VPN connection allows telnet/ssh but sftp/ftp fails

Anonymous
June 13, 2005 11:07:39 AM

Archived from groups: comp.dcom.vpn,comp.security.unix,comp.security.firewalls

we have set up a vpn to our customer site from our office and connect to
unix servers using putty with ssh. we can also connect to the box using
ssh/sftp and ftp to transfer files. while the ssh connection has no
problem the file transfer mechanism has never worked. in each case the
connection is "reset by peer" or words to that effect. we are a bit
stumped as to where the problem may lie; the customer is adamant that
it is on our side. any ideas about how i should go about diagnosing things
our end ? any tools out there that could provide some useful
information ?
Anonymous
June 13, 2005 11:06:48 PM

In article <1118671659.789929.122380@z14g2000cwz.googlegroups.com>,
<strepxe@yahoo.co.uk> wrote:
:we have set up a vpn to our customer site from our office and connect to
:unix servers using putty with ssh. we can also connect to the box using
:ssh/sftp and ftp to transfer files. while the ssh connection has no
:problem the file transfer mechanism has never worked.

I'm a bit confused by those last two statements. I'm not sure if you
are saying that you have -configured- sftp and you can start transfers
over the VPN but the transfers fail; or if you are saying that
you have been successful with sftp when you are not going over the VPN ?

:in each case the
:connection is "reset by peer" or words to that effect. we are a bit
:stumped as to where the problem may lie; the customer is adamant that
:it is on our side. any ideas about how i should go about diagnosing things
:our end ?

The available tools would depend in part on which VPN device (and
software rev) you are using.


My shot in the dark would be that you are running into MTU problems.
putty/ssh are not generally going to be transferring full packets
(at least not in one of the two directions), but as soon as you
hit sftp then it is going to want to transfer large packets.

There is an overhead to VPNs that reduces the effective link MTU;
the exact amount of the overhead depends on the authentication
and confidentiality parameters you choose for IPSec (e.g., AH,
which ESP, whether you are using NAT-Traversal).

If both your ends have Path MTU Discovery turned on, but you are
filtering out ICMP Fragmentation Needed packets from getting through,
then the PMTUD is going to fail the first time it wants to send
a packet bigger than the effective MTU.

This problem does not occur if Path MTU Discovery is turned off
on either (or both) sides, because then the two sides will not
negotiate PMTUD, thus leaving it up to the VPN to fragment the
packets at need... which would be inefficient but effective
[provided that you haven't configured the VPN to forbid fragmentation.]
--
Feep if you love VT-52's.
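
One way to test the MTU hypothesis from the reply above, as an added example that is not part of the original thread: binary-search the largest Don't-Fragment packet that crosses the tunnel and note how larger ones fail. It assumes Linux iputils `ping`; the function names and the simulated path are constructed for illustration.

```python
import subprocess

HEADERS = 28  # IPv4 header (20) + ICMP echo header (8), no IP options

def ping_probe(host):
    """Return a probe(size) that sends one DF-set echo of `size` total IP bytes.
    Assumes Linux iputils ping (-M do sets Don't Fragment)."""
    def probe(size):
        r = subprocess.run(
            ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size - HEADERS), host],
            capture_output=True, text=True)
        if r.returncode == 0:
            return "ok"
        out = (r.stdout + r.stderr).lower()
        # An ICMP Fragmentation Needed (or a cached PMTU) shows up in ping's output.
        return "frag_needed" if "frag needed" in out or "too long" in out else "timeout"
    return probe

def diagnose(probe, floor=576, link_mtu=1500):
    """Binary-search the largest DF packet that gets through; report how larger ones fail."""
    if probe(floor) != "ok":
        return None, "no reply even at the floor size; not an MTU problem"
    lo, hi, failures = floor, link_mtu, set()
    while lo < hi:
        mid = (lo + hi + 1) // 2
        result = probe(mid)
        if result == "ok":
            lo = mid
        else:
            failures.add(result)
            hi = mid - 1
    if not failures:
        return lo, "full-size packets pass; look elsewhere"
    if "frag_needed" in failures:
        return lo, "ICMP Fragmentation Needed is arriving; PMTUD can work"
    return lo, "large packets vanish silently; ICMP is filtered (PMTUD black hole)"

def simulated_path(path_mtu, icmp_filtered):
    """Constructed stand-in for a tunnel, so the logic runs without a network."""
    def probe(size):
        if size <= path_mtu:
            return "ok"
        return "timeout" if icmp_filtered else "frag_needed"
    return probe

if __name__ == "__main__":
    print(diagnose(simulated_path(1400, icmp_filtered=True)))
```

Against a real tunnel, call `diagnose(ping_probe(host))` with the address of the server behind the VPN; the host must answer ICMP echo for the result to mean anything.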
Anonymous
June 19, 2005 5:19:13 PM

hi,
thanks for the response and suggestions.
first to clarify:
- have not configured sftp, ssh, scp, ftp or telnet on server at
customer site. these services are available to us.
- have made vpn connection and then initiated sftp, scp and ftp
connections to copy files from the server. all have failed as
indicated.
second some additional information:
- problem with file transfer does not occur internal to customer
organisation or when they perform a vpn connection from outside their
offices in their country.
think it is MTU problem and something i need to get in touch with our
ISP about. will keep you informed as regards what i find out.
thanks for the assistance.
g