FTP Data channel can match configured higher priority rules in NSX-T
Article ID: 306194

Products

VMware NSX

Issue/Introduction

Symptoms:
An FTP rule with the ALG enabled is meant to cover both the control channel and the data channels it negotiates. However, if another higher-priority rule exists above the FTP rule, data-channel traffic can match that rule instead of the FTP rule.

For example, two rules were created, in this priority order:

rule#1 ANY->ANY Port 1024-65535
rule#2 ANY->ANY Port 21 (FTP)

Observed FTP traffic:

Control packets hit rule 1558, which is the FTP rule (rule#2).
Data packets hit rule 1557, which is rule#1, instead of rule#2.

d38b6670000002d9 Active tcp 0800 OUT 1558 1 3 (est) 172.#.#.#:Unknown(50386) -> 172.#.#.#:ftp(21) 14600 TIMEWAIT:TIMEWAIT alg ctrl(FTP) 21 rtt 14278 retrans 0/0 1362 1215 19 22 attr: APP_FTP,APP_FTPCTRL
d38b6670000002da Active ipv6-icmp 86dd IN 1499 0 0 fe80::204:96ff:####:#### -> ff02::1 134 0 96 # # #
d38b6670000002db Active tcp 0800 OUT 1557 1 3 (est) 172.#.#.#:Unknown(57097) -> 172.#.#.#:Unknown(27048) 14600 TIMEWAIT:TIMEWAIT alg data(FTP) 21 d38b6670000002d9 rtt 292 retrans 18/0 98345 3216 70 57 attr: APP_INVALID
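The mismatch can be picked out of the flow table mechanically. The following script is an added example, not code from the article or from VMware: it parses flow-table lines in the format quoted above (field positions and the `alg ctrl(FTP) 21` / `alg data(FTP) 21 <control flow id>` layout are assumed from that sample, in which the data flow names the control flow it was negotiated on) and reports every ALG data flow whose rule id differs from the rule id of its control flow. The three sample lines are copied from this article with its masking left in place.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three flow-table entries quoted in Symptoms above,
# with the article's masked (#) address bytes left in place.
SAMPLE_FLOWS = """\
d38b6670000002d9 Active tcp 0800 OUT 1558 1 3 (est) 172.#.#.#:Unknown(50386) -> 172.#.#.#:ftp(21) 14600 TIMEWAIT:TIMEWAIT alg ctrl(FTP) 21 rtt 14278 retrans 0/0 1362 1215 19 22 attr: APP_FTP,APP_FTPCTRL
d38b6670000002da Active ipv6-icmp 86dd IN 1499 0 0 fe80::204:96ff:####:#### -> ff02::1 134 0 96 # # #
d38b6670000002db Active tcp 0800 OUT 1557 1 3 (est) 172.#.#.#:Unknown(57097) -> 172.#.#.#:Unknown(27048) 14600 TIMEWAIT:TIMEWAIT alg data(FTP) 21 d38b6670000002d9 rtt 292 retrans 18/0 98345 3216 70 57 attr: APP_INVALID
"""

# "alg ctrl(FTP) 21" on a control flow; "alg data(FTP) 21 <parent flow id>"
# on a data flow, where the parent is the control flow that negotiated it
# (assumed from the sample above).
ALG_RE = re.compile(r"\balg (ctrl|data)\((\w+)\) (\d+)(?: ([0-9a-f]{16}))?")


@dataclass
class Flow:
    flow_id: str
    proto: str
    direction: str
    rule_id: int
    alg_role: Optional[str] = None   # "ctrl" or "data" for ALG-tracked flows
    alg_proto: Optional[str] = None  # e.g. "FTP"
    parent_id: Optional[str] = None  # control flow a data flow belongs to


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow-table line. The positions of flow id, protocol,
    direction and rule id are assumed from the sample above."""
    parts = line.split()
    if len(parts) < 6 or not parts[5].isdigit():
        return None
    flow = Flow(flow_id=parts[0], proto=parts[2], direction=parts[4],
                rule_id=int(parts[5]))
    match = ALG_RE.search(line)
    if match:
        flow.alg_role, flow.alg_proto, _alg_port, flow.parent_id = match.groups()
    return flow


def parse_flows(text: str) -> Dict[str, Flow]:
    flows: Dict[str, Flow] = {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            flows[flow.flow_id] = flow
    return flows


def find_misrouted_data_channels(flows: Dict[str, Flow]) -> List[dict]:
    """Report ALG data flows whose rule id differs from the rule id of the
    control flow they belong to: the symptom described in this article."""
    findings = []
    for flow in flows.values():
        if flow.alg_role != "data" or flow.parent_id is None:
            continue
        ctrl = flows.get(flow.parent_id)
        if ctrl is None or ctrl.rule_id == flow.rule_id:
            continue
        findings.append({
            "alg": flow.alg_proto,
            "data_flow": flow.flow_id, "data_rule": flow.rule_id,
            "ctrl_flow": ctrl.flow_id, "ctrl_rule": ctrl.rule_id,
        })
    return findings


if __name__ == "__main__":
    for hit in find_misrouted_data_channels(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['alg']} data flow {hit['data_flow']} hit rule "
              f"{hit['data_rule']} but its control flow {hit['ctrl_flow']} "
              f"hit rule {hit['ctrl_rule']}")
```

Run against the sample it reports the one pair from the article: data flow d38b6670000002db on rule 1557 whose control flow d38b6670000002d9 is on rule 1558. Feed it the flow table of a transport node to find other data channels that were captured by a rule other than their ALG rule.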

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.x

Cause

This issue occurs because the firewall engine does not check the data-channel bit when it evaluates a regular rule. Data traffic that belongs to an ALG control connection is therefore matched by the first regular rule whose ports cover it, rather than by the ALG rule that covers its control channel.

Resolution

To resolve this issue, place the ALG rule at a higher priority than the regular rule, so that it is evaluated first and both the control and data channels match it. In the example above, rule#2 (FTP) must be moved above rule#1 (port 1024-65535).
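The ordering requirement can be checked before a ruleset is published. The following is an added example, not code from the article or from VMware: it models the evaluation described under Cause (a regular rule matches on ports alone and ignores the data-channel tag, an ALG rule also claims the data flows of its protocol) and audits a rule list for regular rules that sit above an ALG rule and overlap the ports a data channel can use. The rule list, the port range a data channel may use and the rule ids are constructed to mirror the article's example; the `Rule` model is a simplification of a real DFW rule (no source/destination groups, no action).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical port range the FTP data channel may land on; it matches
# rule#1 in the article's example. Adjust it to the range your FTP server
# and clients actually negotiate.
DATA_CHANNEL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    dst_ports: Tuple[int, int]   # inclusive destination port range
    alg: Optional[str] = None    # "FTP" marks the ALG service rule


# Constructed ruleset mirroring the article's example, in priority order
# (rule#1 above rule#2), with the rule ids the flow table reported.
RULES = [
    Rule(1557, "rule#1 ANY->ANY 1024-65535", (1024, 65535)),
    Rule(1558, "rule#2 ANY->ANY FTP", (21, 21), alg="FTP"),
]


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def matching_rule(rules: List[Rule], dst_port: int,
                  alg_data: Optional[str] = None) -> Optional[Rule]:
    """Model of the evaluation described under Cause: rules are tried in
    order; an ALG rule takes its control port and any data flow tagged with
    its protocol, while a regular rule matches on the port alone and never
    looks at the data-channel tag."""
    for rule in rules:
        in_range = rule.dst_ports[0] <= dst_port <= rule.dst_ports[1]
        if rule.alg is not None and (in_range or alg_data == rule.alg):
            return rule
        if rule.alg is None and in_range:
            return rule
    return None


def data_channel_capturers(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Audit: every (ALG rule, regular rule) pair where the regular rule sits
    above the ALG rule and covers ports the data channel can use."""
    found = []
    for pos, alg_rule in enumerate(rules):
        if alg_rule.alg is None:
            continue
        for regular in rules[:pos]:
            if regular.alg is None and overlaps(regular.dst_ports,
                                                DATA_CHANNEL_PORTS):
                found.append((alg_rule, regular))
    return found


def alg_rules_first(rules: List[Rule]) -> List[Rule]:
    """Apply the Resolution: move each ALG rule above the first regular rule
    that could capture its data channel. Other rules keep their order."""
    fixed = list(rules)
    for alg_rule, regular in data_channel_capturers(rules):
        if fixed.index(alg_rule) > fixed.index(regular):
            fixed.remove(alg_rule)
            fixed.insert(fixed.index(regular), alg_rule)
    return fixed


if __name__ == "__main__":
    for alg_rule, regular in data_channel_capturers(RULES):
        print(f"{regular.name} (id {regular.rule_id}) is above "
              f"{alg_rule.name} (id {alg_rule.rule_id}) and can take its "
              f"{alg_rule.alg} data channel")
    print("data flow to port 27048 matches rule",
          matching_rule(RULES, 27048, alg_data="FTP").rule_id)
    print("after reorder it matches rule",
          matching_rule(alg_rules_first(RULES), 27048, alg_data="FTP").rule_id)
```

With the article's ordering the audit flags rule#1 over rule#2 and the modelled data flow to port 27048 lands on rule 1557; after `alg_rules_first` moves the FTP rule to the top it lands on rule 1558, while non-FTP traffic to the same port still matches rule 1557, because the ALG rule only claims port 21 and flows tagged as its data channels.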