Problem with MLSD command on FTP after upgrade to 4.1.0


Not applicable

Hi everybody,

After waiting a week I upgraded one of our PA-500 boxes to software version 4.1.0.

One of the services that are no longer working correctly is FTP. The MLSD command is causing an error at the client connecting to the service:

Status:     Resolving address of mev.blahdieblah.com
Status:     Connecting to 87.249.xxx.xxx:21...
Status:     Connection established, waiting for welcome message...
Response:     220 Hello
Command:     USER xxxx
Response:     331 Password required for amag
Command:     PASS *******
Response:     230 Logged on
Status:     Connected
Status:     Retrieving directory listing...
Command:     PWD
Response:     257 "/" is current directory.
Status:     Directory listing successful
Status:     Retrieving directory listing...
Command:     CWD Blah
Response:     250 CWD successful. "/Blah" is current directory.
Command:     PWD
Response:     257 "/Blah" is current directory.
Command:     TYPE I
Response:     200 Type set to I
Command:     PASV
Response:     227 Entering Passive Mode (87,249,xxx,xxx,20,176)
Command:     MLSD
Error:     Connection timed out
Error:     Failed to retrieve directory listing

This was working before with software version 4.0.5 - nothing has changed except the software on the Palo Alto firewall.

Anyone have an idea how to troubleshoot and fix this?

Thanks!

Mark
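For anyone troubleshooting the same symptom, a small probe that replays the exact client sequence from the log above (USER, PASS, TYPE I, PASV, MLSD) and records which stage stalls is more telling than the client's single "Connection timed out" line: it separates "the data port from the 227 reply is unreachable" from "the data socket connects but the listing never arrives". This is an added example written for this thread, not code from the original post or from Palo Alto Networks; host, credentials and the octets in the test replies are placeholders the caller supplies.

```python
import re
import socket

# RFC 959 PASV reply, e.g. "227 Entering Passive Mode (87,249,xxx,xxx,20,176)"
PASV_RE = re.compile(r"^227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m: raise ValueError("not a 227 PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def _reply(rd):
    """Read one control reply, skipping 'ddd-' continuation lines."""
    first = rd.readline().rstrip("\r\n")
    while first[3:4] == "-":
        ln = rd.readline()
        if not ln or ln.startswith(first[:3] + " "):
            break
    return first

def probe_passive_listing(host, user, password, port=21, timeout=10):
    """Replay USER/PASS/TYPE I/PASV/MLSD as in the log; return {stage: observation}."""
    out = {}
    ctl = socket.create_connection((host, port), timeout=timeout)
    rd = ctl.makefile("r", encoding="latin-1")
    def cmd(line):
        ctl.sendall((line + "\r\n").encode())
        return _reply(rd)
    out["banner"] = _reply(rd)
    for c in ("USER " + user, "PASS " + password, "TYPE I", "PASV"):
        out[c.split()[0]] = cmd(c)
    data_host, data_port = parse_pasv(out["PASV"])
    out["data_endpoint"] = (data_host, data_port)
    try:  # a passive client opens the data socket before sending MLSD
        data = socket.create_connection((data_host, data_port), timeout=timeout)
    except OSError as e:
        out["verdict"] = "data connect to %s:%d failed before MLSD: %s" % (data_host, data_port, e)
        ctl.close(); return out
    try:
        out["MLSD"] = cmd("MLSD")         # expect 150; the listing then arrives on the data socket
        chunk = data.recv(4096)
        out["MLSD_done"] = _reply(rd)     # expect 226 once the server has finished sending
        out["verdict"] = "ok, %d bytes of listing received" % len(chunk)
    except socket.timeout as e:
        out["verdict"] = "timed out after the data connect (session dropped mid-transfer?): %s" % e
    finally:
        data.close(); ctl.close()
    return out
```

Run it from the affected client network (e.g. `probe_passive_listing("mev.blahdieblah.com", "user", "pass")`) and compare the verdict with a run from a host that is not behind the upgraded firewall; the data endpoint it prints is the port the firewall must let through for the listing to arrive.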

18 Replies

Not applicable

Because the firewall is part of a critical system I was forced to downgrade the device back to 4.0.5. Please look into this issue Palo Alto Networks. Version 4.1.0 is not usable in a production environment.

Mark

I encourage you to contact your Authorized Support provider to open a case for this issue.

This will help us to determine the root cause of the issue. The information that you have provided might be enough for us to replicate this in our lab, but having a case open will help us track the issue and determine all of the variables (hardware, content version, etc.).

Thank you,

Benjamin

Not applicable

Got the same here.

(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 230 Logged on
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> opts utf8 on
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 200 UTF8 mode enabled
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> PWD
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 257 "/" is current directory.
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> CWD /
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 250 CWD successful. "/" is current directory.
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> TYPE A
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 200 Type set to A
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> PASV
(000180)14/11/2011 14:52:31 - user (81.179.47.27)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,247,129)

Upon further investigation I seem to have a problem with selective customers.

When trying to open the FTP site using something like FileZilla it works.  If I use Internet Explorer in passive mode it connects but cannot read the contents of the folder.  Internet Explorer in active mode works no problem.

Therefore, is it a problem using passive mode somehow?

Not applicable

I have also had to downgrade to a prior version.  Couldn't get version 4.1.0 to work correctly with FTP.

Same thing for us: FTP is not working reliably since the upgrade to 4.1.0.

L1 Bithead

Just out of curiosity, do you guys have your PAs in VWire or L3?

I only ask because my setup is a little more complex where my edge FWs are Cisco ASA5550s and the PAs are a bump in the wire for our Internet connection.

We are running L3 interfaces only.

I only run L3 interfaces.

I tried everything. Custom services, specified FTP outbound ports, creating my own FTP custom application, no checking, no logging, disabling injection response.

I gave up in the end.  After two days of messing about with different settings on the firewall I'd had enough.

If I tried using FileZilla in passive/active mode it worked.  If I tried using Internet Explorer in passive mode it would allow me to log on but then the server disconnected and IE couldn't see anything, eventually returning an error.  As soon as I switched IE to active mode it worked.

My reseller wanted me to leave it as it was so we could debug it with them but it was a pain in the backside for my company.

I am having this problem as well, yet FileZilla also fails, in addition to IE.

L1 Bithead

I am also seeing this issue with some internet based users trying to ftp to servers on our DMZ and using passive mode.

This is affecting business critical servers as we are using FTP for some of our EDI orders.

I would rather not have to downgrade back to 4.0.7 as 4.1 fixes some other issues that we were having with VPN connections.

Can anyone from Palo Alto Networks tell us how long we are likely to have to wait before we see a version 4.1.1 to fix this issue please?

For everyone having this issue: Palo Alto Networks is aware of the problem and we sent them a pcap network dump of our FTP traffic, along with a Tech Support File of our device.

Not applicable

I just got word from Palo Alto Networks that they have fixed this issue by updating the application database to version 278-1187 (and higher). I also heard PAN-OS 4.1.1 is coming soon. Since there are some other critical issues with PAN-OS 4.1, my premium support advised me to wait for 4.1.1, which is coming within a week or 2.

Not applicable

Update: Today I have updated my firewall to PAN-OS version 4.1.2 and Applications and Threats to version 290-1273. FTP related fixes from the release notes of PAN-OS 4.1.2:

35009 – Active FTP not working properly through the firewall due to App-ID queue counters not incrementing properly causing the connection to fail

34353 – Clients behind the firewall are not able to establish passive FTP connections to external servers due to a mismatch in the NAT pool IDs

One would guess it's fixed now after months, but no... *double face palm*

I am sending a support file to Palo Alto Networks again but if they can't fix this soon I want my thousands of euros back!!! This is getting really ridiculous!

  • 7696 Views
  • 18 replies
  • 0 Likes