ScreenOS Firewalls (NOT SRX)
Visitor
RSweet
Posts: 6
Registered: 03-11-2009

Passive FTP...

I am having an issue with VIP service to a Windows 2003 server running WS_FTP server and passive mode. If I connect to the FTP server using PASSIVE mode, directory listing (ls) times out. If I change to active mode, I have no issues. I cannot dig up any settings to make passive mode work. Any help would be greatly appreciated. I spent 2 hours on the phone with JTAC and couldn't resolve the issue. I have tried various incantations for the policy with no luck. Thank you.
Visitor
RSweet
Posts: 6
Registered: 03-11-2009

Re: Passive FTP...

Forgot to add, this is for an SSG-5 running ScreenOS 6.1.r2
Recognized Expert
PentinProcessor
Posts: 258
Registered: 11-06-2007

Re: Passive FTP...

In the ScreenOS 6.1.0r5 Release Notes, http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/rn_610_r5.pdf, I see a potentially related fix:

302566—When NAT source and destination is configured in the same policy,
passive FTP fails.


1.  I would upgrade your SSG to ScreenOS 6.1.0r5.

2.  If the problem is still happening, please include the output of 'get policy id <id>'.


Let us know how it goes,

Josine

Visitor
RSweet
Posts: 6
Registered: 03-11-2009

Re: Passive FTP...

Upgraded to the latest 6.2.0r1 ScreenOS. The client is using FileZilla, which uses passive mode, and I get a timeout for the LIST command.
From the command line, ctrl+c to break out, enter passive mode, works correctly.

From the command line I get the same behavior as the FileZilla ftp client:

Connected to xxx.xxx.xxx.xxx.
220 xxx.xxx.xxx.xxx X2 WS_FTP Server 5.0.4 (1632239126)
Name (xxx.xxx.xxx.xxx): #####
331 Password required
Password: 
230 user logged in
Remote system type is UNIX.
ftp> ls
500 illegal command
227 Entering Passive Mode (xxx,xxx,xxx,xxx).
^C
receive aborted. Waiting for remote to finish abort.
ftp> pass
Passive mode: off; fallback to active mode: off.
ftp> ls
200 command successful
150 Opening ASCII data connection for directory listing
drwxr-xrwx  2 system   System            0 Mar 12 13:35 imo_IN
drwxr-xrwx  2 system   System            0 Mar 12 14:01 imo_OUT
dr-x------  2 Primo    System            0 Mar 11  2005 .
dr-x------  2 Primo    System            0 Mar 11  2005 ..
dr-x------  2 Primo    System            0 Mar 11  2005 users
226 transfer complete
name:"FTP" (id 10), zone Untrust -> Trust,action Permit, status "enabled"
src "Any", dst "VIP(ethernet0/0)", serv "FTP"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 10, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 18766, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set

Contributor
ML
Posts: 19
Registered: 12-06-2008

Re: Passive FTP...

Hi Rsweet,

Can you try typing this command and let me know the outcome? :smileyhappy:

->set ftp non-rfc-support [Enter]

Visitor
RSweet
Posts: 6
Registered: 03-11-2009

Re: Passive FTP...

Still same behavior. :smileysad:
Contributor
ML
Posts: 19
Registered: 12-06-2008

Re: Passive FTP...

Hi RSweet,

Can you double check whether the ALG is enabled for FTP or not with the following command?

-> get alg | i FTP

At the same time, please post the debug output.

Regards,

ML

Trusted Contributor
ric0
Posts: 65
Registered: 05-21-2008

Re: Passive FTP...

Try to make sure there is no other (personal) firewall in between.

Then check if the ALG for FTP is enabled (globally and for the policy), as suggested.

Do a debug to see what happens.

JNCIA-FWV - JNCIA-IDP - Proud JNet Expert shirt owner :smileyhappy:
Visitor
RSweet
Posts: 6
Registered: 03-11-2009

Re: Passive FTP...

ALG is enabled. Spent a couple of hours on the phone with JTAC and they couldn't get it to work. There was a D-Link 604 in place before and FTP worked fine in both passive and active mode.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.