Determine host blocking FTP

We host an FTP service that works for everyone in our local organization. However, clients cannot use the service from parent or sister organizations. We believe there is a firewall blocking FTP, but we don't know where. How can we find the device/host/firewall blocking the FTP connection?

I prefer to use commands or utilities provided with Windows (command line or graphical) because we can't bring new software onto the network.
sjl1986 Commented:
It depends on what you mean by parents and sister organizations. Are these organizations on the same network with you or are they connecting through VPN? You'd want to start looking at software firewalls which might be located on the server hosting the FTP services. Likely that is not the case if your local computers are connecting with no problems.

Then you need to check your router/firewall that would filter all of your incoming/outgoing connections. This is where the VPN question comes in. Some routers allow specific rules for VPN users that are not applied to local users, etc.

If they are coming in over the internet using the FTP protocol, then you'd need to check your main router/firewall again here to be sure FTP is allowed over the internet (but I don't recommend you allow port 21 over the internet).

Let's start with that. Let me know what you find and we'll go from there.

Also, do you have a log of the error messages or anything you are getting?
fs40490 Commented:
The issue that you have is that you do not have the ability to load additional software.  So you will need to do some investigative reporting and troubleshooting.

One common item that I have seen affect FTP connections is with regards to how FTP works. You really need to understand which method of connection you are using. If you are trying to use the passive type of connections (PASV), you need to have a network boundary device that recognizes and acts on the information passed in the control connection of the FTP exchange. With ACTIVE FTP, you have to ensure that the remote end boundary has 20 inbound open.

First go to the server itself and make sure it does not have a software firewall that is configured to only allow connections from the local network (sometimes defined as the trusted network). If there is nothing there, check your TCP/IP settings and ensure that there is nothing configured in the IPSec section that would block this traffic (this IPSec is not the VPN IPSec; it is MS's way of saying ACLs).

If there is nothing there to shed light on the situation, you will need to expand your investigation. This is best started with a network diagram that outlines the path the traffic will take. Once you have this you can begin to narrow the point of failure down. For example, there are FTP servers on the internet that are accessible for use. You can try to have the users that are having issues try to connect to them. If they cannot, the issue may be with their firewall (or network gateway). If they are successful, you can have them try to connect to a different FTP server on your network (would require loading FTP on another server).

Of course you can examine all of the devices (Layer 3 devices, firewalls, etc.) but that can be a lot of work.

All in all FTP is probably one of the more difficult protocols to fully troubleshoot between different networks that have security boundaries between them.

Good luck and I hope this helps.
ff10 (Author) Commented:
I was hoping someone would provide commands to track this down.  Maybe no one did because you need specialized software to perform this analysis.

Regardless, the solutions were accurate and helpful.  We did resolve the problem.
I'm glad you found the solution and that we were able to help. Sorry we didn't get very specific. There are commands that you can use to find out what is wrong at times, but there are certain times and places for different commands, and we'd need something a little more specific to give you better ideas. Unfortunately there's no "magic button" sort of command that traces the FTP all the way to the end and tells you where the problem occurred. Thanks for the quick solution acceptance.
Question has a verified solution.
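
One way to separate the cases discussed in the answers above (control channel blocked versus passive data channel blocked) using only PowerShell that ships with Windows 8.1 / Server 2012 R2 and later. This is an added example, not part of the original thread; the server name, account and password are placeholder assumptions.

```powershell
# Added example. Run from a client in the organization that cannot connect.
# Placeholders (assumptions): server name and a low-privilege test account.
param(
    [string]$FtpServer = 'ftp.example.internal',
    [string]$User = 'anonymous',
    [string]$Pass = 'probe@example.internal'
)

# Read one complete FTP reply; the final line is "NNN text" (code, then a space).
function Read-FtpReply($Reader) {
    do { $line = $Reader.ReadLine(); Write-Host "  < $line" }
    until ($null -eq $line -or $line -match '^\d{3} ')
    return $line
}

# Step 1: routed path to the server (ICMP based, so filtered hops may not answer).
$route = Test-NetConnection -ComputerName $FtpServer -TraceRoute -WarningAction SilentlyContinue
"Route: " + ($route.TraceRoute -join ' -> ')

# Step 2: control channel, TCP 21.
$ctl = Test-NetConnection -ComputerName $FtpServer -Port 21 -WarningAction SilentlyContinue
if (-not $ctl.TcpTestSucceeded) {
    "TCP 21 is unreachable from here: check the filtering devices on the route above."
    return
}

# Step 3: log in and request a passive data port, keeping the session open.
$client = New-Object System.Net.Sockets.TcpClient($FtpServer, 21)
$client.ReceiveTimeout = 10000
$reader = New-Object System.IO.StreamReader($client.GetStream())
$writer = New-Object System.IO.StreamWriter($client.GetStream())
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
$null = Read-FtpReply $reader                                   # 220 greeting
$writer.WriteLine("USER $User"); $null = Read-FtpReply $reader
$writer.WriteLine("PASS $Pass"); $null = Read-FtpReply $reader
$writer.WriteLine('PASV');       $reply = Read-FtpReply $reader

# Step 4: the 227 reply carries (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2.
if ($reply -match '^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)') {
    $dataIp   = $Matches[1..4] -join '.'
    $dataPort = [int]$Matches[5] * 256 + [int]$Matches[6]
    "Server advertised data endpoint ${dataIp}:$dataPort"
    if ($dataIp -ne $ctl.RemoteAddress.ToString()) {
        "Advertised address differs from $($ctl.RemoteAddress); it may not be routable from here."
    }
    $data = Test-NetConnection -ComputerName $dataIp -Port $dataPort -WarningAction SilentlyContinue
    "Passive data port reachable: $($data.TcpTestSucceeded)"
} else {
    "No 227 reply (login failed or PASV refused). Last reply: $reply"
}
$writer.WriteLine('QUIT'); $client.Close()
```

A successful step 2 followed by a failed step 4 points at a device that passes TCP 21 but not the server's passive data port.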
