The client connects to the intranet through L2TP, and the upgrade service runs over FTP. After the dial-up access is complete, the upgrade cannot be performed through FTP, as shown in the figure:
The FTP client supports only active mode, while the FTP server supports both active and passive modes. In active mode, after the control channel is established, the data channel is initiated by the FTP server toward the client. Because no session table entry exists for this connection, its packets are translated by NAT. As a result, the source address of the data received by the client is inconsistent with the address the data was sent from. Therefore, the FTP data link cannot be formed, and the upgrade cannot be performed.
1. Add a deny rule to the ACL used for NAT, matching the data sent from the server to the client. The L2TP data is then sent to the client through the VPN without being translated, the addresses are consistent, and the upgrade succeeds.
2. Use the IE browser for the FTP upgrade. IE uses passive mode and can communicate with the FTP server.
1. The detect ftp service is not applied in the interzone.
2. The interzone packet filtering is disabled. FTP sessions are not formed.
When an FTP problem occurs, you are advised to analyze whether the FTP client and server are using active or passive mode.
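The active-mode failure and the NAT deny rule from the first fix can be modelled as follows. This is an added example, not part of the original case or any vendor code: all addresses and function names are constructed, and the client-side check (the data connection must come from the same address as the control channel) is an assumption of the model.

```python
import ipaddress

def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), as the FTP server does."""
    _, _, arg = cmd.strip().partition(" ")
    nums = [int(f) for f in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def nat_source(src, dst, nat_ip, deny_rules):
    """Source address after the firewall, for a flow with no session entry.
    deny_rules is a list of (src_net, dst_net) pairs exempt from NAT,
    modelling the deny rule added to the NAT ACL in the first fix."""
    for s_net, d_net in deny_rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d_net)):
            return src   # exempt: forwarded into the L2TP tunnel untranslated
    return nat_ip        # no exemption: source rewritten by NAT

def data_channel(server_ip, port_cmd, nat_ip, deny_rules=()):
    """Model the server-initiated data connection of active-mode FTP."""
    client_ip, client_port = parse_port(port_cmd)
    seen = nat_source(server_ip, client_ip, nat_ip, deny_rules)
    # Assumed client behaviour: accept data only from the control-channel peer.
    return {"dst": (client_ip, client_port), "src_seen": seen,
            "accepted": seen == server_ip}

if __name__ == "__main__":
    # Constructed sample values: intranet FTP server, firewall NAT address,
    # and the PORT command sent by an L2TP client at 192.168.50.2.
    server, nat_ip = "10.1.1.10", "203.0.113.1"
    port_cmd = "PORT 192,168,50,2,19,137"
    print("before fix:", data_channel(server, port_cmd, nat_ip))
    exempt = [("10.1.1.10/32", "192.168.50.0/24")]
    print("after fix: ", data_channel(server, port_cmd, nat_ip, exempt))
```
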