SFTP session disconnecting

Solved
ZDonaldson
Getting noticed

All,

 

I've set up a port forwarding rule to allow TCP 22 to a particular server, in order to support an SFTP server.

 

The connection is successfully being made, user logs in, but file transfers disconnect after transferring only a few kb.  

 

Error code in the sftp server is: Winsock error - 10054  which indicates the remote client is disconnecting.

 

Error code in the client indicates something similar, the connection is being interrupted.

 

I've used several different clients and even at one point changed SFTP server software.  I'm getting the same results.

 

As such, I've concluded it must be something related to my Meraki MX unit but I don't know where to find logs or what I would even check.

 

Any ideas would be appreciated

 

Zane D - IT Manager in Sin City NV
BrandonS
Kind of a big deal

I have an SFTP server behind my MX and have no issue.  Have you done a packet capture to look at it?

My rule is TCP 20-22 to an internal server because I have to support some FTP too.

- Ex community all-star (⌐⊙_⊙)
ZDonaldson
Getting noticed

Yes, I have run a pcap but it doesn't show anything obvious.

 

I've also run a connection locally from a client on the same LAN as the server to eliminate the firewall connect.  When I do it this way, I get no disconnection.

 

If I use the same client but connect using the public IP address and back in via the MX unit, disconnect errors.

 

I also have another external business partner connecting remotely and also getting the same disconnect problem.  It's looking like the MX unit as the issue

Zane D - IT Manager in Sin City NV
SoCalRacer
Kind of a big deal

ZDonaldson
Getting noticed

Great call!  I found this in the logs: IDS Alert SSH_EVENT_RESPOVERFLOW

Zane D - IT Manager in Sin City NV
BrandonS
Kind of a big deal

I see I must have whitelisted that a long time ago and forgot.  So that explains why it worked for me 😉

 


- Ex community all-star (⌐⊙_⊙)
ZDonaldson
Getting noticed

Crap, I already have it whitelisted as well but it's still appearing

Zane D - IT Manager in Sin City NV
SoCalRacer
Kind of a big deal

In my experience whitelisting these ID events doesn't work very well or quickly.

 

Your best bet is to start by changing the ruleset to balanced instead of security. The next option is to change the mode to detection. Then it pinpoints which part of ID is detecting/causing it.

 

The other thing you might check is AMP settings.

 

Also if you can provide the SNORT link to the vulnerability it is detecting
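
As an added example (not part of any post in this thread, and not Meraki code): a Python script that filters exported MX security-event log lines for IDS alerts on the forwarded port 22 and counts them by rule and decision, which is the correlation that surfaced SSH_EVENT_RESPOVERFLOW above. The key=value log layout, host name, addresses and the `GID:SID:REV` signature placeholder are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines. The key=value layout is an assumption modelled on
# MX syslog "security_event ids_alerted" records; signature IDs are placeholders.
SAMPLE_LOG = """\
1559760897.1 MX security_event ids_alerted signature=GID:SID:REV priority=2 timestamp=1559760897.0 direction=ingress protocol=tcp/22 src=198.51.100.7:50211 dst=192.168.10.20:22 decision=blocked message: SSH_EVENT_RESPOVERFLOW
1559760899.4 MX flows src=198.51.100.7 dst=192.168.10.20 protocol=tcp sport=50211 dport=22 pattern: allow all
1559760950.8 MX security_event ids_alerted signature=GID:SID:REV priority=2 timestamp=1559760950.7 direction=ingress protocol=tcp/22 src=203.0.113.9:41002 dst=192.168.10.20:22 decision=blocked message: SSH_EVENT_RESPOVERFLOW
1559761000.2 MX security_event ids_alerted signature=GID:SID:REV priority=3 timestamp=1559761000.1 direction=egress protocol=udp/53 src=192.168.10.31:49243 dst=192.0.2.53:53 decision=allowed message: EXAMPLE-DNS constructed alert
"""

# Everything between "ids_alerted" and " message: " is key=value pairs.
ALERT_RE = re.compile(
    r"security_event ids_alerted (?P<fields>.*?) message: (?P<message>.*)$"
)

def parse_alert(line):
    """Return a dict for an ids_alerted line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    alert["message"] = m.group("message").strip()
    return alert

def alerts_for_port(log_text, port):
    """IDS alerts whose source or destination port equals `port`."""
    hits = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        # src/dst are "ip:port"; take the part after the last colon.
        ports = {alert.get(k, "").rpartition(":")[2] for k in ("src", "dst")}
        if str(port) in ports:
            hits.append(alert)
    return hits

def summarize(alerts):
    """Count alerts per (message, decision) so blocked rules stand out."""
    return Counter((a["message"], a.get("decision", "unknown")) for a in alerts)

if __name__ == "__main__":
    for (message, decision), n in summarize(alerts_for_port(SAMPLE_LOG, 22)).items():
        print(f"{n} x {message} -> {decision}")
```

A rule that keeps showing `blocked` on the SFTP port after a whitelist change is the one still dropping the session; in detection mode the same rule would be logged without the block.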

 

 
