Hello FW-1 godz, FW-1 ver 4.1 Solaris 7
Here's a brief overview. User explains that they have automated ftp jobs that run every hour from a mainframe to an ftp server. User says that occasionally, maybe once a day or so, these jobs will fail and have to be restarted. I run some snoops in the background and redirect to a file to capture the ftp sessions. User calls me when one fails so I can discontinue the capture. Of course I expected to find nothing of interest. Unfortunately that was/is not the case. Pasted below are the snoop captures between the mainframe and the ftp server. The file names are above each section and I believe self explanatory. This is the FAILED ftp session. If you will notice in the first section the PORT command is sent to the ftp server yet never leaves the other side of the FW in qfe0out.txt. If I recall the port command is used the establish the port to be used by the DATA-Channel connection. Since the server never receives the PORT command I imagine it closes the connection and hence the FTP fails and has to be restarted. I also have a successful ftp session between the two hosts. The packets match up one for one on the way there and on the way back. In other words if it comes in one interface it goes out the other. Does anyone have any idea as to why this would happen ?!?!?!?!?!?!!?!? HELP ME !!!!!!!!!!!!!!!!!! Note: IP's and any sensitive info has been changed to bogus entries... hme0in.txt 10.11.12.13 -> 192.168.13.14 FTP C port=1568 10.11.12.13 -> 192.168.13.14 FTP C port=1568 10.11.12.13 -> 192.168.13.14 FTP C port=1568 USER ardvark\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 PASS cacadoodldo\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 MODE S\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 SITE SPATULA LRECL= 10.11.12.13 -> 192.168.13.14 FTP C port=1568 PORT 10,11,12,13,6 10.11.12.13 -> 192.168.13.14 FTP C port=1568 qfe0out.txt 10.11.12.13 -> 192.168.13.14 FTP C port=1568 10.11.12.13 -> 192.168.13.14 FTP C port=1568 10.11.12.13 -> 192.168.13.14 FTP C port=1568 USER ardvark\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 PASS cacadoodldo\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 MODE S\r\n 10.11.12.13 -> 192.168.13.14 FTP C port=1568 SITE SPATULA LRECL= 10.11.12.13 -> 192.168.13.14 FTP C port=1568 qfe0backin.txt 192.168.13.14 -> 10.11.12.13 FTP R port=1568 192.168.13.14 -> 10.11.12.13 FTP R port=1568 220 maniac FTP ser 192.168.13.14 -> 10.11.12.13 FTP R port=1568 331 Password require 192.168.13.14 -> 10.11.12.13 FTP R port=1568 230 User ardvark logged 192.168.13.14 -> 10.11.12.13 FTP R port=1568 200 MODE S ok.\r\n 192.168.13.14 -> 10.11.12.13 FTP R port=1568 500 'SITE SPATULA L 192.168.13.14 -> 10.11.12.13 FTP R port=1568 500 'SITE SPATULA L hme0backout.txt 192.168.13.14 -> 10.11.12.13 FTP R port=1568 192.168.13.14 -> 10.11.12.13 FTP R port=1568 220 maniac FTP ser 192.168.13.14 -> 10.11.12.13 FTP R port=1568 331 Password require 192.168.13.14 -> 10.11.12.13 FTP R port=1568 230 User ardvark logged 192.168.13.14 -> 10.11.12.13 FTP R port=1568 200 MODE S ok.\r\n 192.168.13.14 -> 10.11.12.13 FTP R port=1568 500 'SITE SPATULA L 192.168.13.14 -> 10.11.12.13 FTP R port=1568 192.168.13.14 -> 10.11.12.13 FTP R port=1568 500 'SITE SPATULA L ================================================= To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
