Solved

Outbound FTP Issues, Sonicwall NSA240

Posted on 2010-09-01
Medium Priority
Last Modified: 2013-11-29
We are in the process of upgrading a tz170 (standard) to an nsa240 (enhanced).

Active and Passive both usually connect, and work sporadically. More often than not the connection times out. This has been seen using ftp client software and windows explorer. Works perfectly on tz170, so the nsa240 being the only new element in the equation I'm led to believe the enhanced OS handles ftp traffic differently?

The ftp server software on the remote end is Globalscape ftp, running on a windows 03 server, and is hosted.

Sonicwall was no help; they say that the nsa is not responsible for dropping the connection.
Question by:AbeHoffman
22 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33578946
Are you running any of the Security Services on the NSA? The IPS service will block FTP activity by default. To test if it is the sonicwall, log in to the sonicwall interface from the computer with the FTP client, then attempt to connect via FTP. Test both passive and active. The sonicwall is configured to allow the IP of the computer that logs onto the sonicwall interface to bypass ALL of the security services. This should tell you if it's the sonicwall.
0
 

Author Comment

by:AbeHoffman
ID: 33579389
IPS has already been disabled through Advanced Firewall Options.  

0
 
LVL 33

Expert Comment

by:digitap
ID: 33579403
Especially through Security Services?
0
 

Author Comment

by:AbeHoffman
ID: 33579556
I don't have those options, a licensing upgrade is required.

I was able to switch the dropdown "Security Services Setting:" to "Performance Optimized"

Looks better so far, but I'll need to test a bit more before confirming it's fixed.

Thanks digitap, will keep posted
0
 

Author Comment

by:AbeHoffman
ID: 33579613
False alarm, looks like I'm in the same state. Working fast at times, not at all other times.

Using smartftp client, 2 out of 4 connection attempts connected immediately. (the other 2 timed out) at the FEAT cmd

I feel like it wouldn't work at all if the SW was dropping packets.

0
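A way to quantify the intermittent behaviour reported in this thread (some attempts connect at once, others time out at FEAT), added here as an example and not code from any poster: it makes repeated control-channel attempts and records the stage each one reached, with a timestamp that can be matched against the firewall log. The function names and the placeholder hostname are assumptions.

```python
import socket
import time

def read_reply(f):
    """Read one FTP reply (RFC 959), including the multi-line '211-' form."""
    line = f.readline()
    if not line:
        raise EOFError("connection closed by peer")
    code = line[:3]
    # A '-' after the code opens a multi-line reply that ends at '<code> '.
    while line[3:4] == b"-" or line[:3] != code:
        line = f.readline()
        if not line:
            raise EOFError("connection closed mid-reply")
    return int(code)

def probe_ftp(host, port=21, timeout=5.0):
    """One control-channel attempt; returns (stage, seconds, detail).

    stage is 'ok' or the step that failed: 'connect', 'banner' or 'FEAT'.
    Any reply to FEAT counts, since this tests reachability, not features.
    """
    stage, detail, start = "connect", "", time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            stage = "banner"
            read_reply(f)
            stage = "FEAT"
            s.sendall(b"FEAT\r\n")
            read_reply(f)
            stage = "ok"
    except (OSError, EOFError, ValueError) as exc:
        detail = type(exc).__name__
    return stage, round(time.monotonic() - start, 2), detail

def run_probes(host, port=21, attempts=10, timeout=5.0, pause=1.0):
    """Repeat the probe, print timestamped rows, return {stage: count}."""
    tally = {}
    for n in range(1, attempts + 1):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        stage, secs, detail = probe_ftp(host, port, timeout)
        tally[stage] = tally.get(stage, 0) + 1
        print(f"{stamp} attempt={n} stage={stage} secs={secs} {detail}")
        if n < attempts:
            time.sleep(pause)
    return tally

if __name__ == "__main__":
    # Placeholder hostname (assumption); substitute the hosted FTP server.
    print(run_probes("ftp.example.invalid", attempts=4))
```

Running it once from behind each firewall gives a per-stage failure count for the same server, which is easier to compare than ad hoc client attempts.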
 
LVL 33

Expert Comment

by:digitap
ID: 33579941
Do you see any disruptions in any other type of traffic?  Are there any differences in the WAN configurations of the 170 and 240?  Perhaps the MTU or static speed/duplex?

If you want to set the MTU specifically, check out my article which walks through the steps to do that.  See the link below.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

What do the logs say about dropping the packets?  If you don't get enough logging information, then you might consider increasing the logging.  Go to Log > Categories.  Make sure the logging level is debug.  Also, check the boxes in the categories section at the top of each column as I've indicated in the screen shot.  This will give you more information and hopefully something about why the packets are being dropped.

Double check the 170 and confirm you don't have a WAN > LAN rule for FTP traffic or a NAT rule as well.
greenshot-2010-09-01-13-33-39.jpg
0
 

Author Comment

by:AbeHoffman
ID: 33580566
NSA 240 = 1gb full duplex
TZ170 = 100mb full duplex

MTU's are the same (1500)

Increasing Logging is exposing more than the "tcp connection dropped" I've been seeing.

2 new ftp related events in log:
     1) Out-of-order command packet dropped
     2) TCP packet received on non-existent/closed connection; TCP packet dropped  <--with this event the Destination is the NSA240 IP instead of my machine's IP
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580578
So, logged onto the sonicwall from the client where the FTP client is running, doesn't change anything?
0
 

Author Comment

by:AbeHoffman
ID: 33580731
Correct, there's no change. Most of my testing has been while logged into the sonicwall.
0
 
LVL 33

Accepted Solution

by:digitap
digitap earned 1500 total points
ID: 33580813
What is set with the following:


FIREWALL > TCP SETTINGS > Enforce strict TCP compliance with RFC 793 and RFC 1122
0
 

Author Comment

by:AbeHoffman
ID: 33580838
Unchecked.  TCP Checksum enforcement also unchecked
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580849
I know you said the MTU was the same, but would you go through the steps and confirm 1500 is the right size?
0
 

Author Comment

by:AbeHoffman
ID: 33580874
I can ping up to 1472, which I think means MTU should be 1500?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580881
yes...that's correct...once you've added for overhead.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580888
so, both active AND pasv fail?
0
 

Author Comment

by:AbeHoffman
ID: 33581241
Yes, it has been happening with both.

Just for fun, per your comment above regarding tcp compliance...I checked the box and haven't seen a timeout since.  
I need more time to be sure that this really helped but for the past 30 minutes or so it's been very responsive.

Since this change, here's what I've seen in the log:
Message
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP connection abort received; TCP connection dropped
TCP packet received with invalid ACK number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
0
 
LVL 33

Expert Comment

by:digitap
ID: 33581276
Is it the ingress traffic (WAN > LAN) that's being dropped? I was going to suggest you disable that setting if it was enabled. I've had challenges with it myself, but seems you're quite the opposite.
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 1500 total points
ID: 33581298
0
 
LVL 33

Expert Comment

by:digitap
ID: 33581309
It looks like it configured TCP timeouts which was where I was going next.
0
 

Author Closing Comment

by:AbeHoffman
ID: 33588243
Kind of stumbled upon the solution, but I surely couldn't have fixed the issue without troubleshooting tips from digitap.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588271
Thanks for the points and glad I could help!
0
 
LVL 1

Expert Comment

by:JeremiahDonahue
ID: 37883369
AbeHoffman, any specifics on what the actual fix was?
0

Question has a verified solution.
