Issue with Native FTP on IronPort WSA S670 when using FileZilla

ahamadfaiz
Level 1

Hi All,

I am using IronPort as Proxy in Explicit Forward Mode.

Currently there is an issue related to Native FTP. When we use FileZilla to access an FTP server, it does not work. If we try bypassing the proxy, it does work without any issue. Also, FTP over HTTP works well through the proxy.

We tried with Checkpoint authentication and Raptor authentication formats but to no avail. The configuration seems perfect as I have verified it against the Admin Guide. I have attached the same for reference.

In the logs it does say 'Allow' however I get the below error in FileZilla:

Status:          Using proxy X.X.X.X:8021

Status:          Connecting to X.X.X.X:8021...

Status:          Connection established, waiting for welcome message...

Response:          220 Test

Command:          USER *******@X.X.X.X:2021

Response:          331 User name okay, need password.

Command:          PASS *******

Response:          421 Service not available, closing control connection.

Error:          Could not connect to server

The proxy details are as follows:

Model: S670

Version: 7.1.4-053

I would really appreciate it if anyone could assist me with this issue.

Thanks in advance

Faiz

10 Replies

Hi Ken,

Thank you for the reply.

I did go through the KB article. However, that did not help me fix this issue. I tried with Checkpoint authentication format and it does not successfully authenticate. But when I use Raptor format, it does authenticate but I get the above mentioned error.

So, I presume these settings are not the issue.

Regards

Faiz

I did a packet capture on the WSA as well as on the connected firewall.

I can see that the packets are going to and back from the proxy on port 8021. This clearly indicates that the firewall is not blocking anything.

However, I don’t see any traffic that is going out of the Proxy to the FTP server. It appears that the proxy is not forwarding the packets to the FTP server.

I would appreciate your assistance on this.

Thanks

Faiz

Hello Faiz,

How did you configure your proxy settings within FileZilla? Please remove the domain name and only input the user domain account as the proxy user setting within FileZilla.

Hope it helps.

Hi Tao,

Thanks for the reply.

I have attached the FileZilla proxy settings configuration. I hope it is correct.

The proxy does not require authentication.

What surprises me is that there is no response from the WSA when FileZilla sends FTP traffic to it. I mean, I cannot see anything in the FTP server logs related to this communication.

Any assistance will be appreciated.

Regards

Faiz

Hi Faiz,

Please take a look at the following KB

Article #1401: How do I enable native FTP proxy on FileZilla? Link: http://tools.cisco.com/squish/4Ed0c

If authentication is not enabled, you need to use one of the following configurations, depending on your current FTP proxy authentication format settings.

Native FTP FileZilla configuration without authentication and using "Check Point" authentication

USER %u@%h

PASS %p

or

Native FTP FileZilla configuration without authentication and using "Raptor" authentication

USER %u@%h%u

PASS %p

ACCT %p

Hope it helps.

Regards,

Hi Tao,

I have gone through this KB article. I tried both formats of authentication in fact.

When I use Checkpoint format, it does not authenticate. But when I use Raptor authentication it does authenticate successfully, but then throws me an error saying "Error: Could not connect to server".

Please refer to the logs in my question.

I can't see anything wrong with the FileZilla configuration.

Regards

Faiz

accor
Level 1

Hello Faiz,

It appears the target FTP server is listening on port 2021.

I perceive you are impacted by bug # 55044, reported fixed in 7.5.0 – 826

Regards,
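Added example, not part of the original thread or of any Cisco tooling: a short Python triage of the FileZilla log from the first post, reporting which command the 421 followed and whether the USER argument targets a port other than 21, the detail the port 2021 reply above points at. The function name `triage` and the result keys are assumptions made for this illustration.

```python
import re

# Sample input: the FileZilla log as pasted (already masked) in the first post.
SAMPLE_LOG = """\
Status:          Using proxy X.X.X.X:8021
Status:          Connecting to X.X.X.X:8021...
Status:          Connection established, waiting for welcome message...
Response:          220 Test
Command:          USER *******@X.X.X.X:2021
Response:          331 User name okay, need password.
Command:          PASS *******
Response:          421 Service not available, closing control connection.
Error:          Could not connect to server
"""

LINE_RE = re.compile(r"^(Status|Response|Command|Error):\s+(.*)$")
# USER argument in the user@host[:port] form seen in the log above.
USER_RE = re.compile(r"^USER\s+\S+@(?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def triage(log_text):
    """Summarise where a proxied FTP login stopped (hypothetical helper)."""
    result = {"target_host": None, "target_port": 21,
              "nonstandard_port": False, "failed_after": None, "failure_code": None}
    last_command = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, text = m.groups()
        if kind == "Command":
            last_command = text.split()[0].upper()
            u = USER_RE.match(text)
            if u:
                result["target_host"] = u.group("host")
                if u.group("port"):
                    result["target_port"] = int(u.group("port"))
                result["nonstandard_port"] = result["target_port"] != 21
        elif kind == "Response":
            code = int(text[:3]) if text[:3].isdigit() else None
            # 4xx/5xx replies are FTP failures (RFC 959); keep the first one.
            if code is not None and code >= 400 and result["failure_code"] is None:
                result["failure_code"] = code
                result["failed_after"] = last_command
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports that the proxy accepted USER (331) and returned 421 only after PASS, with the target on port 2021 rather than 21.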

Alcides Miguel
Level 1

Hi ahamadfaiz,

Have you solved your issue?

I have the same issue with one WSA S170 and access to an SFTP server, where I can't figure out how to solve this.

Any help will be appreciated.

Best regards,

Alcides

kushsriva
Level 1

Hi,

Please check CSCzv69205 at https://tools.cisco.com/bugsearch/bug/CSCzv69205.

If you use the authentication method as "anonymous" on the WSA the FTP should work.

Regards,

Kush
