SRX Services Gateway
Visitor
hilehoffer
Posts: 2
Registered: 02-23-2009

FTP over SSL Explicit

Secure FTP is not making it through the TLS authentication in FileZilla.  It is just hanging.  I set static NAT to the server and permitted the passive ports along with port 21, but still nothing.

    policy FTP {
        match {
            source-address any;
            destination-address MIP197;
            application [ FTP-SSL FTP-Passive junos-ftp FTP ];
        }
        then {
            permit;
        }
    }

    application FTP-Passive {
        protocol tcp;
        destination-port 51500-51550;
    }
    application FTP {
        protocol tcp;
        destination-port 20-21;
    }

    static {
        rule-set WBSMIP {
            from interface ge-0/0/15.0;
            rule PRODDC01 {
                match {
                    destination-address 67.220.151.197/32;
                }
                then {
                    static-nat prefix 10.1.1.10/32;
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/15.0 {
            address {
                67.220.151.197/32;
            }
        }
    }

What could I be missing?  Or is this a TCP check that I have to disable?

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: FTP over SSL Explicit

Try enabling flow traceoptions to find out how the SRX is handling the traffic. Refer to the Troubleshooting Flow thread at the top of this board. That should give you an idea of what is happening.

-Richard

Recognized Expert
wimclend
Posts: 275
Registered: 04-03-2009

Re: FTP over SSL Explicit

I THINK the problem might be because your custom services don't include the source-port option.

Someone feel free to correct me if I'm wrong, but I think that it is required, even if JUNOS won't scream at you during a commit for it.

If you get it working please post back and let us know in case someone else runs into the same issue!

Good luck,

Will

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: FTP over SSL Explicit

Source port is not required in your custom application. Absence of source port means any source port would match. Better to run the flow traces and that will tell you what part is failing.

-Richard

Contributor
noas
Posts: 10
Registered: 07-18-2008

Re: FTP over SSL Explicit

I'm curious to know if the FTP ALG is breaking your connection... What hardware platform & OS version are you using?

If it were me... I would try turning it off and testing to see what happens.

set security alg ftp disable

Please share if this makes any difference.

New User
ericp726
Posts: 1
Registered: 02-24-2010

Re: FTP over SSL Explicit

I'm having this same issue with an SRX 5800.  Started a ticket with JTAC but no resolution yet.  I have disabled the FTP ALG but the issue persists.  We moved users from behind a redundant pair of Juniper 5200s and this issue did not exist.  As soon as we moved our customers behind the SRX they could no longer perform FTP over explicit SSL.

We moved the customer back behind the 5200 and the connection works again so I know the block is taking place on the SRX.

JTAC had me start a traceoption and this is what I'm seeing:


Feb 24 22:31:26 22:31:25.1117349:CID-01:FPC-10:PIC-01:THREAD_ID-16:RT:FTP trace nat_ftp_line_break:1924
Feb 24 22:31:26 22:31:25.1117367:CID-01:FPC-10:PIC-01:THREAD_ID-16:RT:FTP line-breaker found, total length = 6, residual length = 0
Feb 24 22:31:32 22:31:31.921496:CID-01:FPC-10:PIC-01:THREAD_ID-08:RT:FTP trace nat_ftp_line_break:1924
Feb 24 22:31:32 22:31:31.921516:CID-01:FPC-10:PIC-01:THREAD_ID-08:RT:FTP line-breaker found, total length = 6, residual length = 0
Feb 24 22:31:32 22:31:31.946478:CID-01:FPC-10:PIC-01:THREAD_ID-10:RT:FTP trace nat_ftp_line_break:1924
Feb 24 22:31:32 22:31:31.946496:CID-01:FPC-10:PIC-01:THREAD_ID-10:RT:FTP line-breaker found, total length = 6, residual length = 0
Feb 24 22:31:32 22:31:31.946977:CID-01:FPC-10:PIC-01:THREAD_ID-29:RT:FTP trace nat_ftp_line_break:1924
Feb 24 22:31:32 22:31:31.946992:CID-01:FPC-10:PIC-01:THREAD_ID-29:RT:FTP line-breaker found, total length = 30, residual length = 0

New User
Georg
Posts: 1
Registered: 08-23-2010

Re: FTP over SSL Explicit

Turning off the FTP ALG worked in my case. Thanks for the tip.

Note that a regular FTPS connection was still refused by my SRX-240; be sure to connect over FTPES!

Trusted Contributor
Digs
Posts: 57
Registered: 08-25-2010

Re: FTP over SSL Explicit

Instead of turning off the FTP ALG, you could try

set security alg ftp ftps-extension

I had a similar problem and doing this resolved it.

Contributor
peterbishop
Posts: 83
Registered: 04-16-2013

Re: FTP over SSL Explicit

You'll need to specify your passive data ports that FileZilla is listening on.  Check out my post on this other thread.

http://forums.juniper.net/t5/SRX-Services-Gateway/FTPS-not-working-from-internet-hosts/m-p/224535/hi...
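The replies above converge on the same point: the FTP ALG reads the plaintext control channel to open data-port pinholes and to rewrite the private address embedded in the server's 227 reply, and once AUTH TLS succeeds it can no longer read either, so the data connection only gets through if a policy (the FTP-Passive application in the first post) permits the passive range explicitly. The block below is an added example, not code from this thread, from Juniper, or from FileZilla: a small Python model of that control-channel inspection run over two constructed transcripts, plain FTP and explicit FTPS. The public/private addresses and the 51500-51550 range are taken from the first post; the data port 4000, the usernames, the stand-in TLS record bytes, and all function and field names (alg_inspect, run_session, AlgState) are assumptions for illustration.

```python
"""Toy model of a NAT-aware FTP ALG watching the control channel.

Added example, not the SRX implementation: it shows why an explicit FTPS
session leaves the ALG blind, so the passive data ports must be permitted
by policy (and the server must advertise the public address itself).
"""
import re
from dataclasses import dataclass, field

# Addresses from the thread's static NAT rule; ports from its FTP-Passive application.
PUBLIC_IP = "67.220.151.197"
PRIVATE_IP = "10.1.1.10"
POLICY_PASSIVE_PORTS = range(51500, 51551)   # permitted without any ALG help

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(reply: bytes):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_REPLY.match(reply)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return ".".join(str(o) for o in h[:4]), h[4] * 256 + h[5]


def encode_pasv(ip: str, port: int) -> bytes:
    """Build a 227 reply advertising ip:port."""
    octets = ",".join(ip.split(".")).encode()
    return b"227 Entering Passive Mode (%s,%d,%d).\r\n" % (octets, port // 256, port % 256)


@dataclass
class AlgState:
    auth_requested: bool = False
    encrypted: bool = False                          # set once the server accepts AUTH TLS
    pinholes: list = field(default_factory=list)     # data ports the ALG opened
    rewrites: list = field(default_factory=list)     # 227 replies whose address it NATed
    opaque_bytes: int = 0                            # control bytes it could not parse


def alg_inspect(direction: str, line: bytes, st: AlgState) -> bytes:
    """Inspect one control-channel line ('c2s' or 's2c') and return what is forwarded."""
    if st.encrypted:
        st.opaque_bytes += len(line)                 # ciphertext: nothing to parse
        return line
    if direction == "c2s":
        if line.upper().startswith((b"AUTH TLS", b"AUTH SSL")):
            st.auth_requested = True
        return line
    if st.auth_requested and line.startswith(b"234"):   # 234 = security mechanism accepted
        st.encrypted = True
        return line
    parsed = decode_pasv(line)
    if parsed:
        ip, port = parsed
        st.pinholes.append(port)                     # let the client's SYN to this port in
        if ip == PRIVATE_IP:                         # static NAT: fix the embedded address
            st.rewrites.append(port)
            return encode_pasv(PUBLIC_IP, port)
    return line


def data_connection_allowed(port: int, st: AlgState) -> bool:
    """A client SYN to PUBLIC_IP:port passes via an ALG pinhole or an explicit policy."""
    return port in st.pinholes or port in POLICY_PASSIVE_PORTS


def run_session(transcript, client_data_port: int) -> dict:
    """Feed a transcript through the ALG; report whether the data connection would pass."""
    st = AlgState()
    forwarded = [alg_inspect(d, l, st) for d, l in transcript]
    return {
        "encrypted": st.encrypted,
        "pinholes": st.pinholes,
        "forwarded_227": [l for l in forwarded if l.startswith(b"227")],
        "opaque_bytes": st.opaque_bytes,
        "data_allowed": data_connection_allowed(client_data_port, st),
    }


# Constructed transcripts. Plain FTP: the server picks port 4000 (outside the
# policy range) and advertises its private address, which the ALG must fix.
PLAIN_FTP = [
    ("s2c", b"220 Ready.\r\n"),
    ("c2s", b"USER alice\r\n"), ("s2c", b"230 Logged in.\r\n"),
    ("c2s", b"PASV\r\n"),
    ("s2c", encode_pasv(PRIVATE_IP, 4000)),
]
# Explicit FTPS (FTPES): after 234 the PASV/227 exchange happens inside TLS.
# The byte strings below merely stand in for TLS records (constructed data).
EXPLICIT_FTPS = [
    ("s2c", b"220 Ready.\r\n"),
    ("c2s", b"AUTH TLS\r\n"), ("s2c", b"234 Proceed with negotiation.\r\n"),
    ("c2s", b"\x16\x03\x01\x00\x2a" + b"\x11" * 42),   # ClientHello
    ("s2c", b"\x16\x03\x03\x00\x31" + b"\x22" * 49),   # ServerHello
    ("c2s", b"\x17\x03\x03\x00\x18" + b"\x8c" * 24),   # encrypted PASV
    ("s2c", b"\x17\x03\x03\x00\x30" + b"\x3f" * 48),   # encrypted 227
]

if __name__ == "__main__":
    print(run_session(PLAIN_FTP, 4000))        # pinhole opened, 227 rewritten
    print(run_session(EXPLICIT_FTPS, 4000))    # no pinhole, no policy: data channel hangs
    print(run_session(EXPLICIT_FTPS, 51510))   # inside FTP-Passive range: permitted
```

In the model, the FTPES session ends up exactly where the original poster was: the ALG saw "AUTH TLS" and "234" and nothing useful afterwards, so a passive port outside 51500-51550 is never opened and the client hangs after the TLS handshake. The two fixes in the thread map onto the model directly: `set security alg ftp ftps-extension` or `set security alg ftp disable` stops the ALG from interfering with the encrypted control channel, and the FTP-Passive application plus a server-side passive range (FileZilla's listening ports, per peterbishop's reply) supplies the pinholes the ALG can no longer create. One caveat the model also makes visible: with the control channel encrypted, the firewall cannot rewrite the private address in the 227 reply either, so the FTP server itself has to advertise the public address in its passive replies.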