FortiWeb
okhatab
Staff
Article Id 279906
Description

This article covers the causes of the “Server sent passive reply with unroutable address. Using server address instead” error for FTPS traffic when the traffic flow is as follows:

FTP client --> Internet --> FortiGate --> FortiWeb --> FTP server (passive mode).

  1. FTP clients access the FTP server over the internet with implicit SSL, through the public VIP configured on FortiGate.

  2. FortiGate performs NAT from the public IP address to the VIP of the server-policy configured on FortiWeb; that server-policy is set for implicit SSL for FTP traffic.

  3. FortiWeb inspects the traffic before forwarding it to the FTP server.

  4. The FTP server is set to passive mode and has been configured to respond with the public IP address in the embedded message (the passive-mode reply) it sends back.

  5. The client reports the error 'Server sent passive reply with unroutable address. Using server address instead'.

The issue is caused by FortiWeb rewriting the public IP address in the embedded message to its own VIP address. Because the traffic is encrypted, FortiGate by default does not modify it, so the embedded message that reaches the client contains FortiWeb’s VIP. Since that VIP is a private IP address that is unroutable from the client, the client reports the error.
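As an added illustration that is not part of the article, the following Python models the two steps described above: an in-path rewrite of the passive-mode reply (what FortiWeb does with its VIP) and the client-side check that produces the “unroutable address” fallback. The server address 203.0.113.10, the VIP 10.0.0.5 and the data port are constructed values.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
UNROUTABLE_MSG = ("Server sent passive reply with unroutable address. "
                  "Using server address instead")
# Ranges a client on the Internet cannot reach: RFC 1918, loopback, link-local
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a passive-mode reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_unroutable(ip):
    """True if ip falls in a range that is not reachable across the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE_NETS)


def rewrite_pasv(reply, old_ip, new_ip):
    """Rewrite the embedded address the way an in-path proxy does; in the article
    FortiWeb replaces the server's public address with its own server-policy VIP.
    Addresses used by callers here are constructed sample values."""
    ip, port = parse_pasv(reply)
    if ip != old_ip:
        return reply
    new_tuple = "(%s,%d,%d)" % (new_ip.replace(".", ","), port // 256, port % 256)
    return PASV_RE.sub(new_tuple, reply, count=1)


def choose_data_endpoint(reply, control_peer_ip):
    """Client-side check: a private embedded address received from a public peer
    cannot be reached, so fall back to the peer address and report the warning."""
    ip, port = parse_pasv(reply)
    if is_unroutable(ip) and not is_unroutable(control_peer_ip):
        return control_peer_ip, port, UNROUTABLE_MSG
    return ip, port, None
```

Feeding the server's original reply through `rewrite_pasv` and then `choose_data_endpoint` reproduces the exact warning the client shows in step 5; the same reply left unrewritten passes without it.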

Scope

FortiWeb.

Solution

There are multiple options to resolve the issue:

  1. Deploy SSL inspection in the firewall policy on FortiGate.
  2. Deploy the public IP address on FortiWeb as its server-policy VIP and modify the flow accordingly, i.e. FortiWeb becomes the device facing the internet and rewrites the embedded message with its public IP address.
  3. Publish using HTTP instead of FTP.