Juniper SSG5 Debug Question

Good Day
I have a Juniper SSG5 firewall and it has been working fairly well until 3 days ago. FTP traffic to my webhosting server stopped. I get a "connection dropped - age out" message in the traffic log monitoring the FTP policy. Normal web browsing, e-mail, ping, etc. continue to function. FTP traffic to other sites works without issue. Contacting the webhost indicated that as far as they are concerned the problem was mine. I can FTP to the web host from other internet connections outside of my home. Contacting my ISP revealed the same response: no problem outside my environment. If I connect directly to my inbound ISP connection, bypassing my internal network, I can FTP to my web host, although it takes 3 or 4 tries to establish a stable connection. I ran a flow debug session on my SSG5, but with my limited understanding of the log file information I do not see anything jumping out at me screaming "fix me, this is what is broken".
I have attached the debug log and the current SSG5 configuration, edited to hopefully eliminate most personal information.
Any suggestions would be greatly appreciated, I really would like to get my website back on line.
-Bob
Attachments: SSG5cfg.txt, Firewall-Trace.txt
Asked by Bob Conklin, Configuration/TEST Technician.

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Sorry, I lost track of this question because of other issues eating up my time.
Looking at that last debug log, it's telling me that FTP handshake worked fine, including the negotiation of a dynamic data port (206.188.192.200/21->72.12.65.48/1544). The last record
   ****** 00528.0: <Untrust/ethernet0/0> packet received [94]******
   ...
   ethernet0/0:206.188.192.200/21->72.12.65.48/1544,6, 5014(rst)<Root>

says the connection has been closed by the FTP server (!). I cannot see any issue with the firewall itself.
Did you try to use passive FTP?

Qlemo commented:
Your debug does not contain the replies, you should add another ffilter with src and dst reversed.
Also we see both FTP and HTTP - is that correct?

Bob Conklin (Author) commented:
OK, I will re-run the debug log tonight with the added filter. HTTP is probably correct, as the host that I was using for this test might have had HTTP requests running in the background as well as the FTP traffic requests.

Bob Conklin (Author) commented:
Here is the debug flow log with the 2 filters applied. Attachment: Flow2.txt

Qlemo commented:
Looks like there is no response at all. You might have to broaden the ffilter to only restrict to the target address (and keep any other traffic than FTP away from the Juniper for better diagnostics).

Bob Conklin (Author) commented:
Hmmm... OK, so to be clear, are you suggesting that I remove all traffic from the Juniper, set up a single host that will attempt to make an FTP connection to the site in question, and run the debug in that configuration?

Qlemo commented:
Not exactly. Keep all traffic, but make sure there is no other traffic to that particular destination than FTP.
Of course removing all traffic would make it much easier to debug, but to expect that would be unrealistic.

Bob Conklin (Author) commented:
Ok, well in this instance it would be easier to remove all traffic for the time necessary to run the debug, there are 4 different hosts hitting the destination Web hosting site, all with different protocols. It may take me a bit to get the test host on line, but I will post the latest logs as soon as I can. This issue has not only driven me slightly crazy but it is impacting the data that needs to be posted to the website.
Thank you for your assistance, Qlemo. As we say in TV... stand by!

Bob Conklin (Author) commented:
Here is the latest debug log. I removed all traffic from my network switch with the exception of a single host running an FTP client to the web hosting site. The log was captured via a console cable to the SSG5.
Attachment: Flow3.txt

Qlemo commented:
Still nothing coming from outside. Strange. Use a less restrictive filter:
  set ffilter dst-ip 206.188.192.200
  set ffilter src-ip 206.188.192.200
for debugging.

Bob Conklin (Author) commented:
Will do

Qlemo commented:
Make sure to see a response from Untrust. You also want to add a debug flow drop to see dismissed traffic too.
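The question the two answers above keep coming back to is whether the debug flow log shows any packets coming back from the FTP server on Untrust, and, when a reset appears, who sent it. The ScreenOS output is verbose, so here is a small parser that answers both mechanically. This is an added example, not code from the thread or from Juniper: it keys only on the two line shapes quoted earlier in the thread (the `****** nnnnn.n: <Zone/iface> packet received` header and the `iface:src/port->dst/port,proto[, n(flags)]<vsys>` summary line). The sample log is constructed for this example; the filler lines between those two are shaped like ScreenOS output but are not from any attached file, and the parser does not depend on them.

```python
"""Summarize a ScreenOS 'debug flow basic' capture: did replies arrive from the
server, on which zone, and who sent any RST?  Added example, not part of the
original thread.  The only two line formats relied on are the ones quoted in
the thread; everything else in the sample is constructed filler."""
import re
from collections import Counter

# Header line, e.g.  ****** 00528.0: <Untrust/ethernet0/0> packet received [94]******
HDR_RE = re.compile(
    r"\*{6}\s*\d+\.\d+:\s*<(?P<zone>[^/>]+)/(?P<iface>[^>]+)> packet received"
)
# Per-packet summary line, e.g.
#   ethernet0/0:206.188.192.200/21->72.12.65.48/1544,6, 5014(rst)<Root>
#   ethernet0/1:192.168.1.10/1544->206.188.192.200/21,6<Root>
# The number in front of "(rst)" is kept opaque; only the flag name is used.
FLOW_RE = re.compile(
    r"^\s*(?P<iface>[\w/.-]+):"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)"
    r"(?:,\s*\d+\((?P<flags>[a-z]+)\))?<(?P<vsys>\w+)>"
)

# Constructed sample (not a real capture).  Addresses are the two from the
# thread: 206.188.192.200 is the FTP server, 72.12.65.48 the client's public IP.
SAMPLE_LOG = """\
****** 00527.0: <Trust/ethernet0/1> packet received [60]******
  ipid = 21544(5428), @0326d3f0
  packet passed sanity check.
  ethernet0/1:192.168.1.10/1544->206.188.192.200/21,6<Root>
  no session found
****** 00527.5: <Untrust/ethernet0/0> packet received [60]******
  ipid = 10532(2924), @0326d7f0
  packet passed sanity check.
  ethernet0/0:206.188.192.200/21->72.12.65.48/1544,6<Root>
  existing session found. sess token 4
****** 00528.0: <Untrust/ethernet0/0> packet received [94]******
  ipid = 10533(2925), @0320d7f0
  packet passed sanity check.
  ethernet0/0:206.188.192.200/21->72.12.65.48/1544,6, 5014(rst)<Root>
  existing session found. sess token 4
"""


def parse_flow_log(text):
    """Return one dict per packet with zone, iface, src/dst, ports, proto, flags."""
    packets, zone = [], None
    for line in text.splitlines():
        hdr = HDR_RE.search(line)
        if hdr:
            zone = hdr.group("zone")      # remembered for the summary line that follows
            continue
        m = FLOW_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["zone"] = zone
            pkt["flags"] = pkt["flags"] or ""
            packets.append(pkt)
    return packets


def summarize(packets, server_ip):
    """Count traffic to/from server_ip, record RST senders, and give a verdict."""
    n_to = sum(1 for p in packets if p["dst"] == server_ip)
    from_server = [p for p in packets if p["src"] == server_ip]
    rst_senders = Counter(p["src"] for p in packets if "rst" in p["flags"])
    if not packets:
        verdict = "no packets matched: check the ffilter"
    elif n_to and not from_server:
        verdict = ("no replies seen: widen ffilter to src-ip/dst-ip only "
                   "and add 'debug flow drop'")
    elif rst_senders.get(server_ip):
        verdict = "server closed the session with RST; look at the server side"
    elif rst_senders:
        verdict = "RST sent by " + ", ".join(sorted(rst_senders)) + ", not the server"
    else:
        verdict = "bidirectional traffic, no resets"
    return {
        "to_server": n_to,
        "from_server": len(from_server),
        "from_server_zones": dict(Counter(p["zone"] for p in from_server)),
        "rst_senders": dict(rst_senders),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_flow_log(SAMPLE_LOG), "206.188.192.200").items():
        print(f"{k}: {v}")
```

Run it against a saved capture with `python3 flowsum.py < flow4.txt` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a zero `from_server` count with a non-zero `to_server` count is exactly the "still nothing coming from outside" situation, and the `from_server_zones` entry confirms the replies arrived on Untrust rather than being looped back on Trust.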

Bob Conklin (Author) commented:
Hi Qlemo
Here is the latest log file with the filters and drop command you suggested. As with the log before, all traffic was removed from the switch except one host running the FTP client, and the console cable was hooked up.
Attachment: flow4.txt

Bob Conklin (Author) commented:
I am guessing at this point I will need to look at replacing this device as I can't continue to use it in its present state.

Bob Conklin (Author) commented:
Yes, the software that does the FTP transfer is set for automatic, passive, with username and password. I had seen that response on the automated FTP software error logs that trigger the transfer. Now you see why I am so confused. While I was awaiting your latest look-see, I put back into service my old SmoothWall Express firewall and ran it for 2 weeks without issue. I reset my SSG5, put it back in, and within 4 days we were back to dropping connections to that one FTP server.
Thank you for all your time and effort in trying to figure this out.

Qlemo commented:
With the SmoothWall firewall, do you see a similar FTP log? Since the FTP server terminates the connection, and it is definitely not after a timeout, there must be something on the server side triggering that.

Qlemo commented:
On another note, is FTP ALG enabled (in WebUI: Security » ALG)? Try if toggling it changes the behaviour as desired.

Bob Conklin (Author) commented:
Hi Qlemo
With the SmoothWall firewall my client software FTP logs did not indicate anything abnormal. I saw no timeout errors, nor did I lose connection to the FTP server. I will try the FTP ALG setting on the SSG5 and put it back into service. It may take a few days to see if there is any change in behavior, and I will post what happens.
(I hear twilight zone music in the distance)

Bob Conklin (Author) commented:
Final update: after doing everything that Qlemo had suggested and testing for a few weeks, I was still having the same issue. So here is what the fix turned out to be... the network switch that controlled all of the traffic in my domain was failing. The fan had died and I did not know that. After swapping out the switch with a replacement, restoring all the connections and resetting the SSG5 to its normal configuration, I am happy to report that I no longer am having FTP time outs or failures. (knock on wood). Go figure!

Question has a verified solution.