Solved

Outbound FTP Issues, SonicWall NSA240

Posted on 2010-09-01
5,055 Views
Last Modified: 2013-11-29
We are in the process of upgrading a tz170 (standard) to a nsa240 (enhanced)

Active and Passive both usually connect, and work sporadically. More often than not the connection times out. This has been seen using FTP client software and Windows Explorer. It works perfectly on the TZ170, so with the NSA240 being the only new element in the equation I'm led to believe the enhanced OS handles FTP traffic differently?

The FTP server software on the remote end is Globalscape FTP, running on a Windows 03 server, and is hosted.

SonicWall was no help; they say that the NSA is not responsible for dropping the connection.
0
Question by:AbeHoffman
22 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33578946
Are you running any of the Security Services on the NSA? The IPS service will block FTP activity by default. To test if it is the SonicWall, log in to the SonicWall interface from the computer with the FTP client, then attempt to connect via FTP. Test both passive and active. The SonicWall is configured to allow the IP of the computer that logs onto the SonicWall interface to bypass ALL of the security services. This should tell you if it's the SonicWall.
0
 

Author Comment

by:AbeHoffman
ID: 33579389
IPS has already been disabled through Advanced Firewall Options.

0
 
LVL 33

Expert Comment

by:digitap
ID: 33579403
Especially through Security Services?
0
 

Author Comment

by:AbeHoffman
ID: 33579556
I don't have those options; a licensing upgrade is required.

I was able to switch the dropdown "Security Services Setting:" to "Performance Optimized".

Looks better so far, but I'll need to test a bit more before I confirm it's fixed.

Thanks digitap, will keep you posted.
0
 

Author Comment

by:AbeHoffman
ID: 33579613
False alarm, looks like I'm in the same state. Working fast at times, not at all other times.

Using the SmartFTP client, 2 out of 4 connection attempts connected immediately (the other 2 timed out at the FEAT command).

I feel like it wouldn't work at all if the SW was dropping packets.

0
 
LVL 33

Expert Comment

by:digitap
ID: 33579941
Do you see any disruptions in any other type of traffic? Are there any differences in the WAN configurations of the 170 and 240? Perhaps the MTU or static speed/duplex?

If you want to set the MTU specifically, check out my article which walks through the steps to do that.  See the link below.

http://www.experts-exchange.com/viewArticle.jsp?aid=3110

What do the logs say about dropping the packets? If you don't get enough logging information, then you might consider increasing the logging. Go to Log > Categories. Make sure the logging level is Debug. Also, check the boxes in the Categories section at the top of each column as I've indicated in the screenshot. This will give you more information and hopefully something about why the packets are being dropped.

Double-check the 170 and confirm you don't have a WAN > LAN rule for FTP traffic or a NAT rule as well.

Attachment: greenshot-2010-09-01-13-33-39.jpg
0
 

Author Comment

by:AbeHoffman
ID: 33580566
NSA 240 = 1 Gb full duplex
TZ170 = 100 Mb full duplex

MTUs are the same (1500).

Increasing logging is exposing more than the "tcp connection dropped" I've been seeing.

2 new FTP-related events in the log:
    1) Out-of-order command packet dropped
    2) TCP packet received on non-existent/closed connection; TCP packet dropped  <-- with this event the Destination is the NSA240 IP instead of my machine's IP
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580578
So, being logged onto the SonicWall from the client where the FTP client is running doesn't change anything?
0
 

Author Comment

by:AbeHoffman
ID: 33580731
Correct, there's no change. Most of my testing has been while logged into the SonicWall.
0
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 33580813
What is set with the following:


FIREWALL > TCP SETTINGS > Enforce strict TCP compliance with RFC 793 and RFC 1122
0
 

Author Comment

by:AbeHoffman
ID: 33580838
Unchecked. TCP Checksum enforcement is also unchecked.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580849
I know you said the MTU was the same, but would you go through the steps and confirm 1500 is the right size?
0
 

Author Comment

by:AbeHoffman
ID: 33580874
I can ping up to 1472, which I think means the MTU should be 1500?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580881
Yes...that's correct...once you've added the overhead.
0
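The 1472-payload check above works because an IPv4 echo request carries 20 bytes of IP header and 8 bytes of ICMP header on top of the payload, so 1472 + 28 = 1500. The block below is an added example (not from this thread or from SonicWall) that turns that manual sweep into a binary search over a Don't-Fragment probe and adds the overhead back. The probe itself is simulated against a constructed path MTU so it runs offline; on a real host you would drive `ping -f -l <size>` (Windows) or `ping -M do -s <size>` (Linux) instead and treat "needs to be fragmented" as a failed probe.

```python
"""Derive the path MTU from the largest ICMP echo payload that passes with
the Don't-Fragment bit set, the same check as the thread's ping to 1472.

Added example, not from the thread. The probe is simulated with a
constructed path MTU so the block runs offline.
"""
from typing import Callable

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo request header


def mtu_from_payload(payload: int) -> int:
    """Largest unfragmented echo payload plus IPv4 and ICMP headers is the link MTU."""
    return payload + IPV4_HEADER + ICMP_HEADER


def largest_passing_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 9000) -> int:
    """Binary-search the largest payload for which probe(payload) returns True.

    probe(n) must be monotonic: once a size fragments, every larger size does too.
    Raises if even the smallest probe fails, i.e. ICMP is not getting through at all.
    """
    if not probe(lo):
        raise ValueError("smallest probe failed; the path is not passing ICMP echo")
    while lo < hi:
        mid = (lo + hi + 1) // 2      # bias upward so mid > lo and the loop terminates
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a DF-flagged ping: succeeds while the whole
    IPv4 datagram fits within the assumed path MTU."""
    def probe(payload: int) -> bool:
        return mtu_from_payload(payload) <= path_mtu
    return probe


def discover_mtu(probe: Callable[[int], bool]) -> int:
    """Run the sweep and convert the winning payload back into an MTU."""
    return mtu_from_payload(largest_passing_payload(probe))


if __name__ == "__main__":
    probe = make_simulated_probe(1500)          # constructed: a plain Ethernet path
    print(largest_passing_payload(probe))       # 1472, the value seen in the thread
    print(discover_mtu(probe))                  # 1500
```

If the sweep settles on a payload smaller than 1472, set the interface MTU to the discovered value rather than leaving 1500, so large FTP data segments are not silently fragmented or dropped upstream.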
 
LVL 33

Expert Comment

by:digitap
ID: 33580888
So, both active AND PASV fail?
0
 

Author Comment

by:AbeHoffman
ID: 33581241
Yes, it has been happening with both.

Just for fun, per your comment above regarding TCP compliance...I checked the box and haven't seen a timeout since.
I need more time to be sure that this really helped, but for the past 30 minutes or so it's been very responsive.

Since this change, here's what I've seen in the log:

Message
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP connection abort received; TCP connection dropped
TCP packet received with invalid ACK number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
TCP packet received with invalid SEQ number; TCP packet dropped
0
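The log messages above (and the two FTP-related events from earlier in the thread) are the firewall's own record of why each packet was dropped, and the author already noticed the odd case where the drop's destination was the NSA240's IP rather than the client's. The block below is an added example (not from this thread or from SonicWall) that parses such lines, counts drops by the inspection feature that produces them, and flags drops addressed to the firewall itself. The `msg=/src=/dst=` layout and all addresses are constructed approximations of a SonicWall syslog line; only the message texts are the ones quoted in the thread.

```python
"""Classify TCP/FTP drop messages like the ones quoted in the thread.

Added example, not from the thread or from SonicWall. The key=value line
layout and the IP addresses below are constructed; only the msg texts are
taken from what the thread pasted.
"""
import re
from collections import Counter
from typing import Optional

FIREWALL_IP = "192.0.2.1"   # constructed: the NSA240's LAN address in this sample

# Constructed sample lines; msg= texts are the ones quoted in the thread.
SAMPLE_LOG = """\
msg="TCP packet received with invalid SEQ number; TCP packet dropped" src=192.0.2.50:52144 dst=198.51.100.20:21 proto=tcp/ftp
msg="Out-of-order command packet dropped" src=192.0.2.50:52144 dst=198.51.100.20:21 proto=tcp/ftp
msg="TCP packet received on non-existent/closed connection; TCP packet dropped" src=198.51.100.20:21 dst=192.0.2.1:52144 proto=tcp/ftp
msg="TCP connection abort received; TCP connection dropped" src=198.51.100.20:21 dst=192.0.2.50:52144 proto=tcp/ftp
msg="TCP packet received with invalid ACK number; TCP packet dropped" src=192.0.2.50:52146 dst=198.51.100.20:21 proto=tcp/ftp
msg="TCP packet received with invalid SEQ number; TCP packet dropped" src=192.0.2.50:52146 dst=198.51.100.20:21 proto=tcp/ftp
"""

LINE_RE = re.compile(r'msg="(?P<msg>[^"]*)"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)')

# Message fragment -> the firewall feature that emits it. The SEQ/ACK checks
# are what appeared once strict RFC 793/1122 compliance was enabled in the thread.
CATEGORIES = [
    ("invalid SEQ number", "strict TCP compliance: sequence check"),
    ("invalid ACK number", "strict TCP compliance: ack check"),
    ("non-existent/closed connection", "stateful inspection: no matching session"),
    ("Out-of-order command", "FTP application-layer inspection"),
    ("connection abort received", "connection abort (RST) received"),
]


def classify(msg: str) -> str:
    """Map a drop message to its producing feature; unknown texts become 'other'."""
    for needle, category in CATEGORIES:
        if needle in msg:
            return category
    return "other"


def parse_line(line: str) -> Optional[dict]:
    """Extract msg, source IP and destination IP; return None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_ip = m.group("src").rsplit(":", 1)[0]   # strip the :port suffix
    dst_ip = m.group("dst").rsplit(":", 1)[0]
    return {"msg": m.group("msg"), "src": src_ip, "dst": dst_ip,
            "category": classify(m.group("msg"))}


def summarize(log_text: str, firewall_ip: str = FIREWALL_IP):
    """Count drops per category and collect drops whose destination is the firewall."""
    counts: Counter = Counter()
    to_firewall = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] += 1
        if rec["dst"] == firewall_ip:
            to_firewall.append(rec)
    return counts, to_firewall


if __name__ == "__main__":
    counts, to_fw = summarize(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{n:3d}  {category}")
    for rec in to_fw:
        print("drop addressed to the firewall itself:", rec["msg"], "from", rec["src"])
```

Grouping by producing feature is what makes the thread's own observation usable: a burst of sequence-check drops after toggling strict compliance points at that setting, while drops addressed to the firewall's own IP point at state-tracking of the FTP session rather than at the client.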
 
LVL 33

Expert Comment

by:digitap
ID: 33581276
Is it the ingress traffic (WAN > LAN) that's being dropped? I was going to suggest you disable that setting if it was enabled. I've had challenges with it myself, but it seems you're quite the opposite.
0
 
LVL 33

Assisted Solution

by: digitap (earned 500 total points)
ID: 33581298
0
 
LVL 33

Expert Comment

by:digitap
ID: 33581309
It looks like it configured TCP timeouts, which was where I was going next.
0
 

Author Closing Comment

by:AbeHoffman
ID: 33588243
Kind of stumbled upon the solution, but I surely couldn't have fixed the issue without troubleshooting tips from digitap.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588271
Thanks for the points and glad I could help!
0
 
LVL 1

Expert Comment

by:JeremiahDonahue
ID: 37883369
AbeHoffman, any specifics on what the actual fix was?
0

Question has a verified solution.