hbuenafe81
New Contributor III

FTP 425 unable to build connection

Hi everyone,

 

I am having an issue with FTP: I receive response error 425 (unable to build connection) when using the external IP (mapped on the FortiGate), but using the internal connection it works fine. Has anyone encountered such a problem? I appreciate your help.

 

regards,

 

TBogs
ramadas
New Contributor II

The 425 is related to PORT mode and the FortiGate (any firewall). In PORT mode, the FTP server chooses TO INITIATE (meaning from the FTP server to your inside) a connection from port 20 to the port chosen by the client, and based on your firewall policy, if you have not taken this connection (from the FTP server to your client) into consideration, then the TCP SYN packet will be dropped.

ebilcari

If this is the case, then a session helper needs to be configured, as shown here in the admin guide, or change the FTP to use passive mode.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
hbuenafe81
New Contributor III

Hi Ramada,

 

Thanks for the heads-up; however, the external port is working if not using the FileZilla application, but if that certain port is linked to FileZilla, that's the time we receive such a 425 response. There is something blocking the FTP download. I even added a new config on the session helper for the new ports assigned for FTP, as you can see below.

 

config system session-helper
    edit 21
        set name ftp
        set protocol 6
        set port 2021
    next
end

-----Policy----

config firewall policy
    edit 34
        set name "ftp-svr"
        set uuid d0c524b8-7879-51ee-837e-ba610b1f8d27
        set srcintf "wan1"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "local-test"
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT" "FTP_SRV"
        set logtraffic all
        set nat enable
    next
    edit 27
        set name "ftp-outside"
        set uuid 8abcfd76-78ae-51ee-cead-e8774d4e5626
        set srcintf "port4"
        set dstintf "wan1"
        set action accept
        set srcaddr "dmz-server"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

TBogs
ramadas
New Contributor II

Hi,

First, I can see that you are using a non-standard port 2021 instead of 21. The FortiGate will monitor the FTP session and you might have an issue with NAT (port and the internal address).

1) Change to 21 

2) Test and Read the Log
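
Added example, not written by any poster in this thread: a Python check for the "NAT (port and the internal address)" problem mentioned above. It decodes the address and port carried inside FTP PORT commands and 227 replies and reports the case where an internal (RFC 1918) address crossed the NAT unrewritten and a 425 followed. The transcript, addresses, file name and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed control-channel capture as seen by a client outside the NAT
# (C = client, S = server); addresses and file name are made up.
SAMPLE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,10,5,195,80)"),
    ("C", "RETR report.csv"),
    ("S", "425 Can't open data connection."),
]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# h1,h2,h3,h4,p1,p2 as carried by PORT (RFC 959) and the 227 reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(line):
    """Return (ip, port) advertised by a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def diagnose(transcript):
    """List (sender, 'ip:port') endpoints that were followed by a 425 and
    are RFC 1918 addresses, i.e. were not rewritten on the way through NAT."""
    findings, last = [], None
    for sender, line in transcript:
        ep = data_endpoint(line)
        if ep:
            last = (sender, ep)
        elif line.startswith("425") and last:
            who, (ip, port) = last
            if any(ip in net for net in RFC1918):
                findings.append((who, f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A finding here means the control-channel payload was not translated, which is the job of the session helper bound to the port the control connection actually uses.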
