This article discusses the Known Issues and Limitations with using either Active or Passive FTP with the VMware SD-WAN service.

There are known limitations when an FTP application is used and these limitations depend on which type of FTP is being used (Active or Passive). This article covers both the limitations for each FTP type and the workarounds.

Active FTP

   Active FTP

The first point that should be made is that VMware SD-WAN does not support Active FTP via NAT. This is not a bug, but a conscious decision made from Day 1 due to the security implications of Active FTP. There is a workaround if the customer is willing to accept the security risks that we will describe below.

The issues with Active FTP arise from the fact that after the control session is opened by the client, the server needs to open a second data connection using a different source and destination port. The security risks and limitations associated with Active FTP are a result of allowing this second flow to be initiated from the server.

Active FTP scenarios in a standard customer network:

1. Active FTP works properly for VMware SD-WAN Edge-to-Edge traffic because both sides are allowed to freely create new flows to each other and there is no NAT in between.
    
2. If the FTP server is located on the LAN-side of the Edge, and the client is in the cloud, then the initial control plane flow will need to be explicitly permitted. This may be done with a 1:1 NAT rule translating the server's public IP to its private IP. Since the secondary flow will be initiated by the server on the LAN side, the flow would not have any restrictions.

Note: There is a limitation to this method. 1:1 NAT rules that configure the allowed ports as 20-21 will not work. The reason is that a port 20-21 filter rule affects inbound traffic, but not outbound traffic. As a result, incoming traffic will be allowed per the rule but FTP traffic would use a random port for returning. Since there is no outbound rule for ports 20-21, there is no return path for the FTP flow, and the connection fails. As a result, a user should never configure a 1:1 NAT rule with allowed ports 20-21.

1. If the FTP server is on the public internet (and the client is on the LAN behind the Edge) the secondary data session will not be permitted. This is by design and there are currently no plans to support Active FTP for this setup. However, there are two workarounds which both carry security risks:
   1. The typical method is to configure a 1:1 NAT rule which allows all inbound traffic from the FTP Server’s Public IP. This will allow the inbound data connections from the server unilaterally regardless of the random port chosen.
   2. Another option is to disable NAT on the Edge and use an external NAT device which supports Active FTP.

Active FTP may fail when the FTP server is on a public network and the client is on a private network.

1. Windows FTP Client (FTP not working)

2. FileZilla FTP client (FTP Working)

The FileZilla FTP client has special settings to use a public IP address when the FTP client is behind a NAT device like a VMware SD-WAN Edge.