've been seeing.

2 new ftp related events in log:
  1) Out-of-order command packet dropped
  2) TCP packet received on non-existent/closed connection; TCP packet dropped  <-- with this event the Destination is the NSA240 IP instead of my machine's IP
 
Expert Comment by: digitap (LVL 33)

So, being logged onto the sonicwall from the client where the FTP client is running doesn't change anything?
 

Author Comment by: AbeHoffman

Correct, there's no change.  Most of my testing has been while logged into the sonicwall.
 
Accepted Solution by: digitap (LVL 33), earned 500 total points

What is set with the following:

FIREWALL > TCP SETTINGS > Enforce strict TCP compliance with RFC 793 and RFC 1122
 

Author Comment by: AbeHoffman

Unchecked.  TCP Checksum enforcement also unchecked.
 
Expert Comment by: digitap (LVL 33)

I know you said the MTU was the same, but would you go through the steps and confirm 1500 is the right size?
 

Author Comment by: AbeHoffman

I can ping up to 1472, which I think means the MTU should be 1500?
 
Expert Comment by: digitap (LVL 33)

Yes, that's correct, once you've added the overhead.
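The 1472-byte figure in the two comments above works because an IPv4 header (20 bytes) plus an ICMP echo header (8 bytes) adds 28 bytes, so the largest don't-fragment payload that gets through, plus 28, is the path MTU. The Python below is an added example rather than anything from the thread: it carries the same test out as a binary search over payload sizes. The probe that shells out to ping assumes Linux iputils flags (`-M do`, `-s`, `-c`, `-W`; on Windows the equivalent is `ping -f -l <bytes> -n 1`), and the simulated probe exists so the search can be checked offline against a constructed path MTU.

```python
"""Path MTU discovery with don't-fragment pings.

The largest ICMP echo payload that survives with DF set, plus the 28 bytes of
IPv4 (20) and ICMP (8) header, equals the path MTU. A largest working payload
of 1472 therefore means a 1500-byte path, which is what the thread confirms.

Added example, not from the thread. `linux_df_probe` assumes iputils ping.
"""
import shutil
import subprocess

IPV4_HEADER = 20
ICMP_HEADER = 8
OVERHEAD = IPV4_HEADER + ICMP_HEADER  # 28 bytes added to every echo payload


def payload_to_mtu(payload):
    """MTU implied by an ICMP echo payload that fits exactly."""
    return payload + OVERHEAD


def mtu_to_payload(mtu):
    """Largest ICMP echo payload that fits in a packet of the given MTU."""
    return mtu - OVERHEAD


def linux_df_probe(host, timeout=2):
    """Return a probe(payload) -> bool that pings `host` once with DF set.

    Assumes iputils ping: -M do sets DF and forbids local fragmentation,
    -s is the payload size, -c 1 sends one echo, -W is the reply timeout.
    A non-zero exit (no reply, or a local 'message too long') means the
    packet did not fit.
    """
    ping = shutil.which("ping")
    if ping is None:
        raise RuntimeError("ping not found on PATH")

    def probe(payload):
        result = subprocess.run(
            [ping, "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0

    return probe


def simulated_probe(path_mtu):
    """Probe against an imaginary path: succeeds iff the whole packet fits path_mtu."""
    def probe(payload):
        return payload_to_mtu(payload) <= path_mtu
    return probe


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest DF payload that gets through and return the implied MTU.

    `lo` is the smallest MTU assumed to work (576 is the IPv4 minimum every host
    must accept), `hi` the largest worth trying (1500 for plain Ethernet).
    Returns None if even the smallest probe fails, which means either the host
    is unreachable or ICMP is being dropped, not that the MTU is tiny.
    """
    lo_payload = mtu_to_payload(lo)
    hi_payload = mtu_to_payload(hi)
    if not probe(lo_payload):
        return None
    # Invariant: probe(lo_payload) succeeded; everything above hi_payload is excluded.
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return payload_to_mtu(lo_payload)


if __name__ == "__main__":
    # Offline demonstration against a constructed 1492-byte path (typical PPPoE).
    print("simulated path:", find_path_mtu(simulated_probe(1492)))
    # Against a real host: find_path_mtu(linux_df_probe("ftp.example.invalid"))
```

Running the search against a real FTP server on both the old and the new firewall is a quick way to confirm the two paths really carry the same MTU, rather than trusting the interface setting alone; a result below 1500 on one path but not the other would explain large-packet stalls that small control-channel commands never hit.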
 
Expert Comment by: digitap (LVL 33)

So, both active AND PASV fail?
 

Author Comment by: AbeHoffman

Yes, it has been happening with both.

Just for fun, per your comment above regarding TCP compliance, I checked the box and haven't seen a timeout since.
I need more time to be sure that this really helped, but for the past 30 minutes or so it's been very responsive.

Since this change, here's what I've seen in the log:

Message
  TCP packet received with invalid SEQ number; TCP packet dropped
  TCP packet received with invalid SEQ number; TCP packet dropped
  TCP packet received with invalid SEQ number; TCP packet dropped
  TCP connection abort received; TCP connection dropped
  TCP packet received with invalid ACK number; TCP packet dropped
  TCP packet received with invalid SEQ number; TCP packet dropped
  TCP packet received with invalid SEQ number; TCP packet dropped
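Every message in the log excerpt above is a TCP state-tracking drop (a segment that does not fit the state the firewall holds for the flow) rather than an access-rule or security-service block, which is the clue that points at TCP settings and timeouts instead of policy. The Python below is an added example, not from the thread or from SonicWall, that groups such drops by reason and flags the ones addressed to the firewall's own WAN IP (the oddity noted earlier with the non-existent/closed connection event). The log-line format and all addresses in it are constructed, so `LINE_RE` has to be adapted to the syslog format the real device emits.

```python
"""Triage firewall drop messages: TCP state tracking vs. everything else.

Grouping drops by reason shows at a glance whether a flow is being refused by
policy or by stateful inspection. Drops landing on the firewall's own WAN
address are counted separately: a packet for a flow the firewall has already
forgotten no longer matches a NAT entry, so it shows up addressed to the
firewall rather than to the inside client.

Added example. The line format (key=value fields after a timestamp) and all
addresses are constructed; adapt LINE_RE to your firewall's real syslog format.
"""
import re
from collections import Counter

# Reasons seen in this thread, all produced by TCP state tracking on the firewall.
TCP_STATE_REASONS = {
    "Out-of-order command packet dropped",
    "TCP packet received on non-existent/closed connection",
    "TCP packet received with invalid SEQ number",
    "TCP packet received with invalid ACK number",
    "TCP connection abort received",
}

# Constructed format: <date> <time> src=IP:PORT dst=IP:PORT msg="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+):(?P<sport>\d+) '
    r'dst=(?P<dst>[\d.]+):(?P<dport>\d+) msg="(?P<msg>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match LINE_RE."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The reason is the text before the first ';' (what follows says what was dropped).
    rec["reason"] = rec["msg"].split(";", 1)[0].strip()
    return rec


def summarize(lines, firewall_ip):
    """Count reasons, separate state-tracking drops, and count drops aimed at the firewall."""
    by_reason = Counter()
    state_drops = 0
    to_firewall = 0
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_reason[rec["reason"]] += 1
        if rec["reason"] in TCP_STATE_REASONS:
            state_drops += 1
        if rec["dst"] == firewall_ip:
            to_firewall += 1
    total = sum(by_reason.values())
    # If at least half the parsed events are state-tracking drops, look at TCP
    # settings and connection timeouts before suspecting access rules or services.
    verdict = "tcp-state-tracking" if total and state_drops * 2 >= total else "policy-or-other"
    return {
        "by_reason": dict(by_reason),
        "state_tracking_drops": state_drops,
        "to_firewall_ip": to_firewall,
        "unparsed": unparsed,
        "verdict": verdict,
    }


# Constructed sample: client 192.168.1.50, FTP server 203.0.113.10, firewall WAN 198.51.100.2.
FIREWALL_WAN_IP = "198.51.100.2"
SAMPLE_LOG = [
    '2010-09-01 13:40:01 src=192.168.1.50:49152 dst=203.0.113.10:21 msg="TCP packet received with invalid SEQ number; TCP packet dropped"',
    '2010-09-01 13:40:01 src=192.168.1.50:49152 dst=203.0.113.10:21 msg="TCP packet received with invalid SEQ number; TCP packet dropped"',
    '2010-09-01 13:40:03 src=192.168.1.50:49152 dst=203.0.113.10:21 msg="Out-of-order command packet dropped"',
    '2010-09-01 13:40:09 src=203.0.113.10:21 dst=198.51.100.2:49152 msg="TCP packet received on non-existent/closed connection; TCP packet dropped"',
    '2010-09-01 13:40:10 src=192.168.1.50:49152 dst=203.0.113.10:21 msg="TCP connection abort received; TCP connection dropped"',
    '2010-09-01 13:40:12 src=192.168.1.50:49153 dst=203.0.113.10:21 msg="Connection opened"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, FIREWALL_WAN_IP).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is "tcp-state-tracking" with one drop addressed to the firewall itself, which mirrors the pattern in this thread: the flow is permitted, but segments are arriving for a connection whose state the firewall no longer holds or disagrees with.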
 
Expert Comment by: digitap (LVL 33)

Is it the ingress traffic (WAN > LAN) that's being dropped?  I was going to suggest you disable that setting if it was enabled.  I've had challenges with it myself, but it seems you're quite the opposite.
 
Assisted Solution by: digitap (LVL 33), earned 500 total points
 
Expert Comment by: digitap (LVL 33)

It looks like it configured TCP timeouts, which was where I was going next.
 

Author Closing Comment by: AbeHoffman

Kind of stumbled upon the solution, but I surely couldn't have fixed the issue without troubleshooting tips from digitap.
 
Expert Comment by: digitap (LVL 33)

Thanks for the points and glad I could help!
 
Expert Comment by: JeremiahDonahue (LVL 1)

AbeHoffman, any specifics on what the actual fix was?
