FTP fails when using FQDN in an explicit proxy deployment

Article ID: 165769

Products

ProxySG Software - SGOS

Issue/Introduction

FTP fails when using fully-qualified domain names (FQDN) in an explicit proxy deployment.

FTP is successful when using the origin content server (OCS)/FTP server's IP address. Connecting directly to the Internet also works when either IP address or FQDN is used. 

Note: When this issue occurred, authentication was enabled and the ProxySG appliance username was defined in Raptor login syntax.  

Resolution

Use the appliance's packet capture utility (PCAP) to compare packet captures from when FTP worked with captures from when FTP failed.

You could use the following PCAP filter expressions:

  • ip host <client IP>  
  • ip host <FTP server IP>
  • host <FQDN of FTP server>
  • port 53

Troubleshoot the issue depending on the information in the packet captures. The following are possible causes of the issue and examples of troubleshooting steps:

  • Cause 1: The IP address used when FTP works is not the same one that DNS resolves when FTP fails.
    Resolution: Correct DNS server/resolution issues.

  • Cause 2: The username intended for the appliance is being sent to the OCS.
    Possible resolution: The presence of an FQDN trigger can cause the username defined in Raptor login syntax to be sent to the OCS/FTP server; as a result, the appliance would not be able to consume the username information. To determine if this is the case, perform a policy trace to locate the rule (see 000011446 for instructions). You can then create a rule above this rule to authenticate the FQDN.