USG20 Routing Issue during FTP transfer

Brandon
Brandon Posts: 3
edited April 2021 in Security
Salutations,

I'm trying to FTP into a USG20 w/ 3.30(BDQ.9) for config-backup purposes and for some reason the ZyWALL wants to route differently as soon as the data connection begins for transferring a file. The issue is not happening on our USG20-VPN, and I'm curious if perhaps there's a configuration I'm missing somewhere.

Path:
FTP Client VM -> LocalRouter -> USG110 -> VPN Tunnel to another geographical location -> USG20

The control port 21 works fine and traffic flows back and forth along this path during normal FTP commands. 
However, as soon as you try to retrieve a file and it opens the data connection on the high TCP ports, the endpoint USG20 suddenly starts trying to reply out its LAN interface instead of coming back over the tunnel.

I have the same setup with a USG20-VPN as an endpoint and it works fine. Both Control and Data ports traverse the tunnel. 

I've tried to band-aid the problem with very specific policy routes but I'm not getting anywhere. 
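The post above describes the trap with passive FTP: the control session is a single, predictable flow to TCP/21, but every transfer opens a second connection to a dynamic high port that the server announces in its 227 (PASV) or 229 (EPSV) reply. A policy route or firewall rule keyed only on port 21 therefore never sees the data flow. The script below is an added example, not code from the thread or from Zyxel: it parses those replies the way an FTP client does, computes the data port, and checks a small hypothetical policy-route model against each data connection. The server address 10.20.0.5 and the two replies are constructed for illustration, and the `PolicyRoute` class is a teaching model, not ZyWALL rule syntax.

```python
"""Added example: why a policy route for TCP/21 misses passive FTP data flows.

The client sends PASV/EPSV on the control connection; the server answers with
a reply that names the address and a dynamic port for the data connection.
Sample replies and addresses below are constructed, not captured from a device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 227 reply carries h1,h2,h3,h4,p1,p2 ; port = p1*256 + p2 (RFC 959)
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 reply (EPSV, RFC 2428) carries only the port: (|||port|)
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str, control_peer: str) -> tuple[str, int]:
    """Return (host, port) of the data connection announced in a 227/229 reply.

    For EPSV the data connection goes to the same address as the control
    connection, so the caller supplies that address as control_peer.
    """
    m = PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        port = p1 * 256 + p2
        if not 0 < port <= 65535:
            raise ValueError(f"invalid data port {port} in reply {reply!r}")
        return f"{h1}.{h2}.{h3}.{h4}", port
    m = EPSV_RE.search(reply)
    if m:
        return control_peer, int(m.group(1))
    raise ValueError(f"not a PASV/EPSV reply: {reply!r}")


@dataclass(frozen=True)
class PolicyRoute:
    """Hypothetical, simplified policy route: destination prefix plus an
    optional set of TCP ports (None means any port)."""

    name: str
    dst_net: str
    dst_ports: frozenset[int] | None

    def matches(self, dst_host: str, dst_port: int) -> bool:
        in_net = ip_address(dst_host) in ip_network(self.dst_net)
        port_ok = self.dst_ports is None or dst_port in self.dst_ports
        return in_net and port_ok


def uncovered_flows(route: PolicyRoute, control_peer: str, replies: list[str]) -> list[tuple[str, int]]:
    """Data connections from the given replies that `route` would NOT steer."""
    missed = []
    for reply in replies:
        host, port = parse_pasv(reply, control_peer)
        if not route.matches(host, port):
            missed.append((host, port))
    return missed


# Constructed sample: FTP server 10.20.0.5 behind the remote firewall.
FTP_SERVER = "10.20.0.5"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,20,0,5,195,80).",   # data port 195*256+80 = 50000
    "229 Entering Extended Passive Mode (|||50123|)",  # data port 50123
]

# A route that only steers the control channel (the kind that "almost" works).
ROUTE_CONTROL_ONLY = PolicyRoute("ftp-control-via-tunnel", "10.20.0.0/24", frozenset({21}))
# A route that steers every flow to the server subnet, data channel included.
ROUTE_ANY_PORT = PolicyRoute("ftp-server-via-tunnel", "10.20.0.0/24", None)

if __name__ == "__main__":
    for route in (ROUTE_CONTROL_ONLY, ROUTE_ANY_PORT):
        missed = uncovered_flows(route, FTP_SERVER, SAMPLE_REPLIES)
        print(f"{route.name}: {len(missed)} data connection(s) not covered: {missed}")
```

Running it shows the port-21-only route leaving both data connections uncovered while the any-port route to the server subnet covers them; the same reasoning applies whichever device is doing the routing, and is a quick way to sanity-check a rule set before blaming firmware.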
Comments

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @Brandon,


    On ZyWALL USG 20, are there any 1:1 NAT rules?

    If the answer is yes, the 1:1 NAT function is "forwarding all traffic" to the local server.

    In "packet flow explore", the priority of 1-1 SNAT is higher than site-to-site VPN when 1:1 NAT is enabled.

    To solve this problem on ZyWALL USG 20, please use the following CLI command to reorganize the order of the routing priority.

    Router(config)# ip route control-virtual-server-rules activate

    Router(config)# write


    If it is not the problem, please share the configuration file of USG110 and USG20 with us via private message.


  • Brandon
    Thanks for the response, unfortunately that doesn't seem to be the issue. I do not have any 1-1 NAT rules. I went ahead and tried the command you posted and I did see where it changed the priority in the packet flow explore, but it didn't resolve the issue. 

    It almost seems like a bug to me. I can't find any configuration set on the ZyWALL that would cause it to route differently based on which port is being used. Just to give more info, this is a passive FTP session. 

    I've been able to work around the issue for now by just catching those packets coming out the LAN interface and routing them over a different tunnel using MikroTik routers. 
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @Brandon,


    The latest firmware of USG 20 is sent to you via private message.

    If the issue is still not resolved and you'd like to find the root cause, please share the configuration file of USG110 and USG20 with us.


  • Brandon
    Hi @Zyxel_Emily

    The firmware that you sent seems to have fixed the issue. Thanks for your time!
