FTP traffic sometimes may not match the NSX-T FTP DFW rule



Article ID: 324228


Updated On:


VMware NSX Networking


The following conditions are met:
  • NSX-T environments running versions earlier than NSX-T Data Center 2.5.0
  • A DFW rule using the FTP (ALG) service has been created to allow FTP traffic
  • The FTP control connection (port 21) matches the FTP rule, but the FTP data-channel traffic is seen to match the default rule or another rule below the configured FTP rule. If that rule is a drop rule, the FTP transfer fails
  • The FTP application is using Extended Passive Mode (EPSV) when advertising the dynamic data port to the client, as can be seen in this sample packet capture of the control channel
  11:40:13.693223 00:50:56:a6:7a:13 > 00:50:56:ad:f2:12, ethertype IPv4 (0x0800), length 114: > Flags [P.], seq 271:319, ack 143, win 114, options [nop,nop,TS val 1193338955 ecr 2358453075], length 48: FTP: 229 Entering Extended Passive Mode (|||48561|)


VMware NSX-T Data Center
VMware NSX-T Data Center 2.x


The FTP protocol uses an architecture with two channels of communication. First a control connection is established on port 21.
Then, depending on the mode, the client and server exchange a dynamic port which they use for a parallel data channel. A firewall rule for FTP therefore relies on an Application Level Gateway (ALG) that inspects the control channel, learns the negotiated dynamic port, and matches the data channel to the same rule.
In Passive mode, the FTP server sends the client both the server's IP address and the dynamic port on which it is listening, in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
In Extended Passive Mode (EPSV), the FTP server sends only the dynamic port number, in a "229 Entering Extended Passive Mode (|||port|)" reply, as seen in the sample packet capture above; the client reuses the control-channel server address.
Due to this software issue, when Extended Passive Mode is used the ALG rule will match the control connection but may fail to learn the dynamic port, and so will not match the data channel traffic. The data channel then falls through to lower rules or the default rule.
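The following is an added example, not VMware's code and not the NSX-T ALG implementation, that shows the parsing difference between the two passive-mode replies and why an ALG that only understands the 227 form loses track of the EPSV data channel. The control-channel transcript, the tcpdump-style capture lines and the 192.0.2.10 server address are constructed for the example; the port 48561 in the 227 reply is encoded as 189*256+177 so that both replies advertise the same port as the capture in the article.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample control-channel exchange as an ALG would see it.
# "C:" is client -> server, "S:" is server -> client. Addresses are placeholders.
CONTROL_TRANSCRIPT = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: EPSV
S: 229 Entering Extended Passive Mode (|||48561|)
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,189,177)
C: RETR file.bin
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
"""

# Constructed tcpdump-style lines in the same format as the article's capture
# (addresses elided, as in the article).
CAPTURE_TEXT = """\
11:40:13.693223 00:50:56:a6:7a:13 > 00:50:56:ad:f2:12, ethertype IPv4 (0x0800), length 114: > Flags [P.], seq 271:319, ack 143, win 114, length 48: FTP: 229 Entering Extended Passive Mode (|||48561|)
11:40:14.001000 00:50:56:a6:7a:13 > 00:50:56:ad:f2:12, ethertype IPv4 (0x0800), length 120: > Flags [P.], seq 319:373, ack 150, win 114, length 54: FTP: 227 Entering Passive Mode (192,0,2,10,189,177)
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
CAPTURE_EPSV_RE = re.compile(r"229 Entering Extended Passive Mode \(\|\|\|(\d+)\|\)")

Endpoint = Tuple[str, int]


def parse_pasv(line: str) -> Optional[Endpoint]:
    """227 reply: server address and port are both in the reply (port = p1*256 + p2)."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(line: str, server_ip: str) -> Optional[Endpoint]:
    """229 reply: only the port is in the reply; the address is the control-channel peer."""
    m = EPSV_RE.match(line)
    if not m:
        return None
    return server_ip, int(m.group(1))


def learn_data_endpoints(transcript: str, server_ip: str,
                         handle_epsv: bool = True) -> List[Tuple[str, Optional[Endpoint]]]:
    """Walk the control channel the way an ALG does and return, for every
    passive-mode reply, the data-channel endpoint learned. With handle_epsv=False
    the 229 reply yields None, which models the pre-2.5.0 behaviour: the control
    connection matched, but no dynamic port was learned for the data channel."""
    learned: List[Tuple[str, Optional[Endpoint]]] = []
    for raw in transcript.splitlines():
        direction, _, line = raw.partition(": ")
        if direction != "S":
            continue
        if line.startswith("227 "):
            learned.append(("PASV", parse_pasv(line)))
        elif line.startswith("229 "):
            learned.append(("EPSV", parse_epsv(line, server_ip) if handle_epsv else None))
    return learned


def find_epsv_ports(capture_text: str) -> List[int]:
    """Quick check over tcpdump text output: which EPSV data ports were advertised.
    Any port listed here is one an affected NSX-T version may fail to learn."""
    return [int(p) for p in CAPTURE_EPSV_RE.findall(capture_text)]


if __name__ == "__main__":
    print("fixed ALG:   ", learn_data_endpoints(CONTROL_TRANSCRIPT, "192.0.2.10"))
    print("affected ALG:", learn_data_endpoints(CONTROL_TRANSCRIPT, "192.0.2.10", handle_epsv=False))
    print("EPSV ports in capture:", find_epsv_ports(CAPTURE_TEXT))
```

Running find_epsv_ports over a tcpdump text dump of port 21 traffic is a fast way to confirm that a client is negotiating EPSV before changing its configuration or adding a workaround rule.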


This issue is resolved in NSX-T Data Center 2.5.0. Upgrade to 2.5.0 or later to fix it.

If upgrading is not immediately possible, either of the following workarounds can be used:
Configure the FTP application to use standard Passive mode instead of Extended Passive Mode, so that the server answers with a 227 reply that the ALG can parse (for example, curl's --disable-epsv option).
Add another DFW allow rule for the dynamic high-port traffic between the FTP client and server. Scope this rule to the specific client and server addresses rather than to any source or destination, as it bypasses the ALG's per-session port learning, and remove it after upgrading.