FTP Data connection broken, need help

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FTP Data connection broken, need help

L3 Networker

ta, Im having a heck of a problem.

One zone out to an ftp server is working frie but from another zone the conputers can connect but they cant get file listings of xfer data ata ll. Routing is fine, obviously, the rules they are hitting is ok, NAT and Sec.

Both connections go through two VRs to get out to the ftp server. One zone hits two rules, the other only hits one.

Im running out of ideas of things to check.

Anyone else here have this problem in the past? What was the issue? Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

5.x:

set deviceconfig setting tcp asymmetric-path bypass bypass-exceed-oo-queue yes


Here are all the options under asymmetric-path:

admin@PA-200# set deviceconfig setting tcp asymmetric-path bypass

+ bypass-exceed-oo-queue   whether to skip inspection of session if out-of-order packets limit is exceeded

+ check-timestamp-option   whether to drop packets with invalid timestamp option

+ urgent-data              clear urgent flag in TCP header

  <Enter>                  Finish input

admin@PA-200#

prior versions:

set deviceconfig setting tcp asymmetric-path bypass  yes


This disables the sliding window and sequence number checking.  Looks like you are doing asymetric routing and the firewall is dropping tcp out of sequence packets.

Hope that helps.

-chadd.

View solution in original post

14 REPLIES 14

L3 Networker

oh and ive tried both passive and active connection types.

L5 Sessionator

Hi,

You can also do the following to see what might be causing the issue

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

5. Now run the test for ftp while it is failing to look at the counters and captures and sessions to determine what is causing the issue.

6. Once you have finished testing and capturing. Make sure to turn off the debugs.

Hopefully this helps you resolve your issue.

Thank you

thanks very much, i will try that out asap.

thanks again, that worked, well just going to review the files.

btw, i guess the CMD line stuff is just to make sure its actually working/capturing as you test ..?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!