Solved

Fortigate FTPS - 425 Can't open data connection.

Posted on 2009-04-06
Last Modified: 2013-12-02
We have just replaced our ISA Firewall Cluster with two Fortigate 110C units.

The FTP server runs FileZilla FTP Server, configured to use FTPS (TCP 990) as the command port and 50000-51000 as the data ports.

I have set up the Virtual IPs to forward the 990 traffic to the server and created a firewall policy to allow 990,50000-51000.

When making a client connection I get the following:
Status:      Connecting to xxx.xxx.xxx.xxx:990...
Status:      Connection established, initializing TLS...
Status:      Verifying certificate...
Status:      TLS/SSL connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.27 beta
Response:      220 Welcome to xyz server
Command:      USER myusername
Response:      331 Password required for myusername
Command:      PASS **************
Response:      230 Logged on
Command:      PBSZ 0
Response:      200 PBSZ=0
Command:      PROT P
Response:      200 Protection level set to P
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,247)
Command:      LIST
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing

From that log I can determine that the connection to the server via port 990 is successful and authenticates; however, the client cannot connect to the data port 50167 (195*256+247).

Now what I am assuming is that the Fortigates are not allowing the connection because the data ports are not forwarded and I somehow have to tell the Fortigate to allow the connection through (I thought it might be NAT so I enabled this option on the firewall policy, but this made no difference), and I don't think forwarding the whole 50000-51000 range is the correct method either.

I also tried applying a protection profile that has no Anti-Virus etc applied to it but still didn't fix it.

Does anyone have any ideas where I'm going wrong?

I know FTPS is ugly and it wasn't my choice, but I have to get it working nonetheless. It worked fine with the ISA cluster (YUCK!), so what the hell was ISA doing that I need to tell the Fortigates to do?
Question by:ZeeBOBNZ
9 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24082165
You will need to configure the Fortigate to allow inbound traffic to the ftp server for the whole port range.  If you are doing a static one-to-one NAT for the ftp server that should be all you need to do.  If you are doing port mapping, then you need to port map the whole range.

Also is the IP address in the 227 message actually reachable by the client?

If not:

Do the server and client support extended passive? If so, use that.

If the client or the server does not support extended passive, then you will need to configure Filezilla to use the public IP address for passive connections.
 

Author Comment

by:ZeeBOBNZ
ID: 24082239
Hi,

Yes the 227 message does have the correct IP address.
I understand what you mean about the one-to-one NAT; I just don't know how to configure this on the Fortigates...

Thanks
 
LVL 57

Expert Comment

by:giltjr
ID: 24082939
Which model do you have and what is the firmware/software level?

Author Comment

by:ZeeBOBNZ
ID: 24083305
Fortigate 110C

FG110C-3.00-FW-build733-081122
 
LVL 57

Accepted Solution

by:giltjr (earned 500 total points)
ID: 24083424
It appears that Fortigate uses virtual IP (VIP) to setup static one-to-one NAT:

http://kc.forticare.com/default.asp?id=1765&SID=&Lang=1

Does this help?
 

Author Closing Comment

by:ZeeBOBNZ
ID: 31566935
Thanks for the link, I must have read that article about 10 times and missed the crucial instruction.

Thanks!
 

Expert Comment

by:Admins_A
ID: 36179190
 

Expert Comment

by:aijazans
ID: 38884183
Dear all,

I am facing a similar problem on my network. I have done the above workaround but am still facing the same problem.

Please help me
 
LVL 57

Expert Comment

by:giltjr
ID: 38884196
You will need to open your own question.