SRX

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP transfer doesn't work properly

    Posted 10-26-2021 15:50
    Hello,
    I upgraded SRX340 from 15.1X49-D90.7 to 20.2R2.11.
    After upgrade, ftp transfer that takes more than 5 minutes doesn't work properly.

    <Log excerpt>
    Success case:file transfer time < 5 minutes (20.2R2.11)
    Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
    Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21

    Failure case:file transfer time > 5 minutes (20.2R2.11)
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
    Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661

    Success case:file transfer time > 5 minutes (15.1X49-D90.7)
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21

    <Config excerpt>
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match source-address IBM_MIH_BATCH
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match destination-address NF_MAK_FTP
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application junos-icmp-all
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application ftp
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then permit
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-init
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-close

    set security zones security-zone SERVICE address-book address O_NF_MAK_FTP_01 192.168.21.15/32
    set security zones security-zone SERVICE address-book address-set NF_MAK_FTP address O_NF_MAK_FTP_01
    set security zones security-zone ADVANCE address-book address O_IBM_MIH_BATCH_01 172.21.15.71/32
    set security zones security-zone ADVANCE address-book address-set IBM_MIH_BATCH address O_IBM_MIH_BATCH_01

    set applications application ftp application-protocol ftp
    set applications application ftp protocol tcp
    set applications application ftp destination-port 21

    It seems that SRX disconnects the session before "FIN" arrives from the ftps server.
    If anyone has experienced a similar situation, please give me some advice.

    ------------------------------
    KEIICHI TSUCHIHASHI
    ------------------------------


  • 2.  RE: FTP transfer doesn't work properly

    Posted 11-16-2023 06:43

    Hello @KEIICHI TSUCHIHASHI san,

    How to update the status of this problem?
    Are there any updates available?
     
    I have a similar problem to you, can you please provide your experience on fix it


    ------------------------------
    SOPYAN HADI IRAWAN
    ------------------------------



  • 3.  RE: FTP transfer doesn't work properly

    Posted 11-17-2023 12:10

    Hi Guys,

    Depending on the behaviour of the FTP application, you may need to adjust the FTP ALG settings on your SRX. See the following article for options here.

    https://www.juniper.net/documentation/us/en/software/junos/alg/topics/ref/statement/security-edit-ftp.html

    You can use the disable option to confirm it is ALG terminating the connection, however, not entirely recommended as a permanent solution.



    ------------------------------
    GAVIN WHITE
    ------------------------------