Do we need to fix all the problems all the time ? My answer is no. Also I believe in good solution today and dismiss ideal solutions tomorrow. Let me show this on the real case with one of the clients.
Client has Checkpoint, lots of Checkpoint, just heaps of it. And all their work is based on VPN site to site communication between myriad of remote branches and the central office. All being VPNed. One of the services running inside those endless tunnels is plain old FTP. To be more precise scriptable scheduled transfer of files.
It has been working like that for years until it started making troubles. Not all sites in one go, just one site a day or a week, only that multiplied by the sheer number of the branches it became an avalanche.
Following usual path I tried to fix things by myself, and it worked at the beginning. But then number of troublesome sites increased, at some point I attached Checkpoint to the process. They didn’t see some
major problem, just many seemingly unrelated local ones.
Also the FTP problems differed:
- download of small files went ok but on files > 1Mb it got stuck;
- download of any single file was ok, but multiple files got it stuck;
- files got transferred but with file size 0;
And all this had no obvious reasons – FTP drops here and there. Little by little I found myself fighting the windmills. Could it be solved ? I guess so . How much time ? Months .
Then I solved this problem quite simple – the client didn’t care a bit what file protocol is being used as long as it is scriptable and Windows-friendly. So I run a test, and offered him to use SSH/SCP inside VPN tunnels instead of FTP.
The results of the tests were funny – from the same remote server, and all the rest being the same moving
files with scp (pscp.exe) annihilated all the problems seen with the FTP. That is it.
See you.
FTP inside VPN Checkpoint troubles
Posted in Checkpoint NG/NGX.
– May 19, 2010
2 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.
Looks like the kind of erratic behaviour you have with fragmentation/mtu issues… But then switching to SCP shouldn’t change much…
That was the catch – I didnt change anything, just installed pscp on the very same windows server that cant transfer anything in FTP and it just worked like a charm. Before coming to it I did anything I know with FTP at
firewalls level – disable Smartdefense, apply patches/HFAs, even disable FTP
security server through authfw.. completely – nothing . Where there were some drops on FTP I made sure all passed ok, still.
My conclusion is that it has to do with ftp exe and versioning/patch of client Windows – on the same server using Filezilla all worked fine. Only that there is no free reliable scriptable FTP client replacement for Windows.