Determine host blocking FTP

Posted on 2010-08-23
Last Modified: 2012-05-10
We host an FTP service that works for everyone in our local organization. However, clients cannot use the service from parent or sister organizations. We believe there is a firewall blocking FTP, but we don't know where. How can we find the device/host/firewall blocking the FTP connection?

I prefer to use commands or utilities provided with Windows (command line or graphical) because we can't bring new software onto the network.
Question by:ff10

Accepted Solution

sjl1986 earned 250 total points
ID: 33507720
It depends on what you mean by parents and sister organizations. Are these organizations on the same network with you or are they connecting through VPN? You'd want to start looking at software firewalls which might be located on the server hosting the FTP services. Likely that is not the case if your local computers are connecting with no problems.

Then you need to check your router/firewall that would filter all of your incoming/outgoing connections. This is where the VPN question comes in. Some routers allow specific rules for VPN users that are not applied to local users, etc.

If they are coming in over the internet using the FTP protocol, then you'd need to check your main router/firewall again here to be sure FTP is allowed over the internet (but I don't recommend you allow port 21 over the internet).

Let's start with that. Let me know what you find and we'll go from there.

Also, do you have a log of the error messages or anything you are getting?

Assisted Solution

fs40490 earned 250 total points
ID: 33507948
The issue that you have is that you do not have the ability to load additional software.  So you will need to do some investigative reporting and troubleshooting.

One common item that I have seen affect FTP connections is with regards to how FTP works. You really need to understand which method of connections you are using. If you are trying to use the passive type of connections (PASV) you need to have a network boundary device that recognizes and acts on the information passed in the control connection of the FTP exchange. With ACTIVE FTP you have to ensure that the remote end boundary has 20 inbound open.

First go to the server itself and make sure it does not have a software firewall that is configured to only allow connections from the local network (sometimes defined as the trusted network). If there is nothing there, check your TCP/IP settings and ensure that there is nothing configured in the IPSec section that would block this traffic (this IPSec is not the VPN IPSec; it is MS's way of saying ACLs).

If there is nothing there to shed light on the situation you will need to expand your investigation. This is best started with a network diagram that outlines the path the traffic will take. Once you have this you can begin to narrow the point of failure down. For example, there are FTP servers on the internet that are accessible for use. You can try to have the users that are having issues try to connect to them. If they cannot, the issue may be with their firewall (or network gateway). If they are successful you can have them try to connect to a different FTP server on your network (would require loading FTP on another server).

Of course you can examine all of the devices (Layer 3 devices, firewalls, etc.) but that can be a lot of work.

All in all FTP is probably one of the more difficult protocols to fully troubleshoot between different networks that have security boundaries between them.

Good luck and I hope this helps.
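
The narrowing-down procedure described in the answers above can be scripted with what ships in Windows (PowerShell and .NET); this is an added example, not part of either answer. It classifies how the FTP control connection on port 21 fails from a given client, so that running it on each side of a suspected boundary shows where the verdict changes. The function name `Test-FtpControlChannel` and the host `ftp.example.org` are placeholders, and only the control channel is tested, not the PASV/active data channel.

```powershell
# Added example. 'ftp.example.org' is a placeholder; run from an affected client.
function Test-FtpControlChannel {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 21,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither SYN-ACK nor RST came back: something on the path drops the SYN.
            return "FILTERED: no answer to the SYN within $TimeoutMs ms"
        }
        $client.EndConnect($pending)          # throws if the handshake failed
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()          # an FTP server greets with "220 ..."
        if ($banner -match '^220') { return "OPEN: banner '$banner'" }
        return "UNEXPECTED: connected, but greeting was '$banner'"
    }
    catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) {
            switch ($base.SocketErrorCode) {
                'ConnectionRefused' { return 'REFUSED: RST received (nothing listening, or a device rejecting)' }
                'TimedOut'          { return 'TIMEOUT: connected but no 220 greeting (or the OS connect timer expired)' }
                default             { return "ERROR: $($base.SocketErrorCode)" }
            }
        }
        return "ERROR: $($base.Message)"
    }
    finally { $client.Close() }
}

$server = 'ftp.example.org'
Test-FtpControlChannel -Server $server

# Path toward the server (ICMP, so it shows routing, not the port-21 decision).
tracert -d $server

# Compare with a working client on the local network: the verdict should be OPEN.
# On the FTP server, while the remote client retries (does its SYN arrive at all?):
#   netstat -an | findstr ":21"
#   netsh advfirewall show allprofiles
```

A FILTERED verdict from the remote site combined with no new entry in the server's `netstat` output points at a device between the two; REFUSED or OPEN from the remote site moves the investigation to the server itself or to the data channel.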

Author Closing Comment

ID: 33515830
I was hoping someone would provide commands to track this down.  Maybe no one did because you need specialized software to perform this analysis.

Regardless, the solutions were accurate and helpful.  We did resolve the problem.

Expert Comment

ID: 33515947
I'm glad you found the solution and that we were able to help. Sorry we didn't get very specific. There are commands that you can use to find out what is wrong at times, but there are certain times and places for different commands, and we'd need something a little more specific to give you better ideas. Unfortunately there's no "magic button" sort of command that traces the FTP all the way to the end and tells you where the problem occurred. Thanks for the quick solution acceptance.
