Solved

Issue with PASV FTP over VPN

Posted on 2013-05-14
Last Modified: 2013-05-31
I have run into a bit of a problem.  I have a client who recently implemented a VPN from Columbitech (http://www.columbitech.com/).  Other than not telling me he was making this change, I also got tasked with troubleshooting some of the issues he is now encountering.

He uses a program with a PASV FTP component that transfers files from his laptop.  However, when on the VPN, no data is able to be transferred.  I have included a screenshot of 2 Wireshark traces I performed, with the relevant section, where things seem to go south.

Screenshot of traces
My first impression leads me to believe there is some sort of security system or firewall that is blocking the transfer, but oddly enough, it lets me connect to the FTP and list the files.  Also note that the IPs are the same, as the successful transfer is via LAN, and the failed transfer is a cellular WAN card dialed into the VPN.

Any of the experts here think it may be something else?

I have the traces, but they are not on the approved attachments list, so I can post them on another host if someone would like to take a look at stuff outside of the screenshot.

Thanks for looking!
Question by:oldstone00
15 Comments
 
LVL 57

Expert Comment

by:giltjr
I don't see "the problem area".

In Wireshark select file, export and select K12 txt file.  You can post it as a txt file.

Just remember as this is clear text if there are any passwords we will be able to see them.
 
LVL 1

Author Comment

by:oldstone00
Attached are the txt file outputs from wireshark.

Some more background information:
- During the successful try, I also had an RDP session open, so you will see a lot of traffic from that.
- From what I can tell, the failed transfer allows a connection and a list command on the FTP, but no FTP data is transferred.  On the client side, the FTP just hangs (no error message or disconnect).
vpn.ftp.zip
 
LVL 57

Expert Comment

by:giltjr
I need to look at it in more detail, but it does seem that on one of the FTP sessions there is a data connection made, nothing is sent, and then it is disconnected almost immediately.

Right off the top of my head I would think error on the server side, do you have access to the server logs?

Or there is an IPS/IDS some place that is seeing something it does not like and it is issuing the FIN.
 
LVL 1

Author Comment

by:oldstone00
I will try to get access to the server again.  I will see if I can pull the IIS logs (I am assuming this is what you are interested in).
 
LVL 1

Author Comment

by:oldstone00
Attached is the FTP log from the day of the testing.  It's an anonymous FTP transfer on an SSL tunnel, so no juicy bits in there.
u-ex130522.log
 
LVL 57

Expert Comment

by:giltjr
The only failure I see is the very last LIST:

2013-05-22 21:11:34 10.8.9.31 - 10.8.9.11 52189 DataChannelClosed - - 258 50 3f98cf63-43c2-421f-98ff-bd4695c33f7f -

I can't find what a code 258 is.
 
LVL 57

Expert Comment

by:giltjr
Some of the stuff in the log looks weird.  It almost looks like you had two FTP sessions open from the same client at the same time and were issuing commands on both at the same time.
 
LVL 1

Author Comment

by:oldstone00
The FTP is used exclusively for the application in question, so all of the logs for the FTP reflect the testing that I was doing.  In the middle of the log there are sections that show numerous connections with no file transfers.  These will be the sections that I was connected to the VPN (and I can't upload).

Do you notice anything peculiar about the sections with no data transfer compared to the sections that have data transfer?

I will check with the vendor regarding the dual FTP connections
 
LVL 57

Expert Comment

by:giltjr
I only see 2 STOR commands that failed:

STOR      /ftpVideos/Hensonjw@20130521183539.mpg      550
STOR      /ftpVideos/Hensonjw@20130521183539.mpg      425


Other than that I see no failures.  I do see a LOT of LIST commands, but all of the STOR commands seem to have worked, except for the two above.
 
LVL 1

Author Comment

by:oldstone00
I think the issue is that the STOR command is not being received.  From my limited understanding of this program, it lists the directory contents of the FTP site, and depending on what is there (existing mpg files, metadata files, etc.), will upload data.  Under normal operation, almost all of the list commands (over 90%) should be followed by a data transfer.

So the issue seems likely attributable to either:
1. some sort of firewall or IDS/IPS blocking the STOR command when I am on the VPN (possibly because of the dual FTP connections)
2. Some logic issue or exception for the FTP program that is causing it not to initiate a transfer

Sound correct?
 
LVL 57

Expert Comment

by:giltjr
Do you know what the function of the program is?

From what you described it sounds like this program is trying to keep a remote directory/folder in sync with a local copy.  

This means that there should only be a STOR command when there is a new file on the client side.  Does it have files updated that much?

In the log there are times where there are multiple LIST commands within the same second.
 
LVL 57

Expert Comment

by:giltjr
What is the IP address of the client in question?

What is the IP address that you were using to do the test?

I just noticed that this is the whole log, not just for your test.
 
LVL 1

Author Comment

by:oldstone00
.11 is the FTP server
.57 is the problem client, connected via VPN

There are several other IPs that do transfer data; they are on the physical LAN and have no issues.  Only when I try to VPN do I get the issue with the transfers not going through.

The purpose of the program is to transfer video files from a PC video recorder to an ftp site.  When new video is recorded, it makes a metadata file (the txt and xml files) to transfer to the FTP site, along with the mpg.

I noticed the same thing as you with the repeated LIST commands.  Is it possible that the LIST is failing?
 
LVL 57

Accepted Solution

by:giltjr (earned 500 total points)
I would say that somebody needs to really look at the program. In my humble opinion something is wrong.  There are times where that client is doing what I would consider way too many commands.  In one instance it did 18 LIST in the same second.

Not sure what this video record is really doing, but 18 new files in a second seems like a lot to me.

If that is correct, then what I would suggest is that somebody change the program so that it wakes up once every 10 or 15 seconds, sees what it needs to upload, and uploads it.  I am assuming that it is already trying to figure out what files need to be uploaded by doing the LIST of what is on the server and looking at what is local and finding the differences.
0
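The log checks discussed in this thread (LIST bursts from one client within a single second, failed replies such as the 550 and 425 on STOR, and data channels closed with an error), as an added example that is not part of the original thread or anyone's post. The column layout is an assumption inferred from the one DataChannelClosed line quoted above, the sample records are constructed, and paths are assumed to contain no spaces.

```python
from collections import Counter

# Column layout assumed from the DataChannelClosed line quoted in the thread.
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port", "method",
          "uri", "status", "win32", "substatus", "session", "path")

# Constructed sample records (not taken from the poster's log).
SAMPLE_LOG = """\
#Software: constructed sample
2013-05-22 21:11:30 10.8.9.57 - 10.8.9.11 21 LIST - 226 0 0 sess-a -
2013-05-22 21:11:30 10.8.9.57 - 10.8.9.11 21 LIST - 226 0 0 sess-a -
2013-05-22 21:11:30 10.8.9.57 - 10.8.9.11 21 LIST - 226 0 0 sess-b -
2013-05-22 21:11:31 10.8.9.40 - 10.8.9.11 21 STOR /ftpVideos/a.mpg 226 0 0 sess-c /ftpVideos/a.mpg
2013-05-22 21:11:32 10.8.9.57 - 10.8.9.11 21 STOR /ftpVideos/b.mpg 425 0 0 sess-a -
2013-05-22 21:11:34 10.8.9.57 - 10.8.9.11 52189 DataChannelClosed - - 258 50 sess-a -
"""

def parse(log_text):
    """Return one dict per record, skipping '#' directives and malformed rows."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def list_bursts(rows, threshold=3):
    """Map (client, second) -> LIST count where the count reaches threshold."""
    counts = Counter((r["c_ip"], f'{r["date"]} {r["time"]}')
                     for r in rows if r["method"] == "LIST")
    return {key: n for key, n in counts.items() if n >= threshold}

def failures(rows):
    """Return commands with a 4xx/5xx reply and data channels closed with an error."""
    found = []
    for r in rows:
        bad_reply = r["status"].isdigit() and int(r["status"]) >= 400
        bad_close = r["method"] == "DataChannelClosed" and r["win32"] != "0"
        if bad_reply or bad_close:
            found.append((r["time"], r["c_ip"], r["method"], r["status"], r["win32"]))
    return found

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(list_bursts(rows))
    for item in failures(rows):
        print(item)
```

Filtering the rows by client address before calling these functions separates the VPN client's sessions from the LAN clients that share the same log.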
 
LVL 1

Author Comment

by:oldstone00
I agree with you.  Thanks for the help in troubleshooting.  I will continue working on this issue.