After waiting a week I upgraded one of our PA-500 boxes to software version 4.1.0.
One of the services that is no longer working correctly is FTP. The MLSD command is causing an error at the client connecting to the service:
Status: Resolving address of mev.blahdieblah.com
Status: Connecting to 87.249.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Hello
Command: USER xxxx
Response: 331 Password required for amag
Command: PASS *******
Response: 230 Logged on
Status: Retrieving directory listing...
Response: 257 "/" is current directory.
Status: Directory listing successful
Status: Retrieving directory listing...
Command: CWD Blah
Response: 250 CWD successful. "/Blah" is current directory.
Response: 257 "/Blah" is current directory.
Command: TYPE I
Response: 200 Type set to I
Response: 227 Entering Passive Mode (87,249,xxx,xxx,20,176)
Error: Connection timed out
Error: Failed to retrieve directory listing
This was working before with software version 4.0.5 - nothing has changed except the software on the Palo Alto firewall.
Anyone have an idea how to troubleshoot and fix this?
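A small diagnostic for the failure shown in the log above (the client accepts the 227 reply and then times out on the data connection). This is an added example, not code from the thread or from Palo Alto Networks: it parses a 227 "Entering Passive Mode" reply into host and port, flags the case where the advertised address differs from the control-connection peer (the classic sign that a NAT device or FTP ALG did not rewrite the reply), and optionally probes the data port with a timeout. The IP addresses and replies used are constructed sample values.

```python
import re
import socket
from dataclasses import dataclass

# RFC 959 PASV reply: 227 <text> (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PasvTarget:
    host: str
    port: int


def parse_pasv(reply: str) -> PasvTarget:
    """Turn a 227 reply line into the data-connection endpoint it advertises."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"field out of range in 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("227 reply advertises port 0")
    return PasvTarget(f"{h1}.{h2}.{h3}.{h4}", port)


def pasv_mismatch(control_peer: str, target: PasvTarget) -> bool:
    """True when the server advertised a different address than the one the
    control connection reached. Through NAT this usually means the firewall's
    FTP ALG did not rewrite the 227 reply, so the client will connect to an
    unreachable (often private) address and time out, as in the log above."""
    return target.host != control_peer


def probe_data_port(target: PasvTarget, timeout: float = 5.0) -> bool:
    """Attempt the data connection the client would open; False on timeout/refusal."""
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: control connection went to 192.0.2.10 (documentation range)
    t = parse_pasv("227 Entering Passive Mode (192,0,2,10,20,176)")
    print(t, "mismatch:", pasv_mismatch("192.0.2.10", t))
```

Run it against a real capture by pasting the 227 line and the server address you connected to; a mismatch points at NAT/ALG handling on the path, while a reachable-address timeout points at the data port being blocked or not allowed by policy.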
I encourage you to contact your Authorized Support provider to open a case for this issue.
This will help us to determine the root cause of the issue. The information that you have provided might be enough for us to replicate this in our lab, but having a case open will help us track the issue and determine all of the variables (hardware, content version, etc.).
Got the same here.
(000180)14/11/2011 14:52:31 - user (220.127.116.11)> 230 Logged on
(000180)14/11/2011 14:52:31 - user (18.104.22.168)> opts utf8 on
(000180)14/11/2011 14:52:31 - user (22.214.171.124)> 200 UTF8 mode enabled
(000180)14/11/2011 14:52:31 - user (126.96.36.199)> PWD
(000180)14/11/2011 14:52:31 - user (188.8.131.52)> 257 "/" is current directory.
(000180)14/11/2011 14:52:31 - user (184.108.40.206)> CWD /
(000180)14/11/2011 14:52:31 - user (220.127.116.11)> 250 CWD successful. "/" is current directory.
(000180)14/11/2011 14:52:31 - user (18.104.22.168)> TYPE A
(000180)14/11/2011 14:52:31 - user (22.214.171.124)> 200 Type set to A
(000180)14/11/2011 14:52:31 - user (126.96.36.199)> PASV
(000180)14/11/2011 14:52:31 - user (188.8.131.52)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,247,129)
Upon further investigation I seem to have a problem with selective customers.
When trying to open the FTP site using something like FileZilla it works. If I use Internet Explorer in passive mode it connects but cannot read the contents of the folder. Internet Explorer in active mode works no problem.
Therefore, is it a problem using passive mode somehow?
I only run L3 interfaces.
I tried everything. Custom services, specified FTP outbound ports, creating my own FTP custom application, no checking, no logging, disabling injection response.
I gave up in the end. After two days of messing about with different settings on the firewall I'd had enough.
If I tried using FileZilla in passive/active mode it worked. If I tried using Internet Explorer in passive mode it would allow me to log on but then the server disconnected and IE couldn't see anything, eventually returning an error. As soon as I switched IE to active mode it worked.
My reseller wanted me to leave it as it was so we could debug it with them but it was a pain in the backside for my company.
I am also seeing this issue with some internet-based users trying to FTP to servers on our DMZ and using passive mode.
This is affecting business critical servers as we are using FTP for some of our EDI orders.
I would rather not have to downgrade back to 4.0.7 as 4.1 fixes some other issues that we were having with VPN connections.
Can anyone from Palo Alto Networks tell us how long we are likely to have to wait before we see a version 4.1.1 to fix this issue please?
I just got word from Palo Alto Networks that they have fixed this issue by updating the application database to version 278-1187 (and higher). I also heard PAN-OS 4.1.1 is coming soon. Since there are some other critical issues with PAN-OS 4.1, my premium support advised me to wait for 4.1.1, which is coming within a week or 2.
Update: Today I have updated my firewall to PAN-OS version 4.1.2 and Applications and Threats to version 290-1273. FTP related fixes from the release notes of PAN-OS 4.1.2:
35009 – Active FTP not working properly through the firewall due to App-ID queue counters not incrementing properly causing the connection to fail
34353 – Clients behind the firewall are not able to establish passive FTP connections to external servers due to a mismatch in the NAT pool IDs
One would guess it's fixed now after months, but no... *double face palm*
I am sending a support file to Palo Alto Networks again but if they can't fix this soon I want my thousands of euros back!!! This is getting really ridiculous!