Thursday, September 20, 2018

Active FTP data channel connection originating from a random port other than 20?

Story: I've noticed a weird issue with FTP at one of my client's sites. They use our FTP client software which is behind a NAT router to connect to another company's FTP server. The FTP company recently migrated to a new server with a new URL and a new IP. I made the change in the FTP client to connect to the new server. I am able to connect to the new FTP server via active FTP, log in, and change directories. Once I attempt a DIR or a file download, it times out with a 550 response 90% of the time. 10% of the time I can complete the connection just fine.

I've obtained a packet capture on the public interface of the router and noticed that when the FTP server attempts to establish the data channel connection back to the client and it fails, the source port is not 20, but something wacky like 925, 9053, or 11973, and is blocked by the firewall. That 10% of the time that the connection is successfully established, the source port is 20, as it should be.

They have a Meraki router so I assume it is FTP aware, which is why the active FTP connection works under normal circumstances. For example, the router modifies the PORT command to display its public IP instead of the FTP client computer's private one. I also assume that the Meraki is then expecting the incoming connection to originate from port 20, which is why it fails when it originates from any other port.

Questions: I've googled my fingers red but can't seem to find any reference to an FTP data channel connection request originating from a port besides 20.

-Can you even configure an FTP server to do that?

-Could this be something like a proxy server or other networking device that is replaying or otherwise modifying the source port in transit?

More than anything I'm curious as to how or why this source port would be anything but 20. Secondarily, if anyone had some advice to get this working on my end that'd be awesome.

I've contacted the company who runs the FTP server, but can't seem to get through to anyone with any technical knowledge directly. I just get emails telling me to whitelist their IP on the router, which supposedly the Meraki MX64 cannot do.
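The check the post describes by hand (reading the rewritten PORT command on the router's public interface, then looking at which source port the server's inbound data-channel SYN arrives from) as a small audit script. This is an added example, not code from the post or from Meraki; the addresses, timestamps and ports are constructed, and the records are assumed to be already decoded from a capture rather than read from a pcap directly. Context the check relies on: RFC 959 makes port 20 (control port minus one) the server's default data port, but a server is not required to use it, so a firewall or NAT helper that only admits data connections with source port 20 will drop the rest.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 (four address octets, two port octets)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); return None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


@dataclass
class ControlLine:
    ts: float
    client_ip: str   # source of the control-channel message (the post-NAT public IP)
    server_ip: str
    text: str


@dataclass
class Syn:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def audit_active_ftp(control: List[ControlLine], syns: List[Syn],
                     expected_src_port: int = 20) -> List[dict]:
    """For each PORT command, find the server's inbound data SYN and classify it."""
    findings = []
    for cl in control:
        parsed = parse_port_command(cl.text)
        if parsed is None:
            continue
        adv_ip, adv_port = parsed
        # The data connection must come from the server, after the PORT command,
        # to exactly the address and port the (NAT-rewritten) PORT advertised.
        match = None
        for s in syns:
            if (s.ts >= cl.ts and s.src_ip == cl.server_ip
                    and s.dst_ip == adv_ip and s.dst_port == adv_port):
                match = s
                break
        finding = {"ts": cl.ts, "advertised": f"{adv_ip}:{adv_port}"}
        if match is None:
            finding["status"] = "no_data_connection"
        elif match.src_port != expected_src_port:
            finding["status"] = "unexpected_source_port"
            finding["observed_src_port"] = match.src_port
        else:
            finding["status"] = "ok"
            finding["observed_src_port"] = match.src_port
        findings.append(finding)
    return findings


def run_sample_audit() -> List[dict]:
    """Constructed sample: NAT'd client seen as 203.0.113.10, server at 198.51.100.5."""
    control = [
        ControlLine(1.0, "203.0.113.10", "198.51.100.5", "PORT 203,0,113,10,195,80"),  # port 50000
        ControlLine(2.0, "203.0.113.10", "198.51.100.5", "PORT 203,0,113,10,195,81"),  # port 50001
        ControlLine(3.0, "203.0.113.10", "198.51.100.5", "PORT 203,0,113,10,195,82"),  # port 50002
    ]
    syns = [
        Syn(1.1, "198.51.100.5", 20, "203.0.113.10", 50000),    # textbook ftp-data source port
        Syn(2.1, "198.51.100.5", 9053, "203.0.113.10", 50001),  # ephemeral source port
        # no SYN for the third PORT command: nothing arrived at all
    ]
    return audit_active_ftp(control, syns)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f)
```

Run over a real capture, the `unexpected_source_port` findings are the sessions a source-port-20 rule would drop, and `no_data_connection` separates "blocked before the public interface" from "blocked by this router". Matching on the advertised address and port rather than on the source port is also the rule a stateful FTP helper should apply: the PORT command, not port 20, is what authorises the inbound connection.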
