Hi,
We have a Fortigate cluster deployed in Azure. The design includes an internal and external Azure load balancer.
We cannot connect from a server behind the cluster using the FileZilla client outbound to the Internet (client > internal load balancer > fortigate > ext lb > ftp server). The external FTP server is configured to use passive mode and the client is also configured to use passive.
We have tried enabling all ports outbound to the target and have deleted the FTP session helper - it doesn't help. The FTP server is configured to request a conn on 5000-5100
FileZilla responds with
Status: Connection established, waiting for welcome message...
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 1
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Has anyone got a config in Azure with the above working?
Hi @kins ,
I would run "di sniff packet any "host x.x.x.x and (port 21 or port 20)" 4 0 l " (x is the FTP server IP)
Then verify whether the traffic is passing in the correct direction or not.
Please run the below debugs afterwards
di de reset
di de flow filter addr x.x.x.x y.y.y.y and <- (x is the FTP server IP, y is the source machine IP)
di de flow trace start 9999
di de en
Now enable the connection and see whether the traffic is blocked by the firewall or not.
If traffic passes, then you need to run the packet capture on the ingress and egress port to identify what type of traffic is passing.
Here is the reference for capturing traffic on FortiGate: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...
Best Regards,
Maulish
Hello
The following steps can help you find the issue:
You can also share the output if you need support.
Thanks for taking the time to respond. I have logging enabled and it is not dropping traffic. I believe the problem relates to when the remote FTP server passes back the range of ports 5000-5100 to connect on, that never happens. You can see the RST in the below
here is the diag
filters=[host ftp_server]
5.908900 port2 in ftp_client.49392 -> ftp_server.21: syn 3550550670
5.908974 port1 out wan.49392 -> ftp_server.21: syn 3550550670
5.908977 sriovslv0 out wan.49392 -> ftp_server.21: syn 3550550670
5.919494 port1 in ftp_server.21 -> wan.49392: syn 47535782 ack 3550550671
5.919513 port2 out ftp_server.21 -> ftp_client.49392: syn 47535782 ack 3550550671
5.919516 sriovslv1 out ftp_server.21 -> ftp_client.49392: syn 47535782 ack 3550550671
5.923580 sriovslv1 in ftp_client.49392 -> ftp_server.21: ack 47535783
5.923581 port2 in ftp_client.49392 -> ftp_server.21: ack 47535783
5.923593 port1 out wan.49392 -> ftp_server.21: ack 47535783
5.923595 sriovslv0 out wan.49392 -> ftp_server.21: ack 47535783
5.934781 sriovslv0 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
5.934782 port1 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
5.934789 port2 out ftp_server.21 -> ftp_client.49392: rst 47535783 ack 3550550671
5.934790 sriovslv1 out ftp_server.21 -> ftp_client.49392: rst 47535783 ack 3550550671
10.942554 port2 in ftp_client.49403 -> ftp_server.21: syn 3157714567
10.942629 port1 out wan.49403 -> ftp_server.21: syn 3157714567
10.942631 sriovslv0 out wan.49403 -> ftp_server.21: syn 3157714567
10.952930 port1 in ftp_server.21 -> wan.49403: syn 80559227 ack 3157714568
10.952954 port2 out ftp_server.21 -> ftp_client.49403: syn 80559227 ack 3157714568
10.952957 sriovslv1 out ftp_server.21 -> ftp_client.49403: syn 80559227 ack 3157714568
10.953744 sriovslv1 in ftp_client.49403 -> ftp_server.21: ack 80559228
10.953745 port2 in ftp_client.49403 -> ftp_server.21: ack 80559228
10.953762 port1 out wan.49403 -> ftp_server.21: ack 80559228
10.953765 sriovslv0 out wan.49403 -> ftp_server.21: ack 80559228
10.964576 sriovslv0 in ftp_server.21 -> wan.49403: rst 80559228 ack 3157714568
10.964577 port1 in ftp_server.21 -> wan.49403: rst 80559228 ack 3157714568
10.964588 port2 out ftp_server.21 -> ftp_client.49403: rst 80559228 ack 3157714568
10.964590 sriovslv1 out ftp_server.21 -> ftp_client.49403: rst 80559228 ack 3157714568
The Azure load balancer design is configured so the LB only communicates with the active firewall node - the cluster is A/P and all traffic routes via the active node. I have verified this and there are zero entries in the traffic logs on the passive node.
SIP ALG and FTP session helpers are deleted. When the FTP session helper is deleted I get this far in the FileZilla client and then it hangs: "Connection established, waiting for welcome message..."
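As an added example (not part of this thread and not a Fortinet tool), the script below parses FortiGate `diag sniffer packet` output of the kind posted above and reports, per FTP control connection, whether the client's SYN actually left the firewall, whether the three-way handshake was forwarded in both directions (the check Maulish's sniffer step is meant to answer), and who sent the RST and when. It keys sessions on the client's ephemeral port because the SNAT on the FortiGate keeps that port (`ftp_client.49392` and `wan.49392` are the same session). The sample input is constructed: it reuses the first session from the capture above and adds two made-up sessions, one healthy and one whose SYN never leaves the firewall, so the three outcomes can be compared.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One FortiGate sniffer line, e.g.
#   5.934782 port1 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "rst", "fin", "psh", "urg"}

# Constructed sample: session 49392 is copied from the capture in this thread,
# 49410 (server sends its banner) and 49420 (SYN never forwarded) are made up.
SAMPLE = """\
filters=[host ftp_server]
5.908900 port2 in ftp_client.49392 -> ftp_server.21: syn 3550550670
5.908974 port1 out wan.49392 -> ftp_server.21: syn 3550550670
5.919494 port1 in ftp_server.21 -> wan.49392: syn 47535782 ack 3550550671
5.919513 port2 out ftp_server.21 -> ftp_client.49392: syn 47535782 ack 3550550671
5.923581 port2 in ftp_client.49392 -> ftp_server.21: ack 47535783
5.923593 port1 out wan.49392 -> ftp_server.21: ack 47535783
5.934782 port1 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
5.934789 port2 out ftp_server.21 -> ftp_client.49392: rst 47535783 ack 3550550671
20.100000 port2 in ftp_client.49410 -> ftp_server.21: syn 1000
20.100100 port1 out wan.49410 -> ftp_server.21: syn 1000
20.110000 port1 in ftp_server.21 -> wan.49410: syn 2000 ack 1001
20.110100 port2 out ftp_server.21 -> ftp_client.49410: syn 2000 ack 1001
20.111000 port2 in ftp_client.49410 -> ftp_server.21: ack 2001
20.111100 port1 out wan.49410 -> ftp_server.21: ack 2001
20.120000 port1 in ftp_server.21 -> wan.49410: psh 2001 ack 1001
20.120100 port2 out ftp_server.21 -> ftp_client.49410: psh 2001 ack 1001
30.000000 port2 in ftp_client.49420 -> ftp_server.21: syn 3000
"""


@dataclass
class ControlSession:
    """State of one FTP control connection, keyed by the client's source port."""
    client_port: int
    # interfaces on which client->server / server->client packets were seen
    fwd_ifaces: dict = field(default_factory=lambda: {"in": set(), "out": set()})
    rev_ifaces: dict = field(default_factory=lambda: {"in": set(), "out": set()})
    syn_ts: Optional[float] = None
    synack_ts: Optional[float] = None
    ack_ts: Optional[float] = None
    rst_ts: Optional[float] = None
    rst_from: Optional[str] = None   # "server" or "client"
    server_data: bool = False        # server pushed payload (the 220 banner)

    def handshake_complete(self) -> bool:
        return None not in (self.syn_ts, self.synack_ts, self.ack_ts)

    def forwarded_both_ways(self) -> bool:
        # each direction was seen entering on one interface and leaving on another
        return all(self.fwd_ifaces.values()) and all(self.rev_ifaces.values())


def parse_sniffer(text: str, control_port: int = 21) -> dict[int, ControlSession]:
    sessions: dict[int, ControlSession] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "filters=[...]" and other non-packet lines
        ts = float(m["ts"])
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = {tok for tok in m["rest"].split() if tok in TCP_FLAGS}
        if dport == control_port:
            to_server, client_port = True, sport
        elif sport == control_port:
            to_server, client_port = False, dport
        else:
            continue  # not the control channel
        s = sessions.setdefault(client_port, ControlSession(client_port))
        (s.fwd_ifaces if to_server else s.rev_ifaces)[m["dir"]].add(m["iface"])
        # A packet shows up once per interface it crosses; keep the first timestamp.
        if to_server and flags == {"syn"} and s.syn_ts is None:
            s.syn_ts = ts
        elif not to_server and {"syn", "ack"} <= flags and s.synack_ts is None:
            s.synack_ts = ts
        elif to_server and flags == {"ack"} and s.synack_ts is not None and s.ack_ts is None:
            s.ack_ts = ts
        if "rst" in flags and s.rst_ts is None:
            s.rst_ts, s.rst_from = ts, ("client" if to_server else "server")
        if not to_server and "psh" in flags:
            s.server_data = True
    return sessions


def diagnose(s: ControlSession) -> str:
    if s.syn_ts is None:
        return "no SYN from client seen"
    if not s.fwd_ifaces["out"]:
        return "SYN arrived but never left the FortiGate: check policy/route with diag debug flow"
    if s.synack_ts is None:
        return "SYN forwarded but no SYN/ACK came back: look upstream (external LB, NSG, server)"
    if not s.handshake_complete():
        return "SYN/ACK returned but client never completed the handshake"
    if s.rst_from == "server" and not s.server_data:
        delay = round((s.rst_ts - s.ack_ts) * 1000, 1)
        return (f"handshake completed through the FortiGate (forwarded both ways: "
                f"{s.forwarded_both_ways()}), but the server reset the control connection "
                f"{delay} ms later without sending a banner: not a FortiGate policy drop")
    if s.rst_from == "client":
        return "client reset the control connection"
    if s.server_data:
        return "control channel up and banner received from server"
    return "handshake completed, nothing further captured"


def report(text: str, control_port: int = 21) -> dict[int, str]:
    return {p: diagnose(s) for p, s in sorted(parse_sniffer(text, control_port).items())}


if __name__ == "__main__":
    for port, verdict in report(SAMPLE).items():
        print(f"client port {port}: {verdict}")
```

Run it on a saved `diag sniffer packet any "host <ftp server>" 4` capture to get one verdict per client port; for the capture above it reports that both directions of the handshake were forwarded and the RST came from the server side about 11 ms after the client's ACK, which is the same conclusion kins draws by eye.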
Hi Maulish, thanks for the response... We requested logs from the hosted side to get an end-to-end picture and all of a sudden it works - waiting on an update from that side, but this is now resolved.