07-17-2013 08:58 AM
ta, Im having a heck of a problem.
One zone out to an ftp server is working frie but from another zone the conputers can connect but they cant get file listings of xfer data ata ll. Routing is fine, obviously, the rules they are hitting is ok, NAT and Sec.
Both connections go through two VRs to get out to the ftp server. One zone hits two rules, the other only hits one.
Im running out of ideas of things to check.
Anyone else here have this problem in the past? What was the issue? Thanks.
07-18-2013 12:43 PM
set deviceconfig setting tcp asymmetric-path bypass bypass-exceed-oo-queue yes
Here are all the options under asymmetric-path:
admin@PA-200# set deviceconfig setting tcp asymmetric-path bypass
+ bypass-exceed-oo-queue whether to skip inspection of session if out-of-order packets limit is exceeded
+ check-timestamp-option whether to drop packets with invalid timestamp option
+ urgent-data clear urgent flag in TCP header
<Enter> Finish input
set deviceconfig setting tcp asymmetric-path bypass yes
This disables the sliding window and sequence number checking. Looks like you are doing asymetric routing and the firewall is dropping tcp out of sequence packets.
Hope that helps.
07-17-2013 09:16 AM
oh and ive tried both passive and active connection types.
07-17-2013 09:23 AM
You can also do the following to see what might be causing the issue
1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:
Navigate to Monitor--Packet Capture
Click 'Manage Filters'
Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )
Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)
2. Setup up the captures
Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)
3. Enable filters and captures
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
4. open 2 CLI windows
on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)
show counter global filter packet-filter yes delta yes
on the 2nd window run the following command to look at he sessions
show session all filter source <ip address> destination <ip address>
5. Now run the test for ftp while it is failing to look at the counters and captures and sessions to determine what is causing the issue.
6. Once you have finished testing and capturing. Make sure to turn off the debugs.
Hopefully this helps you resolve your issue.
07-17-2013 09:54 AM
thanks very much, i will try that out asap.
07-17-2013 03:10 PM
thanks again, that worked, well just going to review the files.
btw, i guess the CMD line stuff is just to make sure its actually working/capturing as you test ..?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!