FTP passive mode issue
cancel
Showing results for 
Search instead for 
Did you mean: 

FTP passive mode issue

L3 Networker

Hello All,

I was read somewhere on this forum similar article from October 2014, and seem that problem with passive ftp was on new content ID. However some time passed since, I have issue with ftp passive mode on my VM-100 (panos 6.0.5, content ver. 483-2549..).

I catch traffic with pcap on pan directly (all stages) and noticed that had drop stage. From traffic log everything goes well (3way handshake, authentication, change directory, ftp commnds..). But since PASV request from client, server respond with entering into passive mode with port xxxx, client send syn sequence to offered port xxxx and never establish connection, with dropped packets from FW for that connection and port.

srv.png

Forward stage on firewall pcap with traffic log for that connection

tx_stage_retransmission.png

Tx stage with re-transmission

drop_stage_for_syn_passive.png

drop stage on FW for syn and all other packets destined to passive ftp port

Security policy was created to permit FTP with default-app in service field. From CLI I catched output that ftp-data session was created to destined ftp server and port xxxx.

Tician

3 REPLIES 3

L7 Applicator

Hello Tician

Could you please check the predict session on this firewall for that FTP connection. I think, the PAN is unable to open the pinhole for the new connection on port 35829.

a similar discussion thread: Re: About ftp passive mode App-ID insufficient-data

Thanks

Hi Hulk,

yes but if you look at the first session on traffic tab, you can see that first session was established on port 35829 and correctly decoded as FTP app. After that all others was detected as not-applicable and dropped.

Can you tell me how to enable predict sessions only for ftp?

Tician

Hi all,

I found cause off this behavior. Problem is on NAT device which is behind PAN firewall. Client initiate connection and one ftp session was created, but in moment where client send PASV request to server and server respond with port XXXX, client initiate connection to server on port XXXX. In that moment FW create new session ftp-data in INIT state with default time out 5 sec, but NAT device took long time to respond, more than 5 sec which is default timeout for INIT sessions on PAN fw. In that stage has no valid-opened session, firewall considered such session as not-applicable and had dropped a result.

So if I increase INIT sessions to 10 sec, there are no drops and ftp-data sessions were transit from INIT to FLOW. But I'm not happy with increasing session time out, so I need tracing issues on NAT device and cause of long time respond.

Regards,

Predrag

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!