Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Passive FTP via RAP

  • 1.  Passive FTP via RAP

    Posted Sep 20, 2013 06:38 PM

    Hey All,

    I'm having an interesting issue with Passive FTP for users connected via RAP.  I can connect and change directories, but the moment I do a display command (e.g. ls or dir) the session freezes and times out.  Looking at the User Firewall State I see that things are allowed, but then denied.  I can't figure out why it would all of a sudden get denied after being allowed.

    Even with a specific allow rule, the traffic still gets denied.  Any ideas?  Thanks.


    After Connecting:

    User Firewall State

    Source IP        Source Port   Destination IP   Destination Port   Protocol   Status
    10.159.52.196    50597         10.159.54.35     21                 TCP        allow
    10.159.52.196    49665         10.159.16.5      53                 UDP        allow
    10.159.54.35     21            10.159.52.196    50597              TCP        allow
    10.159.16.5      53            10.159.52.196    49665              UDP        allow

    After "ls" command:

    User Firewall State

    Source IP        Source Port   Destination IP   Destination Port   Protocol   Status
    10.159.52.196    123           10.159.16.2      123                UDP        allow
    10.159.52.196    50597         10.159.54.35     21                 TCP        deny
    10.159.52.196    49665         10.159.16.5      53                 UDP        allow
    10.159.16.2      123           10.159.52.196    123                UDP        allow
    10.159.54.35     21            10.159.52.196    50597              TCP        allow
    10.159.16.5      53            10.159.52.196    49665              UDP        allow

    Here is the user-role configuration:

    user-role DSG-Prod-rap_role
     access-list session "Split Tunnel"

    ip access-list session "Split Tunnel"
      any any svc-dhcp  permit
      any host 10.159.54.35 tcp 21  permit
      any alias Internal any  permit
      any any any  route src-nat

    netdestination Internal
      network 10.159.16.0 255.255.248.0
      network 10.159.48.0 255.255.248.0



  • 2.  RE: Passive FTP via RAP

    EMPLOYEE
    Posted Sep 20, 2013 06:55 PM
    Tim, I would suggest that you move this thread over to the unified wired and wireless board for a broader audience for the RAPs.

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/bd-p/unified-wired-wireless-access


  • 3.  RE: Passive FTP via RAP

    EMPLOYEE
    Posted Sep 20, 2013 10:41 PM

    Try it in fully tunneled mode. (AKA, change the VAP to tunnel if you can).  It is possible in split-tunnel mode that the RAP does not have the ALG to support passive FTP.



  • 4.  RE: Passive FTP via RAP

    Posted Sep 24, 2013 12:09 AM

    Hey cjoseph,

    I converted one of the RAPs to have the SSID as tunneled.  No luck.  I did some more troubleshooting and I found the issue.  After testing with other FTP clients and finding that they work, I narrowed the issue down to this client sending an EPSV (extended passive) request.  For some reason, the RAP does not like this and would deny the connection.  The workaround is to turn off EPSV on IPv4 (epsv4).

    Quick question, what does ALG stand for?

    Thanks.
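To make the PASV-versus-EPSV difference from the two replies above concrete, here is an added example (not from this thread, nor HPE Aruba Networking code) that models what a stateful FTP helper has to parse on the control channel: a classic 227 reply carries address and port as six decimal fields, a 229 (EPSV) reply carries only a port in `(|||port|)` form, and a helper that understands only 227 opens no pinhole for the EPSV data connection, so that connection falls through to the default rule. The server address is the one from the thread; the reply strings and ports are constructed.

```python
import re

# Constructed sample control-channel replies (RFC 959 PASV and RFC 2428 EPSV).
# The server address matches the FTP server in the thread; the ports are made up.
SERVER_IP = "10.159.54.35"
PASV_REPLY = "227 Entering Passive Mode (10,159,54,35,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply, control_server_ip, accept_epsv=True):
    """Return the (ip, port) a client opens its data connection to, or None
    when the reply is not understood by this parser."""
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPSV_RE.match(reply)
    if m and accept_epsv:
        # EPSV announces only a port; the data connection goes to the control server.
        return control_server_ip, int(m.group(1))
    return None


class FtpAlg:
    """Minimal model of an FTP application-level gateway: it watches 227/229
    replies and opens a pinhole for the announced data port."""

    def __init__(self, supports_epsv):
        self.supports_epsv = supports_epsv
        self.pinholes = set()

    def observe_reply(self, reply, control_server_ip):
        target = parse_passive_reply(reply, control_server_ip, self.supports_epsv)
        if target is not None:
            self.pinholes.add(target)
        return target

    def check_data_connection(self, dst_ip, dst_port):
        # No pinhole means the data SYN is judged by the default rule instead.
        return "allow" if (dst_ip, dst_port) in self.pinholes else "deny"


def demo(reply, alg_supports_epsv):
    """Client understands both reply forms; the ALG only what it was built for."""
    client_target = parse_passive_reply(reply, SERVER_IP)
    alg = FtpAlg(alg_supports_epsv)
    alg.observe_reply(reply, SERVER_IP)
    return alg.check_data_connection(*client_target)
```

`demo(EPSV_REPLY, False)` reproduces the symptom (deny), while forcing the client back to PASV, as the epsv4 workaround does, gives allow with the same ALG.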



  • 5.  RE: Passive FTP via RAP

    Posted Sep 24, 2013 01:05 AM

    ALG == Application Level Gateway

    Examples and Deep Dive:

    http://en.wikipedia.org/wiki/Application-level_gateway

    JF