425 Can't open data connection

For history, see this thread: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23157809.html

I now cannot execute commands. I have created an alternate FTP port, and opened up the control channel (port 20) to the world, but am still getting the error in the title. I have 2 NICs in the server teamed with the Broadcom driver and the BASP virtual adapter states that the Windows firewall cannot run as ipnat.sys is in use by another process.

Any suggestions?
Thanx
ahrimann asked:

ahrimann (Author) commented:
This may be significant, here is the entire string of errors:
ftp> put <file>
500 Invalid PORT Command.
150 Opening ASCII mode data connection for <file>.
Aborting any active data connections...
425 Can't open data connection.
0
ahrimann (Author) commented:
The problem has to be on the server as I just opened up FTP to the world in both directions on my firewall and am still getting the errors.
0
ahrimann (Author) commented:
Tried WS_FTP in both active and passive mode. Since the M$ client is active I needed to see what passive did:

230 User <user> logged in.
PWD
257 "/" is current directory.
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (<server IP>,216,71).
connecting to <server IP>:55367
- -
connecting to <server IP>:55367
Connected to <server IP> port 55367
LIST
426 Connection closed; transfer aborted.
! Retrieve of folder listing failed (4)

0

ahrimann (Author) commented:
If this may help, Filemon reports:
2914      4:13:29 PM      inetinfo.exe:4320      OPEN                  <path>      SUCCESS      Options: Open  Access: Read      
2915      4:13:29 PM      inetinfo.exe:4320      QUERY INFORMATION      <path>      BUFFER OVERFLOW      FileFsVolumeInformation      
2916      4:13:29 PM      inetinfo.exe:4320      QUERY INFORMATION      <path>      BUFFER OVERFLOW      FileAllInformation      
0
giltjr commented:
FTP uses two types of data connections, passive and active.  When using active the client issues the command PORT.  Your server is rejecting this command, which means it is configured to allow passive data connections only.

You must use a ftp client that supports passive data connections, and configure it to use passive data connections.  The command line ftp client that comes with Windows does NOT support passive data connections.
0
ahrimann (Author) commented:
Please read my posts before answering. I have tried passive mode.
Thanx
0
giltjr commented:
Oops, missed that part, sorry.

How much time passes between the "connecting ... " messages and the 426?

Can you do, or have you done, a packet capture to see which side is closing the data connection?

0
ahrimann (Author) commented:
It is actually a 425 error, and it times out ( the 425 output just sits there until I Ctl+C -- I detailed that earlier as well).

I have not done any packet capture as I am sure the problem lies with the firewall on the sending end. I know this because I tried FTPing from a public IP address (read: not behind a firewall) and all works flawlessly).
0
giltjr commented:
I was talking about the "426 connection closed: transfer aborted" error you got when using passive ftp.

Umm, it is possible that the firewall at your end is not "ftp aware". When using active ftp, when the client sends the PORT command your IP address is sent as part of the data. If the firewall is not ftp aware it will pass the packet untouched to the server, so the server will try to connect back to your computer's real IP address, which in just about all cases will not work. It works when you are not behind a firewall because your computer's IP address is a valid public IP address.

When you tried passive, was the IP address in the messages:

     connecting to <server IP>:55367

the servers public IP address?
0
ahrimann (Author) commented:
Oh, gotcha. I get the 426 error after I Ctl+C to escape the loop (if there is actually a loop)  I get stuck in so it is impossible to determine how long it takes between the connecting message and the 426 error.


Here is the complete session transcript for passive:
WINSOCK.DLL: WinSock 2.0
WS_FTP LE 5.06 99.07.21, Copyright © 1992-1999 Ipswitch, Inc.
- -
connecting to <public IP>:1021
Connected to <public IP> port 1021
220-Microsoft FTP Service
220 ::: Andi's FTP Site! :::
USER sw
331 Password required for sw.
PASS (hidden)
230-Welcome to Andi's FTP site!!!
230 User sw logged in.
PWD
257 "/" is current directory.
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (<server pr,iv,at,e IP>,97,144).
connecting to <server private IP>:24976
- -
connecting to <server private IP>:24976
! Connection failed <server private IP> - connection timed out
! connect: error 0
PORT <client private IP>,4,177
500 Invalid PORT Command.
! Failed "port":
! Retrieve of folder listing failed (0)

What is interesting are the lines

PORT <client private IP>,4,177
500 Invalid PORT Command.

As you indicate, the client private IP is what is failing, so I believe you are onto the solution. What I find interesting is that I am (obviously) NATing that client private IP space, so shouldn't the FTP session have the intelligence to be aware of that NAT? Or is that the definition of passive FTP? (And then the question becomes: why does active fail then?) I also have another FTP site set up identically to this one, with the exception that the server has a public IP, which obviously is making all the difference.
0
giltjr commented:
O.K.,  I think I see your problem.

--> 227 Entering Passive Mode (<server pr,iv,at,e IP>,97,144)

If you notice you are seeing the servers private IP address and not the public one you connected to.  This means that your client will try to connect to the private IP address.  My guess is that you do not have connectivity from your client to the ftp server's private IP address.  

Now, as I stated before, most firewalls today will inspect ftp control/command for PORT and PASV commands and change the private IP address to the public IP address.  However, they do this assuming that all traffic on port 21 is ftp control/command.

Your FTP server is set up to use port 1021 for command/control, which means the firewalls in between your PC and the server have no clue that the traffic on port 1021 is ftp traffic, so they don't inspect it to look for the PORT/PASV commands. So they don't change the IP address within the PORT/PASV commands.

You have two options: one, set up the ftp server to use port 21 (the normal port), or configure all firewalls (both the one on the client side and the server side) so that they treat port 1021 as ftp command/control.

I will warn you, I am not sure how many firewalls, or which ones, will allow you to treat ports as ftp command/control ports.  I know that Cisco's PIX can.  I am not saying others will not, but that is the only one I know of.
0
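The translation giltjr describes, a firewall inspecting the control channel and rewriting the address carried in 227 PASV replies and PORT commands, shown as an added example that is not code from this thread or from any firewall product it mentions. The sample control lines are constructed to mirror the transcripts above, with placeholder RFC 1918 addresses standing in for <server private IP> and <client private IP>, and the public addresses 203.0.113.10 and 198.51.100.7 are assumed documentation-range placeholders. The port arithmetic is the one the transcripts use: 97,144 decodes to 97*256+144 = 24976 and 216,71 to 55367.

```python
"""FTP PASV/PORT address translation, the job an FTP-aware firewall (ALG) does.

Added example, not from the original thread. It parses the h1,h2,h3,h4,p1,p2
endpoint that both a 227 reply and a PORT command carry, flags endpoints that
sit in RFC 1918 space (unreachable from the other side of NAT), and performs
the rewrite a firewall would do if it knew the control channel were FTP.
"""
import ipaddress
import re

# Assumed public addresses (documentation-range placeholders, not real hosts).
SERVER_PUBLIC_IP = "203.0.113.10"   # what the client actually connected to
CLIENT_PUBLIC_IP = "198.51.100.7"   # what the server would need in a PORT command

# Constructed sample lines modelled on the transcript; private placeholders.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,97,144)."
SAMPLE_PORT_CMD = "PORT 10,0,0,5,4,177"

# Four address octets, then the data port split as p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private ranges that live behind NAT and cannot be reached from outside."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def decode_hostport(groups):
    """Six matched numbers -> (dotted ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("h/p value out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """(dotted ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv(line):
    """Endpoint the server advertised in a 227 reply."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(m.groups())


def parse_port(line):
    """Endpoint the client advertised in a PORT command."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def alg_rewrite(line, public_ip):
    """What an FTP-aware firewall does on the control channel: if a 227 reply or
    PORT command advertises an RFC 1918 address, substitute public_ip and keep the
    port. Returns (line, data_port); data_port is None for any other line."""
    for regex in (PASV_RE, PORT_RE):
        m = regex.match(line)
        if not m:
            continue
        ip, port = decode_hostport(m.groups())
        if not is_rfc1918(ip):
            return line, port
        # Splice the new h1,h2,h3,h4,p1,p2 over the span the six groups occupied.
        return line[:m.start(1)] + encode_hostport(public_ip, port) + line[m.end(6):], port
    return line, None


def explain(line):
    """One-line diagnosis of a PASV reply or PORT command seen across NAT."""
    for kind, regex in (("PASV", PASV_RE), ("PORT", PORT_RE)):
        m = regex.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if is_rfc1918(ip):
                return f"{kind}: advertises private {ip}:{port}; the peer cannot reach it"
            return f"{kind}: advertises public {ip}:{port}; reachable if the firewall allows it"
    return "not a data-channel negotiation line"


if __name__ == "__main__":
    for line, pub in ((SAMPLE_PASV_REPLY, SERVER_PUBLIC_IP),
                      (SAMPLE_PORT_CMD, CLIENT_PUBLIC_IP)):
        print(line)
        print("  ", explain(line))
        fixed, port = alg_rewrite(line, pub)
        print("   after ALG rewrite:", fixed, "(data port", port, ")")
```

The rewrite only fixes the address; the data port still has to be allowed through. For passive mode that means the server-side firewall must pass inbound connections to the advertised port (the ephemeral range the server hands out), and for active mode the client-side firewall must pass the server's inbound connection to the port in the PORT command. A firewall that does this automatically for port 21 does so because it parsed those same lines; move the control channel to 1021 and neither the address fix nor the port hole happens unless the firewall is told that 1021 is FTP.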

ahrimann (Author) commented:
This got me going down the right path, thanx for the help giltjr
0