Hi,
I have a couple of sparc FW1s running with Stonebeat fullcluster 1.0.
Everything seems fine right now except for the FTP service.
I use NAT in the internal network. When I FTP to an external host from
the internal network, sometimes I get no response when I run a command such
as "ls" in ftp (cannot build up the ftp-data connection, TCP port 20). But I
have no problem with other stuff that uses port 21 only, such as "cd" (change
directory).
This problem does not occur in every FTP session. I keep an eye on the
log viewer and notice the below:

When I see the following log entry, the FTP-data works:

FW    service  source      dest        source-port
==================================================
FW-A  ftp      ftp-client  ftp-server  33099

When I see the following log entries, the FTP-data *doesn't* work:

FW    service  source      dest        source-port
==================================================
FW-A  ftp      ftp-client  ftp-server  33099
FW-B  33099    ftp-server  ftp-client  ftp
The difference is the second log entry! Of course, when I offline one of
the FWs it works in both cases (sometimes one entry only and sometimes two,
but both will go through the same FW of course).
I have set up the state sync for both FW1s and set up
$SBHOME/etc/filter.conf as follows:
mode = dynamic
node = all
ignore-port = 20 21
ip static-nat = 10.0.0.0 netmask 255.255.255.0 xxxxxxxx
ip static-nat = 202.xx.xx.xx netmask 255.255.255.0 xxxxxxx
I can't remember the content of filter.conf exactly, but I think they
are correct, as Stonebeat doesn't complain when I click "reconfigure" in
the Stonebeat GUI.
Could anyone please give me some hint on the problem? It is strange that
sometimes it only logs one entry, as the ftp-server should reply to the
client when the connection is made, and it is more strange that it is
a successful connection! It is an any-any-any-accept rule in the FW policy, so
I guess I am not missing anything in the log viewer...
Please help. Thanks in advance.
laiben
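As an added illustration (not part of the original post, and not Check Point or StoneBeat tooling), the following script shows how a defender could sweep cluster logs for the pattern described above: an FTP control session whose forward leg (service=ftp) and return leg (source-port=ftp) were logged on different cluster members, which is exactly when the data channel failed. The log format and sample lines are constructed to follow the simplified columns quoted in the post; real FireWall-1 log exports will need their own column mapping.

```python
# Added example: flag FTP control sessions whose two legs were logged on
# different cluster members (the "FW-A then FW-B" pattern from the post).
# SAMPLE_LOG is constructed in the post's simplified column layout
# (fw, service, source, dest, source-port); it is not real firewall output.
from collections import defaultdict

SAMPLE_LOG = """\
FW-A ftp ftp-client ftp-server 33099
FW-A ftp ftp-client ftp-server 33100
FW-B 33100 ftp-server ftp-client ftp
"""


def parse_line(line):
    """Split one constructed log line into its five columns."""
    fw, service, src, dst, sport = line.split()
    return {"fw": fw, "service": service, "src": src, "dst": dst, "sport": sport}


def session_key(entry):
    """Canonical (client, ephemeral-port) key for one FTP control connection.

    Forward leg: service=ftp, source-port=<ephemeral>  -> (source, source-port)
    Return leg:  service=<ephemeral>, source-port=ftp  -> (dest, service)
    Lines that are not FTP control traffic return None.
    """
    if entry["service"] == "ftp":
        return (entry["src"], entry["sport"])
    if entry["sport"] == "ftp":
        return (entry["dst"], entry["service"])
    return None


def find_asymmetric_sessions(log_text):
    """Return {(client, port): [firewalls]} for sessions handled by >1 member."""
    members = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        key = session_key(parse_line(line))
        if key is not None:
            members[key].add(parse_line(line)["fw"])
    return {k: sorted(v) for k, v in members.items() if len(v) > 1}


if __name__ == "__main__":
    for (client, port), fws in find_asymmetric_sessions(SAMPLE_LOG).items():
        print(f"{client}:{port} seen on {', '.join(fws)}: data channel likely to fail")
```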
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================