FTP ALG problem to your FTP server

PeterUK
PeterUK Posts: 2,655  Guru Member
edited April 2021 in Security

ZyWALL 110 V4.33(AAAA.0)ITS-WK30-r89425

I have no rule that allows, say, all services from DMZ to WAN; I allow a service like port 21, and the ALG in the ZyWALL allows the other ports, be it in Passive or Active mode.

ftp://ftp2.zyxel.com/

works fine in Passive or Active mode with firewall on

------------------------

ftp://ftp.zyxel.com/

does not work in Passive or Active mode, but with firewall off Active mode is forced to Passive and works.

using Core FTP LE 2.2



Comments

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @PeterUK,

    The same issue is reproduced in our lab.

    We will investigate what the root cause is and keep you informed of the status.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    edited October 2019
    Hi @PeterUK,

    The root cause is on the ftp server.

    In ftp.zyxel.com, it doesn't support Active mode.

    1. When the client uses Active mode, it will return “550 Permission denied”.

    2. In the passive mode case, the server will respond with an incorrect passive IP address. This incorrect IP causes it to not find the correct expected conntrack, and the passive port, which does not belong to 21, will be dropped by the firewall.
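
An added example, not part of the original posts and not Zyxel's code: a check for the condition described in the reply above, where the address inside a 227 reply differs from the address the control connection was made to. The sample replies and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 959 host-port form used by both "227 ... (h1,h2,h3,h4,p1,p2)"
# and "PORT h1,h2,h3,h4,p1,p2".
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a 227 reply or PORT command, else None."""
    if not (line.startswith("227 ") or line.upper().startswith("PORT ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer):
    """Compare the address advertised in a 227 reply with the control peer.

    Returns (matches, advertised_ip, data_port), or None if the line is
    not a parsable 227 reply.
    """
    if not reply.startswith("227 "):
        return None
    parsed = parse_hostport(reply)
    if parsed is None:
        return None
    ip, port = parsed
    peer = str(ipaddress.IPv4Address(control_peer))  # normalises and validates
    return ip == peer, ip, port


# Constructed sample data: (227 reply as seen by the client, control-channel peer).
SAMPLES = [
    ("227 Entering Passive Mode (203,0,113,10,195,80)", "203.0.113.10"),
    ("227 Entering Passive Mode (10,1,2,3,195,80)", "203.0.113.10"),
]

if __name__ == "__main__":
    for reply, peer in SAMPLES:
        ok, ip, port = check_pasv(reply, peer)
        print(("match   " if ok else "MISMATCH"), f"advertised {ip}:{port}, control peer {peer}")
```

Feed it the 227 line from the FTP client's log together with the address the client actually connected to on port 21.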


  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited October 2019

    Well Active mode did work on ftp.zyxel.com some months back so maybe something has changed on your server?

    And ftp2.zyxel.com works in Active mode even with “550 Permission denied”



  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @PeterUK,

    After FTP ALG is enabled on the ftp server "ftp.zyxel.com", it should be working now.

    Try it again and share the test result with us.

  • PeterUK
    PeterUK Posts: 2,655  Guru Member

    Active mode still doesn't work but passive mode works on ftp.zyxel.com. There's no reason why Active mode can work as well like on ftp2.zyxel.com.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @PeterUK,
    There is no extra setting for active mode connection.
    When using active mode on the Core FTP client and connecting to ftp.zyxel.com, it is changed to passive mode automatically and it is still able to connect to ftp.zyxel.com successfully.
    It is the current behavior of ftp.zyxel.com.


  • PeterUK
    PeterUK Posts: 2,655  Guru Member

    Yes, I know the Core FTP client changed to passive mode automatically, but I'm saying I used to connect to ftp.zyxel.com in Active mode and now I can't, so something has changed.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @PeterUK,

    The old FTP server ftp.zyxel.com was migrated to a new server a few months ago.

    That's why the behavior on the old server and the current server are different.

    We apologize for the inconvenience.  

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited October 2019

    Even on a new server Active mode should still work; maybe you're blocking the outgoing connection from your server? As in Active mode you connect to me for data.

    I have never known an FTP server not being able to do Active mode unless set up not to.

