pyroman1

Unable to access FTP sites from 2000/XP clients, 98/ME can under same network same login.

This one really has me stumped.

I took over administering the network for this small business a couple of years ago.  They are trying to set up their website (located off-site) and need to FTP to the host server to upload the site content.  For some reason they are unable to FTP from any computer running 2000/XP.  They have an old computer running 98 or Me (can't remember) and it is able to FTP just fine.  This is not isolated to this particular site.  I have tried Dell's FTP site, Symantec's, and they have tried several others specific to the services they provide.  There are a few FTP sites that they can connect to using a 2000/XP machine, but most will not work except on 98/Me.

Network Topology:
Single server running Windows 2000 SBS.
Server is configured as router/firewall, running ISA 2000.
Two switches on the network.
Most machines running XP, a couple run 2000 and one runs 98/Me for old legacy app (RealWorld).

I have gone through ISA and made sure FTP is available for port 21 inbound and outbound.  XP firewall is turned off.  I have even tried going through GPOs to see if that is having an effect and couldn't find anything.  I tried searching some on Google, but couldn't find anything similar to what the users are experiencing.  The only thing I did find was from Microsoft and it didn't work:
To enable folder view for FTP sites, use the following steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Advanced tab, click to select the Enable folder view for FTP sites check box.

If you can figure this one out you deserve some points!
Rick Hobbs

Is Windows Firewall disabled on the Windows XP machines?
Also, what FTP client are you using?   Have you tried FTP in Passive mode?
pyroman1

ASKER

You must have read this while I was editing.  Yes, Windows Firewall has been disabled.
What ftp client are you using?

Have you tried more than one?

Have you tried PASSV mode in a client that supports it?
IE, and I did try passive mode.
haha... rick beat me by one minute....
If you have firefox installed, I would go and get the fireftp extension https://addons.mozilla.org/firefox/684/ and try to see if you can ftp with it in normal and passv mode.
I don't want to make things complicated for the users by making them learn how to use FireFox.  Trust me, that is a disaster waiting to happen.  Your question did get me thinking about FTP software.  I'm downloading SmartFTP now to try it.
SOLUTION
Jared Luker

This solution is only available to members.
Log from failed attempt via SmartFTP:

[17:38:56] SmartFTP v2.0.996.36
[17:38:56] Resolving host name "ftp.SITENAME.com"
[17:38:58] Connecting to IPADDRESS Port: 21
[17:39:00] No connection could be made because the target machine actively refused it.
[17:39:00] Client closed the connection.
[17:39:00] Active Help: http://www.smartftp.com/support/kb/index.php/58
I have found other configuration settings in ISA server relating to FTP, especially with regards to uploading - I cannot remember exactly where, but they are there!

Rob
can you tracert out to that address on port 21?
They can't seem to download either.  It's really strange.
I am not familiar with using tracert to a specific port, only telnet.  Can you give a syntax example?
I have always had problem with SmartFTP with connections, currently using Filezilla, http://filezilla.sourceforge.net/ it is free and really good.

Haszan
I'm assuming that you are NATing to your machines behind the firewall.  Is it possible that the win98 machine is in some sort of DMZ or has more rights on the ISA server than the rest of the clients?
Correction on the older error log from SmartFTP, seems I was an idiot and misspelled the host name.  Here is the correct log:

[17:46:49] SmartFTP v2.0.996.36
[17:46:49] Resolving host name "HOSTNAME"
[17:46:49] Connecting to IPADDRESS Port: 21
[17:46:50] 220 COMPANYNAME FTP Server
[17:46:50] Connected to HOSTNAME.
[17:46:50] USER USERNAME
[17:46:50] 331 User name okay, need password.
[17:46:50] PASS (hidden)
[17:46:50] 230 User logged in, proceed.
[17:46:50] SYST
[17:46:50] 215 UNIX Type: L8
[17:46:50] FEAT
[17:46:50] 500 Syntax error, command unrecognized: 'FEAT'
[17:46:50] TYPE I
[17:46:51] 200 Type set to I.
[17:46:51] REST 0
[17:46:51] 350 Restarting at 0. Send STORE or RETRIEVE.
[17:46:51] PWD
[17:46:52] 257 "/" is current directory.
[17:46:52] TYPE A
[17:46:52] 200 Type set to A.
[17:46:52] PASV
[17:46:52] 227 Passive mode entered (IPADDRESS)
[17:46:52] Opening data connection to IPADDRESS Port: 18389
[17:46:52] LIST -aL
[17:46:53] 150 Opening ASCII mode data connection for /bin/ls.
[17:47:15] A socket operation was attempted to an unreachable host.
[17:47:55] Timeout (40s).
[17:47:55] Active Help: http://www.smartftp.com/support/kb/index.php/74
[17:47:55] Client closed the connection.
[17:47:55] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".

The 98 machine is not on a DMZ and rights are user level.  I can't even FTP directly from the server.  We used to have more 98 machines and they all worked as well, I have slowly been phasing them out and replacing with XP.
hmm... it is clear that you are connecting and logging in.  That means that you have a green light on port 21.  That pretty much rules out ISA in my mind.  It looks like there are certain commands that are failing.  It seems that this is a problem with the operating system, but I'm not sure how the remote ftp server knows or even cares what OS you are using.
Someone brought in their own laptop, running XP, and connected it straight to the Internet (bypassing the server) and they were able to connect.  This is why I am offering max points, it is a real head scratcher and I just got unlimited points for the month.
That smartftp link shows this:

An established connection was aborted by the software in your host machine. Software caused connection abort

This error can occur when the local network system aborts a connection, such as when WinSock closes an established connection after data retransmission fails (receiver never acknowledges data sent on a data stream socket). Possibly due to a data transmission timeout or protocol error.

You may try to set the Connection Timeout higher (Default: 60s). If the problem persists change the Data Connection Mode in the Settings->Connection dialog from "Port Mode (PORT)" to "Passive Mode (PASV)

Try the same with the toggle of what it is now (if PASV, then do normal)
I installed FileZilla as haszan suggested.  here is the error log:

Status:      Connecting to HOSTNAME ...
Status:      Connected with HOSTNAME. Waiting for welcome message...
Response:      220 COMPANYNAME FTP Server
Command:      USER USERNAME
Response:      331 User name okay, need password.
Command:      PASS ********
Response:      230 User logged in, proceed.
Command:      SYST
Response:      215 UNIX Type: L8
Command:      FEAT
Response:      500 Syntax error, command unrecognized: 'FEAT'
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE A
Response:      200 Type set to A.
Command:      PASV
Response:      227 Passive mode entered (IPADDRESS)
Command:      LIST
Response:      150 Opening ASCII mode data connection for /bin/ls.
Error:      Transfer channel can't be opened. Reason: A socket operation was attempted to an unreachable host.
Error:      Could not retrieve directory listing
Command:      TYPE I
Response:      226 Transfer complete.
Command:      REST 0
Response:      200 Type set to I.
Command:      PWD
Response:      350 Restarting at 0. Send STORE or RETRIEVE.
Command:      TYPE I
Response:      257 "/" is current directory.
I would be interested in seeing if that same laptop could still connect when going through this ISA server.  If it can not, then there might be a gpo in place after all.
I am accessing the site remotely, so I can't check that right now.  I plan to go in the office on Monday to have a look with my laptop.  I can access the site fine from my location.
Scratch my last comment... gpo's would not be a factor unless that laptop was a member of the domain.
To be honest I wasn't there when the direct connection was made, but I don't think they told me the whole story.  They don't know the static IP configuration necessary to bypass the server.  It seems more likely that they did connect using the server as a firewall and just set up the proxy in IE.
"That smartftp link shows this:

An established connection was aborted by the software in your host machine. Software caused connection abort

This error can occur when the local network system aborts a connection, such as when WinSock closes an established connection after data retransmission fails (receiver never acknowledges data sent on a data stream socket). Possibly due to a data transmission timeout or protocol error.

You may try to set the Connection Timeout higher (Default: 60s). If the problem persists change the Data Connection Mode in the Settings->Connection dialog from "Port Mode (PORT)" to "Passive Mode (PASV)

Try the same with the toggle of what it is now (if PASV, then do normal)"

Tried this, same result.
I'm going home now.  Will check back tomorrow, if anyone thinks of anything post it and I'll give it a whirl.
Don't you have to open port 20 for ftpdata also?
SOLUTION
This solution is only available to members.
This looks to be a good read, should help you out.

http://www.argosoft.com/rootpages/FtpServer/FAQ.aspx


at the bottom of that link

Quote
"It is not enough for FTP to provide an access just to port 21. Port 21 is used only for control connections (sending login information, changing directories and so on), while, for data connections (directory listings and file transfers) it uses available ports on a server computer. So, you need to open more ports, more than one (21).

It would be the best not to use firewall, you will have less problems, but if you still want to use it, make sure that you are using FTP server, version 1.4.0.0 or higher, then, go to Tools - Options - Advanced, check Use Following Ports for Data Transfers box, and specify certain range of ports, e.g. 9090 low and 9099 high. Then, go to your firewall, and open ports between 9090 - 9099.

But, it is still not enough. When connecting to server, you must use FTP client, which supports passive transfers, and enable passive transfers for connections with your server (for example, in Internet explorer, you do it by going to Tools - Internet Options - Advanced, and putting a checkmark in Use Passive FTP box)."
If I am reading this correctly, that pertains to running an FTP server, which is not the case.  My client is trying to access the FTP server, in addition it works on the 98 machine so I tend to agree with jared_luker that it is probably not an ISA issue.
Hi,

From your log, if you notice under opening Data connection to IPADDRESS Port is 18389
Read the comments below as a reference case for the problem you are facing, since I presume your remote ftp server is running a unix/linux platform
http://www.fedoraforum.org/forum/archive/index.php/t-95011.html

[17:46:49] SmartFTP v2.0.996.36
[17:46:49] Resolving host name "HOSTNAME"
[17:46:49] Connecting to IPADDRESS Port: 21
[17:46:50] 220 COMPANYNAME FTP Server
[17:46:50] Connected to HOSTNAME.
   |
   |
[17:46:52] TYPE A
[17:46:52] 200 Type set to A.
[17:46:52] PASV
[17:46:52] 227 Passive mode entered (IPADDRESS)
[17:46:52] Opening data connection to IPADDRESS Port: 18389
[17:46:52] LIST -aL
[17:46:53] 150 Opening ASCII mode data connection for /bin/ls.
[17:47:15] A socket operation was attempted to an unreachable host.
[17:47:55] Timeout (40s).

From the comment by
jcliburn  2006-02-11, 07:15 AM PST
Ftp sessions consist of two channels: a command channel and a data channel. The data channel employs varying ephemeral ports, which can be problematic in the presence of a firewall. You need to restrict the range of ports used by the server for ftp data connections. The following steps restrict the data channel to use ports xxxxx and xxxxx. You can specify a single port if you wish by setting the relevant max and min parameters equal.
> My client is trying to access the FTP server, in addition it works on the 98 machine so I tend to agree with jared_luker that it is probably not an ISA issue.

Win98 and Win XP may use different TCP port ranges for opening new connections and it may be the reason why firewall is not always working.
Read here for more details: http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html#Problems and http://support.microsoft.com/default.aspx?scid=kb;en-us;196271

So my suggestion is the same as KDCean said before, just try to follow his instructions and say what happens.
Also please tell us, do you have some sort of VPN client software in your client machines (it also may be a reason of the problem).

I'm sure, it's a firewall, network or ip range related problem :-)
I can't specify which port the remote FTP servers will use, that is up to them.  Since not everyone will use the same port I can't predict and use port forwarding.  What I have done is the following:
Under Access Policy.
Site and Content Rules -> Allow all destinations, Allow all external destinations to Backoffice Internet Users group.  Deny access to certain blacklisted websites (games, pornography, sports).
Protocol Rules -> Allow all IP traffic.
IP Packet Filters -> TCP, Both directions, Local Port 21, Remote Port All Ports, Default External IP Address.  TCP, Both directions, Local Port All Ports, Remote Port 21, Default External IP Address. Plus a host of others that shouldn't matter, but if you want me to post them I will.

In conclusion, there is no way for me to specify a range to use for the Data Transfers on the server because that is not on my end.  The client is not using any VPN software.  I run RealVNC on the server to connect to it remotely and UltraVNC on my computer when connecting.  Every time I try to connect using PASV mode the port number changes, the result does not.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
To expand on the problem...

Usually if a connection is established on the clean side of the firewall, communication will be allowed bi-directionally on the port that communications were initiated.  If the ftp server side is trying to communicate with the ftp client on a port other than what was originally opened up, the firewall will deny access to those ports.  Maybe ISA can be set up so that if a connection is established to a remote site, that responses can be received on any port, or some range of ports so that the directory changes and downloads can get through the firewall.
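The control/data channel split discussed in the posts above, as an added example that is not part of the original thread: a Python sketch that reads an FTP client log and derives which data connections a firewall has to pass, by decoding the `227` reply to PASV and any PORT command. The transcript and its addresses (documentation ranges) are constructed; the passive port is chosen to decode to 18389, the data port seen in the SmartFTP log.

```python
import re
from typing import NamedTuple

class Flow(NamedTuple):
    mode: str        # "passive" or "active"
    initiator: str   # side that opens the data connection
    dst_ip: str
    dst_port: int

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def _decode(text):
    m = _HOSTPORT.search(text)
    if not m:
        return None                      # e.g. a redacted "(IPADDRESS)" reply
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # Port is sent as two bytes: high byte, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel_flows(lines):
    """Return the data connections a firewall must pass for this session."""
    flows = []
    for line in lines:
        # Drop a leading "[hh:mm:ss]" timestamp as printed by the client logs.
        text = re.sub(r"^\[[\d:]+\]\s*", "", line).strip()
        if text.startswith("227"):              # server reply to PASV
            hp = _decode(text)
            if hp:
                flows.append(Flow("passive", "client", *hp))
        elif text.upper().startswith("PORT "):  # client command, active mode
            hp = _decode(text)
            if hp:
                flows.append(Flow("active", "server", *hp))
    return flows

# Constructed transcript; addresses are not taken from the thread.
SAMPLE = [
    "[17:46:52] PASV",
    "[17:46:52] 227 Passive mode entered (192,0,2,10,71,213)",
    "[17:46:52] LIST -aL",
    "[17:47:55] PORT 198,51,100,7,4,1",
    "[17:47:55] 200 PORT command successful.",
]

if __name__ == "__main__":
    for f in data_channel_flows(SAMPLE):
        print(f"{f.mode}: {f.initiator} opens TCP to {f.dst_ip}:{f.dst_port}")
```

In passive mode the firewall sees a new outbound connection to a port it only learns from the 227 reply; in active mode it sees a new inbound connection from the server to the port named in PORT, which an FTP-aware filter has to open (and translate behind NAT).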
This is all in the windows server setup, it is blocking FTP ports 21 and maybe 2121 to clients responding to the advanced packet filtering features on 2000 and XP.  Another example where 98 is more extensible than other OSs.  If you were using a hardware router for firewall and not a windows server, you would not have this problem. Try that just to prove it is the server setup, irrespective of the clients OSes.
At this point it seems imacgouf may be the closest to having found the solution.  The page linked to has the following information at the very bottom:
<<When you access an FTP server through Internet Explorer, the following error message is displayed:

"Windows cannot access this folder."

This may occur if folder view for FTP sites is enabled in Internet Explorer, because this causes Internet Explorer to attempt to bypass the Web proxy service. To disable folder view, follow the instructions in this article.>>

This completely contradicts the other article I found, but after disabling this feature my client was able to connect via FTP in IE.  (Note: I did follow all of the other steps in the article linked to, so that may have helped as well but it did not solve the problem on its own.) The view does not resemble a typical FTP folder view like that of browsing your folders in My Computer.  The client is going to try uploading files in this manner, if this does not work I will try using SmartFTP and/or FileZilla to see if they work.  Ultimately I want to make things easiest for the client by using IE as they don't really like learning new things.  I will post back when I hear from the client.
UPDATE:
SmartFTP and FileZilla both work using Active connection and specifying no proxy server.  This is likely due to the changes made by following the link above.  My client still hasn't emailed or called to let me know if they can upload using IE.
Final result:
I believe the article imacgouf linked to may have solved the problem, however it did not provide all of the information needed to completely get things working.  After following the steps listed in the article I had to perform the following additional steps to enable users to use IE for FTP access:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Advanced tab, click to select the Enable folder view for FTP sites check box.
4. On the Advanced tab, clear the use Passive FTP (for firewall and DSL modem compatibility) check box.

Thanks to all for your assistance.
@imacgouf - The article you linked to provided a great amount of detail in properly configuring ISA for FTP client access.
@rickhobbs - You were first to mention opening port 20, the article mentioned previously provided exact steps.
@jared_luker  - Your suggestion to try another FTP program is what helped me determine that I should try turning off Passive FTP in IE to get Enable folder view to work.

I plan on splitting points amongst the three of you.  This was a long thread, so it is entirely possible I missed someone's comment which provided a suggestion before someone else's.  I am going to wait 24 hours to close this and split points with a B grade (I did have to figure out the end part or it would be an A).  If anyone feels they contributed something that I missed please post it here.

Again, thanks for the help!
Glad to be of assistance.  Thank you!
Most welcome. Good work to all. :) Thanks!