Determine host blocking FTP

Posted on 2010-08-23
Medium Priority
Last Modified: 2012-05-10
We host an FTP service that works for everyone in our local organization. However, clients cannot use the service from parent or sister organizations. We believe there is a firewall blocking FTP, but we don't know where. How can we find the device/host/firewall blocking the FTP connection?

I prefer to use commands or utilities provided with Windows (command line or graphical) because we can't bring new software onto the network.
Question by: ff10

Accepted Solution

sjl1986 earned 1000 total points
ID: 33507720
It depends on what you mean by parents and sister organizations. Are these organizations on the same network with you or are they connecting through VPN? You'd want to start looking at software firewalls which might be located on the server hosting the FTP services. Likely that is not the case if your local computers are connecting with no problems.

Then you need to check your router/firewall that would filter all of your incoming/outgoing connections. This is where the VPN question comes in. Some routers allow specific rules for VPN users that are not applied to local users, etc.

If they are coming in over the internet using the FTP protocol, then you'd need to check your main router/firewall again here to be sure FTP is allowed over the internet (but I don't recommend you allow port 21 over the internet).

Let's start with that. Let me know what you find and we'll go from there.

Also, do you have a log of the error messages or anything you are getting?

Assisted Solution

fs40490 earned 1000 total points
ID: 33507948
The issue that you have is that you do not have the ability to load additional software.  So you will need to do some investigative reporting and troubleshooting.

One common item that I have seen affect FTP connections is with regard to how FTP works. You really need to understand which method of connection you are using. If you are trying to use the passive type of connections (PASV), you need to have a network boundary device that recognizes and acts on the information passed in the control connection of the FTP exchange. For ACTIVE FTP, you have to ensure that the remote end boundary has 20 inbound open.

First go to the server itself and make sure it does not have a software firewall that is configured to only allow connections from the local network (sometimes defined as the trusted network). If there is nothing there, check your TCP/IP settings and ensure that there is nothing configured in the IPSec section that would block this traffic (this IPSec is not the VPN IPSec; it is MS's way of saying ACLs).

If there is nothing there to shed light on the situation, you will need to expand your investigation. This is best started with a network diagram that outlines the path the traffic will take. Once you have this, you can begin to narrow the point of failure down. For example, there are FTP servers on the internet that are accessible for use. You can have the users that are having issues try to connect to them. If they cannot, the issue may be with their firewall (or network gateway). If they are successful, you can have them try to connect to a different FTP server on your network (would require loading FTP on another server).

Of course you can examine all of the devices (Layer 3 devices, firewalls, etc.), but that can be a lot of work.

All in all FTP is probably one of the more difficult protocols to fully troubleshoot between different networks that have security boundaries between them.

Good luck and I hope this helps.
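
Added example, not part of the answers above: a PowerShell script, using only .NET classes that ship with Windows, that walks the stages the answers describe (control connection on port 21, login, PASV reply, passive data connection) and reports the first one that fails. The server name and credentials are placeholders, and PowerShell being available on the client is an assumption.

```powershell
# Added example (not from the thread). Run on a client in the affected organization.
# $Server, $User and $Pass are placeholders. FTP sends the password in cleartext,
# so use a low-privilege test account.
param([string]$Server = 'ftp.example.internal', [string]$User = 'anonymous',
      [string]$Pass = 'probe@example.invalid', [int]$TimeoutMs = 5000)

function Connect-Tcp([string]$Address, [int]$Port) {
    # Returns a connected TcpClient, or $null on timeout (silent drop) or refusal.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($pending); return $client }
    } catch { }
    $client.Close(); return $null
}

function Read-Reply($Reader) {
    # A reply ends on a line of the form "NNN text"; "NNN-text" lines continue it.
    do { $line = $Reader.ReadLine() } while ($null -ne $line -and $line -notmatch '^\d{3} ')
    return $line
}

$ctrl = Connect-Tcp $Server 21
if (-not $ctrl) { "Stage 1 FAILED: TCP 21 to $Server is filtered somewhere on the path."; return }
$serverIp = $ctrl.Client.RemoteEndPoint.Address.ToString()
$stream = $ctrl.GetStream(); $stream.ReadTimeout = $TimeoutMs
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
try {
    "Stage 1 ok, banner: $(Read-Reply $reader)"
    $writer.WriteLine("USER $User"); $null = Read-Reply $reader
    $writer.WriteLine("PASS $Pass"); "Stage 2 login reply: $(Read-Reply $reader)"
    $writer.WriteLine('PASV'); $pasv = Read-Reply $reader
    "Stage 3 PASV reply: $pasv"
    if ($pasv -match '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        # PASV encodes the data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
        $dataIp   = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        $dataPort = [int]$Matches[5] * 256 + [int]$Matches[6]
        if ($dataIp -ne $serverIp) { "Note: server advertises $dataIp but was reached at $serverIp (NAT without FTP inspection?)" }
        $data = Connect-Tcp $dataIp $dataPort
        if ($data) { "Stage 4 ok: passive data port $dataPort is reachable."; $data.Close() }
        else { "Stage 4 FAILED: control channel works, data port ${dataIp}:$dataPort is blocked." }
    }
} catch { "Session stopped: $($_.Exception.Message)" }
finally { $ctrl.Close() }
```

Run it from a client inside the local organization and from one in the parent or sister organization; the first stage that differs between the two runs shows whether the control port or the passive data port is being filtered.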

Author Closing Comment

ID: 33515830
I was hoping someone would provide commands to track this down.  Maybe no one did because you need specialized software to perform this analysis.

Regardless, the solutions were accurate and helpful.  We did resolve the problem.

Expert Comment

ID: 33515947
I'm glad you found the solution and that we were able to help. Sorry we didn't get very specific. There are commands that you can use to find out what is wrong at times, but there are certain times and places for different commands, and we'd need something a little more specific to give you better ideas. Unfortunately there's no "magic button" sort of command that traces the FTP all the way to the end and tells you where the problem occurred. Thanks for the quick solution acceptance.
