Peter_Cull asked:

FTP blocked on client but works on Gateway Server

When I access FTP sites on my Windows XP Pro SP2 machine I get "Internet Explorer cannot display the web page".  The same problem occurs on different clients and different FTP sites including ftp://ftp.microsoft.com/.  Normal HTTP access is OK.  I ran the network diagnostic program on XP and it reports "FTP (Passive): Error 12031 connecting to ftp.microsoft.com: The connection with the server was reset ".

I'm using a Windows Server 2003 Standard Edition SP2 as a gateway.  It has a broadband router connected to one NIC and the internal network connected to the other.  I have routing and remote access enabled with a static route, and NAT.

Strange thing is I can access FTP sites from my gateway windows server, but not from any clients or other servers.  I've tried disabling virus scan/firewall on my client but it didn't help.

Any suggestions would be gladly received!  Thanks, Peter.


Peter_Cull (ASKER):

Hi dragonjim,
I don't think it's a firewall on the client as I can connect my laptop directly to the broadband router and access FTP sites OK without changing anything on the laptop or router.  On the server I have symantec antivirus but not symantec firewall.  Within Routing and Remote access there is NAT/Basic firewall but as far as I can tell this only restricts inbound traffic.  Not sure where else to check.
Regards, Peter.
Hi Guys,
Thanks for the input.  Answers to the best of my knowledge are:
- Standard windows firewall not applied to internal NIC or NIC connected to broadband router (this is disabled as we use routing and remote access).
- Routing and remote access NAT/Basic firewall has no inbound or outbound filters on internal or internet NIC.
- Port 21 open in NAT/Basic firewall.
- No restrictions on NAT device except for NAT/BASIC firewall (port 21 open).  Not sure where else to check.
- This problem affects all clients when connected to the network.  However I can connect laptop directly to broadband router and without changing anything FTP works OK.  I assume problem is server related.  
- FTP from command window asks for username but then immediately disconnects after entering "anonymous" with message "connection closed by remote host".

Hope this helps.  Many thanks,  Peter.
Hi,

I opened ports 20, 989 and 990 (in addition to 21 already open) on the NAT/Basic firewall in RRAS but it didn't help.  When I tried FTP site the packet rejected count in NAT/BASIC firewall didn't go up so I doubt this is blocking it.

As I understand it RRAS NAT/Basic firewall deals with inbound connections only, so would changing this help?  When users are off the system I'll reconfigure the interface for a short time to open all ports and see if that fixes it.

Is there something else blocking ports on the server?  Is there a bug in Win Server 2003 NAT/Routing?  

Going to find a brick wall to bang my head against....
Dragonjim,
Sorry this is proving such a hassle.
We had a very similar problem before with SMTP traffic.  When telnet'ing from outside on port 25 you saw a welcome message from our exchange server then the connection dropped immediately with the same "connection closed by remote host" message.  That time I fixed it by restarting RRAS and re-booting our broadband router.  I'll try that again tonight.
Thanks, Peter.
Hi,
Sorry that didn't help.  I stopped the service but got the same problem when accessing FTP.MICROSOFT.COM in IE7.  I'll leave this open for another week then if no solution found will raise a ticket with MS Professional services.  They do no win no fee!
Thanks anyway for your help.
Regards, Peter.
Thanks everyone for your help.  Will raise the issue with MS Tech support.  Regards, Peter.
Hi everybody!
I have the exact same problem. No XP SP2 client can FTP anywhere, but the SBS 2003 R2 DC can. I do not have ISA installed, just RRAS. Ports 20 and 21 are open and the client machine local firewall is disabled (for now). I can FTP out to ftp.microsoft.com, but get the immediate disconnection message when I enter the anonymous user name from the DOS prompt.

Doesn't FTP need a data port in addition to the connection port 21? I read comments on the web saying the "return" port is really a temporary port in the range of 1000 to 5000 and you can never tell where the data comes back, thus the behavior that I can get to the site, but can't log on or communicate?
I have ALG service running on the server.....documentation says that the only app supporting this service is FTP. Any insight if I need this service for anything else? Can I trial and error and shut it down?
Just poking around......I have been pretty desperate to get this resolved!!

Any help is welcome
Gerd
Gerd, you will need to open your own question. On Experts-exchange suggestions are for the original question/poster only. This is primarily so that a thread will not continue indefinitely. Also this particular question has been closed.
Following link will outline posting questions and other common topics if you need a hand.
https://www.experts-exchange.com/help.jsp#hs7

For the record, the only incoming "un-solicited" traffic is on port 21, so only that port needs to be opened, though FTP actually uses 4 ports (2 are random). Most firewalls, such as the workstations' Windows firewall, will allow outgoing traffic by default. If you have a 3rd party firewall however, such as ZoneAlarm or Symantec Security suite it may need other ports opened.

Walk through the above solutions and see if any apply to your problem and/or post your own question and we will be glad to help.
Cheers !
--Rob
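
Added example, not part of the thread: the FTP data ports discussed above are negotiated inside the control connection on port 21, as a `PORT` command (active mode) or a `227` reply (passive mode). This Python sketch parses both and flags a private address that a NAT's FTP-aware helper would have to rewrite; the sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed control-channel lines for illustration (not captured from the thread).
SAMPLE_LINES = [
    "PORT 192,168,16,25,4,21",                            # active mode, client behind NAT
    "227 Entering Passive Mode (203,0,113,10,195,80).",   # passive-mode reply from a server
    "331 Anonymous access allowed, send identity as password.",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX_OCTETS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    head = line.strip().upper()
    if head.startswith("PORT "):
        mode = "active"      # server will connect back to the address the client names
    elif head.startswith("227"):
        mode = "passive"     # client will connect out to the address the server names
    else:
        return None
    match = SIX_OCTETS.search(line)
    if not match:
        return None
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return mode, ip, octets[4] * 256 + octets[5]   # port = p1 * 256 + p2


def needs_nat_rewrite(line):
    """True when the advertised data address is RFC 1918 and so unreachable
    from the far side of a NAT unless an FTP-aware helper rewrites it."""
    endpoint = parse_data_endpoint(line)
    if endpoint is None:
        return False
    addr = ipaddress.ip_address(endpoint[1])
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", parse_data_endpoint(line), "rewrite:", needs_nat_rewrite(line))
```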