Hello,
I upgraded an SRX340 from 15.1X49-D90.7 to 20.2R2.11.
After the upgrade, an FTP transfer that takes more than 5 minutes doesn't work properly.
<Log excerpt>
Success case: file transfer time < 5 minutes (20.2R2.11)
Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21
Failure case: file transfer time > 5 minutes (20.2R2.11)
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661
Success case: file transfer time > 5 minutes (15.1X49-D90.7)
Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21
<Config excerpt>
set security policies from-zone ADVANCE to-zone SERVICE policy id36 match source-address IBM_MIH_BATCH
set security policies from-zone ADVANCE to-zone SERVICE policy id36 match destination-address NF_MAK_FTP
set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application junos-icmp-all
set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application ftp
set security policies from-zone ADVANCE to-zone SERVICE policy id36 then permit
set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-init
set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-close
set security zones security-zone SERVICE address-book address O_NF_MAK_FTP_01 192.168.21.15/32
set security zones security-zone SERVICE address-book address-set NF_MAK_FTP address O_NF_MAK_FTP_01
set security zones security-zone ADVANCE address-book address O_IBM_MIH_BATCH_01 172.21.15.71/32
set security zones security-zone ADVANCE address-book address-set IBM_MIH_BATCH address O_IBM_MIH_BATCH_01
set applications application ftp application-protocol ftp
set applications application ftp protocol tcp
set applications application ftp destination-port 21
It seems that the SRX disconnects the session before the "FIN" arrives from the ftps server.
If anyone has experienced a similar situation, please give me some advice.
------------------------------
KEIICHI TSUCHIHASHI
------------------------------
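Added example, not part of the original post: a Python sketch that pairs the RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines from the excerpts above, reports how long each FTP control and data session lived, and lists data sessions that ended without a TCP FIN. The year is an assumption (the syslog timestamps carry none), and the function names are hypothetical.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2020  # assumption: the syslog timestamps in the post carry no year
# Lines copied from the post: failure case on 20.2R2.11, then success case on 15.1X49-D90.7.
SAMPLE = """\
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661
Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) %USER-6-RT_FLOW_SESSION_(?P<ev>CREATE|CLOSE): "
    r"session (?:created|closed (?P<reason>.*?):) "
    r"(?P<flow>\d+\.\d+\.\d+\.\d+/\d+->\d+\.\d+\.\d+\.\d+/\d+)"
)

def session_lifetimes(text, year=ASSUMED_YEAR):
    """Pair create/close events per flow; return lifetime and close reason."""
    opened, results = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a session create/close line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        flow = m["flow"]
        if m["ev"] == "CREATE":
            opened[flow] = ts
        elif flow in opened:
            results.append({
                "flow": flow,
                # Destination port 21 marks the FTP control channel.
                "role": "control" if flow.endswith("/21") else "data",
                "seconds": int((ts - opened.pop(flow)).total_seconds()),
                "reason": m["reason"],
            })
    return results

def data_without_fin(results):
    """Data sessions whose close reason is not a TCP FIN."""
    return [r for r in results
            if r["role"] == "data" and not r["reason"].startswith("TCP FIN")]

if __name__ == "__main__":
    for r in session_lifetimes(SAMPLE):
        print(f"{r['role']:8}{r['seconds']:>5}s  {r['reason']:38}{r['flow']}")
```

On the post's lines this reports the 20.2R2.11 failure sessions at 303 s (control) and 305 s (data), with the data session closed by junos-alg rather than a TCP FIN, against 503 s and 501 s on 15.1X49-D90.7.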