On SRX100, SRX110, SRX210, and SRX220 devices with FTP ALG enabled, ICMP redirect might not work for FTP traffic.
When FTP ALG is enabled on SRX100, SRX110, SRX210 and SRX220, ICMP redirect does not work.
However, it only affects FTP traffic; ping and other traffic work without any problem.
Once a ping packet has passed through, the FTP connection succeeds.
Without ping or other traffic, the FTP connection does not succeed.
This is a software bug: the SRX should generate an ICMP redirect packet to the source, but the ICMP redirect packet is not generated.
This issue only affects SRX100, SRX110, SRX210 and SRX220 platforms with FTP ALG enabled (enabled by default).
Affected version:
11.4R9 12.1X44-D20 12.1X45-D15 12 or lower.
Fixed version:
11.4R10 12.1X44-D30 12.1X45-D20 12.1X46-D10 or higher.
Work Around:
Disable FTP ALG.
Verify if ALG is enabled
>show security alg status
ALG Status :
  DNS : Enabled
  FTP : Enabled
  H323 : Enabled
  MGCP : Enabled
  MSRPC : Enabled
  PPTP : Enabled
  RSH : Enabled
  RTSP : Enabled
  SCCP : Enabled
  SIP : Enabled
  SQL : Enabled
  SUNRPC : Enabled
  TALK : Enabled
  TFTP : Enabled
  IKE-ESP : Disabled
Disable ALG globally
>configure
#set security alg <name> disable
#commit and-quit
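An added example, not part of the original article or Juniper's own tooling: a Python check that combines the platform list, the fixed-version list and the FTP line of the show security alg status output to classify a device. The function names, the sample output and the inventory entries are constructed for illustration, and treating release trains that are not on the fixed list as "check manually" is an assumption.

```python
import re

AFFECTED_MODELS = {"SRX100", "SRX110", "SRX210", "SRX220"}
# First fixed release per train, taken from the "Fixed version" list.
FIXED = {"11.4R": 10, "12.1X44-D": 30, "12.1X45-D": 20, "12.1X46-D": 10}

# Constructed sample: a few lines in the format of 'show security alg status'.
SAMPLE = """ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled
"""

def parse_alg_status(output):
    """Map each ALG name to True (Enabled) or False (Disabled)."""
    status = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z0-9-]+)\s*:\s*(Enabled|Disabled)\s*$", line)
        if m:
            status[m.group(1)] = m.group(2) == "Enabled"
    return status

def release_is_fixed(version):
    """True/False for trains on the fixed list, None for any other train."""
    m = re.match(r"(\d+\.\d+(?:R|X\d+-D))(\d+)", version)
    if not m or m.group(1) not in FIXED:
        return None  # assumption: unlisted trains are left for manual review
    return int(m.group(2)) >= FIXED[m.group(1)]

def assess(model, version, alg_output):
    """Classify one device against the conditions described in the article."""
    if model.upper() not in AFFECTED_MODELS:
        return "not affected: platform not listed"
    ftp = parse_alg_status(alg_output).get("FTP")
    if ftp is None:
        return "unknown: no FTP line in ALG status"
    if not ftp:
        return "workaround in place: FTP ALG disabled"
    fixed = release_is_fixed(version)
    if fixed is None:
        return "check manually: release train not on the fixed list"
    return "fixed release" if fixed else "affected: upgrade or disable FTP ALG"

if __name__ == "__main__":
    # Constructed inventory entries (model, Junos version).
    for model, ver in [("SRX210", "12.1X44-D20.3"), ("SRX220", "11.4R10")]:
        print(model, ver, "->", assess(model, ver, SAMPLE))
```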