FTP packets are dropped by the Edge Firewall when using NSX-v 6.4.11 or later versions

Article ID: 332494

Updated On:

Products

VMware NSX

Issue/Introduction

When the FTP ALG is configured on the NSX Edge firewall, the FTP data connection cannot be established because the Edge firewall drops the data-channel packets. The Edge firewall log shows the control connection being accepted and the data connection being dropped:

<4>Dec 5 23:35:13 NSX-edge-28-0 firewall[]: [default]: ACCEPT_133173IN= OUT=vNic_0 SRC=10.50.60.70 DST=10.20.30.40 LEN=52 TOS=0x02 PREC=0x00 TTL=127 ID=11893 DF PROTO=TCP SPT=51816 DPT=21 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:13 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=52 TOS=0x02 PREC=0x00 TTL=124 ID=26151 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:16 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=26153 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:22 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=26154 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 SYN URGP=0

The first entry is the client (10.50.60.70) opening the control channel to the server (10.20.30.40) on tcp/21, which rule 133173 accepts. The next three entries are the server's active-mode data connection from tcp/20 back to the client's ephemeral port 51817. The FTP helper should have related these packets to the established control session, but they hit DROP rule 131073 instead, and the server's SYN is retransmitted three times (IDs 26151, 26153, 26154 over about ten seconds) without ever being answered.

Resolution

This issue is resolved in VMware NSX Data Center for vSphere 6.4.13. Upgrade to 6.4.13 or later. The workaround below applies only to Edges on the affected 6.4.11 and 6.4.12 releases and should be reverted once the Edge has been upgraded.


Workaround:
To work around the issue, enable the net.netfilter.nf_conntrack_helper sysctl on the NSX Edge. This setting controls the Linux kernel's automatic conntrack helper assignment: while it is disabled (the kernel default since Linux 4.7), the FTP helper is not attached to the control connection unless a firewall rule assigns it explicitly, so the data connection is never recognised as related traffic and falls through to the drop rule.

  1. Connect to the NSX Manager CLI as admin and enter enable mode by typing: en
  2. Enter engineering mode by typing: st en
  3. Enter the password when prompted: IAmOnThePhoneWithTechSupport
  4. Obtain the root password for the Edge by running: /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh
  5. Open the Edge VM console, log in as the admin user and enter enable mode by typing: en
  6. Enable engineering mode by typing: debug engineeringmode enable
  7. Exit enable mode by typing: disable
  8. Enter the root shell on the Edge by typing st en and supplying the password obtained in step 4.
  9. Run the following commands in the root shell. The first makes the setting persist across Edge reboots; the second applies it to the running kernel immediately:
echo "net.netfilter.nf_conntrack_helper = 1" >> /etc/sysctl.conf
sysctl net.netfilter.nf_conntrack_helper=1

Verify with sysctl -n net.netfilter.nf_conntrack_helper (expect 1) and retest an FTP transfer; the DROP entries for the tcp/20 data connection should no longer appear in the firewall log.

An Edge redeploy or upgrade replaces the appliance, so this change does not survive it. Reapply the workaround if an Edge is redeployed while still on an affected version.

Note that nf_conntrack_helper=1 turns on automatic helper assignment for every conntrack helper loaded on the Edge, not only FTP. The kernel changed the default to 0 because an automatically attached helper allows traffic on a tracked control channel to create expectations (pinholes) for data connections without any explicit firewall rule. Keep the setting only until the Edge is upgraded to 6.4.13, then remove the line from /etc/sysctl.conf.
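The following bash script is an added example for this article, not VMware's code. It wraps the step-9 workaround in an idempotent form (the plain echo >> /etc/sysctl.conf above stacks a duplicate line every time the workaround is re-run after a redeploy) and adds a triage function that scans an Edge firewall log for the symptom shown above: dropped active-mode data SYNs from tcp/20 whose client has an accepted control connection to tcp/21. Function names, the --demo flag and the decoy log line are illustrative; the sample log is the four entries quoted above plus one constructed line for a client that never opened a control channel.

```bash
#!/bin/bash
# Added example for this KB (not VMware's code). Run on the Edge root shell as:
#   persist_helper_setting /etc/sysctl.conf && apply_and_verify_live
# or offline against constructed data with:  bash this_script.sh --demo
set -u

KEY='net.netfilter.nf_conntrack_helper'
KEY_RE='net\.netfilter\.nf_conntrack_helper'

# persist_helper_setting CONF
# Writes "KEY = 1" to CONF exactly once. Any stale line for the key (e.g. "= 0")
# is removed first so the file carries a single authoritative value.
persist_helper_setting() {
    local conf="$1"
    if [ -f "$conf" ] && grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf"; then
        echo "already persisted in $conf"
        return 0
    fi
    if [ -f "$conf" ]; then
        grep -Ev "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$conf.tmp" || true
        mv "$conf.tmp" "$conf"
    fi
    echo "${KEY} = 1" >> "$conf"
    echo "persisted in $conf"
}

# helper_line_count CONF: number of lines that set the key (expect exactly 1)
helper_line_count() {
    grep -Ec "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$1" || true
}

# apply_and_verify_live: set the running kernel value and read it back.
# Only meaningful in the Edge root shell (step 8); not exercised offline.
apply_and_verify_live() {
    sysctl -w "${KEY}=1" >/dev/null
    [ "$(sysctl -n "$KEY")" = "1" ]
}

# ftp_data_drops LOGFILE
# Prints one line per dropped FTP data SYN (server tcp/20 -> client) whose
# client has an accepted control connection (client -> server tcp/21) anywhere
# in the same log. Two passes over the file: NR==FNR is the first pass.
ftp_data_drops() {
    awk '
        function val(name,    i, p) {
            p = name "="
            for (i = 1; i <= NF; i++)
                if (index($i, p) == 1) return substr($i, length(p) + 1)
            return ""
        }
        NR == FNR {
            if ($0 ~ /ACCEPT_[0-9]+/ && val("PROTO") == "TCP" && val("DPT") == "21")
                ctrl[val("SRC") "," val("DST")] = 1
            next
        }
        $0 ~ /DROP_[0-9]+/ && val("PROTO") == "TCP" && val("SPT") == "20" &&
        ((val("DST") "," val("SRC")) in ctrl) {
            print "ftp-data drop: " val("SRC") ":20 -> " val("DST") ":" val("DPT") " (control " val("DST") " -> " val("SRC") ":21 was accepted)"
        }
    ' "$1" "$1"
}

# write_sample_log PATH: the four entries quoted in this KB plus one constructed
# decoy (a tcp/20 drop towards 10.50.60.99, which has no accepted control channel).
write_sample_log() {
    cat > "$1" <<'EOF'
<4>Dec 5 23:35:13 NSX-edge-28-0 firewall[]: [default]: ACCEPT_133173IN= OUT=vNic_0 SRC=10.50.60.70 DST=10.20.30.40 LEN=52 TOS=0x02 PREC=0x00 TTL=127 ID=11893 DF PROTO=TCP SPT=51816 DPT=21 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:13 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=52 TOS=0x02 PREC=0x00 TTL=124 ID=26151 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:16 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=26153 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 CWR ECE SYN URGP=0
<4>Dec 5 23:35:22 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.70 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=26154 DF PROTO=TCP SPT=20 DPT=51817 WINDOW=32768 RES=0x00 SYN URGP=0
<4>Dec 5 23:36:00 NSX-edge-28-0 firewall[]: [default]: DROP_131073IN= OUT=vNic_1 SRC=10.20.30.40 DST=10.50.60.99 LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=26200 DF PROTO=TCP SPT=20 DPT=40000 WINDOW=32768 RES=0x00 SYN URGP=0
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_log "$tmp/firewall.log"
    ftp_data_drops "$tmp/firewall.log"          # three matches; the decoy is ignored
    persist_helper_setting "$tmp/sysctl.conf"   # persisted
    persist_helper_setting "$tmp/sysctl.conf"   # already persisted, file unchanged
    echo "lines setting the key: $(helper_line_count "$tmp/sysctl.conf")"
    rm -rf "$tmp"
fi
```

The correlation in ftp_data_drops is deliberately strict: a tcp/20 drop on its own is not evidence of this bug, since any host can send SYNs from source port 20, whereas a drop towards a client that the same log shows opening a control session is exactly the sequence in the excerpt above. Running it over the Edge log after the workaround (or after the 6.4.13 upgrade) should produce no output.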