Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-12-2011 02:39 AM
Hi everybody,
After waiting a week I upgraded one of our PA-500 boxes to software version 4.1.0.
One of the services that are no longer working correctly is FTP. The MLSD command is causing an error at the client connecting to the service:
Status: Resolving address of mev.blahdieblah.com
Status: Connecting to 87.249.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Hello
Command: USER xxxx
Response: 331 Password required for amag
Command: PASS *******
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Status: Directory listing successful
Status: Retrieving directory listing...
Command: CWD Blah
Response: 250 CWD successful. "/Blah" is current directory.
Command: PWD
Response: 257 "/Blah" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (87,249,xxx,xxx,20,176)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
This was working before with software version 4.0.5 - nothing has changed except the software on the Palo Alto firewall.
Anyone have an idea how to troubleshoot and fix this?
Thanks!
Mark
11-12-2011 09:02 AM
Because the firewall is part of a critical system I was forced to downgrade the device back to 4.0.5. Please look into this issue Palo Alto Networks. Version 4.1.0 is not usable in a production environment.
Mark
11-12-2011 11:44 AM
I encourage you to contact your Authorized Support provider to open a case for this issue.
This will help us to determine the root cause of the issue. The information that you have provided might be enough for us to replicate this in our lab, but having a case open will help us track the issue and determine all of the variables (hardware, content version, etc. etc)
Thank you,
Benjamin
11-14-2011 06:57 AM
Got the same here.
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 230 Logged on
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> opts utf8 on
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 200 UTF8 mode enabled
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> PWD
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 257 "/" is current directory.
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> CWD /
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 250 CWD successful. "/" is current directory.
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> TYPE A
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 200 Type set to A
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> PASV
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,247,129)
11-14-2011 09:21 AM
Upon further investigation I seem to have a problem with selective customers.
When trying to open the FTP site using soemthing like filezilla it works. If I use Internet Explorer in passive mode it connects but cannot read the contents of the folder. Internet Explorer in active mode works no problem.
Therefore is it a problem using passive mode some how?
11-16-2011 12:38 AM
I have also had to downgrade to a prior version. Couldnt get version 4.1.0 to work correctly with FTP.
11-16-2011 03:51 AM
Same thing for us: ftp is not working reliable since upgrade to 4.1.0
11-16-2011 07:04 AM
Just out of curiosity do you guys have your PA's in VWire or L3?
I only ask because my setup is a little more complex where my edge FWs are Cisco ASA5550's and the PA's are a bump in the wire for our Internet connection.
11-16-2011 07:06 AM
We are running L3 interfaces only.
11-16-2011 07:11 AM
I only run L3 interfaces.
I tried everything. Custom servics, specified FTP outbound ports, creating my own ftp custom application, no checking, no logging, disabling injection response.
I gave up in the end. After two days of messing about with different settings on the firewall i'd had enough.
If i tried using filezilla in passive/active mode it worked. If I tried using Internet explorer in passive mode it would allow me to logon but then the server disconncted and IE couldn't see anything, eventually returning an error. As soon as I switched IE to active mode it worked.
My reseller wanted me to leave it as it was so we could debug it with them but it was a pain in the backside for my company.
11-16-2011 08:43 AM
I am having this problem as well, yet, filezilla also fails in addition trying IE.
11-22-2011 04:43 AM
I am also seeing this issue with some internet based users trying to ftp to servers on our DMZ and using passive mode.
This is effecting business critical servers as we are using ftp for some of our EDI orders.
I would rather not have to down grade back to 4.0.7 as 4.1 fixes some other issues that we were having with VPN connections.
Can anyone from Paloalto Networks tell us how long are we likely to have to wait before we see a version 4.1.1 to fix this issue please?
11-22-2011 05:01 AM
For everyone having this issue: Palo Alto Networks is aware of the problem and we sent them a pcap network dump of our FTP traffic, along with a Tech Support File of our device.
12-06-2011 12:23 PM
I just got word from Palo Alto Networks that they have fixed this issue by updating the application database to version 278-1187 (and higher). I also heard PAN-OS 4.1.1 is coming soon. Since there are some other critical issues with PAN-OS 4.1, my premium support advised me to wait for 4.1.1, which is coming within a week or 2.
02-07-2012 04:17 AM
Update: Today I have updated my firewall to PAN OS version 4.1.2 and Applications and Threats to version 290-1273. FTP related fixes from the release notes of PAN OS 4.1.2:
35009 – Active FTP not working properly through the firewall due to App-ID queue counters not incrementing properly causing the connection to fail
34353 – Clients behind the firewall are not able to establish passive FTP connections to external servers due to a mismatch in the NAT pool IDs
One would guess it's fixed now after months, but no... *double face palm*
I am sending a support file to Palo Alto Networks again but if they can't fix this soon I want my thousands of euros back!!! This is getting really rediculous!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
