11-12-2011 02:39 AM
Hi everybody,
After waiting a week I upgraded one of our PA-500 boxes to software version 4.1.0.
One of the services that are no longer working correctly is FTP. The MLSD command is causing an error at the client connecting to the service:
Status: Resolving address of mev.blahdieblah.com
Status: Connecting to 87.249.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Hello
Command: USER xxxx
Response: 331 Password required for amag
Command: PASS *******
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Status: Directory listing successful
Status: Retrieving directory listing...
Command: CWD Blah
Response: 250 CWD successful. "/Blah" is current directory.
Command: PWD
Response: 257 "/Blah" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (87,249,xxx,xxx,20,176)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
This was working before with software version 4.0.5 - nothing has changed except the software on the Palo Alto firewall.
Anyone have an idea how to troubleshoot and fix this?
Thanks!
Mark
02-24-2012 04:40 AM
We're experiencing the same issue with all the latest versions (PAN OS and app database). Is there any progress on this or at least a known work-around?
04-17-2012 01:26 PM
I'm running into this as well. I'd fixed it in the past with a policy work-around specific to the inbound passive FTP IP address, but since I upgraded to PAN-OS 4.1.4, it no longer works again. I'd love to see this bug fixed for good, instead of showing up again each time I update the OS. Any information on how to address this would be appreciated.
04-18-2012 05:48 AM
Yesterday, after months of trying and complaining, a technical support engineer from a local Palo Alto Networks distributor came to our office to once and for all investigate the problem with FTP. We upgraded our PA-500 appliance to PAN-OS 4.1.5 and, as always, FTP was no longer working. So we started to compare the traffic using Wireshark captures from FTP traffic through PAN-OS 4.0.10 and PAN-OS 4.1.5.
After 20 minutes we stumbled upon a lead and the support engineer phoned official Palo Alto Networks support directly. For over an hour Palo Alto Networks worked with the local engineer to solve the problem and they found the bug! The exact phrase was "oh shit". So FTP is broken (like many said before) and it seems that it's caused by the prediction engine in the firewall.
The technical engineer from the local distributor wrote an application override for our FTP server. Palo Alto Networks is working on an update to solve the bug. So currently, PAN-OS 4.1.x and FTP are working for us now using the workaround!
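The timeout in the first post's log comes after a successful PASV reply, so the failure is on the data connection, whose port a firewall that tracks FTP has to derive from the 227 response. As an added example (not part of the original thread; the function names are hypothetical and the sample log is constructed from the first post), this Python script parses a client log, computes the negotiated data port, and reports transfers that timed out on it:

```python
import re

# Constructed sample: the client log from the first post, trimmed to the data-channel steps.
SAMPLE_LOG = """\
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (87,249,xxx,xxx,20,176)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
"""

PASV_RE = re.compile(r"227 .*?\(([^)]*)\)")
DATA_CMDS = {"MLSD", "LIST", "NLST", "RETR", "STOR", "APPE"}

def parse_pasv(response):
    """Return (host, port) from a 227 reply; masked octets are kept as text."""
    m = PASV_RE.search(response)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 6 or not (fields[4].isdigit() and fields[5].isdigit()):
        return None
    p1, p2 = int(fields[4]), int(fields[5])
    if p1 > 255 or p2 > 255:
        return None
    return ".".join(fields[:4]), p1 * 256 + p2  # port = p1*256 + p2

def diagnose(log):
    """List data transfers that timed out after a successful PASV negotiation."""
    findings, endpoint, pending = [], None, None
    for line in log.splitlines():
        kind, _, text = line.partition(":")
        text = text.strip()
        words = text.split()
        if kind == "Response" and text.startswith("227"):
            endpoint, pending = parse_pasv(text), None
        elif kind == "Command" and words and words[0] in DATA_CMDS:
            pending = words[0]
        elif kind == "Response" and pending and text[:1] in ("1", "2"):
            endpoint = pending = None  # 1xx/2xx reply: the data channel opened
        elif kind == "Error" and "timed out" in text and endpoint and pending:
            findings.append({"command": pending, "host": endpoint[0], "port": endpoint[1]})
            endpoint = pending = None
    return findings
```

A finding means the control channel on port 21 worked while the connection to the reported data port did not, which is the symptom to compare against the firewall's traffic log for that port.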
04-18-2012 07:09 AM
Wow, that sounds extremely frustrating. I'm happy my version of the problem was resolved back in November when they released an app definition update. Your persistence though in getting this resolved is a benefit to all of us. So thank you!