Solved

WYSE ThinOS Connectivity

Posted on 2014-04-14
Last Modified: 2014-04-23
Site A has a Citrix array behind a SonicWall router
Site B had the IIS FTP server which fed the INI file to the S10 units

Units outside Site A CANNOT connect to the FTP server or the array consistently. So we moved the WNOS files to Site A to be served locally on a FileZilla FTP server. We are watching connections to the server, however the units are still not consistently getting connected to the FTP or the array.

NOTE: S10 units INSIDE the Site A firewall are working perfectly, every time. There is no rule we see on the firewall that would block FTP or cause intermittent connectivity with VPN traffic (we are allowing "All" to/from the VPN). The only two things that changed in our environment recently are: A few weeks ago we configured LDAP/SSO on our firewalls, so HTTP traffic is being authenticated across the same tunnel. Also, we put a pre-release firmware on the router at Site A to address some other issues. These two changes are the only ones that fit the timeline.

Any thoughts?
Question by:Lee Seeman

Author Comment

by:Lee Seeman
ID: 40000586
The FTP log shows a successful login intermittently and cannot find the cle10_... file. Other times, more frequently, the Wyse devices do not even attempt to log in and the device hangs on 'connecting to file server'.
 

Author Comment

by:Lee Seeman
ID: 40001306
I'm thinking there may be site/subnet-specific DHCP server options needed for Wyse. Is this the case?
 

Author Comment

by:Lee Seeman
ID: 40001329
I am confirming that our DHCP server at the problematic site is configured as noted here: http://www.freewysemonkeys.com/downloads/DHCP%20%20FTP%20blazer.pdf
 

Author Comment

by:Lee Seeman
ID: 40001476
We are seeing this on our FTP server when the WYSE device is brought back to the local subnet of the FTP:

(000277)4/15/2014 9:00:52 AM - (not logged in) (192.168.1.87)> USER anonymous
(000277)4/15/2014 9:00:52 AM - (not logged in) (192.168.1.87)> 331 Password required for anonymous
(000277)4/15/2014 9:00:52 AM - (not logged in) (192.168.1.87)> PASS ***************
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 230 Logged on
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> TYPE I
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 200 Type set to I
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> SIZE /wyse/wnos/C10_bios.bin
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 550 File not found
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> CWD /wyse/wnos/C10_bios.bin
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 550 CWD failed. "/wyse/wnos/C10_bios.bin": directory not found.
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> PASV
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 227 Entering Passive Mode (192,168,1,31,235,41)
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> RETR /wyse/wnos/C10_bios.bin
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 550 File not found
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> disconnected.



Interestingly enough, the WYSE device successfully boots and connects to our Citrix WI.

However, when this device was at a remote site yesterday it hung on 'connecting to file server...' and gave a netboot error.
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 40001695
I think this might be the FTP "Data" range ports on the firewall that are being blocked occasionally.

Maybe for better observation you can use the Wireshark Application in order to capture the errors?

Author Comment

by:Lee Seeman
ID: 40006557
I ruled out it being a Sonicwall FTP issue since we can successfully connect to FTP using Windows XP CMD from a client at the same site repeatedly without an issue.

A.) Site A same subnet as FTP: no issues with WYSE auth and connecting to FTP server

B.) Site B & C are remote to FTP over Sonicwall VPN tunnel: WYSE devices show connecting to file server...then revert to default ICA settings screen. We see no attempt to login in FTP server (FileZilla) log.

The Sonicwall LAN-to-VPN and VPN-to-LAN access-rules on either side have allow any-any rules; there are no deny rules.

We do not have WYSE tech support options and they have not been helpful in the past.

Please help us resolve this issue.
 

Author Comment

by:Lee Seeman
ID: 40008550
Anyone have an idea why our WYSE devices are not initiating the FTP connection behind our SonicWalls and over our VPN tunnels?

FTP works from Windows clients...
 

Author Comment

by:Lee Seeman
ID: 40008778
Here is a packet capture on the remote SonicWall for the WYSE device and it shows dropped FTP control packets:

Ethernet Header
 Ether Type: IP(0x800), Src=[00:80:64:68:12:93], Dst=[00:17:c5:62:4b:ce]
IP Packet Header
 IP Type: TCP(0x6), Src=[192.168.14.32], Dst=[192.168.1.31]
TCP Packet Header
 TCP Flags = [SYN,], Src=[2050], Dst=[21], Checksum=0xb6c1
Application Header
 FTP Control
Value:[0]
DROPPED, Drop Code: 39, Module Id: 26, (Ref.Id: _4703_uyHtJcpfngKrRmv) 0:0)



This is a LAN-to-VPN zone path and the egress rule is any/any allow....

I'm stumped!
 

Accepted Solution

by:
Lee Seeman earned 0 total points
ID: 40009299
The issue turned out to be a conflict with SonicWall's SSO option. Once we excluded the WYSE device IPs using an Object Group, packets no longer got dropped and the WYSE devices were able to connect to the FTP server consistently.
 

Author Closing Comment

by:Lee Seeman
ID: 40017021
Researched the issue and troubleshot various options on the SonicWall. The SonicWall logs also showed SSO failure for the WYSE IP address.
0
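The comparison made by hand in this thread, FTP server log against firewall packet capture, can be scripted. The following is an added example, not code from the original posts: it lists clients whose SYNs to port 21 were dropped at the firewall and that never show up in the FileZilla Server log. The function names are hypothetical, the second capture record is constructed, and the parser assumes capture records are separated by blank lines.

```python
import re

# Constructed samples in the two formats quoted in the thread; second capture record is made up.
FTP_LOG = """\
(000277)4/15/2014 9:00:52 AM - (not logged in) (192.168.1.87)> USER anonymous
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 230 Logged on
(000277)4/15/2014 9:00:52 AM - anonymous (192.168.1.87)> 227 Entering Passive Mode (192,168,1,31,235,41)
"""
CAPTURE = """\
 IP Type: TCP(0x6), Src=[192.168.14.32], Dst=[192.168.1.31]
 TCP Flags = [SYN,], Src=[2050], Dst=[21], Checksum=0xb6c1
DROPPED, Drop Code: 39, Module Id: 26, (Ref.Id: _4703_uyHtJcpfngKrRmv) 0:0)

 IP Type: TCP(0x6), Src=[192.168.14.40], Dst=[192.168.1.31]
 TCP Flags = [SYN,], Src=[2051], Dst=[21], Checksum=0x0000
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def ftp_sessions(log):
    """Client IP -> login state and PASV data ports seen in a FileZilla Server log."""
    out = {}
    for line in log.splitlines():
        m = re.match(r"^\(\d+\).*?\(" + IPV4 + r"\)> (.*)$", line)
        if not m:
            continue
        s = out.setdefault(m.group(1), {"logged_in": False, "pasv_ports": []})
        if m.group(2).startswith("230"):
            s["logged_in"] = True
        p = re.match(r"227 .*\((?:\d+,){4}(\d+),(\d+)\)", m.group(2))
        if p:  # PASV data port = p1 * 256 + p2
            s["pasv_ports"].append(int(p.group(1)) * 256 + int(p.group(2)))
    return out

def dropped_ftp_syns(capture, server_ip):
    """(src_ip, drop_code, module_id) for each dropped SYN to server_ip:21."""
    hits = []
    for rec in re.split(r"\n\s*\n", capture.strip()):
        ip = re.search(r"Src=\[" + IPV4 + r"\], Dst=\[" + IPV4 + r"\]", rec)
        tcp = re.search(r"TCP Flags = \[([^\]]*)\], Src=\[\d+\], Dst=\[(\d+)\]", rec)
        drop = re.search(r"DROPPED, Drop Code: (\d+), Module Id: (\d+)", rec)
        if (ip and tcp and drop and ip.group(2) == server_ip
                and tcp.group(2) == "21" and "SYN" in tcp.group(1)):
            hits.append((ip.group(1), int(drop.group(1)), int(drop.group(2))))
    return hits

def never_reached_server(capture, log, server_ip):
    """Sources dropped at the firewall that never appear in the FTP server log."""
    seen = ftp_sessions(log)
    return sorted({s for s, _, _ in dropped_ftp_syns(capture, server_ip) if s not in seen})
```

A client returned by `never_reached_server` points at the firewall rather than the FTP service; the PASV ports recorded for working clients show which data-port range the firewall has to pass.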
