SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-05-2015 08:31

    Hi everyone,

    I'm looking into an issue here which resides only on the corporate network going through our SRX fw. Once I disconnect and connect to my hotspot public internet off my cell phone, the connection establishes.

    The connection is using FileZilla and is configured via SFTP and it's using a custom port in the 6XXXX range, proxy bypassed. I checked our network management toolset and I see the sessions flowing through the 6xxxx port only without any blockages. The SRX fw rule set is configured from internal to out and allows the 6xxxx port to the server along with port 22. When I connect from the public internet, I get acknowledged immediately for the server's host key and once acknowledged, I'm connected with the directory structure. When I connect on the network, I get the below:

    Status: Connecting to serverhost:6xxxx...
    Response: fzSftp started, protocol_version=2
    Command: open "user@serverhost" 6xxxx
    Error: Network error: Software caused connection abort
    Error: Could not connect to server

     

    I checked the Wireshark logs and all of the packets are being dropped FROM the server back to the network.  I see the traffic flowing from internal out and a ton of retransmissions... seems like the issue is the ftp server communicating back external-internal traffic flows.

     

    set security alg ftp ftps-extension is configured on the SRX.


    Any ideas on how I can troubleshoot this further from the SRX?

    Thank you!



  • 2.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-05-2015 10:36

    Hey, 

     

    Could you please provide us the SRX configuration?

     

     



  • 3.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-05-2015 11:24

    Sorry, I can't provide a company's configuration to the public.



  • 4.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-05-2015 11:38

    As you want 🙂 you don't have to share secret, not related data in the SRX config.
    Anyway, most likely some policy or NAT is interfering with the connection.



  • 5.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-05-2015 12:48

    I had this issue before.  What version of JunOS are you running?  I had this when upgrading from version 11.x to 12.1X44-D35.5

     

    I had to create a custom application:

     

    root@FW# show applications application FTPS22
    term 1 alg ftp protocol tcp destination-port 22;

     

    I also have this included as an application in my security policy as I am sure you do:

     

    root@FW# show applications application TCP5k6k
    protocol tcp;
    destination-port 5000-6000;

     



  • 6.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-06-2015 05:02

    Yes, we're running the same version! 12.1X44-D35.5

     

    Do you have the configs which were used for your application sets? On my policy, I have the ssh port 22 and the custom 6xxxx port configured.  Would both require custom alg application sets?

     

    I ran some bidirectional source/dest tracepolicies and no policies are blocking any of the traffic.  Traffic from the dest to source eventually gets its packets dropped "packet dropped, first pak not sync" probably due to the session timing out.  I also see no mention of ALG running in the trace log.

     

    Thanks!



  • 7.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 08-06-2015 14:13

    No just the SSH.  Here is my policy:

     

    match {
        source-address any;
        destination-address [ FTP1 ];
        application [ TCP5k6k FTPS22 ];
    }
    then {
        permit;
    }

     

    -----------------

     

    show applications application TCP5k6k
    protocol tcp;
    destination-port 5000-6000;

     

    show applications application FTPS22    
    term 1 alg ftp protocol tcp destination-port 22;

     

     

    That should get you going.

     



  • 8.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 01-10-2017 14:14
    This didn't work for me, worked via ssg, srx swap out and unable to get any response to initial connection? Connection to server times out? I can connect to the server using same version of FileZilla via a ssg? Alg enabled, and disabled?


  • 9.  RE: SFTP to External Server Issues - Network error: Software caused connection abort

    Posted 01-11-2017 11:49

    try some debugging:

    set security flow traceoptions file SFTPTRACE
    set security flow traceoptions file size 2m <====modify file size as fit
    set security flow traceoptions file files 10 <===set number of log files as fit
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions flag packet-drops <===== flag all
    set security flow traceoptions packet-filter F1 source-port <> <====could also add filter for source-address
    set security flow traceoptions packet-filter F2 destination-port <> <====could also add filter for destination-address

     

    You will learn which policy is causing the packet drops.

     

    Take a look at this article, it may also help explain:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB19444&actp=search
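
Added example, not part of the original posts: once a trace file like SFTPTRACE has been collected, a short script can tally the "packet dropped" reasons per flow so that return-direction drops, such as the "first pak not sync" drops reported earlier in the thread, stand out. The line layout, the regular expressions and the sample lines (documentation addresses, port 60022) are constructed assumptions; the exact trace format varies by Junos release.

```python
import re
from collections import Counter

# Constructed sample modelled on flow trace output (assumed layout, not a real capture).
SAMPLE_TRACE = """\
Aug  6 05:02:11 05:02:11.812345:CID-0:RT:<10.1.1.5/51515->203.0.113.10/60022;6> matched filter F2:
Aug  6 05:02:11 05:02:11.812460:CID-0:RT:  flow session id 4242
Aug  6 05:02:41 05:02:41.100200:CID-0:RT:<203.0.113.10/60022->198.51.100.7/51515;6> matched filter F1:
Aug  6 05:02:41 05:02:41.100260:CID-0:RT:  packet dropped, first pak not sync
Aug  6 05:02:42 05:02:42.300100:CID-0:RT:<203.0.113.10/60022->198.51.100.7/51515;6> matched filter F1:
Aug  6 05:02:42 05:02:42.300150:CID-0:RT:  packet dropped, first pak not sync
"""

# Header that opens each traced packet: <src/port->dst/port;proto> matched filter NAME:
FLOW_RE = re.compile(r"<(\S+?)/(\d+)->(\S+?)/(\d+);(\d+)>\s+matched filter (\S+?):")
# Drop line; everything after the comma is the reason text.
DROP_RE = re.compile(r"packet dropped,\s*(.+?)\s*$")


def summarize_drops(trace_text):
    """Count drop reasons, attributing each to the flow header that preceded it."""
    drops = Counter()
    flow = None  # stays None if a drop appears before any flow header
    for line in trace_text.splitlines():
        header = FLOW_RE.search(line)
        if header:
            src, sport, dst, dport, proto, _filter = header.groups()
            flow = (src, int(sport), dst, int(dport), int(proto))
            continue
        drop = DROP_RE.search(line)
        if drop:
            drops[(flow, drop.group(1))] += 1
    return drops


def drops_from_port(drops, port):
    """Keep only drops whose source port is `port` (server-to-client replies)."""
    return {key: n for key, n in drops.items() if key[0] and key[0][1] == port}


if __name__ == "__main__":
    for (flow, reason), count in summarize_drops(SAMPLE_TRACE).most_common():
        print(count, flow, reason)
```
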