PFTPX client reset connection

ipfftw

I am getting lots and lots of these in a sort of a storm today.

Sep 29 10:26:55 	pftpx[558]: #251 server timeout
Sep 29 10:26:55 	pftpx[558]: #251 server timeout
Sep 29 10:26:51 	pftpx[558]: #250 server timeout
Sep 29 10:26:51 	pftpx[558]: #250 server timeout
Sep 29 10:26:44 	pftpx[558]: #249 server timeout
Sep 29 10:26:44 	pftpx[558]: #249 server timeout
Sep 29 10:26:21 	pftpx[558]: #247 server timeout
Sep 29 10:26:21 	pftpx[558]: #247 server timeout
Sep 29 10:26:19 	pftpx[558]: #246 server timeout
Sep 29 10:26:19 	pftpx[558]: #246 server timeout
Sep 29 10:26:04 	pftpx[558]: #245 server timeout
Sep 29 10:26:04 	pftpx[558]: #245 server timeout
Sep 29 10:25:57 	pftpx[558]: #244 client reset connection
Sep 29 10:25:57 	pftpx[558]: #244 client reset connection
Sep 29 10:25:51 	pftpx[558]: #243 server timeout
Sep 29 10:25:51 	pftpx[558]: #243 server timeout
Sep 29 10:25:49 	pftpx[558]: #242 server timeout
Sep 29 10:25:49 	pftpx[558]: #242 server timeout

etc.. etc..

My question is, how do i find out which client is causing these errors? If you use the Diagnostic -> States -> Filter by ":21", i come up with all sorts of random internet IPs and the IP of the firewall. eg: Firewall -> Random internet IP

I have turned off the FTP helper on all the interfaces and now the FILTER reports correctly as: INTERNAL MACHINE -> Firewall -> Random Internet IP

So now i can find the user and "discipline" them.

I guess my problem is solved, i was just wondering if there is a way to see connections which are being made by pftpx and where they are originating from.

ipfftw

Weird! seems to be symantec endpoint protection talking to a bunch of FTP sites… 69.22.137.48 is what i gather to be a symantec ip. Very strange as we are all locally managed for symantec updates.