[SRX] FTP ALG is not working with asymmetric routing


Article ID: KB32501   KB Last Updated: 30 Sep 2019   Version: 2.0
Summary:

This article explains a non-working scenario in relation to an FTP session with SRX devices in the path between the FTP client and the FTP server.

Symptoms:

When the FTP ALG is enabled, the FTP session in the following topology fails. It fails even when no-syn-check and no-sequence-check are configured.

Topology:

                      (192.168.1.1)SRX1(10.75.252.105)
FTP Server---Switch---                                 ---Switch--FTP Client
(192.168.1.100)       (192.168.1.2)SRX2(10.75.252.106)            (10.75.252.15)

The FTP server's default gateway is SRX2.

The FTP client's default gateway is SRX1.

Cause:

This is by design: the FTP ALG cannot open a pinhole when traffic is asymmetric. FTP uses two sessions, a control session and a data session, and the ALG learns the data port number by inspecting the control session. If the ALG never sees the control packet that carries the port on which the data connection will be created, it cannot know which data port it should open (permit).

With asymmetric routing, only SRX1 sees that control packet, so SRX2 has no gate information and never creates the pinhole.

Solution:

Since the FTP ALG does not support asymmetric routing, redesigning the network to ensure symmetric traffic is recommended. If an asymmetric routing design is a requirement, disabling the FTP ALG and adding explicit policies for the control and data sessions is a feasible alternative.

Note: Disabling the FTP ALG works only for active FTP. There is no practical solution for passive FTP over an asymmetrically routed network, because the client will use a random port for the data sessions.

#set security alg ftp disable

root@SRX-240-2> ftp 192.168.1.100
Connected to 192.168.1.100.
220  FTP server (Version 6.00LS) ready.
Name (192.168.1.100:root): root
331 Password required for root.
Password:
230 User root logged in.
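The following is an added example, not configuration from the article or from Juniper, showing what "disabling the ALG and adding related policies" looks like for active FTP when applied identically to SRX1 and SRX2. The zone names trust (server side) and untrust (client side), the address-book and application names, and the ephemeral port range are assumptions; the addresses are those from the topology above.

```junos
# Added example (not from the KB article): active-mode FTP through the
# asymmetric SRX pair without the FTP ALG. Apply to BOTH SRX1 and SRX2.
# Assumed: zone "trust" = FTP server side, zone "untrust" = FTP client side.

# 1. Disable the FTP ALG (as in the article) so no pinhole is relied on.
set security alg ftp disable

# 2. Each SRX sees only one direction of every TCP session, so relax the
#    stateful TCP checks the article mentions.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# 3. Address-book entries for the two hosts (names are assumed).
set security zones security-zone trust address-book address ftp-server 192.168.1.100/32
set security zones security-zone untrust address-book address ftp-client 10.75.252.15/32

# 4. Custom applications (names assumed) instead of junos-ftp, so nothing
#    binds the ALG. Control: client -> server on TCP/21.
set applications application ftp-control protocol tcp destination-port 21
#    Active-mode data: server source port 20 -> client ephemeral port
#    (assumed range 1024-65535; narrow it to the client's real range).
set applications application ftp-data-active protocol tcp source-port 20 destination-port 1024-65535

# 5. Control session policy, client zone -> server zone.
set security policies from-zone untrust to-zone trust policy ftp-control match source-address ftp-client
set security policies from-zone untrust to-zone trust policy ftp-control match destination-address ftp-server
set security policies from-zone untrust to-zone trust policy ftp-control match application ftp-control
set security policies from-zone untrust to-zone trust policy ftp-control then permit

# 6. Data session policy: the SERVER initiates it in active mode, so it
#    needs a separate policy in the opposite zone direction.
set security policies from-zone trust to-zone untrust policy ftp-data match source-address ftp-server
set security policies from-zone trust to-zone untrust policy ftp-data match destination-address ftp-client
set security policies from-zone trust to-zone untrust policy ftp-data match application ftp-data-active
set security policies from-zone trust to-zone untrust policy ftp-data then permit
```

After committing on both devices, an active-mode transfer should complete as in the session above; passive mode remains unsupported for the reason given in the note, since the data port cannot be pinned down in a policy.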

Caution: The ALG is a feature that enhances the security enforced by the firewall. Consider the implications carefully before deciding to disable it. Refer to the following for more details:
