Welcome to ISAserver.org


Pix Sandwich, in a pickle

Pix Sandwich, in a pickle - 2.Aug.2007 4:52:02 AM   
himji

 

Posts: 2
Joined: 2.Aug.2007
Status: offline
Ok, sorry for the pun but that's where I am currently.

My setup has an application sitting out by itself in a segregated part of the network. The infrastructure goes something like so.

Servers > pix > ISA 2006 EE array > pix > (outer dmz servers) pix (NAT) > internet

Now since this whole thing started back in January, I've had issues with ftp traffic from the servers to the outer dmz servers and the internet. I managed to get around this by getting the servers to use passive ftp as opposed to active, but some suppliers have changed ftp servers and it's all gone wrong again. They swear they are only using passive ftp tho...

Anyway, the problem that arises is that the initial connections work fine but then the data connections get dropped with 0xc0040017 FWX_TCP_NOT_SYN_PACKET_DROPPED.

As far as I can work out, I think because the connection is going through a number of pix firewalls which also do natting, somewhere along there the ISA array thinks the packets aren't part of the FTP connection and is dropping them.

I was just wondering if anybody has come across any similar situations and what they did about it.
Post #: 1
RE: Pix Sandwich, in a pickle - 2.Aug.2007 5:51:35 AM   
himji

 

Posts: 2
Joined: 2.Aug.2007
Status: offline
Slight update here in that it looks like they are using active ftp and not passive. I think the passive connections will resolve this issue.

However, I think there is a problem with the ftp filter in the way it's handling the packets in this situation, but seeing it's not a common ISA setup (well, I assume not), I doubt it's ever been tested by Microsoft.

(in reply to himji)
Post #: 2
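
Added example, not part of the original posts: a small Python check that reads FTP control-channel lines captured at one point in a chain like the one above and reports whether each data channel was negotiated as active (PORT/EPRT) or passive (227/229 replies), which is the question the thread turns on. It also flags when the address embedded in the command differs from the packet's sender, which happens when a NAT hop translates the IP header but not the FTP payload. The function names, the input shape and the sample lines are assumptions constructed for illustration.

```python
import re

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPRT = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|", re.I)
EPSV_REPLY = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

def hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def data_channels(lines):
    """lines: (sender_ip, control_line) pairs as seen at one capture point.
    Returns one dict per negotiated data channel: mode, endpoint, mismatch flag."""
    out = []
    for sender, line in lines:
        verb = line.split(" ", 1)[0].upper()
        if verb == "PORT":                       # client asks server to connect back
            mode, ep = "active", hostport(line)
        elif verb == "EPRT" and (m := EPRT.match(line)):
            mode, ep = "active", (m.group(1), int(m.group(2)))
        elif verb == "227":                      # server tells client where to connect
            mode, ep = "passive", hostport(line)
        elif verb == "229" and (m := EPSV_REPLY.match(line)):
            mode, ep = "passive", (sender, int(m.group(1)))  # 229 carries a port only
        else:
            continue
        if ep is None:
            continue
        # Embedded address differs from the packet sender: the payload was not
        # rewritten along the path, so the peer is handed an address it may not reach.
        out.append({"mode": mode, "endpoint": ep, "address_mismatch": ep[0] != sender})
    return out

# Constructed sample using documentation addresses, not taken from the thread.
SAMPLE = [
    ("198.51.100.7", "USER anonymous"),
    ("198.51.100.7", "PORT 10,1,1,20,195,80"),
    ("203.0.113.5", "227 Entering Passive Mode (203,0,113,5,195,81)"),
    ("203.0.113.5", "229 Entering Extended Passive Mode (|||50002|)"),
]

if __name__ == "__main__":
    for finding in data_channels(SAMPLE):
        print(finding)
```

Running it over control-channel text exported from a capture on each side of a firewall shows which mode the remote end really uses and at which hop the embedded address stops matching.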
