No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configure black-hole route led to the FTP service fault

Publication Date:  2012-09-14 Views:  660 Downloads:  0
Issue Description
Since the address of the USG5100 address pool and the interface address are not in the same network segment, the firewall needs to configure black-hole route for the address pool segment. After that, configure nat server ftp server service is anomaly. The data channel can not be built up normally. Need to wait about 10 minutes to establish. Without configuring black-hole route , it will be built up quickly .
Networking diagram:
client ------- internet ------- USG ------- ftp_serve
Alarm Information
Handling Process
Handing Process
1.Configure black-hole routing, ftp service exception, can not see the corresponding session in the firewall. If there is no black-hole routing configuration, the session can be saw.
2. DO packet capture on the client, the client using pasv mode. Data channel connection is initiated by the client. The corresponding address is the private network address of the ftp server .
3. View firewall found that the state detection function has been closed. Change the client into port mode, the data channel connections initiated by the server, there is no problem.
4. Close the black-hole routing, seize packet in the client. The client displays using pass mode ,and then change into port mode immediately .The data channel connections initiated by the server. It is possible to create a data channel normally.
To sum up: when there isn’t configured the black-hole routing, match to the default route, and the uplink device turn packet sent back to the firewall, so that it will form a loop. Soon the TTL timeout willl send to the client. After the client receives it, change into port mode immediately, and change connect by the server, so it can be established successfully.
Root Cause
After configuring nat ,the firewall state inspection can’t be closed. If you turn off, the state detection similar to the FTP multi-channel protocol can’t play its role, led to the service abnormal.