
Resolving SFTP file transfer interruptions over an L2TP VPN tunnel

Publication Date:  2012-10-25
Issue Description
An office-site customer reported that SFTP transfers to the intranet over an L2TP VPN tunnel were being interrupted.
After the customer establishes the L2TP VPN tunnel and uses the SecureFX tool (SFTP protocol) to transfer files to the intranet server, any file larger than 10M causes the Virtual-Template1 interface to flap between UP and DOWN, and the SFTP upload fails. An FTP upload test shows the same fault.
Customer network: two firewalls form a VRRP pair connected to the core switch, with three VRRP groups configured: the intranet interface has two VRRP groups and the extranet interface has one. The public IP is the VRRP virtual address.
Alarm Information
none
Handling Process
First, check the customer's VRRP state and HRP state. The output shows that the master's configuration state is normal, so VRRP can be ruled out as the cause.

[USG]display hrp state

=====================================================
firewall has enabled HRP mirror session function!
The firewall's config state is: MASTER

Current state of virtual routers configured as master:
             GigabitEthernet0/0/3    vrid   4 : master
             GigabitEthernet0/0/2    vrid   3 : master
             GigabitEthernet0/0/1    vrid   2 : master
             GigabitEthernet0/0/1    vrid   1 : master

[USG]display vrrp
================================================
15:25:04  2012/04/12
  GigabitEthernet0/0/3 | Virtual Router 4
    VRRP Group : Master
    state : Master
    Virtual IP : 192.168.235.251
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet0/0/2 | Virtual Router 3
    VRRP Group : Master
    state : Master
    Virtual IP : 192.168.239.254
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet0/0/1 | Virtual Router 1
    VRRP Group : Master
    state : Master
    Virtual IP : 172.16.200.10
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet0/0/1 | Virtual Router 2
    VRRP Group : Master
    state : Master
    Virtual IP : 114.113.154.190
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES
Next, check the inter-domain packet-filtering policies configured by the customer. Only the following are opened:
local ---- trust / local ---- hrp
(hrp is a customer-defined zone for the heartbeat interface)
Besides these two inter-domain policies, the untrust - trust inter-domain policy is also opened; there is no deny policy on the data flow, and the policy configuration shows no obvious problem. The detect ftp command was also enabled in the inter-domain and intra-domain views. After testing, the problem still exists.
The customer was advised to check whether the problem is related to permissions on the intranet server or to a deny policy there. The customer's test showed that without dialing L2TP, uploading via SFTP or FTP works fine. Once dialed in through L2TP, uploading through SFTP/FTP causes the VT port to go UP/DOWN and the upload fails.
Checking the customer configuration again, we found that "firewall defend udp-flood interface XXX" was configured, enabling UDP flood defense detection on that interface. After helping the customer disable this function, an SFTP/FTP upload of a file larger than 10M succeeded; problem solved.
So the problem appears to be related to UDP packets.
Root Cause
To help the customer run a standby test, FTP file transfer was performed through the web page. A 5M file uploads successfully, but an 8M to 10M file stops at a certain position with the prompt "peer end stop file uploading, please check whether has the permission or configure deny policy".
Possible causes:
1. The customer configured VRRP; the dual-device setup may affect SFTP file transmission.
2. An inter-domain policy limits SFTP file transfers.
3. The peer server has permission problems or a deny policy configured.

Suggestions
Because the customer uses SFTP/FTP after establishing the L2TP VPN tunnel, the uploaded file also travels through the L2TP VPN tunnel. Once attack defense is configured on the interface, it does not take the VPN into account at all; it simply monitors the UDP packets of the L2TP VPN. When those packets exceed the UDP rate threshold set by the interface's attack defense, the defense drops them, the virtual template (VT) interface goes down, and the data transmission fails.
This case can be used as a reference when dealing with data transmission errors inside a VPN.
The key configuration is in the attachment.
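The following is an added illustration of the mechanism described above; it is not Huawei's implementation and not part of the original case. It models a per-interface UDP packet budget applied to the public interface that terminates L2TP: because every inner TCP segment of the SFTP session is carried as one UDP/1701 datagram, bulk payload and L2TP control messages (Hello) compete for the same budget, and once the payload rate exceeds the threshold the control messages are dropped and the tunnel is torn down. The segment size, thresholds, transfer rate, Hello retry schedule, the constant offered load and the "data queued ahead of control" ordering are all constructed assumptions chosen to reproduce the small-file-succeeds, large-file-fails behaviour reported by the customer.

```python
"""Toy model: interface-level UDP flood threshold versus L2TP-encapsulated SFTP.

Added example, not Huawei's algorithm. All constants below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

INNER_PACKET_BYTES = 1400        # assumed inner TCP segment carried per L2TP/UDP datagram
HELLO_INTERVAL_S = 60            # assumed L2TP Hello interval when acknowledged
HELLO_BACKOFF_S = (1, 2, 4, 8)   # assumed control-message retransmit schedule (seconds)
HELLO_MAX_ATTEMPTS = 5           # assumed: tunnel torn down after 5 unacknowledged Hellos


@dataclass
class UdpFloodDefense:
    """Per-interface budget: at most max_pps UDP packets per 1-second window, rest dropped.

    max_pps=None models the defense disabled on that interface (the fix applied in the case).
    """
    max_pps: Optional[int]
    _window: int = -1
    _count: int = 0

    def accept(self, now: int) -> bool:
        if self.max_pps is None:
            return True
        if now != self._window:
            self._window, self._count = now, 0
        self._count += 1
        return self._count <= self.max_pps


def l2tp_udp_pps(offered_bytes_per_s: int) -> int:
    """Outer UDP packet rate produced by an inner TCP stream of the given throughput."""
    return offered_bytes_per_s // INNER_PACKET_BYTES


def min_safe_threshold_pps(offered_bytes_per_s: int, headroom: int = 2) -> int:
    """If the defense must stay enabled on the tunnel interface, the threshold needs to sit
    above the tunnel's expected packet rate with some headroom (constructed rule of thumb)."""
    return l2tp_udp_pps(offered_bytes_per_s) * headroom


@dataclass
class Result:
    completed: bool                # whole file delivered before the tunnel failed
    tunnel_down_at: Optional[int]  # second at which the 5th Hello was lost, if any
    seconds: int                   # simulated seconds elapsed
    dropped_data: int              # data datagrams discarded by the defense


def simulate_upload(file_bytes: int, offered_bytes_per_s: int,
                    max_pps: Optional[int], max_seconds: int = 600) -> Result:
    """Second-by-second simulation of one SFTP upload through the tunnel.

    Offered load is held constant (bulk SFTP keeps the window full), and in each tick the
    data datagrams reach the defense before the Hello (worst case for control traffic).
    """
    defense = UdpFloodDefense(max_pps)
    pps = l2tp_udp_pps(offered_bytes_per_s)
    delivered = dropped = 0
    hello_due = 0          # next second a Hello (or its retransmission) is sent
    hello_failures = 0     # consecutive unacknowledged Hellos
    for now in range(max_seconds):
        for _ in range(pps):
            if defense.accept(now):
                delivered += INNER_PACKET_BYTES
            else:
                dropped += 1
        if delivered >= file_bytes:
            return Result(True, None, now + 1, dropped)
        if now == hello_due:
            if defense.accept(now):
                hello_failures = 0
                hello_due = now + HELLO_INTERVAL_S
            else:
                hello_failures += 1
                if hello_failures >= HELLO_MAX_ATTEMPTS:
                    return Result(False, now, now + 1, dropped)
                hello_due = now + HELLO_BACKOFF_S[hello_failures - 1]
    return Result(False, None, max_seconds, dropped)


if __name__ == "__main__":
    rate = 2_000_000  # constructed: 2 MB/s bulk upload inside the tunnel
    for size, thr in ((5_000_000, 400), (10_000_000, 400), (10_000_000, None)):
        print(size, thr, simulate_upload(size, rate, thr))
    print("threshold with headroom:", min_safe_threshold_pps(rate))
```

With a 400 pps budget the 5M upload still completes (the first four Hellos are lost, but the file finishes before the fifth), while the 10M upload loses the fifth Hello at second 15 and the tunnel drops, which is the VT UP/DOWN symptom; with the defense disabled on that interface, or with a threshold above the tunnel's packet rate, the same upload completes with no drops.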
