FTP Data connection broken, need help

choff123 · ‎07-17-2013

ta, Im having a heck of a problem.

One zone out to an ftp server is working frie but from another zone the conputers can connect but they cant get file listings of xfer data ata ll. Routing is fine, obviously, the rules they are hitting is ok, NAT and Sec.

Both connections go through two VRs to get out to the ftp server. One zone hits two rules, the other only hits one.

Im running out of ideas of things to check.

Anyone else here have this problem in the past? What was the issue? Thanks.

cchristiansen · ‎07-18-2013

5.x:

set deviceconfig setting tcp asymmetric-path bypass bypass-exceed-oo-queue yes

Here are all the options under asymmetric-path:

admin@PA-200# set deviceconfig setting tcp asymmetric-path bypass

+ bypass-exceed-oo-queue whether to skip inspection of session if out-of-order packets limit is exceeded

+ check-timestamp-option whether to drop packets with invalid timestamp option

+ urgent-data clear urgent flag in TCP header

<Enter> Finish input

admin@PA-200#

prior versions:

set deviceconfig setting tcp asymmetric-path bypass yes

This disables the sliding window and sequence number checking. Looks like you are doing asymetric routing and the firewall is dropping tcp out of sequence packets.

Hope that helps.

-chadd.

View solution in original post

choff123 · ‎07-17-2013

oh and ive tried both passive and active connection types.

mbutt · ‎07-17-2013

Hi,

You can also do the following to see what might be causing the issue

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

5. Now run the test for ftp while it is failing to look at the counters and captures and sessions to determine what is causing the issue.

6. Once you have finished testing and capturing. Make sure to turn off the debugs.

Hopefully this helps you resolve your issue.

Thank you

choff123 · ‎07-17-2013

thanks very much, i will try that out asap.

choff123 · ‎07-17-2013

thanks again, that worked, well just going to review the files.

btw, i guess the CMD line stuff is just to make sure its actually working/capturing as you test ..?

FTP Data connection broken, need help

FTP Data connection broken, need help

Show your appreciation!