All,
I've set up a port forwarding rule to allow TCP 22 to a particular server, in order to support an SFTP server.
The connection is successfully being made, user logs in, but file transfers disconnect after transferring only a few kb.
Error code in the SFTP server is: Winsock error - 10054 which indicates the remote client is disconnecting.
Error code in the client indicates something similar, the connection is being interrupted.
I've used several different clients and even at one point changed SFTP server software. I'm getting the same results.
As such, I've concluded it must be something related to my Meraki MX unit but I don't know where to find logs or what I would even check.
Any ideas would be appreciated
I have an SFTP server behind my MX and have no issue. Have you done a packet capture to look at it?
My rule is TCP 20-22 to an internal server because I have to support some FTP too.
Yes, I have run a pcap but it doesn't show anything obvious.
I've also run a connection locally from a client on the same LAN as the server to eliminate the firewall connect. When I do it this way, I get no disconnection.
If I use the same client but connect using the public IP address and back in via the MX unit, disconnect errors.
I also have another external business partner connecting remotely and also getting the same disconnect problem. It's looking like the MX unit is the issue.
Might check Security Center event log
https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center
Great call! I found this in the logs: IDS Alert SSH_EVENT_RESPOVERFLOW
I see I must have whitelisted that a long time ago and forgot. So that explains why it worked for me 😉
Crap, I already have it whitelisted as well but it's still appearing.
In my experience whitelisting these ID events doesn't work very well or quickly.
Your best bet is to start by changing the ruleset to balanced instead of security. The next option is to change the mode to detection. Then it pinpoints which part of ID is detecting/causing it.
The other thing you might check is AMP settings.
Also, if you can provide the SNORT link to the vulnerability it is detecting.