
Knowledge Base

When the USG2210 Adopts the L2TP Connection, the User Cannot Access the Intranet Through the FTP Client

Publication Date:  2012-07-25  |   Views:  2  |   Downloads:  0  |   Author:  anliku  |   Document ID:  EKB1000012921


Issue Description

The client connects to the intranet in L2TP mode, and the upgrade service runs over FTP. After dial-up access completes, the upgrade cannot be performed over FTP, as shown in the figure:

Alarm Information


Handling Process

The FTP client supports only the active mode, while the FTP server supports both the active and passive modes. In active mode, after the control channel is established, the FTP server initiates the data channel toward the client. Because no session table entry exists for this data channel, the traffic is processed by NAT. As a result, the address the client sees on the data connection is inconsistent with the address the data was sent from. The FTP data link therefore cannot be formed, and the upgrade cannot be performed. Either of the following resolves the problem:
1. Add an ACL rule for NAT that denies the traffic sent from the server to the client. The L2TP traffic is then sent to the client through the VPN without being translated, so the addresses are consistent and the upgrade succeeds.
2. Use the IE browser for the FTP upgrade. The IE browser uses the passive mode and can communicate with the FTP server.

Root Cause

1. The detect ftp function is not applied in the interzone.
2. Interzone packet filtering is disabled, and FTP sessions are not formed.


When an FTP problem occurs, you are advised to analyze whether the FTP client and server are using the active or the passive mode.
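
The following Python sketch is an added example, not part of the original article or of any Huawei tool. It reads FTP control-channel lines, determines whether active (PORT) or passive (227 reply) mode was negotiated, and checks whether the observed data connection comes from the control-channel peer, which is the address inconsistency described above. All addresses, the function names and the sample capture are constructed for illustration.

```python
import re

# Six comma-separated fields h1,h2,h3,h4,p1,p2 used by PORT and the 227 reply (RFC 959).
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.I)  # client -> server: active mode
PASV_RE = re.compile(r"^227\s.*?" + HOSTPORT)                  # server -> client: passive mode


def endpoint(groups):
    """Turn the six fields into (ip, port); reject values above 255."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        raise ValueError("field out of range: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_data_channels(control_lines, client_ip, server_ip, data_conns):
    """Pair each negotiated data endpoint with the connection attempts observed.

    data_conns: (src_ip, dst_ip, dst_port) tuples for observed data connections.
    """
    findings = []
    for line in control_lines:
        line = line.strip()
        active, passive = PORT_RE.match(line), PASV_RE.match(line)
        if not (active or passive):
            continue
        ip, port = endpoint((active or passive).groups())
        if active:   # the server opens the data connection to the client's PORT endpoint
            mode, want_src = "active", server_ip
        else:        # the client opens the data connection to the server's 227 endpoint
            mode, want_src = "passive", client_ip
        seen = [c for c in data_conns if c[1] == ip and c[2] == port]
        if not seen:
            status = "no data connection seen"
        elif any(c[0] == want_src for c in seen):
            status = "consistent"
        else:
            status = "source %s differs from control peer %s" % (seen[0][0], want_src)
        findings.append((mode, ip, port, status))
    return findings


# Constructed sample: the client sends PORT, the data connection arrives with a translated source.
CONTROL = ["USER upgrade", "331 Password required",
           "PORT 10,10,10,2,19,137", "200 PORT command successful"]
DATA = [("203.0.113.5", "10.10.10.2", 5001)]
print(check_data_channels(CONTROL, "10.10.10.2", "192.168.1.10", DATA))
```

A "differs from control peer" result in active mode matches the situation in this case: the server-initiated data connection was translated by NAT because no FTP session entry existed for it.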