FTPES differs from FTPS in that while FTPS listens on port 990 and is encrypted from the start (implicitly), FTPES listens on port 21, and the initial conversation is in clear text before the client issues an AUTH TLS command to enable encryption (but the connection remains on port 21).
I can connect to both servers and successfully enable FTPES from a client on my LAN or guest network, but not from anywhere outside the firewall. The initial plaintext connection works fine, and the AUTH TLS request and its response are passed through OK, but that's as far as it gets.
By running Wireshark on both the client and server, I can see the client send the next command to start the certificate exchange:
221 16:42:02.424480000 172.20.10.2 70.112.***.*** FTP 64 Request: AUTH TLS
222 16:42:02.426294000 70.112.***.*** 172.20.10.2 TCP 54 21→49838 [ACK] Seq=331 Ack=11 Win=262112 Len=0
223 16:42:03.114219000 70.112.***.*** 172.20.10.2 FTP 89 Response: 234 Using authentication type TLS
224 16:42:03.115114000 172.20.10.2 70.112.***.*** FTP 307 Request: \026\003\001\000\370\001\000\000\364\003\003UZ\026\025\360\216\274\365\340\252j(\315(\311TJ\320E8\377h\212/n\250\365\367\337;\233\177\000\000p\300,\300\207\300$\300
225 16:42:03.138889000 70.112.***.*** 172.20.10.2 TCP 54 21→49838 [ACK] Seq=366 Ack=264 Win=261888 Len=0
but that command never arrives at the server:
18 16:49:23.084656000 107.107.***.*** 192.168.0.9 FTP 64 Request: AUTH TLS
19 16:49:23.125744000 192.168.0.9 107.107.***.*** FTP 89 Response: 234 Using authentication type TLS
20 16:49:23.264895000 107.107.***.*** 192.168.0.9 TCP 60 38531→21 [ACK] Seq=11 Ack=366 Win=524160 Len=0
21 16:49:48.475935000 107.107.***.*** 192.168.0.9 TCP 66 20192→21 [SYN] Seq=0 Win=65535 Len=0 MSS=1370 WS=64 SACK_PERM=1
22 16:49:48.475959000 192.168.0.9 107.107.***.*** TCP 66 21→20192 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=1 SACK_PERM=1
I don't see anything in the Intrusion Protection log or the Firewall log. I've tried disabling Intrusion Protection; I've tried turning off the FTP connection tracking helper; I've tried different FTP clients, and I've tried a different FTP server on a different platform - all without success.
[Edit] Forgot to mention, FTP proxy is disabled - I've never used it.
Any and all suggestions gratefully accepted.
This thread was automatically locked due to age.
