Contributor
June 12, 2008
Question

FTP Passive problem

  • 11 replies
  • 13929 views
Hello,

I am having a problem where I cannot FTP in passive mode using an external IP to my FTP server behind the Fortigate 60B. When I FTP using the internal IP address, the FTP works fine to the FTP server. The first item I noticed is that when I use an FTP client, the passive port range is not being used. I have used several different FTP clients such as WSFTP and Filezilla. If I eliminate the Fortigate, the FTP works fine.

The following is an example of the FTP external IP failure:

  PASV
  227 Entering Passive Mode (208,xx,xx,66,132,187)
  connecting to 208.xx.xx.66:33979
  - - connecting to 208.xx.xx.66:33979
  ! Connection failed 208.xx.xx.66 - connection timed out
  ! connect: error 0

When it times out, the FTP shifts into regular FTP and works fine. The fact that the login works and I get this far tells me the FTP port is open.

The following is an example of when the FTP works using the internal IP address:

  PASV
  227 Entering Passive Mode (208,xx,xx,66,92,28)
  connecting to 208.xx.xx.66:23580
  - - connecting to 208.xx.xx.66:23580
  Connected to 208.xx.xx.66 port 23580

This FTP works fine and it is using the FTP passive port range (23580-23590) that I assigned to the Serv-U FTP server. My experience with other routers is that I have to open ports with port forwarding. I am not sure if this is the case with the Fortigate. Any guidance would be most welcome.

Thank You,
Joe


    Contributor
    June 16, 2008
    Hey Joe,
    On the initial connection are you using a custom port? I had this issue where passive could open the initial control connection but couldn't open the data connection. You can solve this issue by adding a session-helper for the custom port. This way the Fortigate knows to treat traffic on the initial custom port as FTP and will allow temporary conduits to be opened on the passive range for the data channel.

        config sys session-helper
            edit 0
                set name ftp
                set port 2121    (port that FTP is listening on for control goes here)
                set protocol 6
            next
        end

    Hope that helps.
    Contributor
    June 16, 2008
    Thank You for your response. But, I still have the same problem. Once again Thanks, Joe
    Contributor
    June 16, 2008
    What does your VIP configuration look like for this IP? Firewall->Virtual IP
    Contributor
    June 16, 2008
    Hello,
    Here is the VIP:
        Name: VIP-MXWFTP
        External Interface: WAN1
        Type: Static NAT
        External IP: 208.XX.XX.66
        Mapped IP: 192.168.210.66
        Port Forwarding: Unchecked
    Joe
    rwpatterson
    New Member
    June 17, 2008
    See the end of this post...
    Contributor
    June 17, 2008
    loop rwpatterson: that thread links back to my post above in this thread . . . nice!
    rwpatterson
    New Member
    June 17, 2008
    Ooooops...LOL
    Contributor
    June 18, 2008
    Thank you for looking into it. I agree with you: either the FTP program is passing the wrong PASV port back or the Fortigate is not translating the port correctly. Just for grins I changed the passive ports to what the Fortigate thinks it should be (in my case port 37988) and it also fails. I also find it interesting that it falls back into regular FTP and works. Joe
    UkWizard
    New Member
    June 18, 2008
    A very obvious question, but someone has to ask it. You do have NAT unchecked on the inbound policy, don't you?
    Contributor
    June 19, 2008
    Hello, Thank you for asking. I looked at the IB policy and NAT is unchecked. Let me know if you want me to check anything else. Joe
    Contributor
    June 20, 2008
    Hello, I have been reading several posts on this forum and found out that people with FTP problems in the past were using the following KB to fix the problem: http://kc.forticare.com/default.asp?id=1765&Lang=1&SID= But when I create the VIP with port forwarding and then test the FTP, the FTP fails all the time. When I eliminate the port forwarding section of the VIP, the FTP will still work in regular mode. I guess my question is: am I missing something else? My custom service is set up with TCP 23580-23590 for both the source and destination ports. And when I tried the port forwarding in the VIP, I put in the same port numbers. Thanks, Joe
    rwpatterson
    New Member
    June 20, 2008
    Source ports should always be at least 1024-65535 (for most standard, non-secure protocols). Some folks use 1-65535.
    Contributor
    June 20, 2008
    Hello, Thank you for the reply. I tried the range of 1024-65535 and I still have the same darn problem of no connection when I use the port forwarding option. When I get rid of the port forwarding then PASV does not work but regular FTP works. Joe
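
The 227 replies quoted in the opening post encode the data port as the last two numbers (port = p1*256 + p2), so they can be checked directly against the passive range configured on the server and opened on the firewall. The following is an added example, not code from any poster in this thread; the function names are hypothetical, and it goes slightly beyond the thread by also flagging a private address in the reply, using one constructed sample line.

```python
import ipaddress
import re

# 227 reply payload: (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2.
# Host octets may be masked ("xx"), as in the thread's redacted output.
PASV_RE = re.compile(r"\b227\b[^(]*\(((?:\w{1,3},){3}\w{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Return (host, port) from a 227 reply line, or None if it is not one."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    p1, p2 = int(m.group(2)), int(m.group(3))
    if p1 > 255 or p2 > 255:
        return None  # malformed port bytes
    return m.group(1).replace(",", "."), p1 * 256 + p2

def audit_pasv(lines, passive_range):
    """Check each 227 reply against the passive range opened on the firewall."""
    low, high = passive_range
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:
            private = None  # masked/redacted host, cannot classify
        findings.append({"host": host, "port": port,
                         "port_in_range": low <= port <= high,
                         "private_host": private})
    return findings

# Sample input: the two 227 replies quoted in the opening post, plus one
# constructed line showing an internal address reaching an outside client.
SAMPLE = [
    "227 Entering Passive Mode (208,xx,xx,66,132,187)",
    "227 Entering Passive Mode (208,xx,xx,66,92,28)",
    "227 Entering Passive Mode (192,168,210,66,92,30)",  # constructed
]

if __name__ == "__main__":
    for finding in audit_pasv(SAMPLE, (23580, 23590)):
        print(finding)
```

A reply whose port falls outside the configured range means the client was told a port other than the one the server was set to use, so a policy that only permits 23580-23590 will not match the data connection.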