We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Can not access external FTP server. Result Code:0xc0040017 fwx_e_tcp_not_syn_packet_dropped

Medium Priority
Last Modified: 2012-05-06
I keep gettin the Denied connection with code Result Code:0xc0040017 fwx_e_tcp_not_syn_packet_dropped whenerver i try to access an external ftp server. Clients are acting as SecureNAT and Web Proxy. I have created a rule :
Name:Allow FTP
From ;internal,  To:External , All Users
and In configure FTP i have unchecked the Read Only option.

FTP access filter is enabled.

Watch Question


You may check the following issue:

This issue may happen, if you either connect via ISA to the target and the packages are coming back without touching ISA or vice versa. You have to make sure, that ISA either both directions or none of them are touching the ISA server.

Check your gateway settings on the devices, which are involved in internet traffic. Maybe there is another device in front of ISA, which allowes the outgoing traffic from ISA, but do not route the response back to ISA.
Raj-GTSystems Engineer

Try the following...

1. Install the Firewall client on the client PC and try again
2. Try connecting using IE with ftp://username:password@url



Hello and thanks for the reply,

I have made some headway,before i was not even able to get to the authentication part but i added both port 20 and 21 to the FTP access rule in the TMG server and now i am getting this.
Looks like something is blocking it.

C:\Documents and Settings\abc>ftp
Connected to
220 Microsoft FTP Service
User ( bandm
331 Password required for bandm.
230 User bandm logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
ftp: get :Connection reset by peer
Raj-GTSystems Engineer

Do you have any router/firewall in front of your TMG box?



Yes i have a firewall in front but at the moment i have let everything IN and OUT.
Moreover i just found out i can acces the external ftp site from the TMG server itself which sits in the DMZ.

Doesnt it mean that the router is not blocking anything and its the TMG that is not allowing the data into the internal network or maybe the client can not get it back...

Doesnt it mean that the router....

If the traffic is blocked, you will see this, if you log the traffic in ISA (Monitoring - Logging)
This may be the second issue.

If you say, ISA sits in a DMZ, what does this mean? The only configuration with ISA in a DMZ is having 2 firewalls and ISA between them in a single NIC configuration, working as Proxy.

Installing Firewall Client has nothing to do with FTP.

Check your firewall in front of your network.
You have to seperate two things: Web traffic and all other
Web (HTTP / HTPPS / FTP) traffic is set on the clients via IE settings (Proxy)
All other traffic is set by the default gateway on the clients.

If the Web traffic is setup in that way, that your ISA is the proxy for your clients, you have to make sure, that the external firewall forwards all this traffic back to ISA.

If the default gateway on the clients is set to ISA, ISA handles the outgoing traffic. In that case, you have to config your firewall in front of ISA, to forward all other responses back to ISA, otherwise your described error will occur.

If the default gateway on the clients points to the external firewall, the firewall must not forward this traffic back to ISA.

I'm quite sure, that this is a routing issue, but this needs more information on how your network is setup, to follow up the traffic flow.

The fact, that you can access FTP via ISA itself does only mean, that the external firewall is routing back the traffic to the source device. ISA uses the same rules for it own as for the clients. If this works for local host, it should also work for the clients (from ISA perspective).

Raj-GTSystems Engineer

Install the firewall client and try again. You will need it to connect to an outside FTP Server. Otherwise you have to disable FTP Access Filter from the FTP protocol and manually create protocol with FTP ports etc.

ISA Firewall Client - http://www.microsoft.com/DownLoads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89&displaylang=enhttp://www.microsoft.com/DownLoads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89&displaylang=en

More about FTP - http://slacksite.com/other/ftp.html



Thanks both,

i cant understand how it finally worked and why was not it working before. Will be really glad if one of you can make me understand.

As i said my TMG was behind a router. All my clients have there DG pointing to the TMG and not to the router so they are acting as a SecureNAT.
I had setup the netork relationship between the internal to external as ROUTE and not as NAT.
Natting was taking place at the Router.

Now that i changed the relationship to NAT on the TMG i can access all the external ftp sites, but as of now am i not doubling natting?First at the TMG and then at the ROUTER.
Why wasnt it working when i was ROuting the traffic from Internal to External instead of NAT ??

I didnt need to install the firewall client.
Following up the Syn_Drops, the explanation is, that routing has a differnt mechanism than network address translation. Also they are working on different ISO levels.

So the question is, what the router can see and how routing / NAT works.
If ISA is in NAT mode, all traffice through the router seems to be from ISA (from the router persepective). Therefore, the router forwards back all responses back to ISA as the router does not have any information about the original source. ISA stores the original sources within own tables so that ISA knows, which machine has requested the traffic. The router can not see the client behind ISA, the router sees only the ISA server. Therefore the traffic flow is correct.

If ISA routes the traffic, the router in front of ISA determines, that the target device is part of the network an may route the traffic directly back to the client or via other devices. Routers are usually using the shortest path to the target. As ISA do not get any response, it will drop the connection. The roting mechanism of ISA follows the routing mechanism and settings on the ISA machine. So all settings like gateways on this machine, static routes or also RAS settings are in effect on this machine.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Well that explains everything i guess.Thanks a lot for the explanation.
Finally are there any consequnces of double nat taking place ?

> are there any consequnces of double nat taking place
In practise, not really from my point of perspective. As the external connection is the real bandwidth limitation, ISA and all other NAT devices has only to handle, what the external connection can deliver. This should be not a problem for the most of the connections.  

You may make a simple FTP download upload test to an external server to see, if you reach the performance you expect. If you reach the maximum of your bandwidth, I would not take care about double natting it. You may also have a look onto the work load on ISA, if you make a full speed up / download. This gives you an idea, if you can expect any load issues.

Nevertheless, what is valid for FTP may also be valid for all other protocols. It may be a little more logical work to do to publish things through your ISA, as you have usually always to touch both firewalls.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.