FTP ALG problem to your FTP server

PeterUK Member Posts: 376  Guru Member
edited October 2, 2019 7:24AM in ZyWALL USG Series

ZyWALL 110 V4.33(AAAA.0)ITS-WK30-r89425

I have no rule that allows, like, all services from DMZ to WAN. I allow, like, service port 21, and the ALG in the ZyWALL allows the other ports, be it in Passive or Active mode.

ftp://ftp2.zyxel.com/

works fine in Passive or Active mode with firewall on

------------------------

ftp://ftp.zyxel.com/

does not work in Passive or Active mode but with firewall off Active mode is forced to Passive and works.

using Core FTP LE 2.2



Comments

  • Zyxel_Emily Zyxel Official Agent Posts: 477  mod
    Hi @PeterUK,

    The same issue is reproduced in our lab.

    We will investigate what the root cause is and keep you informed of the status.

  • Zyxel_Emily Zyxel Official Agent Posts: 477  mod
    edited October 8, 2019 4:27PM
    Hi @PeterUK,

    The root cause is on the ftp server.

    ftp.zyxel.com doesn't support Active mode.

    1. When the client uses Active mode, it will return “550 Permission denied”.

    2. In the passive mode case, the server will respond with an incorrect passive IP address. This incorrect IP causes it to not find the correct expected conntrack, and the passive port, which does not belong to 21, will be dropped by the firewall.
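
A diagnostic sketch of the passive-mode failure described in the reply above, as an added example that is not part of the original thread and not Zyxel's code: it parses the server's 227 reply and compares the advertised data address with the address the control connection actually reached. The sample replies, addresses and function names are constructed for illustration, and the comparison is a simplified model of the mismatch, not the ZyWALL's ALG logic.

```python
import ipaddress
import re

# RFC 959 address tuple: h1,h2,h3,h4,p1,p2 (six decimal bytes).
_TUPLE_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed sample replies (documentation / private addresses, not from the thread).
CONTROL_SERVER_IP = "203.0.113.10"   # address the client's port-21 connection reached
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
BAD_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"


def parse_pasv_reply(line):
    """Return (IPv4Address, port) advertised in a 227 reply, or None."""
    line = line.strip()
    if not line.startswith("227"):
        return None
    m = _TUPLE_RE.search(line[3:])
    if m is None:
        return None
    values = [int(v) for v in m.groups()]
    if any(v > 255 for v in values):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, values[:4])))
    return ip, values[4] * 256 + values[5]


def check_pasv_reply(control_server_ip, line):
    """Return (matches, advertised_ip, port), or None if the line is not a 227 reply.

    matches is False when the advertised data address differs from the
    control-connection peer, the case where the expected data flow and the
    real one no longer line up.
    """
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return None
    ip, port = parsed
    return ip == ipaddress.IPv4Address(control_server_ip), str(ip), port


if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(reply, "->", check_pasv_reply(CONTROL_SERVER_IP, reply))
```

Feeding it the 227 line from an FTP client's session log together with the server address the client connected to shows at a glance whether the server is advertising a data address that a firewall tracking the control connection would not expect.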


  • PeterUK Member Posts: 376  Guru Member
    edited October 8, 2019 8:41PM

    Well, Active mode did work on ftp.zyxel.com some months back, so maybe something has changed on your server?

    And ftp2.zyxel.com works in Active mode even with “550 Permission denied”.



  • Zyxel_Emily Zyxel Official Agent Posts: 477  mod
    Hi @PeterUK,

    After FTP ALG is enabled on the ftp server "ftp.zyxel.com", it should be working now.

    Try it again and share the test result with us.

  • PeterUK Member Posts: 376  Guru Member

    Active mode still doesn't work but passive mode works on ftp.zyxel.com; there's no reason why Active mode can work as well like on ftp2.zyxel.com.


  • Zyxel_Emily Zyxel Official Agent Posts: 477  mod
    Hi @PeterUK,
    There is no extra setting for active mode connection.
    When using active mode on the Core FTP client and connecting to ftp.zyxel.com, it is changed to passive mode automatically and it is still able to connect to ftp.zyxel.com successfully.
    It is the current behavior of ftp.zyxel.com.


  • PeterUK Member Posts: 376  Guru Member

    Yes, I know the Core FTP client changed to passive mode automatically, but I'm saying I used to connect to ftp.zyxel.com in Active mode and now I can't, so something has changed.


  • Zyxel_Emily Zyxel Official Agent Posts: 477  mod
    Hi @PeterUK,

    The old FTP server ftp.zyxel.com was migrated to a new server a few months ago.

    That's why the behavior on the old server and the current server are different.

    We apologize for the inconvenience.  

  • PeterUK Member Posts: 376  Guru Member
    edited October 16, 2019 11:25PM

    Even on a new server Active mode should still work; maybe you're blocking the outgoing connection from your server? As in Active mode you connect to me for Data.

    I have never known an FTP server not being able to do Active mode unless set up not to.

