Knowledge Search


×
 

[SRX] FTP ALG is not working with asymmetric routing

  [KB32501] Show Article Properties


Summary:

This article explains a non-working scenario in relation to an FTP session with SRX devices in the path between the FTP client and the FTP server.

Symptoms:

​When the FTP ALG is enabled, the FTP session in the following topology fails. It does not work even if no sync check and no sequence check are configured.

Topology:


                      (192.168.1.1)SRX1(10.75.252.105)
FTP Server---Switch---                                 ---Switch--FTP Client
(192.168.1.100)       (192.168.1.2)SRX2(10.75.252.106)            10.75.252.15)

The FTP server's default gateway is SRX2.

The FTP client's default gateway is SRX1.

Cause:

This is by design. The FTP ALG cannot open a pinhole if traffic is asymmetric. Since there are two sessions for the FTP ALG, one for the control session and one for the data session, the FTP ALG needs to learn the data port number from the control session but if the FTP ALG cannot see the control packet that contains the port number on which the data connection would be created, it does not know which data port number it should open (permit).

With asymmetric routing, the information is in SRX1. So there is no gate information in SRX2, which is the reason for the pinhole not being created.

Solution:

Since the FTP ALG does not support asymmetric routing, it is suggested to redesign the network to ensure symmetric traffic. If asymmetric routing design is a requirement, then disabling the FTP ALG and adding related policies for the control and data sessions would be a feasible solution.

Note: Disabling the FTP ALG method can be used only on an active FTP. There is no practical solution for passive FTPs over the asymmetric routing network, because the client will use a random port for the data sessions.

#set security alg ftp disable

root@SRX-240-2> ftp 192.168.1.100
Connected to 192.168.1.100.
220  FTP server (Version 6.00LS) ready.
Name (192.168.1.100:root): root
331 Password required for root.
Password:
230 User root logged in.

Caution: ALG is a feature to enhance security enforced by the firewall. Do make serious considerations before deciding to disable it. Refer to the following for more details:

Related Links: