Page 1 of 1

Incorrect PASV IP recieved

Posted: Wed Oct 05, 2011 4:34 pm
by layer427expert
All,

I am testing FTPS with a specific product. One of the behaviors I am noticing is that when the client sends a SYN to the FTP server it is actually the internal device.

In my configuration under the specific interface setting I have the radio button clicked with the Specify PASV IP. I entered the IP address. The network configuration is as follows.
172.21.21.101 -> 172.21.21.27 -> 10.10.10.2
Client -> Nat device -> server

Below are two TCPdumps One from the client with the internal server address of 10.10.10.2 and one from the client with the 172.21.21.27 address
Here are the TCP dumps. From the client...


sudo tcpdump -i en1 host 10.10.10.2
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:38.399905 IP 10.10.10.2.ftps > 172.21.21.101.54735: Flags [S.], seq 3563286778, ack 638405265, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1771563 ecr 463649162], length 0
16:07:38.399933 IP 172.21.21.101.54735 > 10.10.10.2.ftps: Flags [R], seq 638405265, win 0, length 0
16:07:41.412297 IP 10.10.10.2.ftps > 172.21.21.101.54735: Flags [S.], seq 3563286778, ack 638405265, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1771864 ecr 463649162], length 0
16:07:41.412353 IP 172.21.21.101.54735 > 10.10.10.2.ftps: Flags [R], seq 638405265, win 0, length 0
16:07:47.526787 IP 10.10.10.2.ftps > 172.21.21.101.54735: Flags [S.], seq 3563286778, ack 638405265, win 8192, options [mss 1460,sackOK,TS val 1772465 ecr 463649162], length 0
16:07:47.526833 IP 172.21.21.101.54735 > 10.10.10.2.ftps: Flags [R], seq 638405265, win 0, length 0
16:08:35.702067 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649734 ecr 0,sackOK,eol], length 0
16:08:36.690158 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649743 ecr 0,sackOK,eol], length 0
16:08:37.692540 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649753 ecr 0,sackOK,eol], length 0
16:08:38.694873 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649763 ecr 0,sackOK,eol], length 0
16:08:39.697246 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649773 ecr 0,sackOK,eol], length 0
16:08:40.699302 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649783 ecr 0,sackOK,eol], length 0
16:08:42.703561 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463649803 ecr 0,sackOK,eol], length 0
16:08:46.712724 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,sackOK,eol], length 0
16:08:54.732067 IP 172.21.21.101.54737 > 10.10.10.2.11115: Flags [S], seq 3914551341, win 65535, options [mss 1460,sackOK,eol], length 0
16:14:01.521794 IP 10.10.10.2.ftps > 172.21.21.101.54774: Flags [S.], seq 1903402839, ack 697911295, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1809874 ecr 463652987], length 0
16:14:01.521824 IP 172.21.21.101.54774 > 10.10.10.2.ftps: Flags [R], seq 697911295, win 0, length 0
16:14:04.524999 IP 10.10.10.2.ftps > 172.21.21.101.54774: Flags [S.], seq 1903402839, ack 697911295, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1810174 ecr 463652987], length 0
16:14:04.525053 IP 172.21.21.101.54774 > 10.10.10.2.ftps: Flags [R], seq 697911295, win 0, length 0
16:14:10.709325 IP 10.10.10.2.ftps > 172.21.21.101.54774: Flags [S.], seq 1903402839, ack 697911295, win 8192, options [mss 1460,sackOK,TS val 1810775 ecr 463652987], length 0
16:14:10.709378 IP 172.21.21.101.54774 > 10.10.10.2.ftps: Flags [R], seq 697911295, win 0, length 0
16:16:01.625438 IP 10.10.10.2.ftps > 172.21.21.101.54846: Flags [S.], seq 2129971962, ack 3929560666, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1821884 ecr 463654186], length 0
16:16:01.625464 IP 172.21.21.101.54846 > 10.10.10.2.ftps: Flags [R], seq 3929560666, win 0, length 0
16:16:04.630417 IP 10.10.10.2.ftps > 172.21.21.101.54846: Flags [S.], seq 2129971962, ack 3929560666, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1822184 ecr 463654186], length 0
16:16:04.630451 IP 172.21.21.101.54846 > 10.10.10.2.ftps: Flags [R], seq 3929560666, win 0, length 0
16:16:10.636589 IP 10.10.10.2.ftps > 172.21.21.101.54846: Flags [S.], seq 2129971962, ack 3929560666, win 8192, options [mss 1460,sackOK,TS val 1822785 ecr 463654186], length 0
16:16:10.636643 IP 172.21.21.101.54846 > 10.10.10.2.ftps: Flags [R], seq 3929560666, win 0, length 0
16:17:48.276896 IP 10.10.10.2.ftps > 172.21.21.101.54853: Flags [S.], seq 1509994156, ack 4276602651, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1832549 ecr 463655251], length 0
16:17:48.276923 IP 172.21.21.101.54853 > 10.10.10.2.ftps: Flags [R], seq 4276602651, win 0, length 0
16:17:51.288730 IP 10.10.10.2.ftps > 172.21.21.101.54853: Flags [S.], seq 1509994156, ack 4276602651, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1832850 ecr 463655251], length 0
16:17:51.288780 IP 172.21.21.101.54853 > 10.10.10.2.ftps: Flags [R], seq 4276602651, win 0, length 0


16:17:57.423124 IP 10.10.10.2.ftps > 172.21.21.101.54853: Flags [S.], seq 1509994156, ack 4276602651, win 8192, options [mss 1460,sackOK,TS val 1833450 ecr 463655251], length 0
16:17:57.423173 IP 172.21.21.101.54853 > 10.10.10.2.ftps: Flags [R], seq 4276602651, win 0, length 0



Here is the client VIP address capture:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:33:11.523174 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [S], seq 513545886, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664471 ecr 0,sackOK,eol], length 0
16:33:11.526530 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [S.], seq 3988723696, ack 513545887, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 1924871 ecr 463664471], length 0
16:33:11.526569 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 1, win 65535, options [nop,nop,TS val 463664471 ecr 1924871], length 0
16:33:11.531053 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 1:73, ack 1, win 65535, options [nop,nop,TS val 463664471 ecr 1924871], length 72
16:33:11.568355 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [.], seq 1:1449, ack 73, win 260, options [nop,nop,TS val 1924875 ecr 463664471], length 1448
16:33:11.568414 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 1449:1609, ack 73, win 260, options [nop,nop,TS val 1924875 ecr 463664471], length 160
16:33:11.568435 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 1609, win 65502, options [nop,nop,TS val 463664472 ecr 1924875], length 0
16:33:11.590793 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 73:212, ack 1609, win 65535, options [nop,nop,TS val 463664472 ecr 1924875], length 139
16:33:11.590845 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 212:218, ack 1609, win 65535, options [nop,nop,TS val 463664472 ecr 1924875], length 6
16:33:11.591868 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [.], ack 218, win 259, options [nop,nop,TS val 1924877 ecr 463664472], length 0
16:33:11.591990 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 218:335, ack 1609, win 65535, options [nop,nop,TS val 463664472 ecr 1924877], length 117
16:33:11.602490 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 1609:1668, ack 335, win 259, options [nop,nop,TS val 1924878 ecr 463664472], length 59
16:33:11.602549 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 1668, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.603117 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 1668:1806, ack 335, win 259, options [nop,nop,TS val 1924878 ecr 463664472], length 138
16:33:11.603136 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 1806, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.606405 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 335:564, ack 1806, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 229
16:33:11.607417 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 1806:1912, ack 564, win 258, options [nop,nop,TS val 1924878 ecr 463664472], length 106
16:33:11.607444 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 1912, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.607809 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 564:729, ack 1912, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 165
16:33:11.608824 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 1912:2018, ack 729, win 257, options [nop,nop,TS val 1924878 ecr 463664472], length 106
16:33:11.608845 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2018, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.611543 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 729:926, ack 2018, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 197
16:33:11.612501 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2018:2108, ack 926, win 256, options [nop,nop,TS val 1924878 ecr 463664472], length 90
16:33:11.612532 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2108, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.614014 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 926:1139, ack 2108, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 213
16:33:11.614893 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2108:2198, ack 1139, win 256, options [nop,nop,TS val 1924878 ecr 463664472], length 90
16:33:11.614914 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2198, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 0
16:33:11.615921 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 1139:1400, ack 2198, win 65535, options [nop,nop,TS val 463664472 ecr 1924878], length 261
16:33:11.617142 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2198:2288, ack 1400, win 255, options [nop,nop,TS val 1924880 ecr 463664472], length 90
16:33:11.617168 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2288, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 0
16:33:11.617678 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 1400:1597, ack 2288, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 197
16:33:11.618547 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2288:2410, ack 1597, win 260, options [nop,nop,TS val 1924880 ecr 463664472], length 122
16:33:11.618564 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2410, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 0
16:33:11.620054 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 1597:1778, ack 2410, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 181
16:33:11.620903 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2410:2516, ack 1778, win 259, options [nop,nop,TS val 1924880 ecr 463664472], length 106
16:33:11.620921 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2516, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 0
16:33:11.621755 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 1778:2007, ack 2516, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 229
16:33:11.623670 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2516:2606, ack 2007, win 258, options [nop,nop,TS val 1924880 ecr 463664472], length 90
16:33:11.623693 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2606, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 0
16:33:11.624522 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 2007:2156, ack 2606, win 65535, options [nop,nop,TS val 463664472 ecr 1924880], length 149
16:33:11.646883 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [P.], seq 2606:2728, ack 2156, win 258, options [nop,nop,TS val 1924883 ecr 463664472], length 122
16:33:11.646952 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [.], ack 2728, win 65535, options [nop,nop,TS val 463664473 ecr 1924883], length 0
16:33:11.648425 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664473 ecr 0,sackOK,eol], length 0
16:33:11.648541 IP 172.21.21.101.54943 > 172.21.21.27.ftps: Flags [P.], seq 2156:2353, ack 2728, win 65535, options [nop,nop,TS val 463664473 ecr 1924883], length 197
16:33:11.868217 IP 172.21.21.27.ftps > 172.21.21.101.54943: Flags [.], ack 2353, win 257, options [nop,nop,TS val 1924904 ecr 463664473], length 0
16:33:12.636427 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664482 ecr 0,sackOK,eol], length 0
16:33:13.637961 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664492 ecr 0,sackOK,eol], length 0
16:33:14.639707 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664502 ecr 0,sackOK,eol], length 0
16:33:15.641253 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664512 ecr 0,sackOK,eol], length 0
16:33:16.643032 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664522 ecr 0,sackOK,eol], length 0
16:33:18.645418 IP 172.21.21.101.54944 > 172.21.21.27.11126: Flags [S], seq 1124262230, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 463664542 ecr 0,sackOK,eol], length 0

Re: Incorrect PASV IP recieved

Posted: Thu Oct 06, 2011 3:06 am
by Serin
Hello,

I'm guessing from the title of this post that the problem you are having is that the PASV IP being given out is the wrong IP.

Can you please post the Cerberus FTP Server log file showing the problem? Thanks.