I didn't mention the NAT, because NAT is being handled at a router that is
between the firewall and the internet:
internal network -- router -- fw1 -- router(NAT) -- internet
Our external (real) addresses are being NATed to internal (private)
addresses, in this case, 172.17.1.x.
I need to say that most FTPs work fine. I've had trouble with this IBM
site, COMPAQ's site while trying to download drivers, and a few others.
SYN-Defender is disabled. I'm not using fw sam.
I have FW-1 4.1, SP1, and hotfix, all on AIX 4.3.3.
I have also modified base.def with the 'fix' for newline and for high ports.
BTW, I have tried this without the modifications to base.def and got the
same results.
I've tried unchecking passive, and it seems to work as you would expect (and
not in reverse as suggested on the list). A trace shows that I got logged
in, requested PASV and when my machine tried to open a data port, the
firewall dropped it.
There does seem to be a relationship with PASV since, with it unchecked, I
get logged on, and with it checked, I don't get to the point of logon.
The sequence numbers seem to be ok.
The PUSH/ACK data to my machine looks like this:
00000000 3232302d 2a2a2a2a 2a2a2a2a 2a2a2a2a |220-************|
00000010 2a2a2a2a 2a2a2a2a 2a2a2a2a 2a2a2a2a |****************|
********
00000040 2a2a2a2a 2a2a2a2a 2a2a2a2a 2a2a200d |************** .|
00000050 0a |. |
This is followed by an ACK to my machine. Here's the data: (following this
is the RST to IBM from the firewall acting as my machine):
00000000 3232302d 2a202020 49424d20 534f4654 |220-* IBM SOFT|
00000010 57415245 20444f57 4e4c4f41 44204654 |WARE DOWNLOAD FT|
00000020 50205345 52564552 20202020 20202020 |P SERVER |
00000030 20202020 20202020 20202042 6f756c64 | Bould|
00000040 65722c20 436f6c6f 7261646f 202a0d0a |er, Colorado *..|
00000050 3232302d 2a202020 20202020 20202020 |220-* |
00000060 20202020 20202020 20202020 20202020 | |
********
00000090 20202020 20202020 20202020 202a200d | * .|
000000a0 0a323230 2d2a2020 54686973 20737973 |.220-* This sys|
000000b0 74656d20 70726f76 69646573 20736f66 |tem provides sof|
000000c0 74776172 65207375 70706f72 7420666f |tware support fo|
000000d0 72207468 6520666f 6c6c6f77 696e6720 |r the following |
000000e0 49424d20 20202020 20202020 20202a0d |IBM *.|
000000f0 0a323230 2d2a2020 70726f64 75637473 |.220-* products|
00000100 2e20204e 6f742061 6c6c2049 424d2070 |. Not all IBM p|
00000110 726f6475 63747320 6e6f7220 74686569 |roducts nor thei|
00000120 72206e61 74696f6e 616c206c 616e6775 |r national langu|
00000130 61676520 20202020 20202020 20202a0d |age *.|
00000140 0a323230 2d2a2020 76657273 696f6e73 |.220-* versions|
00000150 20617265 20726570 72657365 6e746564 | are represented|
00000160 206f6e20 74686973 20736572 7665722e | on this server.|
00000170 20202020 20202020 20202020 20202020 | |
00000180 20202020 20202020 20202020 20202a0d | *.|
00000190 0a323230 2d2a2020 20202020 20202020 |.220-* |
000001a0 20202020 20202020 20202020 20202020 | |
********
000001d0 20202020 20202020 20202020 20202a0d | *.|
000001e0 0a323230 2d2a2020 2f616978 20202020 |.220-* /aix |
000001f0 20202d20 41495820 50544673 20284669 | - AIX PTFs (Fi|
00000200 78646973 74292061 6e64206d 6f72652c |xdist) and more,|
00000210 20205365 65205245 41444d45 5f414958 | See README_AIX|
00000220 20202020 20202020 20202020 20202a0d | *.|
00000230 0a323230 2d2a2020 2f617334 30302020 |.220-* /as400 |
00000240 20202d20 41532f34 30302053 6f667477 | - AS/400 Softw|
00000250 61726520 20202020 20202020 20202020 |are |
00000260 20202020 20202020 20202020 20202020 | |
00000270 20202020 20202020 20202020 20202a0d | *.|
00000280 0a323230 2d2a2020 2f646576 69636573 |.220-* /devices|
00000290 20202d20 536f6674 77617265 20696e20 | - Software in |
000002a0 73757070 6f727420 6f662068 61726477 |support of hardw|
000002b0 61726520 64657669 6365732e 20202020 |are devices. |
000002c0 20202020 20202020 20202020 20202a0d | *.|
000002d0 0a323230 2d2a2020 2f707269 6e746572 |.220-* /printer|
000002e0 73202d20 49424d20 5072696e 74696e67 |s - IBM Printing|
000002f0 20537973 74656d73 20436f6d 70616e79 | Systems Company|
00000300 20736f66 74776172 65202020 20202020 | software |
00000310 20202020 20202020 20202020 20202a0d | *.|
00000320 0a323230 2d2a2020 2f707320 20202020 |.220-* /ps |
00000330 20202d20 4f532f32 20576172 70202620 | - OS/2 Warp & |
00000340 50657273 6f6e616c 20537973 74656d20 |Personal System |
00000350 736f6674 77617265 2c207365 65205245 |software, see RE|
00000360 41444d45 5f50532e 54585420 20202a0d |ADME_PS.TXT *.|
00000370 0a323230 2d2a2020 2f736e73 20202020 |.220-* /sns |
00000380 20202d20 53706563 69616c20 4e656564 | - Special Need|
00000390 73207465 63686e6f 6c6f6779 20666f72 |s technology for|
000003a0 2070656f 706c6520 77697468 20646973 | people with dis|
000003b0 6162696c 69746965 73202020 20202a0d |abilities *.|
000003c0 0a323230 2d2a2020 2f733339 30202020 |.220-* /s390 |
000003d0 20202d20 53797374 656d2f33 39302073 | - System/390 s|
000003e0 6f667477 61726520 20202020 20202020 |oftware |
000003f0 20202020 20202020 20202020 20202020 | |
00000400 20202020 20202020 20202020 20202a0d | *.|
00000410 0a323230 2d2a2020 2f736f66 74776172 |.220-* /softwar|
00000420 65202d20 4d756c74 69706c65 20506c61 |e - Multiple Pla|
00000430 74666f72 6d20536f 66747761 72652020 |tform Software |
00000440 20202020 20202020 20202020 20202020 | |
00000450 20202020 20202020 20202020 20202a0d | *.|
00000460 0a323230 2d2a2020 20202020 20202020 |.220-* |
00000470 20202020 20202020 20202020 20202020 | |
********
000004a0 20202020 20202020 20202020 20202a0d | *.|
000004b0 0a323230 2d2a2020 53656520 55524c20 |.220-* See URL |
000004c0 22687474 703a2f2f 7777772e 736f6674 |"http://www.soft|
000004d0 77617265 2e69626d 2e636f6d 2220666f |ware.ibm.com" fo|
000004e0 72206d6f 72652064 6f776e6c 6f616473 |r more downloads|
000004f0 20616e64 20696e66 6f2e2020 20202a0d | and info. *.|
00000500 0a323230 2d2a2020 20202020 20202020 |.220-* |
00000510 20202020 20202020 20202020 20202020 | |
********
00000540 20202020 20202020 20202020 20202a0d | *.|
00000550 0a323230 2d2a2020 416c6c20 46545027 |.220-* All FTP'|
00000560 61626c65 20736f66 74776172 65206973 |able software is|
00000570 20286329 20636f70 79726967 68742049 | (c) copyright I|
00000580 6e746572 6e617469 |nternati |
====( 60 bytes transmitted on interface en0 )==== 16:48:49.560364352
ETHERNET packet : [ 00:06:29:21:b7:1e -> 00:10:7b:36:c7:7f ] type 800 (IP)
IP header breakdown:
< SRC = 172.17.1.101 > (dp06w002.sedgwick.gov)
< DST = 207.25.253.26 > (service.boulder.ibm.com)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=0, ip_off=0
ip_ttl=60, ip_sum=526, ip_p = 6 (TCP)
TCP header breakdown:
<source port=4454, destination port=21(ftp) >
th_seq=25dd4, th_ack=0
th_off=5, flags<RST>
th_win=0, th_sum=c6e4, th_urp=0
I'd appreciate any help I can get.
I have the traces available on a web site for Enable PASV checked and
unchecked if there is a need.
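An added example, not part of Greg's post and not Check Point's base.def code: a small Python script that rebuilds the payload bytes from the iptrace hex dumps above and applies the two per-packet checks that I take the poster's 'newline' and 'high ports' fixes to be, namely that a packet from the FTP server ends in a newline (carries no partial reply line) and that a 227 PASV reply announces a data port above 1023. That reading of the fixes is my assumption, not a statement about what base.def actually does. The two sample dumps are transcribed from the post (the second is only the last four rows of the long banner packet); the 227 replies used to exercise the PASV check are constructed.

```python
import re

# Constructed sample input: the two server-to-client payload dumps from the
# post above, transcribed from its iptrace output. The second one is only the
# last four rows of the long banner packet. "********" is the marker iptrace
# prints for rows it collapsed because they repeat the previous row.
BANNER_PKT_1 = """\
00000000 3232302d 2a2a2a2a 2a2a2a2a 2a2a2a2a |220-************|
00000010 2a2a2a2a 2a2a2a2a 2a2a2a2a 2a2a2a2a |****************|
********
00000040 2a2a2a2a 2a2a2a2a 2a2a2a2a 2a2a200d |************** .|
00000050 0a |. |
"""

BANNER_PKT_2_TAIL = """\
00000550 0a323230 2d2a2020 416c6c20 46545027 |.220-* All FTP'|
00000560 61626c65 20736f66 74776172 65206973 |able software is|
00000570 20286329 20636f70 79726967 68742049 | (c) copyright I|
00000580 6e746572 6e617469 |nternati |
"""

ELIDED_ROW = "********"
REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")        # RFC 959 reply line
PASV_TUPLE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_iptrace_hex(dump):
    """Rebuild payload bytes from an iptrace hex dump.

    Returns (payload, elided). Rows collapsed into '********' cannot be
    recovered, so when `elided` is True the payload is shorter than the
    packet and only its head and tail are meaningful.
    """
    out = bytearray()
    elided = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ELIDED_ROW:
            elided = True
            continue
        # everything before the '|' ASCII column: the offset, then hex groups
        groups = line.split("|", 1)[0].split()
        out += bytes.fromhex("".join(groups[1:]))
    return bytes(out), elided


def parse_pasv(line):
    """Return (ip, port) announced by a 227 reply, or None if no tuple found."""
    m = PASV_TUPLE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_ftp_server_payload(payload):
    """Two per-packet checks on a payload the FTP server sent on port 21.

    Assumed (my reading of the 'newline' and 'high ports' fixes mentioned
    in the post, not Check Point's code): the payload must end with a
    newline, i.e. carry no partial reply line, and a 227 reply must
    announce a data port above 1023.
    """
    lines = payload.split(b"\n")
    complete, tail = lines[:-1], lines[-1]   # tail is b"" when newline-terminated
    result = {
        "ends_with_newline": payload.endswith(b"\n"),
        "partial_tail": tail,
        "codes": [],
        "bad_pasv_port": None,
    }
    for line in complete:
        m = REPLY_LINE.match(line.rstrip(b"\r"))
        if not m:
            continue            # continuation text of a multi-line reply
        code = m.group(1).decode()
        result["codes"].append(code)
        if code == "227":
            pasv = parse_pasv(line)
            if pasv is not None and pasv[1] <= 1023:
                result["bad_pasv_port"] = pasv[1]
    return result


if __name__ == "__main__":
    for name, dump in (("packet 1", BANNER_PKT_1), ("packet 2 tail", BANNER_PKT_2_TAIL)):
        payload, elided = parse_iptrace_hex(dump)
        print(name, "(elided rows)" if elided else "(complete)",
              check_ftp_server_payload(payload))
```

Run against the two dumps, the first banner packet comes back newline-terminated with one complete 220 line, while the second ends in the fragment "copyright Internati" with no trailing newline, which is the condition the newline check flags. The PASV port check only fires on a 227 line, so it is silent for both banner packets.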
-----Original Message-----
From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 17, 2000 8:53 AM
To: [EMAIL PROTECTED]; Tucker, Greg
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] FTP gets Network Error: Connection reset by peer
Greg,
Are the sequence numbers lining up OK? What's
the data of the Push/Ack and Ack that follows?
Are you using SYN-Defender? If so, test without.
Have you tried disabling the passive mode? It
appears to work in reverse of what the option
says. Are you using the 'fw sam' feature?
Is the 172.17.x.x you sanitizing your post? (You
mentioned no NAT in the original post.)
You haven't mentioned which SP1 and hotfix(es)
you have. If you're on straight v4.1, maybe apply
them and test again. Test disabling passive
first. This would be a quick test and very little
interruption - I don't think this is the problem,
but it can't hurt to test.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Tucker, Greg <[EMAIL PROTECTED]> 7/14/00 1:30:07 PM >>>
>I haven't been able to get back to this until now.
>
>Here's what an iptrace run at the firewall shows (the I or E at the
>beginning is the firewall interface, I = Internal & E = External):
>
>I 172.17.1.201 --- Syn ------> 207.25.253.26
>E 172.17.1.201 --- Syn ------> 207.25.253.26
>E 172.17.1.201 <-- Syn/Ack --- 207.25.253.26
>I 172.17.1.201 <-- Syn/Ack --- 207.25.253.26
>I 172.17.1.201 --- Ack ------> 207.25.253.26
>E 172.17.1.201 --- Ack ------> 207.25.253.26
>E 172.17.1.201 <-- Push/Ack -- 207.25.253.26
>I 172.17.1.201 <-- Push/Ack -- 207.25.253.26
>E 172.17.1.201 <-- Ack ------- 207.25.253.26
>E 172.17.1.201 --- RST ------> 207.25.253.26 <---- Must have been issued by
>the firewall
>I 172.17.1.201 --- Ack ------> 207.25.253.26
>E 172.17.1.201 --- Ack ------> 207.25.253.26
>E 172.17.1.201 <-- RST ------- 207.25.253.26
>I 172.17.1.201 <-- RST ------- 207.25.253.26
>
>The log shows the same as before, accept.
>It looks like the firewall is sending the reset, since it did not originate
>from my machine.
>Why would it do that?
>
>Here's the URL I was going to
>ftp://ftp.software.ibm.com/software/cics/pdf/dfha800.pdf
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of
>Robert MacDonald
>Sent: Monday, June 05, 2000 12:52 PM
>To: [EMAIL PROTECTED]; Tucker, Greg
>Cc: [EMAIL PROTECTED]
>Subject: RE: [FW1] FTP gets Network Error: Connection reset by peer
>
>Greg,
>
>Wow, Enteract has two customers. You and Lance ;-) For the
>longest time, I thought Lance was Enteract.
>
>Sorry...
>
>You need to sniff the connection between you and the fw and
>between the fw and IBM. What do you see?
>
>In both, you should see the three-way handshake (this is why fw-1
>has a log entry). Then you should see another packet with the
>'Connected to service.boulder.ibm.com. 220-yada, yada yada'.
>You will see ACK packets in between. Then you see???
>
>Have you applied SP1 and patch to SP1 for your system? btw,
>what is your setup?
>
>Robert
>
>- -
>Robert P. MacDonald, Network Engineer
>e-Business Infrastructure
>G o r d o n F o o d S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>
>>>> Tucker, Greg <[EMAIL PROTECTED]> 6/5/00 10:19:19 AM >>>
>>
>>Passive is already enabled.
>>
>>-----Original Message-----
>>From: Amit Saha [mailto:[EMAIL PROTECTED]]
>>Sent: Saturday, June 03, 2000 10:30 AM
>>To: Tim O'Connor; Tucker, Greg
>>Cc: [EMAIL PROTECTED]
>>Subject: RE: [FW1] FTP gets Network Error: Connection reset by peer
>>
>>I think you can check if you have disabled the Passive FTP service in the fw's
>>properties tab. Enable it and give it a try.
>>
>>Warm Regards,
>>
>>Amit Saha
>>Specialist - Network Security
>>HCL Comnet Systems & Services Ltd.
>>Mumbai, India.
>>
>>Tel. : 91-22-654 1986
>>Fax : 91-22-654 1475
>>Mobile : 98200 50005
>>Mail id : [EMAIL PROTECTED]
>>Web address : www.hclcomnet.com
>>
>>"This correspondence is for the named person's use only. It may contain
>>confidential or legally privileged information or both. No
>>confidentiality or privilege is waived or lost by any mistransmission.
>>If you receive this correspondence in error, please immediately delete
>>it from your system and notify the sender. You must not disclose, copy
>>or rely on any part of this correspondence if you are not the intended
>>recipient."
>>
>>
>>-----Original Message-----
>>From: Tim O'Connor [mailto:[EMAIL PROTECTED]]
>>Sent: Saturday, June 03, 2000 4:14 AM
>>To: [EMAIL PROTECTED]
>>Cc: [EMAIL PROTECTED]
>>Subject: Re: [FW1] FTP gets Network Error: Connection reset by peer
>>
>>Looks like the server is cutting you off.
>>Looks like they might be checking DNS when connecting.
>>
>>Check your DNS
>>
>>Make sure that forward matches reverse.
>>
>>At 05:25 PM 6/2/00, Tucker, Greg wrote:
>>>When I click on a link to a specific IBM FTP site (and one other site
>>>that I know of), I immediately get:
>>>
>>>A network error occurred while Netscape was receiving data.
>>>(Network Error: Connection reset by peer)
>>>Try Connecting again.
>>>
>>>The log shows only the outgoing request from my machine with no other
>>entry.
>>>
>>>When I try to go to the same site using FTP from an MSDOS window, I get:
>>>
>>>C:\>ftp ftp.software.ibm.com
>>>Connected to service.boulder.ibm.com.
>>>220-***************************************
>>>Connection closed by remote host.
>>>
>>>Again, in the log I only see my outgoing request and no other log entries
>>>that refer to my address or the destination (either as a source or a
>>>destination).
>>>
>>>I currently am logging everything.
>>>I have Log Implied Rules checked.
>>>No Nat being done at the firewall.
>>>
>>>It appears, since there are no other log entries, that the reset must be
>>>coming from the firewall itself.
>>>If I put a machine on the Internet interface, the FTP works fine.
>>>
>>>Any ideas?
>>>
>>>I've checked through the archives and found what looked like the same
>>>problem but a solution was never suggested.
>>
>>Tim O'Connor
>>[EMAIL PROTECTED]
>>[EMAIL PROTECTED]
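An added example that is not part of the thread: the interface-by-interface iptrace summary Greg quoted (I = internal interface, E = external interface) can be checked mechanically rather than by eye. A packet the firewall forwards shows up once on each interface travelling in the same direction; an outbound packet that appears on E but never on I was generated by the firewall itself, and an inbound packet seen on E but never on I never made it through. The script below parses that summary (transcribed from the post, with the "Must have been issued by the firewall" remark dropped) and gives a verdict per packet type. The row format it parses is the hand-drawn one in the post, so it is an assumption that other traces would be written the same way.

```python
import re
from collections import Counter

# Constructed sample input: the interface-by-interface summary quoted above,
# transcribed from the post (I = internal interface, E = external interface).
# The "Must have been issued by the firewall" remark on the RST row is left
# out so that every row has the same shape.
TRACE = """\
I 172.17.1.201 --- Syn ------> 207.25.253.26
E 172.17.1.201 --- Syn ------> 207.25.253.26
E 172.17.1.201 <-- Syn/Ack --- 207.25.253.26
I 172.17.1.201 <-- Syn/Ack --- 207.25.253.26
I 172.17.1.201 --- Ack ------> 207.25.253.26
E 172.17.1.201 --- Ack ------> 207.25.253.26
E 172.17.1.201 <-- Push/Ack -- 207.25.253.26
I 172.17.1.201 <-- Push/Ack -- 207.25.253.26
E 172.17.1.201 <-- Ack ------- 207.25.253.26
E 172.17.1.201 --- RST ------> 207.25.253.26
I 172.17.1.201 --- Ack ------> 207.25.253.26
E 172.17.1.201 --- Ack ------> 207.25.253.26
E 172.17.1.201 <-- RST ------- 207.25.253.26
I 172.17.1.201 <-- RST ------- 207.25.253.26
"""

# iface, left host, '---' (left->right) or '<--' (right->left), flags,
# trailing dashes with or without '>', right host
ROW = re.compile(r"^([IE])\s+(\S+)\s+(<--|---)\s+(\S+)\s+-+>?\s+(\S+)\s*$")


def parse_trace(text):
    """Return [(iface, direction, flags, src, dst)] for each parsable row.

    direction is 'out' for client->server rows and 'in' for server->client.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        iface, left, arrow, flags, right = m.groups()
        if arrow == "<--":
            rows.append((iface, "in", flags, right, left))
        else:
            rows.append((iface, "out", flags, left, right))
    return rows


def firewall_verdicts(rows):
    """Count sightings of each (direction, flags) on I and on E and judge.

    A forwarded packet is seen once on I and once on E. An outbound packet
    seen on E more often than on I was generated by the firewall itself; an
    inbound packet seen on E more often than on I was not forwarded. The
    mirror cases cover packets the firewall generates toward the inside or
    swallows on the way out. Returns {(direction, flags): (n_I, n_E, verdict)}.
    """
    seen = Counter((iface, d, f) for iface, d, f, _, _ in rows)
    verdicts = {}
    for d, f in sorted({(d, f) for _, d, f, _, _ in rows}):
        n_i, n_e = seen[("I", d, f)], seen[("E", d, f)]
        if n_i == n_e:
            verdict = "forwarded"
        elif d == "out":
            verdict = "injected by firewall" if n_e > n_i else "not forwarded by firewall"
        else:
            verdict = "not forwarded by firewall" if n_e > n_i else "injected by firewall"
        verdicts[(d, f)] = (n_i, n_e, verdict)
    return verdicts


if __name__ == "__main__":
    for (d, f), (n_i, n_e, verdict) in firewall_verdicts(parse_trace(TRACE)).items():
        print(f"{d:3} {f:9} I={n_i} E={n_e}  {verdict}")
```

On the quoted trace this reports the outbound RST as seen on E only (injected by the firewall) and the second inbound ACK from IBM as seen on E only (not forwarded); everything else is seen once on each side. Counting ignores ordering, so a retransmission that coincides with a drop would cancel out; for a trace this short the counts are enough, for a longer one you would pair each row with the next row of the same direction and flags instead.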
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================