I wonder if someone can shed some light on this for me.
I have configured a MIP on an SSG5 to map to our FTP server.
When the remote site tries to connect to the FTP server it doesn't work; however, I can see that the packets are hitting the firewall, but it seems the reverse communication is getting confused.
Below is a debug flow basic output:
****** 257010.0: <ManagedNetwork/ethernet0/0> packet received [48]******
ipid = 22448(57b0), @03451b70
packet passed sanity check.
ethernet0/0:194.x.x.2/41400->10.x.x.194/21,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
self check, not for us
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 194.x.x.2->10.10.10.2) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 10.10.10.2->10.10.10.2, to ethernet0/1
routed (x_dst_ip 10.10.10.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
policy search from zone 101-> zone 3
policy_flow_search policy search nat_crt from zone 101-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.x.x.194, port 21, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 26/0/0x9
Permitted by policy 26
No src xlate choose interface ethernet0/1 as outgoing phy if
no loop on ifp ethernet0/1.
session application type 1, name FTP, nas_id 0, timeout 1800sec
ALG vector is attached
service lookup identified service 1.
flow_first_final_check: in <ethernet0/0>, out <ethernet0/1>
existing vector list 183-2c56a74.
Session (id:7103) created for first pak 183
flow_first_install_session======>
route to 10.10.10.2
arp entry found for 10.10.10.2
ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/1, 10.10.10.2->194.x.x.2) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
[ Dest] 14.route 194.x.x.2->10.x.x.193, to ethernet0/0
route to 10.x.x.193
arp lookup failed for 10.x.x.193
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00000801, tunnel ffffffff, rc 0
cache src mac in session for reverse direction
flow got session.
flow session id 7103
tcp seq check.
Got syn, 194.x.x.2(41400)->10.x.x.194(21), nspflag 0x200b801, 0x800800
post addr xlation: 194.x.x.2->10.10.10.2.
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00195b6c7f48 through ethernet0/1
****** 257010.0: <DMZ/ethernet0/1> packet received [48]******
ipid = 12979(32b3), @0354a050
packet passed sanity check.
ethernet0/1:10.10.10.2/21->194.x.x.2/41400,6<Root>
existing session found. sess token 13
flow got session.
flow session id 7103
tcp seq check.
Got syn_ack, 10.10.10.2(21)->194.x.x.2(41400), nspflag 0x801800, 0x200b801
post addr xlation: 10.x.x.194->194.x.x.2.
packet send out to 0013c4569108 through ethernet0/0
****** 257013.0: <ManagedNetwork/ethernet0/0> packet received [48]******
ipid = 22461(57bd), @03452b70
packet passed sanity check.
ethernet0/0:194.x.x.2/41400->10.x.x.194/21,6<Root>
existing session found. sess token 17
flow got session.
flow session id 7103
tcp seq check.
Got syn, 194.x.x.2(41400)->10.x.x.194(21), nspflag 0x200b801, 0x801800
post addr xlation: 194.x.x.2->10.10.10.2.
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00195b6c7f48 through ethernet0/1
****** 257014.0: <DMZ/ethernet0/1> packet received [48]******
ipid = 12995(32c3), @03557050
packet passed sanity check.
ethernet0/1:10.10.10.2/21->194.x.x.2/41400,6<Root>
existing session found. sess token 13
flow got session.
flow session id 7103
tcp seq check.
Got syn_ack, 10.10.10.2(21)->194.x.x.2(41400), nspflag 0x801800, 0x200b801
post addr xlation: 10.x.x.194->194.x.x.2.
packet send out to 0013c4569108 through ethernet0/0
****** 257019.0: <ManagedNetwork/ethernet0/0> packet received [48]******
ipid = 22482(57d2), @03453b70
packet passed sanity check.
ethernet0/0:194.x.x.2/41400->10.x.x.194/21,6<Root>
existing session found. sess token 17
flow got session.
flow session id 7103
tcp seq check.
Got syn, 194.x.x.2(41400)->10.x.x.194(21), nspflag 0x200b801, 0x801800
post addr xlation: 194.x.x.2->10.10.10.2.
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00195b6c7f48 through ethernet0/1
****** 257020.0: <DMZ/ethernet0/1> packet received [48]******
ipid = 13034(32ea), @03578050
packet passed sanity check.
ethernet0/1:10.10.10.2/21->194.x.x.2/41400,6<Root>
existing session found. sess token 13
flow got session.
flow session id 7103
tcp seq check.
Got syn_ack, 10.10.10.2(21)->194.x.x.2(41400), nspflag 0x801800, 0x200b801
post addr xlation: 10.x.x.194->194.x.x.2.
packet send out to 0013c4569108 through ethernet0/0
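A trace like the one above is easier to read as a handshake timeline than packet by packet. The script below is an added example, not part of the original post and not ScreenOS code: it parses only the line formats visible in the "debug flow basic" output above (packet headers, the 5-tuple line, "flow session id", "Got <flag>", the "[ Dest]" route line after "handle cleartext reverse route", "arp lookup failed" and "packet send out"), groups packets by session id, counts SYN / SYN-ACK / ACK with the egress interface used for each, and records the route and ARP results logged while the session was installed. The embedded SAMPLE_TRACE is a constructed, abridged copy of the first four packets of the post's trace; the function names and the findings format are my own.

```python
"""Triage helper for ScreenOS 'debug flow basic' output (added example, not ScreenOS code).
Groups packets by session id, counts handshake flags per direction and keeps the
route/ARP results logged at session install.  Only line formats seen in the trace above are parsed."""
import re
from collections import defaultdict

# Constructed sample: abridged copy of the post's trace, only the lines this parser keys on.
SAMPLE_TRACE = """\
****** 257010.0: <ManagedNetwork/ethernet0/0> packet received [48]******
ethernet0/0:194.x.x.2/41400->10.x.x.194/21,6<Root>
no session found
handle cleartext reverse route
[ Dest] 14.route 194.x.x.2->10.x.x.193, to ethernet0/0
arp lookup failed for 10.x.x.193
flow session id 7103
Got syn, 194.x.x.2(41400)->10.x.x.194(21), nspflag 0x200b801, 0x800800
packet send out to 00195b6c7f48 through ethernet0/1
****** 257010.0: <DMZ/ethernet0/1> packet received [48]******
flow session id 7103
Got syn_ack, 10.10.10.2(21)->194.x.x.2(41400), nspflag 0x801800, 0x200b801
packet send out to 0013c4569108 through ethernet0/0
****** 257013.0: <ManagedNetwork/ethernet0/0> packet received [48]******
flow session id 7103
Got syn, 194.x.x.2(41400)->10.x.x.194(21), nspflag 0x200b801, 0x801800
packet send out to 00195b6c7f48 through ethernet0/1
****** 257014.0: <DMZ/ethernet0/1> packet received [48]******
flow session id 7103
Got syn_ack, 10.10.10.2(21)->194.x.x.2(41400), nspflag 0x801800, 0x200b801
packet send out to 0013c4569108 through ethernet0/0
"""

PKT_HDR = re.compile(r'^\*+ (?P<ts>[\d.]+): <[^/]+/(?P<ifc>[^>]+)> packet received')
TUPLE = re.compile(r'^\S+?:(?P<src>[\w.]+)/(?P<sport>\d+)->(?P<dst>[\w.]+)/(?P<dport>\d+),')
SESSION = re.compile(r'^flow session id (?P<sid>\d+)')
TCP_FLAG = re.compile(r'^Got (?P<flag>\w+), ')
ROUTE = re.compile(r'^\[ Dest\] \S+ (?P<dst>[\w.]+)->(?P<nh>[\w.]+), to (?P<ifc>\S+)')
ARP_FAIL = re.compile(r'^arp lookup failed for (?P<ip>[\w.]+)')
SEND = re.compile(r'^packet send out to [0-9a-f]+ through (?P<ifc>\S+)')

def parse_packets(trace):
    """One record per '****** ... packet received' block."""
    packets, cur, in_reverse = [], None, False
    for line in map(str.strip, trace.splitlines()):
        if m := PKT_HDR.match(line):
            cur = dict(ts=float(m['ts']), in_ifc=m['ifc'], sid=None, flag='other',
                       out_ifc=None, new=False, reverse_route=None, arp_failures=[])
            packets.append(cur)
            in_reverse = False
        elif cur is None:
            continue
        elif m := TUPLE.match(line):
            cur.update(src=m['src'], sport=int(m['sport']), dst=m['dst'], dport=int(m['dport']))
        elif line == 'no session found':
            cur['new'] = True
        elif line == 'handle cleartext reverse route':
            in_reverse = True  # the next route lookup is for the reply direction
        elif m := SESSION.match(line):
            cur['sid'] = int(m['sid'])
        elif m := TCP_FLAG.match(line):
            cur['flag'] = m['flag'].lower()
        elif (m := ROUTE.match(line)) and in_reverse:
            cur['reverse_route'] = dict(dst=m['dst'], next_hop=m['nh'], ifc=m['ifc'])
        elif m := ARP_FAIL.match(line):
            cur['arp_failures'].append(m['ip'])
        elif m := SEND.match(line):
            cur['out_ifc'] = m['ifc']
    return packets

def summarize(trace):
    """Per-session view: flag counts, egress interface per flag, install-time route/ARP results."""
    sessions = {}
    for p in parse_packets(trace):
        if p['sid'] is None:
            continue
        s = sessions.setdefault(p['sid'], dict(client=None, server=None, flags=defaultdict(int),
                                               egress=defaultdict(set), reverse_route=None,
                                               arp_failures=[], first_seen=p['ts'], last_seen=p['ts']))
        if p['new']:  # the first packet carries the 5-tuple and the install-time lookups
            s['client'], s['server'] = (p.get('src'), p.get('sport')), (p.get('dst'), p.get('dport'))
            s['reverse_route'] = p['reverse_route']
        s['flags'][p['flag']] += 1
        if p['out_ifc']:
            s['egress'][p['flag']].add(p['out_ifc'])
        s['arp_failures'] += p['arp_failures']
        s['last_seen'] = max(s['last_seen'], p['ts'])
    return sessions

def diagnose(sessions):
    """Findings worth acting on: handshakes that never complete, and ARP failures at install."""
    findings = []
    for sid, s in sorted(sessions.items()):
        f, rr = s['flags'], s['reverse_route']
        if f.get('syn') and f.get('syn_ack') and not f.get('ack'):
            findings.append(f"session {sid}: {f['syn']} SYN out via {sorted(s['egress']['syn'])}, "
                            f"{f['syn_ack']} SYN-ACK out via {sorted(s['egress']['syn_ack'])}, 0 ACK over "
                            f"{s['last_seen'] - s['first_seen']:.0f}s: client {(s['client'] or ('?',))[0]} "
                            f"never acknowledged the SYN-ACK and kept retransmitting SYN")
        for ip in s['arp_failures']:
            where = f" (next hop of reverse route to {rr['dst']} via {rr['ifc']})" if rr and rr['next_hop'] == ip else ''
            findings.append(f"session {sid}: ARP lookup failed for {ip}{where} while the session was installed")
    return findings

# Usage: for line in diagnose(summarize(SAMPLE_TRACE)): print(line)
```

Run over the full trace in the post it reports that session 7103 saw three SYNs from 194.x.x.2 forwarded out ethernet0/1 and three SYN-ACKs from 10.10.10.2 sent out ethernet0/0 over ten seconds with no ACK, and that the ARP lookup for 10.x.x.193, the next hop of the reverse route toward 194.x.x.2 on ethernet0/0, failed when the session was installed. The firewall still transmits each SYN-ACK (the "packet send out to 0013c4569108 through ethernet0/0" lines), so the ARP failure is not dropping the reply at the firewall itself; what the repeated SYNs show is that the client is not getting a SYN-ACK it accepts. The first things to verify on the SSG are therefore whether 10.x.x.193 is really the correct next hop toward 194.x.x.2 from ethernet0/0 (`get route ip 194.x.x.2`) and whether the firewall can resolve it (`get arp`), and, on the remote side, whether the SYN-ACK with source 10.x.x.194 actually arrives.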