Passive mode FTP connection fails
  • When a user connects to an FTP server located behind a 600/700 appliance, the control connection succeeds, but the client cannot list or transfer files.

  • The output of fw ctl zdebug drop shows:

    ;[fw4_0];fw_log_drop_ex: Packet proto=6 x.x.x.x:21 -> x.x.x.x:59348 dropped by fw_conn_post_inspect Reason: Handler 'ftp_code' drop;

  • The FTP client log shows:
    Status:	Server sent passive reply with unroutable address. Using server address instead.
    Command:	MLSD
    Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

When passive mode is negotiated in an FTP-over-TLS connection, the PASV reply is sent encrypted. Because the Security Gateway is not a party to the TLS session, it cannot rewrite the server's IP address in that reply with its own, so the packet is forwarded unchanged. The client therefore receives the server's real IP address, which sits behind the Security Gateway and is unroutable from the Internet.
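The client-side decision shown in the log above ("Server sent passive reply with unroutable address. Using server address instead.") can be reproduced with the following added example; it is not code from the article or from any FTP client, and the PASV reply, the list of unroutable ranges and the control-connection address are constructed samples.

```python
import ipaddress
import re

# A 227 reply looks like: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Ranges a client on the Internet cannot reach directly (constructed list:
# RFC 1918, loopback, link-local, shared address space, "this" network).
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return the (host, port) the server advertises in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_unroutable(host: str) -> bool:
    """True if the address falls in one of the non-Internet-routable ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in UNROUTABLE_NETS)


def choose_data_endpoint(reply: str, control_host: str) -> tuple[str, int, bool]:
    """Decide where the data connection should go.

    Returns (host, port, substituted). When the advertised address is
    unroutable (the internal address leaked through the encrypted PASV
    reply) and differs from the control-connection peer, the client keeps
    the advertised port but falls back to the address it already talks to.
    """
    host, port = parse_pasv_reply(reply)
    if host != control_host and is_unroutable(host):
        return control_host, port, True
    return host, port, False


if __name__ == "__main__":
    # Constructed sample: internal 10.x address with port 195*256+80 = 50000.
    print(choose_data_endpoint("227 Entering Passive Mode (10,1,2,3,195,80)",
                               "203.0.113.5"))
```

The substitution only works when the server accepts the data connection on the address the client substitutes; if, as in this article, the Security Gateway does not pass that connection through, the client still ends with ECONNREFUSED.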

