Communication on Passive FTP port is not working
Article ID: CTX217529
Updated On:
Description
The Passive FTP connection via Load balancing LB-VIP was not working and customer wanted to know the reason for the block.
Resolution
Issue with firewall blocking the TCP port 20 from NetScaler to Client.Need to do changes on the Intermediate device.
After reviewing the Packet capture , it has been identified that there is a intermediate device stopping the connection to pass ON from NetScaler to Client. Please check the intermediate device for any issues.We can do a small change in Port Randomization on NetScaler for Active-FTP, but this will have any effect of fix as this is not a NetScaler issue.
System > Settings > Configure Global System Settings Parameter >
:-Analysis-:
Packet 332: Client is sending to NetScaler LB(NS-LB) FTP PORT REQUEST mentioning the ACTIVE PORT:52760
Packet 342: Client is sending FTP LIST Request to LB-VIP
Packet 343: FTP server is initiating communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for NetScaler TCP 32538
Packet 351: NetScaler is initiating communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for Client TCP 52760
Packet 344: Client (or) Intermediate device (firewall) is sending [TCP-RST] to NetScaler initiated communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for Client TCP 52760
Packet 350: NetScaler is sending [TCP-RST] to the FTP server indicating the Client not willing to Client.
From the below packet capture(latest.pcapng) on the client , we can see the FTP-Active Port:52760. We do not see from this trace for any Packet from NetScaler on SRC port TCP 20.
In this Backend capture (trace.pcapng), we can see that when Server is sending on SRCPort FTP 20 , the intermediate device allows the connection to go through, at the same time not allowing for NetScaler.
Problem Cause
There is intermediate device interfering with NetScaler to Client communication.After reviewing the Packet capture , it has been identified that there is a intermediate device stopping the connection to pass ON from NetScaler to Client. Please check the intermediate device for any issues.We can do a small change in Port Randomization on NetScaler for Active-FTP, but this will have any effect of fix as this is not a NetScaler issue.
System > Settings > Configure Global System Settings Parameter >
:-Analysis-:
Packet 332: Client is sending to NetScaler LB(NS-LB) FTP PORT REQUEST mentioning the ACTIVE PORT:52760
Packet 342: Client is sending FTP LIST Request to LB-VIP
Packet 343: FTP server is initiating communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for NetScaler TCP 32538
Packet 351: NetScaler is initiating communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for Client TCP 52760
Packet 344: Client (or) Intermediate device (firewall) is sending [TCP-RST] to NetScaler initiated communication [TCP-SYN] on Data Port 20 to the advertised FTP active port for Client TCP 52760
Packet 350: NetScaler is sending [TCP-RST] to the FTP server indicating the Client not willing to Client.
From the below packet capture(latest.pcapng) on the client , we can see the FTP-Active Port:52760. We do not see from this trace for any Packet from NetScaler on SRC port TCP 20.
In this Backend capture (trace.pcapng), we can see that when Server is sending on SRCPort FTP 20 , the intermediate device allows the connection to go through, at the same time not allowing for NetScaler.
Was this article helpful?
Yes
No
Powered by
