Occasional Contributor II
Posts: 37
Registered: ‎05-25-2011

Passive FTP via RAP

Hey All,

I'm having an interesting issue with Passive FTP for users connected via RAP. I can connect and change directories, but the moment I do a display command (e.g. ls or dir) the session freezes and times out. Looking at the User Firewall State I see that things are allowed, but then denied. I can't figure out why it would all of a sudden get denied after being allowed.

Even with a specific allow rule, the traffic still gets denied.  Any ideas?  Thanks.

 

After Connecting:

User Firewall State

| Source IP | Source Port | Destination IP | Destination Port | Protocol | Status |
|---|---|---|---|---|---|
| 10.159.52.196 | 50597 | 10.159.54.35 | 21 | TCP | allow |
| 10.159.52.196 | 49665 | 10.159.16.5 | 53 | UDP | allow |
| 10.159.54.35 | 21 | 10.159.52.196 | 50597 | TCP | allow |
| 10.159.16.5 | 53 | 10.159.52.196 | 49665 | UDP | allow |

 

 

 After “ls” command:

User Firewall State

| Source IP | Source Port | Destination IP | Destination Port | Protocol | Status |
|---|---|---|---|---|---|
| 10.159.52.196 | 123 | 10.159.16.2 | 123 | UDP | allow |
| 10.159.52.196 | 50597 | 10.159.54.35 | 21 | TCP | deny |
| 10.159.52.196 | 49665 | 10.159.16.5 | 53 | UDP | allow |
| 10.159.16.2 | 123 | 10.159.52.196 | 123 | UDP | allow |
| 10.159.54.35 | 21 | 10.159.52.196 | 50597 | TCP | allow |
| 10.159.16.5 | 53 | 10.159.52.196 | 49665 | UDP | allow |

 

 

Here is the user-role configuration:

user-role DSG-Prod-rap_role
 access-list session "Split Tunnel"

ip access-list session "Split Tunnel"
  any any svc-dhcp  permit
  any host 10.159.54.35 tcp 21  permit
  any alias Internal any  permit
  any any any  route src-nat

netdestination Internal
  network 10.159.16.0 255.255.248.0
  network 10.159.48.0 255.255.248.0

 

 

 

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Passive FTP via RAP

Tim, I would suggest that you move this thread over to the unified wired and wireless for a broader audience for the RAPs.

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/bd-p/unified-wired-wireless-access
Thank You,
Troy

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Passive FTP via RAP


Try it in fully tunneled mode. (AKA, change the VAP to tunnel if you can).  It is possible in split-tunnel mode that the RAP does not have the ALG to support passive FTP.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 37
Registered: ‎05-25-2011

Re: Passive FTP via RAP

Hey cjoseph,

I converted one of the RAPs to have the SSID as tunneled. No luck. I did some more troubleshooting and I found the issue. After testing with other FTP clients and finding that they work, I narrowed the issue down to this client sending an EPSV (extended passive) request. For some reason, the RAP does not like this and would deny the connection. The workaround is to turn off EPSV on IPv4 (epsv4).

 

Quick question, what does ALG stand for?

 

Thanks.
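
Added example (not part of the original posts and not Aruba code): how a PASV reply and an EPSV reply differ on the FTP control channel, as seen by a hypothetical firewall helper that pre-authorizes the data connection. The sample replies, the function names and the `understand_epsv` switch are constructed for illustration; whether the RAP works this way is an assumption the thread does not confirm.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: 229 ... (<d><d><d>port<d>), <d> is usually "|"
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply, server_ip, understand_epsv=True):
    """Return the (ip, port) the client will open for data, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed reply, do not open anything
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply) if understand_epsv else None
    if m:
        port = int(m.group(2))
        # EPSV carries no address: data goes to the control-connection peer.
        return (server_ip, port) if 0 < port < 65536 else None
    return None


def pinholes(control_replies, server_ip, understand_epsv):
    """Data flows a helper would pre-authorize from the control channel."""
    found = set()
    for line in control_replies:
        endpoint = data_endpoint(line, server_ip, understand_epsv)
        if endpoint:
            found.add(endpoint)
    return found


# Constructed control-channel replies; the server address is the one in the post.
SERVER = "10.159.54.35"
PASV_SESSION = ["220 ready", "227 Entering Passive Mode (10,159,54,35,195,80)"]
EPSV_SESSION = ["220 ready", "229 Entering Extended Passive Mode (|||50000|)"]

if __name__ == "__main__":
    print("PASV, 227-only helper:", pinholes(PASV_SESSION, SERVER, False))
    print("EPSV, 227-only helper:", pinholes(EPSV_SESSION, SERVER, False))
    print("EPSV, 229-aware helper:", pinholes(EPSV_SESSION, SERVER, True))
```

A helper that only recognizes the 227 format learns no data port from the 229 reply, so the follow-up data connection for `ls` has no matching pre-authorized flow.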

Aruba
Posts: 760
Registered: ‎05-31-2007

Re: Passive FTP via RAP


ALG == Application Level Gateway

 

Examples and Deep Dive: 

http://en.wikipedia.org/wiki/Application-level_gateway

 

 

JF
