Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to understand 'debug nat ftp' output for troubleshooting FTP ALG related issues



Article ID: KB31856 KB Last Updated: 26 Jun 2017Version: 1.0
‚ÄčThis article provides a sample output for the command debug nat ftp command and explains how to interpret it. This command can be helpful while troubleshooting FTP Application Layer Gateway (ALG) related issues on the firewall.

When troubleshooting FTP ALG related issues with NAT enabled on the policy, it is recommended that you debug the pin hole creation process for the translated IP addresses by inspecting in the payload of PASV or PORT command datagram.This pin hole (Dynamic policy) is used to allow data channel communication based on the advertised ports


FTP Client ( ------ -- Server (

FTP client establishes a Passive FTP connection with server with source NAT enabled on the FW
Source-IP :
Destination-IP :
Source Translation: -->

Below is the sample output of debug nat ftp captured for passive FTP connection passing through the firewall.

Explanation of debug nat ftp:
  1. The server advertises the IP and random port for data channel in the payload of FTP 227 command which is a response to PASV command from the client:


    ## 2017-04-29 20:12:42 : received PASV command, TCP SEQ 2438690968 ACK 124442715
    ## 2017-04-29 20:12:42 : ftp retcode=0  nsp->diff=0 nsp->nsmp->new_diff=0
    ## 2017-04-29 20:12:42 : received 227 command
    1d643157: 31 37 32 2c 31 36 2c 31  30 2c 31 30 30 2c 34 30   172,16,1 0,100,40,160 )..  <<<< Truncated output
  2. After receiving the FTP 227 command, the firewall calculates the random port by inspecting the payload with the help of FTP ALG .
    ## 2017-04-29 20:12:42 : ftp 227 command: ip, port 10400
  3. Once the data port is calculated, the firewall allocates the resources to create the dynamic policy (pinhole) which will allow the data connection from client ( to the server ( for the advertised port 10400 bound to incoming zone (Trust). The time limit of this pinhole is 10 seconds. Once the data connection is complete, the firewall creates a new session for the data connection and this pinhole will be deleted. In case the client does not initiate the data connection within 10 sec, the firewall will delete the pinhole and resources are released.
    ## 2017-04-29 20:12:42 : nat_pasv_ftp_create_hole
    ## 2017-04-29 20:12:42 : src ip/port 10400 (> xlated to port 10400 DIP(0)
    ## 2017-04-29 20:12:42 : ftp create PASV hole 5258a78>,0-65535,10400-10400,6, 0
    nat:>,0,10400, age 10, Trust, parent id 48050 dip 0
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search