OT Device not pingable or reachable via FTP
Hello Guys
i have a OT Device where a FTP Service is running. A Windows Server connects to the server every 30min and downloads some data from the OT Device. The FTP Transfer is not always successful. Sometimes we get an error returned by our monitoring that it is not getting data from the OT Device.
I started a pcap and from the Server side i only saw TCP Syn and Retransmitted TCP Syn Packets. The Server and the OT Device are in a seperate subnet. I then sniffed at the switch with help of a mirror port. During the time i sniffed I tried a ping from the Windows Server to the OT FTP Device. I saw that the icmp ping requests were seen on the mirror port where the ot device was connected but at the same time I saw many "Who has 172.16.1.254? Tell 172.16.1.250" messages followed by a "172.16.1.254 is at ......". Only after the ot device was rebooted the communication via ftp or ping was successful again and arp who has stopped showing up so often.
Does this mean they are in the same subnet?
Who are .254 and .250?
.254 is the gateway of the ot devices subnet and .250 is the ot device where the ftp service is running. The ICMP Request is from 192.168.2.1 which is the windows server. The Windows Server is not in the same subnet as the ot device.
So the OT device is arping the gateway, the gateway responds but either it doesn't reach the OT device or it does get there but the OT device drops it or doesn't update it's ARP cache.
Does the OT device support a login shell and a way to see the ARP cache?
If not, does it support SNMP which can be used to query the ARP table.
So if you restart the OT device the issue is resolved. And at failures you see SYN and SYN retries but no SYN-ACK. Then it is time to call your OT supplier and have them fix it. Whatever is going on happens on that device.
And to be honest OT suppliers are not known for robust networking services The use of FTP is a hint that security needs work.