Passive FTP issue after upgrade to v4.1.0 (NAT issue?)

L0 Member


After upgrading to version 4.1.0 on my PA2050 in HA (Active-passive), passive FTP is no longer possible to our FTP server.

When users log on, they time out on the MLSD command (in binary mode).

I'm looking at NAT because the issue does not arise when accessing the same server from within the network. The FTP server is in the DMZ and doesn't NAT for internal users, but it has a bi-directional NAT behind a static public IP for untrusted users.

Active FTP works fine.

I did remove the vulnerability profile to test: problem still exists.


Accepted Solutions
L3 Networker

I was just notified that the bug has been fixed in the 278 Content version.  I have not yet confirmed this as the 278 isn't available for download/install yet.

When it is available, you will go to Device -> Dynamic Updates.  At the bottom of the screen press "Check Now" to update the page with the latest release information.  Under Applications and Threats check for 278 or greater and download/install.



All Replies
L0 Member

surfright1 appears to have had the same issue forcing him to downgrade.

Problem with MLSD command on FTP after upgrade to 4.1.0

L4 Transporter

I've seen this happen before on other PAN-OS releases. The first time I was able to just reinstall the OS, and that fixed it. The next time it happened, support had me run a command to either clear or reset the NAT pool, but I can't find the command anywhere.

L3 Networker

I am having the same problem as well.

L1 Bithead

I am also seeing this issue with some Internet-based users trying to FTP to servers on our DMZ and using passive mode.

This is affecting business-critical servers as we are using FTP for some of our EDI orders.

I would rather not have to downgrade back to 4.0.7 as 4.1 fixes some other issues that we were having with VPN connections.

Can anyone from Palo Alto Networks tell us how long we are likely to have to wait before we see a version 4.1.1 to fix this issue, please?


L6 Presenter

Content version 278 appears to be available for download at this time on the update servers.

-Benjamin

L1 Bithead

I've upgraded the Application and Threat content to version 278 and in my tests this problem still exists.

It would appear that it allows the ftp file upload but the file is corrupted and the ftp session itself will hang and has to be forced closed.

Come on Palo we need a fix for this ASAP please. This is seriously going to impact our business communications.

L1 Bithead

We had the same problem as well for a couple of weeks, and the problem was resolved after Content Update 278.
