- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Passive FTP Outbound Connection issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Passive FTP Outbound Connection issue
Hi,
We have a Fortigate cluster deployed in Azure. The design includes an internal and external Azure load balancer.
We cannot connect from a server behind the cluster using the FileZilla client outbound to the Internet (client > internal load balancer > fortigate > ext lb > ftp server). The external FTP server is configured to use passive mode and the client is also configured to use passive.
We have tried enabling all ports outbound to the target and have deleted the FTP session helper - it doesn't help. The FTP server is configured to request a conn on 5000-5100
FileZilla responds with
Status: Connection established, waiting for welcome message...
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 1
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Have anyone got a config in Azure with the above working?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kins ,
I would run "di sniff packet any "host x.x.x.x and (port 21 or port 20)" 4 0 l " (x is the FTP server IP)
Then verify whether the traffic passing over the correct direction or not.
Please run the below debugs afterwards
di de reset
di de flow filter addr x.x.x.x y.y.y.y and <- (x is the FTP server IP, y is the source machine IP)
di de flow trace start 9999
di de en
Now, you enable the connection and see whether the traffic is blocked by the firewall or not.
If traffic passes, then need to run the packet capture on the ingress and egress port to identify what type of traffic is passing.
Here the reference for capture the traffic on FortiGate: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...
Best Regards,
Maulish
Maulish Shah
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
The following steps can help you find the issue:
- Enable all logs on the related policy and on implicit deny policy
- Check traffic log
- Check debug sniffer output
- Check the load balancers' policy if it is not splitting FTP traffic over multiple WAN links
You can also share the output if you need support.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for taking the time to respond. I have logging enabled and it is not dropping traffic. I believe the problem relates to when the remote FTP server passes back the range of ports 5000-5100 to connect on, that never happens. You can see the RST in the below
here is the diag
filters=[host ftp_server]
5.908900 port2 in ftp_client.49392 -> ftp_server.21: syn 3550550670
5.908974 port1 out wan.49392 -> ftp_server.21: syn 3550550670
5.908977 sriovslv0 out wan.49392 -> ftp_server.21: syn 3550550670
5.919494 port1 in ftp_server.21 -> wan.49392: syn 47535782 ack 3550550671
5.919513 port2 out ftp_server.21 -> ftp_client.49392: syn 47535782 ack 3550550671
5.919516 sriovslv1 out ftp_server.21 -> ftp_client.49392: syn 47535782 ack 3550550671
5.923580 sriovslv1 in ftp_client.49392 -> ftp_server.21: ack 47535783
5.923581 port2 in ftp_client.49392 -> ftp_server.21: ack 47535783
5.923593 port1 out wan.49392 -> ftp_server.21: ack 47535783
5.923595 sriovslv0 out wan.49392 -> ftp_server.21: ack 47535783
5.934781 sriovslv0 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
5.934782 port1 in ftp_server.21 -> wan.49392: rst 47535783 ack 3550550671
5.934789 port2 out ftp_server.21 -> ftp_client.49392: rst 47535783 ack 3550550671
5.934790 sriovslv1 out ftp_server.21 -> ftp_client.49392: rst 47535783 ack 3550550671
10.942554 port2 in ftp_client.49403 -> ftp_server.21: syn 3157714567
10.942629 port1 out wan.49403 -> ftp_server.21: syn 3157714567
10.942631 sriovslv0 out wan.49403 -> ftp_server.21: syn 3157714567
10.952930 port1 in ftp_server.21 -> wan.49403: syn 80559227 ack 3157714568
10.952954 port2 out ftp_server.21 -> ftp_client.49403: syn 80559227 ack 3157714568
10.952957 sriovslv1 out ftp_server.21 -> ftp_client.49403: syn 80559227 ack 3157714568
10.953744 sriovslv1 in ftp_client.49403 -> ftp_server.21: ack 80559228
10.953745 port2 in ftp_client.49403 -> ftp_server.21: ack 80559228
10.953762 port1 out wan.49403 -> ftp_server.21: ack 80559228
10.953765 sriovslv0 out wan.49403 -> ftp_server.21: ack 80559228
10.964576 sriovslv0 in ftp_server.21 -> wan.49403: rst 80559228 ack 3157714568
10.964577 port1 in ftp_server.21 -> wan.49403: rst 80559228 ack 3157714568
10.964588 port2 out ftp_server.21 -> ftp_client.49403: rst 80559228 ack 3157714568
10.964590 sriovslv1 out ftp_server.21 -> ftp_client.49403: rst 80559228 ack 3157714568
The Azure load balancer design is configured so the LB only communicates with the active firewall node - the cluster is A/P and all traffic routes via the the active node. I have verified this and there are zero entries in the traffic logs on the passive node.
SIP ALG and FTP session helpers are deleted. When the FTP session helper is deleted I get this far in the Filezilla client and then hangs "Connection established, waiting for welcome message.."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kins ,
I would run "di sniff packet any "host x.x.x.x and (port 21 or port 20)" 4 0 l " (x is the FTP server IP)
Then verify whether the traffic passing over the correct direction or not.
Please run the below debugs afterwards
di de reset
di de flow filter addr x.x.x.x y.y.y.y and <- (x is the FTP server IP, y is the source machine IP)
di de flow trace start 9999
di de en
Now, you enable the connection and see whether the traffic is blocked by the firewall or not.
If traffic passes, then need to run the packet capture on the ingress and egress port to identify what type of traffic is passing.
Here the reference for capture the traffic on FortiGate: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...
Best Regards,
Maulish
Maulish Shah
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Maulish, thanks for the response....We requested logs from the hosted side to get an end to end picture and all of a sudden it works - waiting on an update from that side but this is now resolved.
Related Posts
- Packet duplication not done in session... 160 Views
- Connecting Two SIP Trunks with Different... 277 Views
- Trouble Receiving DHCP Packet Over S2S... 291 Views
- FortiExtender LAN Extension policy not allowing... 292 Views
- FG-100F in HA without using switches 522 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.