SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper SRX100 FTP pass through

    Posted 04-29-2015 22:26

    Hello, I have two networks: 172.17.20.0/24 and 172.17.21.0/24.

    There is an FTP server at 172.17.20.3.

    I am trying to connect from the 172.17.21.0/24 network to the FTP server, and it fails:

     

    Status:	Connecting to 172.17.20.3:21...
    Status:	Connection established, waiting for welcome message...
    Error:	Connection timed out
    Error:	Could not connect to server

    Both networks are in the trust zone, and there is a policy allowing traffic between them:

     

    show security policies from-zone trust to-zone trust
    policy office {
        match {
            source-address TCO;
            destination-address TCO;
            application any;
        }
        then {
            permit;
        }
    } 


  • 2.  RE: Juniper SRX100 FTP pass through
    Best Answer

    Posted 04-29-2015 23:13

    Hi,

     

    What kind of FTP are you using (active or passive)?

    By default the FTP ALG is enabled on the SRX. Have you tried disabling it?

     

    > show security alg status

    # set security alg ftp disable

    # commit

     

    If this does not help, then please apply flow trace-options for this traffic:

    http://kb.juniper.net/KB16108

    http://kb.juniper.net/KB16233

     

     

    Regards,

    Srinath
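To make the "disable the FTP ALG" advice above something you can reason about rather than just try, here is an added illustration (written for this thread, not code from the post or from Juniper) of the control-channel inspection an FTP ALG performs: it reads PORT/EPRT commands from the client and 227/229 replies from the server, derives the endpoint of the upcoming data connection, and opens a pinhole for it. It also checks that the announced address belongs to the peer that announced it, the check any ALG needs before opening a hole, since otherwise a client or server could have the firewall open a pinhole towards a third party (the FTP bounce problem). The server 172.17.20.3 and the two subnets are from the original post; the client host 172.17.21.10, the session lines and the contents of the TCO address set are constructed for the example. The policy model at the end shows why disabling the ALG did no harm here: a trust-to-trust "application any" policy whose source and destination sets both contain the two subnets already permits the data connection in either direction, whereas a one-way policy would still need the pinhole for active mode.

```python
"""Toy model of the control-channel inspection an FTP ALG performs.
Added example for this thread, not Junos code. The client address, the
session lines and the TCO address set contents are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pinhole:
    src: str    # host that will open the data connection
    dst: str    # host that must accept it
    dport: int  # destination port of the data connection
    mode: str   # "passive" (client connects out) or "active" (server connects back)


PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|$", re.I)


def _check_owner(announced, expected):
    # An address announced in PORT/PASV must belong to the peer that sent it;
    # otherwise the firewall would open a hole towards a third party (FTP bounce).
    if ip_address(announced) != ip_address(expected):
        raise ValueError(f"announced {announced} but peer is {expected}")


def parse_control_line(line, client_ip, server_ip):
    """Return the Pinhole a data-channel announcement implies, or None for other lines."""
    line = line.strip()
    if m := PASV_RE.match(line):
        a, b, c, d, p1, p2 = map(int, m.groups())
        host, port = f"{a}.{b}.{c}.{d}", p1 * 256 + p2   # port is hi*256+lo
        _check_owner(host, server_ip)
        return Pinhole(client_ip, host, port, "passive")
    if m := EPSV_RE.match(line):
        return Pinhole(client_ip, server_ip, int(m.group(1)), "passive")
    if m := PORT_RE.match(line):
        a, b, c, d, p1, p2 = map(int, m.groups())
        host, port = f"{a}.{b}.{c}.{d}", p1 * 256 + p2
        _check_owner(host, client_ip)
        return Pinhole(server_ip, host, port, "active")
    if m := EPRT_RE.match(line):
        host, port = m.group(1), int(m.group(2))
        _check_owner(host, client_ip)
        return Pinhole(server_ip, host, port, "active")
    return None


def permitted_without_alg(pinhole, policies):
    """policies: list of (source address set, destination address set), each a
    list of CIDRs, every policy permitting 'application any'. True when the data
    connection already matches a policy on its own, i.e. the ALG pinhole is redundant."""
    src, dst = ip_address(pinhole.src), ip_address(pinhole.dst)
    return any(any(src in ip_network(s) for s in srcs)
               and any(dst in ip_network(d) for d in dsts)
               for srcs, dsts in policies)


def analyse(session, client_ip, server_ip, policies):
    """Walk the control channel and report, per announcement, what the ALG would do."""
    results = []
    for line in session:
        try:
            ph = parse_control_line(line, client_ip, server_ip)
        except ValueError as err:
            results.append({"line": line, "pinhole": None, "verdict": f"rejected: {err}"})
            continue
        if ph is None:
            continue
        ok = permitted_without_alg(ph, policies)
        results.append({"line": line, "pinhole": ph,
                        "verdict": "permitted by policy" if ok else "needs ALG pinhole"})
    return results


CLIENT, SERVER = "172.17.21.10", "172.17.20.3"          # client host is constructed
TCO = ["172.17.20.0/24", "172.17.21.0/24"]              # assumed contents of the address set
POLICIES = [(TCO, TCO)]                                  # the thread's trust-to-trust policy
SESSION = [                                              # constructed control-channel lines
    "PASV",
    "227 Entering Passive Mode (172,17,20,3,195,80).",   # passive: client -> server:50000
    "PORT 172,17,21,10,4,1",                             # active: server -> client:1025
    "227 Entering Passive Mode (10,0,0,9,0,21).",        # forged: points at a third party
]

if __name__ == "__main__":
    for r in analyse(SESSION, CLIENT, SERVER, POLICIES):
        print(r["line"], "->", r["pinhole"], r["verdict"])
```

The ownership check is deliberately strict; an ALG that accepts any address in a 227 reply or PORT command can be made to open holes to hosts that never took part in the session. Whether Junos applies exactly this check is not something the thread shows, so treat the model as the behaviour you want, not as a description of the SRX implementation.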



  • 3.  RE: Juniper SRX100 FTP pass through

    Posted 04-30-2015 11:33

    Disabling the FTP ALG helped and now it starts to work, but the connection speed is about 30-40 kbps and it is interrupted regularly.

    I will provide trace options for the traffic later, if needed.

     

    @thegoggel

    It's an address set; it contains several subnets.



  • 4.  RE: Juniper SRX100 FTP pass through

    Posted 04-30-2015 21:27

    Glad that it started working. The next step is to tweak the MSS value.

    # set security flow tcp-mss all-tcp mss 1350

     

    Now that it's working, I'm not sure how helpful flow trace options will be.

     

     

    Regards,

    Srinath

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
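For readers who want to see what the `tcp-mss` knob suggested above actually does to traffic, here is an added example (written for this thread, not Junos code): a middlebox MSS clamp rewrites the MSS option in passing SYN segments down to the configured limit and recomputes the TCP checksum, so that both ends agree on smaller segments and avoid fragmentation or black-holing on a path with a reduced MTU. The `all-tcp` form applies to every TCP session the SRX forwards, not only FTP, which is why it is also the way to verify the change: capture a SYN on the far side and read its MSS option. The SYN below is constructed; the server address is from the thread and the client host 172.17.21.10 is made up.

```python
"""Added example, not Junos code: what an MSS clamp such as
'set security flow tcp-mss all-tcp mss 1350' does to a TCP SYN, plus the
option parser you would use to confirm it from a capture.
The SYN segment is constructed; the client address is made up."""
import struct
from ipaddress import ip_address


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF or 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """A SYN carrying MSS, window scale and SACK-permitted options, NOP padded to 32 bits."""
    options = (struct.pack("!BBH", 2, 4, mss) + b"\x01"
               + struct.pack("!BBB", 3, 3, 7) + b"\x04\x02" + b"\x01\x01")
    offset = (20 + len(options)) // 4                       # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, offset << 4, 0x02, 65535, 0, 0)
    seg = header + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def parse_tcp_options(segment):
    """Return (kind, offset-within-options, value) for each option; NOP and EOL are handled."""
    hlen = (segment[12] >> 4) * 4
    opts, i, out = segment[20:hlen], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                       # end of option list
            break
        if kind == 1:                                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        out.append((kind, i, opts[i + 2:i + length]))
        i += length
    return out


def read_mss(segment):
    """The MSS the sender advertised, or None if the SYN carries no MSS option."""
    for kind, _, value in parse_tcp_options(segment):
        if kind == 2 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(src_ip, dst_ip, segment, limit):
    """Rewrite the MSS option of a SYN down to `limit` and fix the checksum, which is
    what a middlebox clamp does. Non-SYN segments and MSS values already at or below
    the limit are returned unchanged."""
    if not segment[13] & 0x02:
        return segment
    for kind, off, value in parse_tcp_options(segment):
        if kind == 2 and len(value) == 2 and struct.unpack("!H", value)[0] > limit:
            pos = 20 + off + 2                              # option kind and length precede the value
            new = segment[:pos] + struct.pack("!H", limit) + segment[pos + 2:]
            return new[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, new)) + new[18:]
    return segment


if __name__ == "__main__":
    src, dst = "172.17.21.10", "172.17.20.3"               # client host is constructed
    syn = build_syn(src, dst, 40000, 21, 1460)
    clamped = clamp_mss(src, dst, syn, 1350)
    print("before:", read_mss(syn), "after:", read_mss(clamped), "checksum ok:", checksum_ok(src, dst, clamped))
```

The clamp touches only SYN segments, so existing sessions keep the MSS they negotiated until they are re-established; when checking the effect, look at a fresh connection. A clamp that forgets the checksum step produces segments the receiving host silently drops, which looks very much like the "connects, then times out" symptom at the top of this thread.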



  • 5.  RE: Juniper SRX100 FTP pass through

    Posted 04-30-2015 06:49

    Is it me reading it incorrectly, or are the source and destination addresses in the policy the same address?


    @Nomad-71 wrote:

    Hello, I have two networks: 172.17.20.0/24 and 172.17.21.0/24.

    There is an FTP server at 172.17.20.3.

    I am trying to connect from the 172.17.21.0/24 network to the FTP server, and it fails:

     

    Status:	Connecting to 172.17.20.3:21...
    Status:	Connection established, waiting for welcome message...
    Error:	Connection timed out
    Error:	Could not connect to server

    Both networks are in the trust zone, and there is a policy allowing traffic between them:

     

    show security policies from-zone trust to-zone trust
    policy office {
        match {
            source-address TCO;
            destination-address TCO;
            application any;
        }
        then {
            permit;
        }
    }