| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi! I have a Check Point 4.1 firewall running on a Windows operating system. I am not able to do an FTP transfer from a client inside the network to the server on the other side of the firewall. The logs on the firewall show that the firewall is rejecting the packet on Rule 0 from the FTP server to the client, and the reason is "reason: tried to open other host port". Please let me know if anyone knows the solution to the problem. Thanks, Venky |
| |||
| Hi, I'm also having issues with FTP on 4.1. Large FTPs do not seem to be going through successfully from the mainframe. Seen the mainframe trace, not seeing keep-alive. Also, seeing ACK PSH FIN in the last packet before the error pops up on the green screen. I've been looking around and found "new line entry" checking. Apparently, the client is sending FIN in a packet that should be in new line and not data connection. The workaround is to set FTP keepalive packets on the mainframe or hashing out "n l e" ... FTP Client fails with message EZA2590E getNextReply error from recv = (1121.76650446) - EDC8121I Connection reset after applying PQ45544. Cause: The above message indicates a Reset was received on the FTP control connection. This causes the connection to end; the above error message is issued when the FTP client tries to read a reply from the FTP server indicating if the FTP transfer worked. PQ45544 enhances the FTP client to turn on Keepalive support on the FTP control connection. This causes the TCP layer to send a one-byte packet to the remote TCP stack when the connection has been idle for a certain period of time. Certain firewalls do not allow TCP packets on the FTP control connection to be sent unless they end with ASCII CRLF (Carriage Return Line Feed) NL (new line). These firewalls respond with a Reset to the Keepalive packet that is sent. In particular, this problem has been seen with firewalls from Check Point (tm) Software Technologies LTD configured with #define FTP_ENFORCE_NL in the $FWDIR/lib/base.def file. Solution: Removing the #define FTP_ENFORCE_NL definition from the $FWDIR/lib/base.def file on the firewall allows the Keepalive packet to pass through. Another possible circumvention is to code an FTPKEEPALIVE value in the FTP.DATA file for the client that is longer than the amount of time the FTP transfer will run. See if this works for you. |
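
The following is an added diagnostic example, not part of the posts above and not Check Point or IBM code. It checks whether a copy of `base.def` still carries an active `#define FTP_ENFORCE_NL`, and flags captured FTP control-channel payloads that do not end in a newline, which is the condition the quoted note says draws a Reset. The sample file text and payloads are constructed, and the rule that the define is active only when it starts its line is an assumption.

```python
import re

# Assumption: the define counts as active only when it begins its line
# (after optional whitespace); anything placed before it disables it.
ACTIVE_DEFINE = re.compile(r"^[ \t]*#define[ \t]+FTP_ENFORCE_NL\b", re.MULTILINE)


def enforce_nl_active(base_def_text):
    """True if the text has an uncommented '#define FTP_ENFORCE_NL' line."""
    return ACTIVE_DEFINE.search(base_def_text) is not None


def segments_violating_nl(payloads):
    """Return (index, payload) for control-channel TCP payloads that carry
    data but do not end in a newline. Empty payloads (bare ACKs) are skipped."""
    return [(i, p) for i, p in enumerate(payloads)
            if p and not p.endswith(b"\n")]


# Constructed stand-ins for base.def content, not the real file.
SAMPLE_BASE_DEF_ON = "/* constructed sample */\n#define FTP_ENFORCE_NL\n"
SAMPLE_BASE_DEF_OFF = "/* constructed sample */\n// #define FTP_ENFORCE_NL\n"

# Constructed control-channel payloads, in capture order.
SAMPLE_PAYLOADS = [
    b"USER demo\r\n",                # complete command line: passes
    b"",                             # bare ACK, no data: ignored
    b"RETR big",                     # command split across segments: flagged
    b"file.dat\r\n",                 # remainder of the command: passes
    b"\x00",                         # one-byte keepalive probe: flagged
    b"226 Transfer complete.\r\n",   # server reply: passes
]

if __name__ == "__main__":
    print("FTP_ENFORCE_NL active:", enforce_nl_active(SAMPLE_BASE_DEF_ON))
    for index, payload in segments_violating_nl(SAMPLE_PAYLOADS):
        print("segment", index, "lacks trailing newline:", payload)
```

Feeding it the control-connection payloads from a packet capture shows whether the Resets line up with keepalive probes or with commands split across segments before the define is removed from the policy.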