FTPS and Sonicwall

Hello,

I set up a rule to connect to an FTPS server outside of my customer network and I keep receiving the following error message:

TCP FIN packet dropped, out-of-order command packet dropped

My rule is as follows:

WAN to LAN, only the IP address of the FTPS server is allowed to communicate through some ports (submitted by the FTPS server host) to the computer.


Any help from you will be appreciated.


Thanks in advance.


Paul.

Category: High End Firewalls

Answers

  • Hello @Paul_Celin75,

    Welcome to SonicWall Community.

    So, the FTPS server is behind the SonicWall and a computer from outside is unable to talk to it?

    Could you please make sure that the port forwarding is done correctly as per the KB article below

    Also, the packet that is being dropped, is it the SYN packet or just some other packet? Also, are you able to successfully connect to the FTPS server internally?

    Is the connection made in active or passive mode?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Paul_Celin75 Newbie ✭

    Hello @SHIPRASAHU93,

    Thanks for your prompt reply.

    The FTPS server is outside of the SonicWall network. The computer we are using to access it is behind the SonicWall. The connection is made in passive mode.

    Thanks again.


    Paul

  • Hello @Paul_Celin75,

    In that case the Any, Any, Any LAN to WAN rule should allow this traffic.

    1. Are you using client DPI SSL? If yes, could you please exclude the FTP server from DPI SSL and test once?
    2. In passive mode, both data and control connections are made by the client, so it should be allowed. Are the allowed ports narrowed down on the access rules from LAN to WAN?
    3. Could you please check whether, under MANAGE | Firewall Settings | Advanced Settings, 'Enable FTP Transformations for TCP port(s) in Service Object:' is set to FTP (All)?
    4. Which packet is being dropped as out of order?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Paul_Celin75 Newbie ✭

    Hello @SHIPRASAHU93,

    Thanks for your prompt reply.


    1. Are you using client DPI SSL? If yes, could you please exclude the FTP server from DPI SSL and test once? It is not in use.
    2. In passive mode, both data and control connections are made by the client, so it should be allowed. Are the allowed ports narrowed down on the access rules from LAN to WAN? Yes, they are.
    3. Could you please check whether, under MANAGE | Firewall Settings | Advanced Settings, 'Enable FTP Transformations for TCP port(s) in Service Object:' is set to FTP (All)? It is set to FTP (All).
    4. Which packet is being dropped as out of order? It is not mentioned in the log.

    Thanks!


    Paul

  • Paul_Celin75 Newbie ✭

    Hello @SHIPRASAHU93,


    Thanks for your help. The issue has been fixed.


    Paul

  • Glad the issue is fixed. Would you like to share what the issue was and how you resolved it?
    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Paul_Celin75 Newbie ✭

    Hi @SHIPRASAHU93,


    I added the port range used by the FTPS server in the access rules from LAN to WAN.


    Thanks.


    Paul

  • Perfect. Thanks for sharing.

    Shipra Sahu

    Technical Support Advisor, Premier Services
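
Added example, not part of the original thread: with FTPS the control channel is TLS-encrypted, so the firewall cannot read the passive-mode reply and the LAN to WAN rule has to list the server's data ports explicitly, which is the fix reported above. The script parses the 227/229 reply as shown in the FTPS client's own log and checks the announced data port against the egress allow list; the port ranges and sample replies are constructed values.

```python
import re

# Constructed LAN -> WAN allow list: control ports plus the passive data
# range published by the FTPS server host (hypothetical values).
ALLOWED_EGRESS = [(21, 21), (990, 990), (50000, 50100)]

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((?:\d{1,3},){4}(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)   -> delimiter repeated
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_port(reply):
    """Return the TCP data port announced in a PASV (227) or EPSV (229) reply."""
    m = PASV_RE.match(reply)
    if m:
        p1, p2 = int(m.group(1)), int(m.group(2))
        if p1 > 255 or p2 > 255:
            raise ValueError("port octet out of range: %r" % reply)
        return p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range: %r" % reply)
        return port
    raise ValueError("not a passive-mode reply: %r" % reply)


def check(reply, ranges=ALLOWED_EGRESS):
    """Return (port, allowed) for one passive-mode reply line."""
    port = data_port(reply)
    return port, any(lo <= port <= hi for lo, hi in ranges)


# Constructed sample lines, as an FTPS client would log them.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # 195*256+80 = 50000
    "229 Entering Extended Passive Mode (|||50042|)",
    "227 Entering Passive Mode (203,0,113,10,234,96)",  # 234*256+96 = 60000
]

if __name__ == "__main__":
    for line in SAMPLES:
        port, ok = check(line)
        verdict = "allowed" if ok else "BLOCKED by LAN->WAN rule"
        print(f"{port:>5}  {verdict}  {line}")
```

A data port reported as blocked here is one the narrowed LAN to WAN rule would drop, so the data connection fails even though the control connection succeeds.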
