Product : Zscaler Private Access
| Version | 1.0 (Still in progress) |
| Date | 16/02/204 |
Author | Bong Si How |
Confidentiality | Public |
Revision History
Version | Effective Date | Prepared/ Amend By | Summary of Changes | Approved By |
1.0 | 16/02/2024 | Bong Si How |
| |
|
|
|
|
|
|
|
|
|
|
1. Introduction
To troubleshoot the issue of user unable to FTP to external server through Zscaler Private Access.
2. Before You Begin
2.1. Preparation Checklist
- Check the issue is related to Zscaler or not.
- Gather the network information such as whether it is hotspot or LAN.
- Check is it only one user or multiple users are affected.
2.2. Safety and Precautions
- Backup the configurations such as the original policy configuration to prevent future confusion.
- If going to do pilot testing policies, always rollback if things go unsuccessful.
3. Step-by-Step Troubleshooting Guides
- Check the traffic going through ZPA or ZIA. Remember ZPA always have higher precedence than ZIA.
- This can be found by turning on/off ZPA or ZIA to find out.
- If turning off ZPA suddenly can work, that means ZPA configuration has issue like port might not be configured.
- If turning off ZPA cannot work, which means traffic should go ZIA:
- If going ZIA cannot work, is because FTP control is not enabled, must enable them in ZIA admin portal.
- If going ZIA can work, that means the application is hosted publicly so may ask user whether they want to maintain using ZIA or not.
- If user FTP application is private, so turning off ZIA / ZPA or on both doesn't work, then we focus on ZPA first.
- This can be found by turning on/off ZPA or ZIA to find out.
- if it is ZPA:
- Check diagnostic logs
- Check app connector health.
- Check policies configuration especially on-health checking, whether it is wildcard, port number is properly configured in the custom-defined application segment.
- If it is ZIA:
- Just to ensure FTP control all FTP related configuration are turned on, if they are not turned on, may inform user to turn them on.
4. Tool used to troubleshoot :
- Putty
- For testing FTP, putty can be used to test the connection, but be aware, if putty managed to establish connection but showing some error, it could indicate server refusing to connect due to several issue, it could be the health checking mechanism.
- Otherwise if putty direct decline the connection request, that means it is totally blocked.
- if putty show time out that could indicate server does not respond or not alive or unreachable.
- Attention, there is a passive/active mode to be enabled/disabled in putty, read the 5th below to understand better. So by tuning this configuration might also achieve some troubleshooting.
- Telnet
- Can try command as below :
- Type ftp ask4keyftp.com in cmd.
- Then type username and password.
- If connection established successfully, then it could mean port is success.
- Can try command as below :
5. Some important knowledge to know:
- File Transfer Protocol (FTP) can run in active or passive mode.
- Active mode FTP requires a TCP connection to be initiated from the server to the client.
- While passive mode FTP requires client-initiated TCP connections only.
- If an FTP client attempts active mode FTP or sends an active mode request in parallel to the passive mode request, the attempt fails.
- ZPA does not support active FTP mode. It only supports passive FTP mode.
- A ZPA Enhancement Request (ER-5700) for active FTP support is under consideration.
- If an FTP client attempts active mode FTP or sends an active mode request in parallel to passive mode request, the attempt will fail.
Also, ensure the following configurations:- TCP Port Ranges to be added: Add all TCP ports (i.e, 1 to 65535)
- Health Reporting: Select None. ZPA App Connector health reporting must be set to None because each FTP data channel is pseudo-random and opened on a per client basis.
