Solved

Can't access certain FTP site

Posted on 2010-08-26
Last Modified: 2013-12-09
One of the database applications needs to have some updates installed.  However, when the vendor rep remotes in to update it and starts it, the software says that it can't connect to the site to get the download.  He is saying that our firewall or something is blocking FTP traffic.  However (from this server) I can access some of my friends' FTP sites and even Microsoft's FTP site.  But what's confusing me is that from outside our network we can access the FTP site that he gave us.  It is, however, asking for a login when someone goes there.  But if you try from inside our company network you can't connect to it at all.  We've checked our sonicwall and no one can find any rules that would be causing this.  Anyone have any ideas?
Question by:adml_shake
10 Comments
 
LVL 3

Accepted Solution

by:
init2winit_Dan earned 42 total points
On the remote FTP server, check the ban or auto-ban setting.
 
LVL 8

Assisted Solution

by:jimmyray7
jimmyray7 earned 42 total points
Is it running on a custom port?  There is an option on the sonicwall to block non-standard FTP ports.  It's disabled by default I think.   That's the only thing I can think of.
 
LVL 3

Assisted Solution

by:Fr0zT
Fr0zT earned 125 total points
FTP is a little more tricky than most people give it credit for.  You might think all you need to do is allow ports 20 and 21 inbound and that's it, but it's not so simple.  When FTP is running in PASV mode (default), a client comes in on port 21, then the server picks a port at random from the ephemeral port range, which on a Windows machine will be something like 1025-4999.  Then it tells the client that is the port it must come in on to get its data.  The problem is that if the server doesn't have that port open, then the client will get blocked.  The best way to deal with this is to have your firewall do inspection on FTP traffic.  Any decent firewall should do this.  If you just have a cheap firewall that can't do it, then what I recommend you do is change the port range your FTP server is using to send data to a much smaller port range, then open those ports to the server.  Use an obscure port range.  In Microsoft servers you have to modify the registry to do that.
http://support.microsoft.com/kb/555022

Another problem could be that the client's firewall restricts outbound ports and also does not support FTP inspection, so it won't allow an outbound connection on the ephemeral port range.  One possibility would be to change the ephemeral port range to 1 port, something common like port 53 (DNS) or 80 (HTTP) or 443 (HTTPS).  THIS WILL ONLY WORK IF YOU DON'T HAVE THOSE SERVICES RUNNING ALREADY.  Also, the major impact with this would be that only 1 client at a time would be able to connect.

The other option is to try and use FTP Active mode, which would require the server to be able to talk directly to the client, and if the client has a firewall that won't work either...

All that being said, FTP is a very unsecure protocol; I wouldn't use it in a production environment for anything.  Use SCP instead.
 
LVL 1

Author Comment

by:adml_shake
It's not running on a custom port that I know of.  The tech I talked to never mentioned anything about that.  And like I said, nobody outside of the network seemed to have any problems when they just put in the default FTP address to this company.

Does the auto-ban setting kick in if too many failed login attempts are tried?  I'm wondering if this database app tried to go out and get the update itself, but since a login seems to be required, our IP was banned because the software didn't have it but kept trying to log in.

 
LVL 3

Assisted Solution

by:Fr0zT
Fr0zT earned 125 total points
From this link:
http://help.mysonicwall.com/sw/eng/general/ui1/6600/Access/Services.htm

FTP

Force inbound and outbound FTP data connections to use the default port: 20 - The default SonicWALL configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the SonicWALL must come from port 20 or the connection is dropped. The event is then logged as an event on the SonicWALL.

Make sure that is not checked.  There could be a difference between connecting to Active or Passive FTP servers, which is why it might work for you in some cases, and not in others.
LVL 33

Assisted Solution

by:digitap
digitap earned 41 total points
Do you have any of the security services licensed on the sonicwall?  The intrusion prevention service will block some FTP access if it sees it as intrusive.  I typically create an exception for the internal IP or the public one so it bypasses this service for FTP...or, I allow FTP traffic to be detected but not blocked.  To test, you could log in to the sonicwall admin console, then try to access the FTP site from that computer.  The sonicwall allows the workstation connected to the admin console to bypass all the security services for the duration of the login.  If it's successful, then you know what it is.
 
LVL 3

Assisted Solution

by:Fr0zT
Fr0zT earned 125 total points
It's definitely an Inspection / Blocking rule on your Sonicwall.  Either FTP traffic is not being inspected, or it is being inspected and it's being dropped as digitap suggested.  Do you have outbound traffic rules because generally if the database application server was allowed to go outbound on ports 1025-65535 to the FTP server it should work unless the Sonicwall is inspecting and forcing Active as I suggested earlier.

The reason you are able to use FTP to other servers is because when you FTP to a Microsoft FTP server, it first tries to use Passive FTP, but if that fails it will default back to Active.  Your Sonicwall only wants to see Active FTP connections, probably because of the option I mentioned in my last comment.  So the FTP connection will be established.  The database application FTP server probably only uses Passive, and will not attempt an active connection so the Sonicwall refuses it.  To test this use an FTP client like CoreFTP, connect to an FTP site that works from behind your Sonicwall, it will probably show that the connection failed in PASV and accepted in Active.  Then from home use it to connect to the database application FTP site and you will see it will be PASV, then try forcing it to use Active and it probably won't work.  That test would confirm the problem.
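An added example, not part of the original posts: the data-channel negotiation Fr0zT describes in both comments, parsed from constructed control-channel lines to show which side opens the data connection and whether a non-inspecting firewall policy would pass it. It also covers EPSV replies, which the thread does not mention; `firewall_verdict` and its policy inputs are hypothetical and are not SonicWALL settings.

```python
import re

# Constructed control-channel lines (documentation-range addresses), not captured traffic.
SAMPLE = [
    "227 Entering Passive Mode (203,0,113,10,4,210)",
    "229 Entering Extended Passive Mode (|||50123|)",
    "PORT 192,0,2,25,19,137",
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # assumes the usual '|' delimiter


def parse_data_channel(line):
    """Return (mode, host, port, initiator) for a PASV/EPSV reply or PORT command."""
    line = line.strip()
    if line.startswith("229"):
        m = _EPSV.search(line)
        if not m or int(m.group(1)) > 65535:
            raise ValueError("malformed 229 reply")
        # EPSV carries only a port; the host is the control-connection peer.
        return ("passive", None, int(m.group(1)), "client")
    if line.startswith("227") or line.upper().startswith("PORT"):
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("no h1,h2,h3,h4,p1,p2 field")
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range")
        host = ".".join(map(str, nums[:4]))
        port = nums[4] * 256 + nums[5]  # data port is split into two bytes
        if line.startswith("227"):
            return ("passive", host, port, "client")
        return ("active", host, port, "server")
    raise ValueError("not a data-channel negotiation line")


def firewall_verdict(line, outbound_ports, inbound_allowed):
    """Model a client-side firewall with no FTP inspection (hypothetical policy)."""
    mode, _host, port, initiator = parse_data_channel(line)
    if initiator == "client":   # passive: client dials out to the server's port
        ok = port in outbound_ports
    else:                       # active: server dials in to the client's port
        ok = inbound_allowed
    return mode, port, "allowed" if ok else "blocked"
```

Feeding it the 227 or PORT lines from an FTP client's log shows at a glance which direction the failing data connection was supposed to travel.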
 
LVL 1

Author Comment

by:adml_shake
Well, after some digging around and talking to someone else in our company who is our unofficial sonicwall guy, he took a look at it and thought that it just needed rebooted (it's an old sonicwall), and so we did it that night and it seems to have cleared the issue up.  Thanks for your help everyone.  I learned some new stuff about FTP through this issue.
 
LVL 1

Author Closing Comment

by:adml_shake
Didn't give me the resolution we used to solve our problem.  But was still full of good tips and helpful information.
 
LVL 33

Expert Comment

by:digitap
Well...it's always the one thing that you never think of or think has already been done!  Glad you got it resolved.