Passive mode FTP connection fails

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk112001
Technical Level
Product	Quantum Spark Appliances
Version	R77.20 (EOL), R80.30 (EOL), R80.20.x, R81.10.x
OS	Gaia Embedded
Platform / Model	600, 700, 1100, 1200R, 1500, 900, 1600, 1800
Date Created	29-Jun-2016
Last Modified	24-Jul-2022

Symptoms

When the user connects to an FTP server that is behind a 600/700 appliance, the connection is successful but can't list or transfer files.
The fw ctl zdebug drop debug shows:

;[fw4_0];fw_log_drop_ex: Packet proto=6 x.x.x.x:21 -> x.x.x.x:59348 dropped by fw_conn_post_inspect Reason: Handler 'ftp_code' drop;

FTP client shows logs:

Status:	Server sent passive reply with unroutable address. Using server address instead.
Command:	MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

Cause

When the passive mode is initiated in an FTP-over-TLS connection, the packets are sent encrypted. Since the Security Gateway is not a peer in the communication, it is not able to replace the server's IP address with its own because of the encryption, and so the packet is sent unchanged. The client obtains the server's real IP address, which is hidden behind the Security Gateway and is unroutable from the Internet.

Solution

Note: To view this solution you need to Sign In .