thant_zin
Ivory

Error while installing FTP server behind CP 15400

Hello,

I'm a newbie with no experience, but last year our organization bought a CP 15400 and installed it in front of our server zone.

A local engineer installed the firewall and showed me how to manage it and how to add new hosts (servers) and policies, but I'm not very good at it. Recently I installed an FTP server behind the CP firewall. In that case the client can use the simple FTP service on port 21, but when the client accesses FTPS it can't connect; the error was like this (Response: 425 Can't open data connection for transfer of "/"). So I searched how to solve it by googling and found that I should open the ports ftp-ssl-port and ftp-ssl-data, 1023, 989 and 990. I followed the instructions, but there is still an error. Would you all help me fix my error?

Best Regards,

3 Replies
Admin
Admin


Re: Error while installing FTP server behind CP 15400

In the FTP server you need to assign a port range that you want to be used for the data transfers. Let's say you use 5000-5099 for that; now add that port range to the allowed port list in the rule allowing the FTPS and you should be all OK.

Regards, Maarten
0 Kudos
Dave
Ivory

Re: Error while installing FTP server behind CP 15400

Also, if your FTP server is running on some flavour of Linux OS, make sure to allow your passive ports in iptables and restart the firewall/iptables process.

I cannot stress enough that both processes must be restarted after iptables has been changed.

Witnessed this first hand while troubleshooting FTP passive mode that was working only up to the initial connection to port 21 and not any further.

We saw when passive mode came into action that it was taking one of the ports from the passive ports defined in the Check Point firewall, but when the directory listing needed to complete, the connection timed out.
A packet capture was taken to help us further in troubleshooting. It showed that when the passive port was negotiated with the FTP server, a SYN was being sent to the FTP server but the 3-way handshake never completed.
So no SYN-ACK and ACK.

The sysadmin assured us the config of the FTP box was solid and iptables was good, double-checking and confirming it.
After restarting iptables - which was already configured to allow the passive ports - and restarting the firewall process ... BINGO, everything was working!

The internal Linux iptables/firewall was the culprit, still blocking the allowed passive ports because the processes were not restarted after the config change.

Hope this info still helps anybody out there.

0 Kudos
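Added example (not from this thread, and not Check Point or FTP-server code) tying the two replies together: it parses the server's PASV reply, checks that the negotiated data port lies inside the configured passive range Maarten describes, and then checks whether the data-channel TCP handshake Dave saw stalling actually completes. The 5000-5099 range, the 192.0.2.x / 10.x addresses and the PASV replies are constructed values, and the `connect` argument is a hypothetical injection point so the logic can run without a live server.

```python
import re
import socket

# Passive data-port range configured on the FTP server and added to the
# firewall rule (constructed, mirroring the 5000-5099 example in the thread).
PASSIVE_RANGE = (5000, 5099)

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Returns (ip, port); per RFC 959 the port is p1*256 + p2.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def tcp_connect_ok(host, port, timeout=3.0):
    """Return True only if a full TCP 3-way handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(pasv_reply, control_ip, passive_range=PASSIVE_RANGE, connect=tcp_connect_ok):
    """Classify a failing FTPS data channel from one PASV reply.

    control_ip is the address the control connection (port 21) went to.
    connect is injectable (hypothetical hook) so tests need no network.
    """
    ip, port = parse_pasv(pasv_reply)
    lo, hi = passive_range
    if not lo <= port <= hi:
        return "port-outside-range"   # server not pinned to the allowed range
    if ip != control_ip:
        return "address-mismatch"     # server advertises an internal/NAT address
    if not connect(control_ip, port):
        return "handshake-failed"     # SYN sent, no SYN-ACK: a firewall is dropping it
    return "ok"


if __name__ == "__main__":
    # Stand-alone demo with a stubbed connect that models Dave's stalled handshake.
    print(diagnose("227 Entering Passive Mode (192,0,2,10,19,136)", "192.0.2.10",
                   connect=lambda h, p: False))
```

Run against a real server, `diagnose` with the default `connect` tells you whether the data port is blocked somewhere between client and server, which is the case where restarting iptables fixed things in the thread.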