
FTP transfer doesn't work properly

  • 1.  FTP transfer doesn't work properly

    Posted 10-26-2021 15:50
    Hello,
    I upgraded an SRX340 from 15.1X49-D90.7 to 20.2R2.11.
    After the upgrade, an FTP transfer that takes more than 5 minutes doesn't work properly.

    <Log excerpt>
    Success case: file transfer time < 5 minutes (20.2R2.11)
    Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
    Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21

    Failure case: file transfer time > 5 minutes (20.2R2.11)
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
    Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661

    Success case: file transfer time > 5 minutes (15.1X49-D90.7)
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21

    <Config excerpt>
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match source-address IBM_MIH_BATCH
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match destination-address NF_MAK_FTP
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application junos-icmp-all
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application ftp
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then permit
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-init
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-close

    set security zones security-zone SERVICE address-book address O_NF_MAK_FTP_01 192.168.21.15/32
    set security zones security-zone SERVICE address-book address-set NF_MAK_FTP address O_NF_MAK_FTP_01
    set security zones security-zone ADVANCE address-book address O_IBM_MIH_BATCH_01 172.21.15.71/32
    set security zones security-zone ADVANCE address-book address-set IBM_MIH_BATCH address O_IBM_MIH_BATCH_01

    set applications application ftp application-protocol ftp
    set applications application ftp protocol tcp
    set applications application ftp destination-port 21

    It seems that the SRX disconnects the session before the "FIN" arrives from the ftps server.
    If anyone has experienced a similar situation, please give me some advice.

    ------------------------------
    KEIICHI TSUCHIHASHI
    ------------------------------
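
Added example, not part of the original post: a small Python script that pairs the RT_FLOW_SESSION_CREATE/CLOSE lines quoted above, computes each session's lifetime and close reason, and lists data sessions that ended without a TCP FIN. The function names, the assumed log year and the "server port 20 means data session" rule (active-mode FTP, as in these logs) are assumptions of the example.

```python
import re
from datetime import datetime

# Log lines copied from the 20.2R2.11 success and failure cases in the post.
SAMPLE = """\
Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661
"""

# Timestamp, event type, optional close reason (text before the colon), flow tuple.
LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) %USER-6-RT_FLOW_SESSION_(?P<ev>CREATE|CLOSE): "
    r"session (?:created|closed)\s*(?P<reason>[^:]*?):?\s*"
    r"(?P<flow>\d+(?:\.\d+){3}/\d+->\d+(?:\.\d+){3}/\d+)")

def sessions(text, year=2021):
    """Pair CREATE/CLOSE lines per flow; syslog has no year, so `year` is assumed."""
    opened, closed = {}, []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["ev"] == "CREATE":
            opened[m["flow"]] = ts
        elif m["flow"] in opened:
            age = int((ts - opened.pop(m["flow"])).total_seconds())
            closed.append((m["flow"], age, m["reason"].strip()))
    return closed  # list of (flow, lifetime in seconds, close reason)

def aborted_transfers(text):
    """Data sessions (server port 20, active mode as in the logs) not ended by TCP FIN."""
    return [s for s in sessions(text)
            if "/20->" in s[0] and not s[2].startswith("TCP FIN")]

if __name__ == "__main__":
    for flow, age, reason in sessions(SAMPLE):
        print(f"{age:4d}s  {reason:32s} {flow}")
    print("aborted:", aborted_transfers(SAMPLE))
```

On the quoted lines, the failing control session closes 303 seconds after creation and the data session follows 2 seconds later with reason "Closed by junos-alg", while the successful transfer's data session ends with "TCP FIN" after 89 seconds.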