SRX240H2 FTP Active Mode - Issue when client reuses port

‎05-19-2014 07:39 PM



We recently installed SRX240H2 as border router in our network and been having some issue with FTP transfers since then.


We have a server on our network, on a public IP range, that accesses a number of external FTP servers to download files multiple times during the day. In some cases it can be accessing the same remote server, for multiple accounts, at same time.


We have been having some issue with downloading files, randomnly, where the data connection opens a port and then just gets stuck there.


After spending a long time debugging the issue I believe the error is to do with session lookup in SRX.


What I have noticed is that if the FTP client reuses one of the port for data connection, it seems SRX is trying to match it to old session and hence rejects connection from server due to TCP SYN checking (in matching the session).


There is no NATing happening between these connections, at least at our end, as the server is on public IP.


To clarify a bit further


Client: A.B.C.D opens port 10000 and receive connection from W.X.Y.Z port 20 and successfully receives a file.


After downloading few more files,


Client: A.B.C.D again opens port 10000 and but then does not receive any connection from server.


Is this a known issue? Is there any fix/workaround for this?


Please advise what logs I could include to assist in identifying the cause?




Re: SRX240H2 FTP Active Mode - Issue when client reuses port

‎05-27-2014 07:16 AM

Every time data transfer is complete, the session should be closed by client /serverand subsequently, srx will clear the session.

If you suspect syn checking is the problem, disable syn checkon flow to confirm.

Reenable syn check after test.

But I would advise to run flow traces to check the flow of packets in the firewall.




