Solved

Determine host blocking FTP

Posted on 2010-08-23
Last Modified: 2012-05-10
We host an FTP service that works for everyone in our local organization.  However, clients cannot use the service from parent or sister organizations.  We believe there is a firewall blocking FTP, but we don't know where.  How can we find the device/host/firewall blocking the FTP connection?

I prefer to use commands or utilities provided with Windows (command line or graphical) because we can’t bring new software onto the network.
Question by: ff10

LVL 8

Accepted Solution

by: sjl1986 earned 250 total points
ID: 33507720
It depends on what you mean by parents and sister organizations. Are these organizations on the same network with you or are they connecting through VPN? You'd want to start looking at software firewalls which might be located on the server hosting the FTP services. Likely that is not the case if your local computers are connecting with no problems.

Then you need to check your router/firewall that would filter all of your incoming/outgoing connections. This is where the VPN question comes in. Some routers allow specific rules for VPN users that are not applied to local users, etc.

If they are coming in over the internet using the FTP protocol, then you'd need to check your main router/firewall again here to be sure FTP is allowed over the internet (but I don't recommend you allow port 21 over the internet).

Let's start with that. Let me know what you find and we'll go from there.

Also, do you have a log of the error messages or anything you are getting?
LVL 2

Assisted Solution

by: fs40490 earned 250 total points
ID: 33507948
The issue that you have is that you do not have the ability to load additional software.  So you will need to do some investigative reporting and troubleshooting.

One common item that I have seen affect FTP connections is with regards to how FTP works.  You really need to understand which method of connections you are using.  If you are trying to use the passive type of connections (PASV) you need to have a network boundary device that recognizes and acts on the information passed in the control connection of the FTP exchange.  For ACTIVE FTP you have to ensure that the remote end boundary has 20 inbound open.

First go to the server itself and make sure it does not have a software firewall that is configured to only allow connections from the local network (sometimes defined as the trusted network).  If there is nothing there, check your TCP/IP settings and ensure that there is nothing configured in the IP Sec section that would block this traffic (this IPSec is not the VPN IPSec; it is MS's way of saying ACLs).

If there is nothing there to shed light on the situation you will need to expand your investigation.  This is best started with a network diagram that outlines the path the traffic will take.  Once you have this you can begin to narrow the point of failure down.  For example, there are FTP servers on the internet that are accessible for use.  You can try to have the users that are having issues try to connect to them.  If they cannot, the issue may be with their firewall (or network gateway).  If they are successful you can have them try to connect to a different FTP server on your network (would require loading FTP on another server).

Of course you can examine all of the devices (Layer 3 devices, firewalls, etc.) but that can be a lot of work.

All in all FTP is probably one of the more difficult protocols to fully troubleshoot between different networks that have security boundaries between them.

Good luck and I hope this helps.
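
The staged narrowing described in this answer (control connection first, then the passive data connection) can be scripted with the .NET classes PowerShell exposes, where PowerShell is present on the client. This is an added example, not part of the original thread; the server name, account and timeout are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Run from a client in the affected network.
# FTP sends the login in cleartext, so use anonymous or a throwaway test account.
param([string]$Server = 'ftp.example.test',   # placeholder: your FTP server
      [string]$User = 'anonymous', [string]$Pass = 'probe@example.test',
      [int]$TimeoutMs = 5000)

function Open-Tcp([string]$TargetHost, [int]$Port) {
    # Return a connected TcpClient, or $null on timeout or refusal.
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($TargetHost, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $c.EndConnect($ar); return $c }
    } catch { }
    $c.Close(); return $null
}

function Send-Cmd($Writer, $Reader, [string]$Cmd) {
    # Send one command (if any) and return the final line of the reply.
    # Multi-line replies start "NNN-" and end with a line starting "NNN ".
    if ($Cmd) { $Writer.WriteLine($Cmd) }
    do { $line = $Reader.ReadLine() } while ($line -ne $null -and $line -notmatch '^\d{3} ')
    return $line
}

$ctl = Open-Tcp $Server 21
if (-not $ctl) {
    "FAIL control: TCP 21 to $Server blocked or refused; 'tracert -d $Server' lists the hops to check."
    return
}
$ns = $ctl.GetStream(); $ns.ReadTimeout = $TimeoutMs
$rd = New-Object System.IO.StreamReader($ns)
$wr = New-Object System.IO.StreamWriter($ns)
$wr.NewLine = "`r`n"; $wr.AutoFlush = $true
try {
    "OK   control: banner = $(Send-Cmd $wr $rd '')"
    "     USER reply      = $(Send-Cmd $wr $rd ('USER ' + $User))"
    "     PASS reply      = $(Send-Cmd $wr $rd ('PASS ' + $Pass))"
    $pasv = Send-Cmd $wr $rd 'PASV'
    if ($pasv -notmatch '^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)') { "FAIL PASV: reply was '$pasv'"; return }
    $advertised = $Matches[1..4] -join '.'          # address the server tells the client to use
    $port = [int]$Matches[5] * 256 + [int]$Matches[6]
    $peer = $ctl.Client.RemoteEndPoint.Address.ToString()
    if ($advertised -ne $peer) { "WARN PASV advertises $advertised but the control peer is $peer; a NAT or firewall on the path is not rewriting the control channel." }
    $data = Open-Tcp $advertised $port
    if ($data) { "OK   data: passive port $port reachable"; $data.Close() }
    else { "FAIL data: ${advertised}:$port unreachable; the passive port range is filtered on the path." }
} catch { "FAIL control: session error ($($_.Exception.Message))" }
finally { $ctl.Close() }
```

Running it from both a working local client and a failing remote client shows which stage differs; `tracert` only shows the ICMP path, so it identifies candidate hops rather than the filtering device itself.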

Author Closing Comment

by:ff10
ID: 33515830
I was hoping someone would provide commands to track this down.  Maybe no one did because you need specialized software to perform this analysis.

Regardless, the solutions were accurate and helpful.  We did resolve the problem.
LVL 8

Expert Comment

by:sjl1986
ID: 33515947
I'm glad you found the solution and that we were able to help. Sorry we didn't get very specific. There are commands that you can use to find out what is wrong at times, but there are certain times and places for different commands, and we'd need something a little more specific to give you better ideas. Unfortunately there's no "magic button" sort of command that traces the FTP all the way to the end and tells you where the problem occurred. Thanks for the quick solution acceptance.