bcote
New Member
September 15, 2017
Question

Outbound FTP and FTPs connections result in Client-RST and never allow connection


Hi,

Since we migrated to a Fortigate solution, I have been having some issues with connecting to outbound FTP servers. Currently, I have an issue with 2 government entities that require us to upload information to their systems. One uses plain FTP (in this day and age...) and the other FTPS... nothing to help me out. So far the same result happens when I use a client or server that resides behind my Fortigate and tries to do an outbound connection. I have tried different FTP clients (FileZilla, CoreFTP, and others) with no positive results. When I look through the Forward Traffic, I see the outbound connections being detected by the Application Control applied on my policy; it states that it is allowed and that the action is Client-RST. I've read that the RST isn't necessarily an indication that something went wrong, but so far it is the only thing I can look into. I have opened a ticket with support, but in the meantime, I was wondering if any of you had experienced this type of issue before.

I can use the same configurations (on the FTP client) on my laptop, which uses a different line to bypass the firewall, and I am able to connect and get a directory listing. When I am going through the Fortigate, I get "connection successful" but then it hangs at the directory listing and after 20 seconds times out and retries. I've tried removing all security policies and removing the outbound firewall NAT to simply use the ISP-provided IP... nothing seems to matter.

I expect FTPS to be a bit of an issue simply due to the nature of it, but FTP on port 21... why would this be an issue?

Any input would be appreciated.

Ben


    oheigl
    New Member
    September 18, 2017

    Did you modify something with the session helper regarding the FTP? Is it working if you set the outgoing policy to any/all service? It seems like the data channel on the random high port is not working, that's most likely a session helper problem.

    Can you do a debug flow of the connection? (http://kb.fortinet.com/kb/viewContent.do?externalId=FD30038 - Step 4)

    bcote (Author)
    New Member
    September 18, 2017

    Hi Oheigl,

    As far as I can tell, I don't have an FTP session-helper... The only one I did remove was the SIP-ALG, as it was actually causing us issues with our SIP provider, but the other 19 are still all there and there isn't anything related to FTP. So I added the session-helper and rebooted the firewall, and still no joy.

    I did try to do a full Any/all policy initially, thinking it was most likely a rule or security services blocking, but it still wouldn't go through.

    I am not as familiar with debug trace on Fortigate, but if I follow the steps in the KB you linked, I see many traces to my Gateway (SDWAN to public NAT IP), but it doesn't give me much detail on the FTP connection itself, nor do I see any type of deny, only a ton of allows.

    Here is what comes out (with modified information) if that can indicate something to someone.

    id=20085 trace_id=1462 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag , seq 1871012443, ack 0, win 64240"
    id=20085 trace_id=1462 func=init_ip_session_common line=5519 msg="allocate a new session-227bb1ba"
    id=20085 trace_id=1462 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1462 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
    id=20085 trace_id=1462 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1462 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 12, vtag->np6_index 1"
    id=20085 trace_id=1463 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [S.], seq 526153893, ack 1871012444, win 29200"
    id=20085 trace_id=1463 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1463 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1463 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1463 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1464 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag [.], seq 1871012444, ack 526153894, win 257"
    id=20085 trace_id=1464 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, original direction"
    id=20085 trace_id=1464 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1464 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1464 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 1"
    id=20085 trace_id=1465 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526153894, ack 1871012444, win 229"
    id=20085 trace_id=1465 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1465 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1465 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1465 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1466 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag [.], seq 1871012444, ack 526153914, win 257"
    id=20085 trace_id=1466 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, original direction"
    id=20085 trace_id=1466 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1466 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1466 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 1"
    id=20085 trace_id=1467 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526153914, ack 1871012454, win 229"
    id=20085 trace_id=1467 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1467 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1467 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1467 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1468 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526153914, ack 1871012454, win 229"
    id=20085 trace_id=1468 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1468 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1468 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1468 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1469 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag [.], seq 1871012454, ack 526153952, win 257"
    id=20085 trace_id=1469 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, original direction"
    id=20085 trace_id=1469 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1469 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1469 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 1"
    id=20085 trace_id=1470 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526153952, ack 1871012464, win 229"
    id=20085 trace_id=1470 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1470 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1470 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1470 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1471 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag [.], seq 1871012464, ack 526153990, win 257"
    id=20085 trace_id=1471 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, original direction"
    id=20085 trace_id=1471 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1471 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1471 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 1"
    id=20085 trace_id=1472 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526153990, ack 1871012478, win 229"
    id=20085 trace_id=1472 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1472 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1472 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1472 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
    id=20085 trace_id=1473 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag [.], seq 1871012478, ack 526154024, win 257"
    id=20085 trace_id=1473 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, original direction"
    id=20085 trace_id=1473 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-GW-ISP-IP via port17"
    id=20085 trace_id=1473 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161"
    id=20085 trace_id=1473 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 138, vtag->vid 0 vtag->sip[0] 1f69a8e, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 61891, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 1"
    id=20085 trace_id=1474 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [.], seq 526154024, ack 1871012491, win 229"
    id=20085 trace_id=1474 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-227bb1ba, reply direction"
    id=20085 trace_id=1474 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"
    id=20085 trace_id=1474 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.1.99.243 via LAN-LACP-P39P40"
    id=20085 trace_id=1474 func=np6_hif_nturbo_build_vtag line=867 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 224, vtag->vid 0 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_index 69"
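
The debug flow above is hard to read as one run-on line. As an added example (not part of the thread), this Python snippet splits a `diag debug flow` dump into records, summarises each trace_id (packet tuple, policy decision, NAT), and lists any trace that is not on the control port, which is what a working FTP helper's data channel would look like. The sample is an excerpt of the poster's own output; the "External FTPServer" and GW-* names are the poster's placeholders.

```python
import re
from collections import OrderedDict

# Two traces excerpted from the posted debug flow (SYN out, SYN/ACK back).
SAMPLE = (
    'id=20085 trace_id=1462 func=print_pkt_detail line=5363 msg="vd-root received a packet'
    '(proto=6, 10.1.99.243:50161->External FTPServer:21) from LAN-LACP-P39P40. flag , seq 1871012443, ack 0, win 64240" '
    'id=20085 trace_id=1462 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT" '
    'id=20085 trace_id=1462 func=__ip_session_run_tuple line=3164 msg="SNAT 10.1.99.243->GW-SNAT-IP:50161" '
    'id=20085 trace_id=1463 func=print_pkt_detail line=5363 msg="vd-root received a packet'
    '(proto=6, External FTPServer:21->GW-SNAT-IP:50161) from port18. flag [S.], seq 526153893, ack 1871012444, win 29200" '
    'id=20085 trace_id=1463 func=__ip_session_run_tuple line=3178 msg="DNAT GW-SNAT-IP:50161->10.1.99.243:50161"'
)

RECORD = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
# Hosts may contain spaces (the poster's placeholders), hence the lazy (.+?) groups.
PACKET = re.compile(r'proto=(\d+), (.+?):(\d+)->(.+?):(\d+)\) from (\S+)\. flag ([^,]*), seq (\d+), ack (\d+)')

def parse_records(text):
    """Split the run-on dump into (trace_id, func, msg) tuples."""
    return [(m.group(1), m.group(2), m.group(3)) for m in RECORD.finditer(text)]

def summarize(text):
    """One entry per trace_id: the packet tuple from print_pkt_detail plus the
    policy verdict and NAT rewrites that follow it."""
    traces = OrderedDict()
    for trace_id, func, msg in parse_records(text):
        t = traces.setdefault(trace_id, {"nat": [], "policy": None})
        if func == "print_pkt_detail" and (p := PACKET.search(msg)):
            t.update(proto=int(p[1]), src=p[2], sport=int(p[3]), dst=p[4], dport=int(p[5]),
                     iface=p[6], flags=p[7].strip(), seq=int(p[8]), ack=int(p[9]))
        elif func == "fw_forward_handler":
            t["policy"] = msg
        elif func == "__ip_session_run_tuple":
            t["nat"].append(msg)
    return traces

def data_channel_traces(text, control_port=21):
    """Trace ids whose packet touches neither end of the control port. With a
    working FTP helper these would be the PORT/PASV data connections; the
    poster's dump yields none, matching what they describe."""
    return [tid for tid, t in summarize(text).items()
            if "sport" in t and control_port not in (t["sport"], t["dport"])]
```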

    oheigl
    New Member
    September 18, 2017

    Regarding the session-helper, you can check it with the following command; I think the example is the default configuration:

    show system session-helper | grep -f ftp

    config system session-helper
    edit 5
    set name tftp <---
    set protocol 17
    set port 69
    next
    edit 9
    set name ftp <---
    set protocol 6
    set port 21
    next
    end

    The debug flow looks good as far as the initial connection goes, but we already knew that. The problem is also that the ALL ALL ANY rule doesn't help, because the transport is going through another high port, which should be forwarded to the client similarly to the destination NAT on port 21.

    Can you give me one other piece of information? Please do a sniffer trace like this:

    diag sniffer packet any 'host <ftp_server_ip>' 4

    After you have started the trace, please try to connect again. If we can see in this output that the FTP server is trying to connect to the high port, but it's not forwarded to your LAN client, the session helper is not working.

    fcb
    Visitor III
    June 19, 2020

    I know this post is pretty old, but I want to say that I had a similar issue and the FTPS was ultimately the issue. The session helpers cannot work due to the encryption that starts the FTPS conversation. Since it's encrypted, the Fortigate does not know that it's FTP traffic, so the session-helper cannot work... It's a nightmare, but we ultimately forced active FTP and allowed SRC port 20 outbound back out from the FTP server and it worked. FTPS has got to be the biggest piece of crap ever. Hide my password, but also hide the fact that I'm using FTP from the firewall.
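
To make the last reply concrete, here is an added Python example (not from anyone in the thread) of what a stateful FTP helper has to read on the control channel to open the data-channel pinhole: the client's PORT command in active mode, or the server's 227/229 reply in passive mode. Once the client sends AUTH TLS and the server answers 234, everything after it is ciphertext and the helper learns nothing, which is why the static "server port 20 to client" rule was needed. The client address is the poster's LAN host; the server address and the control-channel excerpts are constructed.

```python
import re

# Constructed sample addresses: the client is the poster's LAN host, the server
# is a documentation-range address standing in for "External FTPServer".
CLIENT_IP, SERVER_IP = "10.1.99.243", "203.0.113.10"

PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_REPLY = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def _host_port(m):
    """Decode the h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups()[:6])
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_pinholes(control, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Walk a control channel given as (direction, line) pairs ("C" = client,
    "S" = server) the way a stateful FTP helper does. Returns (pinholes, visible):
    the data-channel flows (mode, src, dst) the helper would open, and whether it
    could still read the channel at the end. A 234 reply to AUTH TLS means the
    rest is ciphertext, so parsing stops there."""
    pinholes, auth_sent = [], False
    for direction, line in control:
        if direction == "C" and line.upper().startswith("AUTH TLS"):
            auth_sent = True
        elif direction == "S" and auth_sent and line.startswith("234"):
            return pinholes, False                  # explicit FTPS: helper is blind from here
        elif direction == "C" and (m := PORT_CMD.match(line)):
            ip, port = _host_port(m)                # active: server connects from port 20
            pinholes.append(("active", f"{server_ip}:20", f"{ip}:{port}"))
        elif direction == "S" and (m := PASV_REPLY.match(line)):
            ip, port = _host_port(m)                # passive: client connects to server's high port
            pinholes.append(("passive", f"{client_ip}:*", f"{ip}:{port}"))
        elif direction == "S" and (m := EPSV_REPLY.match(line)):
            pinholes.append(("passive", f"{client_ip}:*", f"{server_ip}:{m[1]}"))
    return pinholes, True

# Constructed control-channel excerpts.
PLAIN_PASSIVE = [("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"), ("C", "LIST")]
PLAIN_ACTIVE = [("C", "PORT 10,1,99,243,195,81"), ("C", "LIST")]
FTPS_EXPLICIT = [("C", "AUTH TLS"), ("S", "234 Proceed with negotiation."),
                 ("C", "<TLS ClientHello and everything after it: opaque to the helper>")]
```

The active-mode result is exactly the flow the last reply's static rule permits (server port 20 to the client) without the helper having to read PORT at all.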