Determine host blocking FTP

Posted on 2010-08-23
Medium Priority
Last Modified: 2012-05-10
We host an FTP service that works for everyone in our local organization. However, clients cannot use the service from parent or sister organizations. We believe there is a firewall blocking FTP, but we don't know where. How can we find the device/host/firewall blocking the FTP connection?

I prefer to use commands or utilities provided with Windows (command line or graphical) because we can't bring new software onto the network.
Question by:ff10

Accepted Solution

sjl1986 earned 1000 total points
ID: 33507720
It depends on what you mean by parents and sister organizations. Are these organizations on the same network with you or are they connecting through VPN? You'd want to start looking at software firewalls which might be located on the server hosting the FTP services. Likely that is not the case if your local computers are connecting with no problems.

Then you need to check your router/firewall that would filter all of your incoming/outgoing connections. This is where the VPN question comes in. Some routers allow specific rules for VPN users that are not applied to local users, etc.

If they are coming in over the internet using the FTP protocol, then you'd need to check your main router/firewall again here to be sure FTP is allowed over the internet (but I don't recommend you allow port 21 over the internet).

Let's start with that. Let me know what you find and we'll go from there.

Also, do you have a log of the error messages or anything you are getting?

Assisted Solution

fs40490 earned 1000 total points
ID: 33507948
The issue that you have is that you do not have the ability to load additional software.  So you will need to do some investigative reporting and troubleshooting.

One common item that I have seen affect FTP connections is with regards to how FTP works. You really need to understand which method of connections you are using. If you are trying to use the passive type of connections (PASV) you need to have a network boundary device that recognizes and acts on the information passed in the control connection of the FTP exchange. For ACTIVE FTP you have to ensure that the remote end boundary has 20 inbound open.

First go to the server itself and make sure it does not have a software firewall that is configured to only allow connections from the local network (sometimes defined as the trusted network). If there is nothing there, check your TCP/IP settings and ensure that there is nothing configured in the IPSec section that would block this traffic (this IPSec is not the VPN IPSec; it is MS's way of saying ACLs).

If there is nothing there to shed light on the situation you will need to expand your investigation. This is best started with a network diagram that outlines the path the traffic will take. Once you have this you can begin to narrow the point of failure down. For example, there are FTP servers on the internet that are accessible for use. You can try to have the users that are having issues try to connect to them. If they cannot, the issue may be with their firewall (or network gateway). If they are successful you can have them try to connect to a different FTP server on your network (would require loading FTP on another server).

Of course you can examine all of the devices (Layer 3 devices, firewalls, etc.) but that can be a lot of work.

All in all FTP is probably one of the more difficult protocols to fully troubleshoot between different networks that have security boundaries between them.

Good luck and I hope this helps.
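
The active/passive distinction in the answer above comes down to one field exchanged on the control connection. The following is an added example, not part of either answer: it decodes that field from a PORT command or a 227 (PASV) reply and reports which side opens the data connection and to which address and port, which is what each firewall on the path has to permit. The function names, sample lines and addresses are constructed for illustration.

```python
import re

# Six comma-separated numbers h1,h2,h3,h4,p1,p2: the field carried by both
# the PORT command (active) and the 227 reply to PASV (passive).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) advertised in a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host/port field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("value above 255 in %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line, control_peer):
    """Describe the data connection that one control-channel line sets up.

    control_peer: address the advertising side is really reached at over the
    control connection (the server for a 227 reply, the client for PORT).
    """
    ip, port = parse_hostport(line)
    text = line.strip().upper()
    if text.startswith("PORT"):
        mode, opener, source = "active", "server", "20"
    elif text.startswith("227"):
        mode, opener, source = "passive", "client", "ephemeral"
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    return {
        "mode": mode,
        "opened_by": opener,            # side that starts the data connection
        "source_port": source,
        "destination": "%s:%d" % (ip, port),
        # True means a NAT/firewall on the path must rewrite the advertised
        # address, otherwise the data connection goes to an unreachable host.
        "address_mismatch": ip != control_peer,
    }

# Constructed sample lines (not taken from the thread).
PASV_REPLY = "227 Entering Passive Mode (192,168,10,5,195,80)"
PORT_CMD = "PORT 10,1,2,3,4,1"

if __name__ == "__main__":
    print(data_channel(PASV_REPLY, "203.0.113.10"))
    print(data_channel(PORT_CMD, "10.1.2.3"))
```

A control connection that succeeds followed by a directory listing that hangs, together with `address_mismatch` being true, points at a boundary device that is not rewriting or tracking the FTP control channel.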

Author Closing Comment

ID: 33515830
I was hoping someone would provide commands to track this down.  Maybe no one did because you need specialized software to perform this analysis.

Regardless, the solutions were accurate and helpful.  We did resolve the problem.

Expert Comment

ID: 33515947
I'm glad you found the solution and that we were able to help. Sorry we didn't get very specific. There are commands that you can use to find out what is wrong at times, but there are certain times and places for different commands, and we'd need something a little more specific to give you better ideas. Unfortunately there's no "magic button" sort of command that traces the FTP all the way to the end and tells you where the problem occurred. Thanks for the quick solution acceptance.
