Junos OS

FTP transfer doesn't work properly

    Posted 10-26-2021 15:50
    Hello,
    I upgraded an SRX340 from 15.1X49-D90.7 to 20.2R2.11.
    After the upgrade, an FTP transfer that takes more than 5 minutes doesn't work properly.

    <Log excerpt>
    Success case: file transfer time < 5 minutes (20.2R2.11)
    Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
    Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21

    Failure case: file transfer time > 5 minutes (20.2R2.11)
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
    Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661

    Success case: file transfer time > 5 minutes (15.1X49-D90.7)
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21

    <Config excerpt>
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match source-address IBM_MIH_BATCH
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match destination-address NF_MAK_FTP
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application junos-icmp-all
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application ftp
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then permit
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-init
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-close

    set security zones security-zone SERVICE address-book address O_NF_MAK_FTP_01 192.168.21.15/32
    set security zones security-zone SERVICE address-book address-set NF_MAK_FTP address O_NF_MAK_FTP_01
    set security zones security-zone ADVANCE address-book address O_IBM_MIH_BATCH_01 172.21.15.71/32
    set security zones security-zone ADVANCE address-book address-set IBM_MIH_BATCH address O_IBM_MIH_BATCH_01

    set applications application ftp application-protocol ftp
    set applications application ftp protocol tcp
    set applications application ftp destination-port 21

    It seems that the SRX disconnects the session before "FIN" arrives from the ftps server.
    If anyone has experienced a similar situation, please give me some advice.

    ------------------------------
    KEIICHI TSUCHIHASHI
    ------------------------------
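
Added example (not part of the original post and not Juniper code): a Python script that pairs the RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines quoted above, reports how long each FTP control and data session lived and why it closed, and lists data sessions that ended with something other than a TCP FIN. The function names `summarize_sessions` and `cut_off_transfers` are hypothetical, and the year 2021 is an assumption because the syslog lines carry no year.

```python
import re
from datetime import datetime

# Log lines copied from the 20.2R2.11 success and failure cases in the post.
SAMPLE_LOG = """\
Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) %USER-6-RT_FLOW_SESSION_(CREATE|CLOSE): "
    r"session (?:created|closed) ?([^:]*?):? ?(\S+->\S+)")
FTP_CONTROL_PORT = "21"  # matches 'destination-port 21' in the posted config
YEAR = "2021"            # assumption: syslog lines carry no year; post is dated 2021


def summarize_sessions(log_text):
    """Pair CREATE/CLOSE records per flow; return lifetime and close reason."""
    opened, sessions = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip unrelated or malformed lines
        ts = datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
        event, reason, flow = m[2], m[3].strip(), m[4]
        if event == "CREATE":
            opened[flow] = ts
        elif flow in opened:  # a CLOSE without a logged CREATE is ignored
            channel = "control" if flow.rsplit("/", 1)[1] == FTP_CONTROL_PORT else "data"
            seconds = int((ts - opened.pop(flow)).total_seconds())
            sessions.append({"flow": flow, "channel": channel, "seconds": seconds, "reason": reason})
    return sessions


def cut_off_transfers(sessions):
    """Data sessions that closed for a reason other than a TCP FIN."""
    return [s for s in sessions
            if s["channel"] == "data" and not s["reason"].startswith("TCP FIN")]


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        print(f'{s["channel"]:7} {s["seconds"]:4}s  {s["reason"]:30} {s["flow"]}')
```

On the quoted lines, the failing control session lasts 303 seconds and its data session is closed by junos-alg two seconds later, while the short transfer's data session ends with TCP FIN after 89 seconds.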