[avasile]

I implemented some clients to use active FTP and a firewall. All works fine but sometimes my clients cannot connect and I see the following in firewall's log: out of order packets dropped".
I t is very frustrating. Can anyone help?
Thank you,
Adrian G Vasile

Edited by avasile, 16 June 2005 - 09:06 PM.

[Advertisements]

Are you sure that the log transactions mentioned are written when the users can't connect?? What type of firewall are you running?

Greazy Mcgeezy

[Greazy]

Are you sure that the log transactions mentioned are written when the users can't connect?? What type of firewall are you running?

Greazy Mcgeezy

[avasile]

Yes. The log shows up ONLY when trasnsmissions are happening. I have a sonicwall Pro 4060 version 3.1 enhanced.
I know the NAT and Access rules are somehow correct because it works but sometimes they just can't go through. I was looking at "diag.html" and I saw a setting called "allow out of order packets".
What do you think?
Thank you for the help.
Adrian Vasile

[Greazy]

If you can change that setting, you may want to try it. However by accepting out of order packets, IF you had someone sniffing your network and constructing their own packets, it may make it easier for them to steal the transmission. But, if for some reason some of the packets that are destined to you are traveling different paths for example (which can happen), and arrive in a different order than what they were sent, then it would accept those instead of dropping them. I would maybe try to enable the "allow out of order packets" option and see how it goes. BE SURE TO KEEP A VERY CLOSE CHECK ON YOUR LOGS after you do this. Your firewall should have other means to prevent someone stealing the transmission but I'm not familiar with SonicWall Pro. Again, just curious why you want to use Active instead of Passive?

Greazy Mcgeezy

[avasile]

I just checked the setting and it is set up to ALLOW out of order packets. That means it is not the problem.
I am using Active FTP because my clients are some Palm Pilots - very old and this is the way they have written the application code. I could get a new FTP client but it would not work with our system.
Any other thoughs? I really need to fix this.
Thank you,
Adrian G Vasile

[Greazy]

Well, have you noticed any kind of patterns as to when the invalid logons and log transactions are happening? What time, locations of remote users, only certain users. Is there any common transactions before/after the occurrences?

Greazy Mcgeezy

[avasile]

Well, each salesmen has to be in by 4:30 pm. before 4:00 i never get a log regarding "Out of order ..." message. Between that time and 4:30 I get all the messages. I also can track the IP addresses of the Palms. It is a big range (DHCP server) and I can see them on my AS 400 server. It seems like FTP Data cannot be created.
Other log events? Nothing unusual. Just some TCP FIN drops.

[avasile]

I was wrong. After studying the logs I saw the same error message coming up prior and duting the transmissions; it says "ICMP time exceeded , Code 0". It has as source an IP address which I determined is our cellular provider.
It hapens every day at the same time so I know it is related to my problem.
What is this message saying?
Thank you,

[Greazy]

Well, a "Time exceeded Code 0", means that the Time to Live (TTL) expired. The part about the IP being your cellular provider, well, that would have to be for you to decide if that is strange traffic or not. Are these transactions occuring at exactly the same time each day or is it around the same time?? And you have said that it is all about the time that your clients are trying to log in? Do you get logs of what ports that transaction is trying to access before it dies? Are they all trying to log in the same way or different ways, and if same way, are several trying to connect at once? From the look of that error, for some reason it's just timing out, it could be from their end depending on how they are connecting.

Greazy Mcgeezy

[avasile]

Well I have looked at the log. The error shows up everytime time they are trying to transmit but not at exactly the same time. It seems that the packet is coming from source ip port 11 (IP address:11). I talked to cell phone provider and they cannot figure it out. Their TTL is set to 200 (and something) but i know for sure that the error message is related to their IP address.
Do you want to take a look at the log? I'm desperate.
Is there another way to fix this? maybe a proxy server? How about if I put the TP server in DMZ?
Thank you,
Adrian

[Greazy]

I will help you review the logs if you would like. I will send you a PM with best form of contact.

Greazy Mcgeezy