When using source NAT with "Dynamic IP and Port" and transferring multiple files over FTP in active mode, the file transfer fails prematurely.
Symptom
When using source NAT with "Dynamic IP and Port" and transferring multiple files over FTP in active mode, the file transfer fails prematurely.
Environment
- PA-Series Next-Generation Firewall
- PAN-OS 8.1 or later
- FTP
Cause
When transferring multiple files, the FTP client may reuse the same active (data) port for consecutive FTP data sessions within a short span of time.
If the port is reused while the NAT session of the previous transfer still exists on the firewall, the new NAT session would have the same translated 5-tuple as the previous one. The firewall cannot hold two identical NAT sessions, so creation of the new NAT session fails and the new data connection is discarded.
Example
Setup:
Client:
IP:172.16.1.30
Active port of the FTP data session: 58155
FTP Server:
IP:172.16.2.20
Service port:20
1. The client is using active port 58155 (session ID 152857) to transfer a file.
> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152857 ftp-data ACTIVE FLOW ND 172.16.2.20[20]/L3-Test-Un/6 (172.16.2.20[20])
vsys1 172.16.2.3[47521]/L3-Trust (172.16.1.30[58155])
152854 ftp ACTIVE FLOW NS 172.16.1.30[47240]/L3-Trust/6 (172.16.2.3[25771])
vsys1 172.16.2.20[21]/L3-Test-Un (172.16.2.20[21])
2. When the client requests active port 58155 again for the next file transfer, the firewall generates a predicted session (session ID 152858).
> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152858 ftp-data ACTIVE PRED ND 172.16.2.20[0]/L3-Test-Un/6 (172.16.2.20[0])
vsys1 172.16.2.3[35979]/L3-Trust (172.16.1.30[58155])
152857 ftp-data ACTIVE FLOW ND 172.16.2.20[20]/L3-Test-Un/6 (172.16.2.20[20])
vsys1 172.16.2.3[47521]/L3-Trust (172.16.1.30[58155])
152854 ftp ACTIVE FLOW NS 172.16.1.30[47240]/L3-Trust/6 (172.16.2.3[25771])
vsys1 172.16.2.20[21]/L3-Test-Un (172.16.2.20[21])
3. When the firewall receives the data-connection packet from the FTP server, the NAT session for session ID 152858 would be:
- 172.16.2.20:20 to 172.16.1.30:58155
This is a duplicate of the NAT session that session ID 152857 still holds.
Session ID 152858 therefore fails to create its NAT session, and the server's connection is discarded. It shows up as a new session in the DISCARD state (session ID 152860 below), with no translation applied.
> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152857 ftp-data ACTIVE FLOW ND 172.16.2.20[20]/L3-Test-Un/6 (172.16.2.20[20])
vsys1 172.16.2.3[47521]/L3-Trust (172.16.1.30[58155])
152860 undecided DISCARD FLOW 172.16.2.20[20]/L3-Test-Un/6 (172.16.2.20[20])
vsys1 172.16.2.3[35979]/L3-Test-Un (172.16.2.3[35979])
152854 ftp ACTIVE FLOW NS 172.16.1.30[47240]/L3-Trust/6 (172.16.2.3[25771])
vsys1 172.16.2.20[21]/L3-Test-Un (172.16.2.20[21])
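The following model reproduces the collision from the Cause section and the three steps above. It is an added illustration, not PAN-OS code: the session table is reduced to one rule, that both the original and the translated 5-tuple of every installed session must be unique. Addresses and ports are the article's; the session IDs, the sequential port allocator, and the NatTable class and its method names are assumed for the example.

```python
"""Model of the NAT-session collision in active-mode FTP behind DIPP source NAT.

Added illustration, not PAN-OS code. Session IDs, the port allocator and the
NatTable API are assumed; addresses and ports are the article's.
"""
from dataclasses import dataclass

CLIENT_IP, NAT_IP, SERVER_IP = "172.16.1.30", "172.16.2.3", "172.16.2.20"
FTP_DATA_PORT = 20


@dataclass
class Session:
    sid: int
    app: str
    state: str         # "ACTIVE" or "DISCARD"
    kind: str          # "PRED" (predicted from a PORT command) or "FLOW"
    original: tuple    # (src_ip, src_port, dst_ip, dst_port) as received
    translated: tuple  # the same packet after NAT


class NatTable:
    """Source NAT with Dynamic IP and Port (DIPP). Every translation takes a
    fresh port on NAT_IP, but the trust-side tuple is whatever the client
    used, and the firewall cannot change it."""

    def __init__(self, first_sid=152856, first_port=47520):
        self.sessions = {}   # sid -> Session
        self.in_use = {}     # 5-tuple -> sid, for original and translated flows
        self.port_map = {}   # DIPP port on NAT_IP -> (client_ip, client_port)
        self._sid, self._port = first_sid, first_port

    def _new_sid(self):
        self._sid += 1
        return self._sid

    def _alloc_port(self):  # assumed: sequential instead of random DIPP ports
        self._port += 1
        return self._port

    def _install(self, sess):
        """Index the session's flows; on a duplicate, mark it DISCARD instead."""
        if sess.original in self.in_use or sess.translated in self.in_use:
            sess.state, sess.app = "DISCARD", "undecided"
        else:
            self.in_use[sess.original] = sess.sid
            self.in_use[sess.translated] = sess.sid
        self.sessions[sess.sid] = sess

    def close(self, sid):
        """Session ends (FIN/RST or timeout): release its tuples."""
        sess = self.sessions.pop(sid)
        self.in_use.pop(sess.original, None)
        self.in_use.pop(sess.translated, None)

    # --- active mode: the server opens the data connection -----------------
    def active_port_command(self, client_port):
        """Client sends PORT for client_port. The FTP ALG rewrites it to a fresh
        DIPP port on NAT_IP and installs a predicted (PRED) session."""
        nat_port = self._alloc_port()
        self.port_map[nat_port] = (CLIENT_IP, client_port)
        pred = Session(self._new_sid(), "ftp-data", "ACTIVE", "PRED",
                       (SERVER_IP, 0, NAT_IP, nat_port),
                       (SERVER_IP, 0, CLIENT_IP, client_port))
        self.sessions[pred.sid] = pred  # predicted only; not yet in the index
        return nat_port, pred.sid

    def server_connects(self, nat_port, pred_sid):
        """Server SYN from SERVER_IP:20 to NAT_IP:nat_port. Translation yields
        SERVER_IP:20 -> CLIENT_IP:client_port; if that tuple still belongs to
        the previous transfer, the new session cannot be created."""
        client_ip, client_port = self.port_map.pop(nat_port)
        self.sessions.pop(pred_sid)  # the prediction is consumed
        flow = Session(self._new_sid(), "ftp-data", "ACTIVE", "FLOW",
                       (SERVER_IP, FTP_DATA_PORT, NAT_IP, nat_port),
                       (SERVER_IP, FTP_DATA_PORT, client_ip, client_port))
        self._install(flow)
        return flow

    # --- passive mode: the client opens the data connection ----------------
    def passive_connect(self, client_port, pasv_port):
        """Client SYN from CLIENT_IP:client_port to SERVER_IP:pasv_port. DIPP
        picks a fresh source port and the server end changes with each PASV
        reply, so a reused client port does not duplicate an open session."""
        nat_port = self._alloc_port()
        flow = Session(self._new_sid(), "ftp-data", "ACTIVE", "FLOW",
                       (CLIENT_IP, client_port, SERVER_IP, pasv_port),
                       (NAT_IP, nat_port, SERVER_IP, pasv_port))
        self._install(flow)
        return flow


def active_mode_two_transfers(close_first=False):
    """Two active-mode transfers reusing client port 58155; returns the state
    of the first data session and the state and app of the second."""
    fw = NatTable()
    p1, s1 = fw.active_port_command(58155)
    first = fw.server_connects(p1, s1)
    if close_first:
        fw.close(first.sid)  # old session gone before the port is reused
    p2, s2 = fw.active_port_command(58155)
    second = fw.server_connects(p2, s2)
    return first.state, second.state, second.app


def passive_mode_two_transfers():
    """Same port reuse in passive mode; the server hands out a new PASV port."""
    fw = NatTable()
    a = fw.passive_connect(58155, 50001)
    b = fw.passive_connect(58155, 50002)
    return a.state, b.state


if __name__ == "__main__":
    print("active, port reused while open:", active_mode_two_transfers())
    print("active, first closed first:    ", active_mode_two_transfers(True))
    print("passive, port reused:          ", passive_mode_two_transfers())
```

Running it shows the second active-mode session ending in DISCARD with application "undecided" while the first is still open, succeeding once the first session has been closed, and passive mode succeeding with the same reused client port.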
Resolution
When using source NAT with "Dynamic IP and Port", use FTP in passive mode. In passive mode the client initiates the data connection, so the firewall translates its source port with a fresh DIPP port for each data session instead of having to map the server's connection back to a client port that may still be held by the previous session.
To confirm that this is the cause, look for sessions from the FTP server's port 20 in the DISCARD state while an ftp-data session with the same translated client address and port is still ACTIVE:
> show session all filter state discard