Thank you for repies. I have already raised a ticket with the TAC, waiting to see the TAC suggestion.
I experimented the Disable ftp server. Normally i am able to ftp to the controller ip-address from the cmd prompt in my PC. but i am not able to login with any username & password.
But, with the "Disable ftp server" tick marked, I am not able to ftp at all, to the controller, it doesnt give a prompt to login.
i was checking on some latest version 5.0 code. I believed the AP would not able to download image by ftp from the controller with the "Disable ftp server" turned on. On the AP, at apboot prompt, did "clear os" "purge" and "factory_reset" But the AP was able to download the image by ftp. I was watching the show datapath session table <AP IP>, saw the port 21, but i didnt see the ftp-data port 20 there.
still not clear about the purpose of "Disable ftp server" in the global firewall of the controller.