SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP transfer doesn't work properly

    Posted 10-26-2021 15:50
    Hello,
    I upgraded an SRX340 from 15.1X49-D90.7 to 20.2R2.11.
    After the upgrade, an FTP transfer that takes more than 5 minutes doesn't work properly.

    <Log excerpt>
    Success case: file transfer time < 5 minutes (20.2R2.11)
    Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
    Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
    Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21

    Failure case: file transfer time > 5 minutes (20.2R2.11)
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
    Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
    Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661

    Success case: file transfer time > 5 minutes (15.1X49-D90.7)
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/65152->192.168.21.15/21
    Oct 17 01:47:58 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:19 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN N/A: 192.168.21.15/20->172.21.15.71/65153
    Oct 17 01:56:21 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP CLIENT RST junos-tcp-clt-emul: 172.21.15.71/65152->192.168.21.15/21

    <Config excerpt>
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match source-address IBM_MIH_BATCH
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match destination-address NF_MAK_FTP
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application junos-icmp-all
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 match application ftp
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then permit
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-init
    set security policies from-zone ADVANCE to-zone SERVICE policy id36 then log session-close

    set security zones security-zone SERVICE address-book address O_NF_MAK_FTP_01 192.168.21.15/32
    set security zones security-zone SERVICE address-book address-set NF_MAK_FTP address O_NF_MAK_FTP_01
    set security zones security-zone ADVANCE address-book address O_IBM_MIH_BATCH_01 172.21.15.71/32
    set security zones security-zone ADVANCE address-book address-set IBM_MIH_BATCH address O_IBM_MIH_BATCH_01

    set applications application ftp application-protocol ftp
    set applications application ftp protocol tcp
    set applications application ftp destination-port 21

    It seems that the SRX disconnects the session before "FIN" arrives from the ftps server.
    If anyone has experienced a similar situation, please give me some advice.

    ------------------------------
    KEIICHI TSUCHIHASHI
    ------------------------------


  • 2.  RE: FTP transfer doesn't work properly

    Posted 11 days ago

    Hello @KEIICHI TSUCHIHASHI san,

    What is the status of this problem?
    Are there any updates available?

    I have a similar problem to yours. Can you please share your experience fixing it?


    ------------------------------
    SOPYAN HADI IRAWAN
    ------------------------------



  • 3.  RE: FTP transfer doesn't work properly

    Posted 10 days ago

    Hi Guys,

    Depending on the behaviour of the FTP application, you may need to adjust the FTP ALG settings on your SRX. See the following article for options here.

    https://www.juniper.net/documentation/us/en/software/junos/alg/topics/ref/statement/security-edit-ftp.html

    You can use the disable option to confirm it is the ALG terminating the connection; however, it is not entirely recommended as a permanent solution.



    ------------------------------
    GAVIN WHITE
    ------------------------------
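
Before changing any ALG setting, the session logs from the first post can be checked for which sessions were torn down by the device and after how long. The script below is an added example, not part of the thread or any Juniper tooling: it pairs each RT_FLOW_SESSION_CLOSE with its CREATE by flow tuple and lists FTP data sessions that did not end with a TCP FIN. The log lines are copied from the first post; the function names and the year 2021 (taken from the post date) are assumptions.

```python
import re
from datetime import datetime

# Log lines copied from the first post: 20.2R2.11 failure case, then the short success case.
LOG = """\
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:48:31 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:53:34 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-svr-emul: 172.21.15.71/49660->192.168.21.15/21
Oct 20 01:53:36 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-alg: 192.168.21.15/20->172.21.15.71/49661
Oct 20 01:39:44 %USER-6-RT_FLOW_SESSION_CREATE: session created 172.21.15.71/49497->192.168.21.15/21 0x0 junos-ftp
Oct 20 01:39:45 %USER-6-RT_FLOW_SESSION_CREATE: session created 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:14 %USER-6-RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.21.15/20->172.21.15.71/49498
Oct 20 01:41:16 %USER-6-RT_FLOW_SESSION_CLOSE: session closed Closed by junos-tcp-clt-emul: 172.21.15.71/49497->192.168.21.15/21
"""

# Groups: timestamp, CREATE/CLOSE, optional close reason, flow tuple "src/port->dst/port".
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) %\S+RT_FLOW_SESSION_(CREATE|CLOSE): "
    r"session (?:created|closed) (?:(.*?): )?(\S+/\d+->\S+/\d+)", re.M)

def sessions(log, year=2021):
    """Pair each CLOSE with its CREATE by flow tuple; return (flow, seconds, reason)."""
    opened, out = {}, []
    for m in LINE.finditer(log):
        # Syslog timestamps carry no year; one is assumed so the parse is unambiguous.
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        kind, reason, flow = m[2], m[3], m[4]
        if kind == "CREATE":
            opened[flow] = ts
        elif flow in opened:
            age = int((ts - opened.pop(flow)).total_seconds())
            out.append((flow, age, reason))
    return out

def data_sessions_not_closed_by_fin(log):
    """Data sessions (server source port 20 in these logs) whose close reason is not a TCP FIN."""
    return [s for s in sessions(log)
            if s[0].split("->")[0].endswith("/20") and not s[2].startswith("TCP FIN")]

if __name__ == "__main__":
    for flow, age, reason in sessions(LOG):
        print(f"{age:>4}s  {reason:<30} {flow}")
    print("suspect:", data_sessions_not_closed_by_fin(LOG))
```

On these lines the only data session flagged is the one closed by junos-alg after 305 seconds, two seconds after its control session was closed at 303 seconds.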