CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: FTP on custom port having problems

  1. #1
    Join Date
    2006-09-19
    Posts
    6
    Rep Power
    0

    FTP on custom port having problems

    When we were on R55 we could FTP to our extranet host on a custom port with no issues. After upgrading to R60 we started seeing SmartDefense errors, etc.
    The error message I get is an alert/drop "message_info: Too many pending data connections for one control connection".
    We don't use an FTP security server and do not subscribe to SmartDefense.
    I set all SmartDefense settings concerning FTP to 'monitor only'.
    I also created a custom rule for this outbound FTP on the custom port, and on the service's Advanced tab I have changed the 'protocol type' to all the available choices (it was on just 'ftp' on R55), but I still get the error message.
    I thought there might have been a GuiDBedit setting for FTP, but I searched in GuiDBedit and couldn't find anything pertaining to 'too many data connections'.

    Any ideas what I could try next?

    Thanks,
    Craig

  2. #2
    Join Date
    2006-07-24
    Posts
    2
    Rep Power
    0

    Re: FTP on custom port having problems

    Hi,
    I have the same problem.
    Did you fix this problem?
    Can you share?
    Thanks!
    dolphin.

  3. #3
    Join Date
    2005-11-15
    Posts
    6
    Rep Power
    0

    Re: FTP on custom port having problems

    Quote: Originally posted by dolphin528
    Hi,
    I have the same problem.
    Did you fix this problem?
    Can you share?
    Thanks!
    dolphin.

    I found a solution to this. I had to put a src to dest on ftp rule above the previous rule. Specifically I had to tell it ftp as a service, not 'any' which was how the previous rule was written.

  4. #4
    Join Date
    2013-08-07
    Posts
    1
    Rep Power
    0

    Re: FTP on custom port having problems

    Hi,

    If you have the message "too many pending data connections for one control connection", it's probably because the FTP client is not set to passive mode. Each time the FTP command "PORT" is emitted by the client, the Check Point counts 1 pending data connection (but this data connection is never used).

    A single FTP control connection can only handle 50 pending data connections. So the 51st "PORT" request is dropped by the firewall due to this limit. This problem typically appears when an FTP script, executed on the client side, browses empty directories on a server behind a firewall.

    You cannot change the Check Point behavior ("any" service will not solve the problem), so the best practice is to ensure the FTP client is in passive mode and possibly rewrite the FTP script to limit the use of the "PORT" command.

    Regards,
    Mat
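
The limit described in the last post can be checked against an FTP client transcript before a script is run through the firewall. The following is an added example, not code from the thread or from Check Point: it counts PORT/EPRT announcements on one control connection that are never followed by a 125/150 reply. The `C:`/`S:` log format, the sample host and paths, and the rule that a 125/150 reply marks an announcement as used are assumptions; the limit of 50 is the figure quoted in the post.

```python
import re

PENDING_LIMIT = 50  # per-control-connection limit quoted in the post above

ANNOUNCE = re.compile(r"^C: (PORT|EPRT)\b", re.I)  # active-mode data announcement
OPENED = re.compile(r"^S: (125|150)\b")            # server actually used the data channel


def build_sample_log(dirs, empty=True):
    """Constructed transcript: an active-mode script listing `dirs` directories.

    Assumption: for an empty directory the server replies 226 without ever
    opening the data connection that PORT announced.
    """
    lines = ["C: USER extranet", "S: 331 Password required",
             "C: PASS ****", "S: 230 Logged in"]
    for i in range(dirs):
        lines += [f"C: CWD /out/dir{i}", "S: 250 OK",
                  f"C: PORT 10,0,0,5,200,{i % 256}", "S: 200 PORT command successful",
                  "C: LIST"]
        if not empty:
            lines.append("S: 150 Opening data connection")
        lines.append("S: 226 Transfer complete")
    return lines


def audit_control_connection(lines, limit=PENDING_LIMIT):
    """Return (unused_announcements, line_no_where_limit_first_exceeded_or_None)."""
    pending = 0          # PORT/EPRT announcements with no data connection opened
    outstanding = False  # an announcement is waiting for a 125/150 reply
    first_over = None
    for line_no, line in enumerate(lines, 1):
        if ANNOUNCE.match(line):
            pending += 1
            outstanding = True
            if pending > limit and first_over is None:
                first_over = line_no
        elif OPENED.match(line) and outstanding:
            pending -= 1
            outstanding = False
    return pending, first_over


if __name__ == "__main__":
    for label, log in [("60 empty dirs", build_sample_log(60)),
                       ("60 non-empty dirs", build_sample_log(60, empty=False))]:
        unused, line_no = audit_control_connection(log)
        print(f"{label}: {unused} unused PORT announcements, limit exceeded at line {line_no}")
```

A passive-mode transcript contains no PORT or EPRT lines, so the count stays at zero regardless of how many empty directories the script walks.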
