All,
I've been trying to solve some strange problems with our Nokia firewall
with CP4.1 SP1 and 2, tried both. Here's what I have:
Remote internal network (HP Unix version 12)
|
|
CP4.1 SP1 on Solaris
|
|
Web
|
|
CP4.1 SP2 on Nokia
|
|
Local internal network (NT 4.0 with IIS 4.0)
The VPN connection is working just fine for other protocols, but FTP. I can
put files to the remote HP Unix server. However, I can not do a get from the
same, the connection times out. To make matter worse the remote Unix server
can get files from the local IIS server, but can not put files to the same.
It shows up in the FTP folder as a zero size file and once the connection
times out the file is removed by IIS. It's pretty much a one way transfer
from IIS to HP Unix. To eliminate platform issues I set up a Linux box on
the local network with the FTP server and tested the FTP transfer again. The
results were the same as previously described, connection timed out on put
from the Unix to Linux.
I downgraded the SP from 2 to 1 on the local side to match the remote site's
SP, hoping that it will solve the problem. It did not help, the issue
remained. Lance posted some modifications to the base.def files, which I
tried also with SP2. That didn't change the status of the problem. Today, I
upgraded the IPSO 3.2.1 to 3.3 with CP SP2, but it didn't help. Unfortunetly
the 3.3 does not have a SP1 for CP.
We have set up an NT box on the remote network and that has no problems
putting or getting files to the IIS FTP server. Add to this that other
vertical clients with CP 4.1 SP1 on Solaris have no problems with the FTP
transfer over VPN either, although I do not know what platform they used to
transfer the files from.
At this point I'm ready to switch to NT on the remote site, however, the
vertical client's Unix admin doesn't want to hear about problems originating
from Unix. Does anyone know about FTP issues on HP Unix version 12?
TIA...
Otto
----- Original Message -----
From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Friday, December 22, 2000 5:54 PM
Subject: Re: ftp server using random high ports and checkpoint
> Ivan -
>
> This sounds less like an issue with the type
> of FTP server, and more of a timeout issue.
>
> If it works for other directories between
> this same client and server, then it wouldn't
> be an issue of port numbers (I don't know of any
> FTP servers that use varying port numbers based
> on quantity of files).
>
> Is the connection timing out? That is, do any
> of the files get successfully transferred?
>
> I've never actually used Firewall-1, but other
> stateful packet firewalls have timeouts on the
> stateengines. Perhaps it is taking too long
> and the firewall is losing state? sniffing on
> the wire and looking at the firewall state tables
> would help narrow down where exactly you're seeing
> a problem.
>
> As a workaround, you might be able to transfer the
> files in smaller bursts (like 100 files at a time, instead
> of 10,000).
>
> hth
>
> Valerie
>
> > Delivered-To: [EMAIL PROTECTED]
> > X-Originating-IP: [32.96.234.98]
> > From: "Ivan Fox" <[EMAIL PROTECTED]>
> > Lance;
> >
> > Thank you for your input.
> >
> > We have already done what you have advised.
> >
> > In fact, we have "complained" to Microsoft premium support. It knows
> > exactly what is the problem and directs us to talk to Check Point.
> >
> > We logged a technical support call to Check Point. We have gone through
4
> > different technical support specialists over a week, the problem is
still
> > here!
> >
> > Interestingly, it is only a folder with 10,000 1K files has problem.
The
> > other folder with many sub-folders with many 1K files without problem!
(As
> > a result, a hypothsis (sp) says it might be the NTFS Master File Table
(aka
> > file allocation table) causing this problem!)
> >
> > Any further comments are appreciated.
> >
> > Thanks and have a merry Holiday.
> >
> > Ivan
> >
> >
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
