Problem with MLSD command on FTP after upgrade to 4.1.0


Hi everybody,

After waiting a week I upgraded one of our PA-500 boxes to software version 4.1.0.

One of the services that are no longer working correctly is FTP. The MLSD command is causing an error at the client connecting to the service:

Status:     Resolving address of mev.blahdieblah.com

Status:     Connecting to 87.249.xxx.xxx:21...

Status:     Connection established, waiting for welcome message...

Response:     220 Hello

Command:     USER xxxx

Response:     331 Password required for amag

Command:     PASS *******

Response:     230 Logged on

Status:     Connected

Status:     Retrieving directory listing...

Command:     PWD

Response:     257 "/" is current directory.

Status:     Directory listing successful

Status:     Retrieving directory listing...

Command:     CWD Blah

Response:     250 CWD successful. "/Blah" is current directory.

Command:     PWD

Response:     257 "/Blah" is current directory.

Command:     TYPE I

Response:     200 Type set to I

Command:     PASV

Response:     227 Entering Passive Mode (87,249,xxx,xxx,20,176)

Command:     MLSD

Error:     Connection timed out

Error:     Failed to retrieve directory listing

This was working before with software version 4.0.5 - nothing has changed except the software on the Palo Alto firewall.

Anyone have an idea how to troubleshoot and fix this?

Thanks!

Mark
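Added example, not part of the original post: a Python sketch that reads a client log in the format shown above, decodes each 227 reply into the data-channel endpoint (port = p1 * 256 + p2, so `20,176` is port 5296), and reports data commands that timed out after PASV, with a Wireshark display filter for that connection. The sample log, its documentation-range address and all function names are constructed for illustration.

```python
import re

# Constructed sample in the client-log format of the post above; the address
# is from the 192.0.2.0/24 documentation range, not from the thread.
SAMPLE_LOG = """\
Command:     PASV
Response:     227 Entering Passive Mode (192,0,2,10,20,176)
Command:     MLSD
Error:     Connection timed out
Command:     PASV
Response:     227 Entering Passive Mode (192,0,2,10,20,177)
Command:     MLSD
Response:     226 Transfer OK
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        return None  # not a PASV reply, or octets masked/garbled
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def stalled_data_channels(log_text):
    """List (command, host, port) for data commands that timed out after PASV."""
    findings, endpoint, pending = [], None, None
    for line in log_text.splitlines():
        kind, _, text = (part.strip() for part in line.partition(":"))
        if kind == "Command":
            verb = text.split()[0].upper() if text else ""
            pending = verb if verb in DATA_CMDS else None
        elif kind == "Response" and text.startswith("227"):
            endpoint = parse_pasv(text)
        elif kind == "Response":
            pending = None  # the server answered, so nothing is stalled
        elif kind == "Error" and pending and endpoint and "timed out" in text.lower():
            findings.append((pending, *endpoint))
            pending = endpoint = None
    return findings

def display_filter(host, port):
    """Wireshark display filter isolating the negotiated data connection."""
    return f"ip.addr == {host} && tcp.port == {port}"

if __name__ == "__main__":
    for cmd, host, port in stalled_data_channels(SAMPLE_LOG):
        print(cmd, "stalled; filter:", display_filter(host, port))
```

Applying the filter to captures taken on both sides of the firewall shows whether the client's SYN to the data port ever reaches the server.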

18 REPLIES

We're experiencing the same issue with all the latest versions (PAN OS and app database), is there any progress on this or at least a known work-around?

I'm running into this as well. I'd fixed it in the past with a policy work-around specific to the inbound passive FTP IP address, but since I upgraded to PAN-OS 4.1.4, it no longer works again. I'd love to see this bug fixed for good, instead of showing up again each time I update the OS. Any information on how to address this would be appreciated.

Yesterday, after months of trying and complaining, a technical support engineer from a local Palo Alto Networks distributor came to our office to once and for all investigate the problem with FTP. We upgraded our PA-500 appliance to PAN-OS 4.1.5 and, as always, FTP was no longer working. So we started to compare the traffic using Wireshark captures from FTP traffic through PAN-OS 4.0.10 and PAN-OS 4.1.5.

After 20 minutes we stumbled upon a lead and the support engineer phoned official Palo Alto Networks support directly. For over an hour Palo Alto Networks worked with the local engineer to solve the problem and they found the bug! The exact phrase was "oh shit". So FTP is broken (like many said before) and it seems that it's caused by the prediction engine in the firewall.

The technical engineer from the local distributor wrote an application override for our FTP server. Palo Alto Networks is working on an update to solve the bug. So currently, PAN-OS 4.1.x and FTP are working for us now using the workaround!

Wow, that sounds extremely frustrating. I'm happy my version of the problem was resolved back in November when they released an app definition update. Your persistence though in getting this resolved is a benefit to all of us. So thank you!
