Hi everyone,
I'm having an issue with FTP: I receive the error response 425 "unable to build connection" when using the external IP (mapped on the FortiGate), but using the internal connection it works fine. Has anyone encountered such a problem? I appreciate your help.
regards,
The 425 is related to PORT mode and the FortiGate (or any firewall). In PORT mode, the FTP server initiates a connection from port 20 to the port chosen by the client, meaning from the FTP server to your inside. Based on your firewall policy, if you have not taken this connection (from the FTP server to your client) into consideration, then the TCP SYN packet will be dropped.
If this is the case, then a session helper needs to be configured, as shown in the admin guide, or change the FTP client to use passive mode.
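To make the direction of the data connection concrete, here is an added example (not from this thread or from Fortinet) that parses the client's PORT command and the server's 227 PASV reply the way an FTP session helper has to, and reports which side sends the SYN for the data channel and what dynamic allow entry the firewall would need. All addresses and control-channel lines in it are constructed for the example; the helper names (predict_data_channel, pinhole_for, embedded_address_needs_rewrite) are hypothetical.

```python
"""Predict the FTP data connection from the control-channel exchange.

Added example, not code from the thread. Shows why active (PORT) mode makes
the FTP *server* open a new TCP connection back to the client, which a
stateful firewall without an FTP session helper will drop, and why a NATed
address carried inside the FTP payload needs rewriting.
"""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$")          # client -> server
PASV_RE = re.compile(r"^227\b[^(]*\(" + HOSTPORT + r"\)")       # server -> client


class DataChannel(NamedTuple):
    mode: str                       # "active" (PORT) or "passive" (PASV)
    initiator: str                  # host that sends the SYN for the data channel
    src: Tuple[str, Optional[int]]  # initiator's (ip, port); None = ephemeral
    dst: Tuple[str, int]            # (ip, port) the initiator connects to


def _decode_hostport(fields) -> Tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 and reject out-of-range values."""
    octets = [int(f) for f in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ".".join(str(o) for o in octets), port


def predict_data_channel(control_line: str, server_ip: str, client_ip: str,
                         server_ctrl_port: int = 21) -> Optional[DataChannel]:
    """Return the data connection implied by one control-channel line, or None
    if the line does not set up a data channel."""
    m = PORT_RE.match(control_line)
    if m:
        # Active mode: the client names its own address/port and the server
        # connects to it. RFC 959's default source port is L-1 (20 for control
        # port 21, 2020 for a server listening on 2021).
        host, port = _decode_hostport(m.groups())
        return DataChannel("active", "server", (server_ip, server_ctrl_port - 1), (host, port))
    m = PASV_RE.match(control_line)
    if m:
        # Passive mode: the server names a listening address/port and the
        # client connects to it from an ephemeral port.
        host, port = _decode_hostport(m.groups())
        return DataChannel("passive", "client", (client_ip, None), (host, port))
    return None


def pinhole_for(channel: DataChannel) -> dict:
    """The dynamic allow entry a session helper must add so the data
    connection's SYN is accepted, stated as a 5-tuple-style rule."""
    src_ip, src_port = channel.src
    dst_ip, dst_port = channel.dst
    return {"proto": "tcp", "src": src_ip, "sport": src_port if src_port else "any",
            "dst": dst_ip, "dport": dst_port}


def embedded_address_needs_rewrite(channel: DataChannel, peer_sees_ip: str) -> bool:
    """True when the address inside the FTP payload is an RFC 1918 address that
    differs from the address the peer actually reaches this host on (NAT):
    without payload rewriting by the helper, the peer connects to an
    unreachable IP and the transfer fails with a 425."""
    embedded = ipaddress.ip_address(channel.dst[0])
    return embedded.is_private and str(embedded) != peer_sees_ip


if __name__ == "__main__":
    # Constructed sample exchange: server in a DMZ at 10.0.0.5, published on a
    # public IP 203.0.113.5; an outside client at 198.51.100.7.
    server_ip, client_ip = "203.0.113.5", "198.51.100.7"
    for line in ("PORT 198,51,100,7,4,1",
                 "227 Entering Passive Mode (10,0,0,5,195,80).",
                 "200 PORT command successful"):
        ch = predict_data_channel(line, server_ip, client_ip, server_ctrl_port=2021)
        if ch is None:
            print(f"{line!r}: no data channel")
            continue
        print(f"{line!r}: {ch.mode} mode, SYN from {ch.initiator}, pinhole {pinhole_for(ch)}, "
              f"payload address needs NAT rewrite: {embedded_address_needs_rewrite(ch, server_ip)}")
```

Run it and the PASV line shows the failure mode the thread is about: the server hands out its private DMZ address, so a client that reached it through the published IP cannot open the data channel unless the helper rewrites the payload and opens the matching pinhole; the PORT line shows the reverse case, where the server is the one that must be allowed to initiate.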
Created on 11-05-2023 01:30 AM Edited on 11-05-2023 01:36 AM
Hi Ramada,
Thanks for the heads-up; however, the external port is working if not using the FileZilla application, but if that certain port is linked to FileZilla, that's when we receive such a 425 response. Something is blocking the FTP download. I even added a new config on the session helper for the new ports assigned for FTP, as you can see below.
config system session-helper
    edit 21
        set name ftp
        set protocol 6
        set port 2021
    next
end
-----Policy----
config firewall policy
    edit 34
        set name "ftp-svr"
        set uuid d0c524b8-7879-51ee-837e-ba610b1f8d27
        set srcintf "wan1"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "local-test"
        set schedule "always"
        set service "FTP" "FTP_GET" "FTP_PUT" "FTP_SRV"
        set logtraffic all
        set nat enable
    next
    edit 27
        set name "ftp-outside"
        set uuid 8abcfd76-78ae-51ee-cead-e8774d4e5626
        set srcintf "port4"
        set dstintf "wan1"
        set action accept
        set srcaddr "dmz-server"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
Hi,
First, I can see that you are using a non-standard port, 2021, instead of 21. The FortiGate will monitor the FTP session and you might have issues with NAT (the port and the internal address).
1) Change to 21
2) Test and Read the Log