Solved

425 Can't open data connection

Posted on 2008-02-12
Last Modified: 2013-11-29
For history, see this thread: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23157809.html

I now cannot execute commands. I have created an alternate FTP port, and opened up the control channel (port 20) to the world, but am still getting the error in the title. I have 2 NICs in the server teamed with the Broadcom driver and the BASP virtual adapter states that the Windows firewall cannot run as ipnat.sys is in use by another process.

Any suggestions?
Thanx
0
Comment
Question by:ahrimann
12 Comments
 

Author Comment

by:ahrimann
ID: 20880385
This may be significant, here is the entire string of errors:
ftp> put <file>
500 Invalid PORT Command.
150 Opening ASCII mode data connection for <file>.
Aborting any active data connections...
425 Can't open data connection.
0
 

Author Comment

by:ahrimann
ID: 20880508
The problem has to be on the server as I just opened up FTP to the world in both directions on my firewall and am still getting the errors.
0
 

Author Comment

by:ahrimann
ID: 20880582
Tried WS_FTP in both active and passive mode. Since M$ client is active I needed to see what passive did:

230 User <user> logged in.
PWD
257 "/" is current directory.
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (<server IP>,216,71).
connecting to <server IP>:55367
- -
connecting to <server IP>:55367
Connected to <server IP> port 55367
LIST
426 Connection closed; transfer aborted.
! Retrieve of folder listing failed (4)

0
 

Author Comment

by:ahrimann
ID: 20880624
If this may help, Filemon reports:
2914      4:13:29 PM      inetinfo.exe:4320      OPEN                  <path>      SUCCESS      Options: Open  Access: Read      
2915      4:13:29 PM      inetinfo.exe:4320      QUERY INFORMATION      <path>      BUFFER OVERFLOW      FileFsVolumeInformation      
2916      4:13:29 PM      inetinfo.exe:4320      QUERY INFORMATION      <path>      BUFFER OVERFLOW      FileAllInformation      
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20898537
FTP uses two types of data connections, passive and active.  When using active the client issues the command PORT.  Your server is rejecting this command, which means it is configured to allow passive data connections only.

You must use a ftp client that supports passive data connections, and configure it to use passive data connections.  The command line ftp client that comes with Windows does NOT support passive data connections.
0
 

Author Comment

by:ahrimann
ID: 20898558
Please read my posts before answering. I have tried passive mode.
Thanx
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20898591
Oops, missed that part, sorry.

How much time passes between the "connecting ... " messages and the 426?

Can/Have you do/done a packet capture to see which side is closing the data connection?

0
 

Author Comment

by:ahrimann
ID: 20899112
It is actually a 425 error, and it times out (the 425 output just sits there until I Ctl+C -- I detailed that earlier as well).

I have not done any packet capture as I am sure the problem lies with the firewall on the sending end. I know this because I tried FTPing from a public IP address (read: not behind a firewall) and all works flawlessly.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20899187
I was talking about the "426 connection closed: transfer aborted" error you got when using passive ftp.

Umm, it is possible that the firewall at your end is not "ftp aware".   When using active ftp, when the client sends the PORT command your IP address is sent as part of the data.  If the firewall is not ftp aware it will pass the packet untouched to the server, so the server will try to connect back to your computer's real IP address, which in just about all cases will not work.  It works when you are not behind a firewall because your computer's IP address is a valid public IP address.

When you tried passive, was the IP address in the messages:

     connecting to <server IP>:55367

the server's public IP address?
0
 

Author Comment

by:ahrimann
ID: 20902619
Oh, gotcha. I get the 426 error after I Ctl+C to escape the loop (if there is actually a loop) I get stuck in, so it is impossible to determine how long it takes between the connecting message and the 426 error.


Here is the complete session transcript for passive:
WINSOCK.DLL: WinSock 2.0
WS_FTP LE 5.06 99.07.21, Copyright © 1992-1999 Ipswitch, Inc.
- -
connecting to <public IP>:1021
Connected to <public IP> port 1021
220-Microsoft FTP Service
220 ::: Andi's FTP Site! :::
USER sw
331 Password required for sw.
PASS (hidden)
230-Welcome to Andi's FTP site!!!
230 User sw logged in.
PWD
257 "/" is current directory.
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (<server pr,iv,at,e IP>,97,144).
connecting to <server private IP>:24976
- -
connecting to <server private IP>:24976
! Connection failed <server private IP> - connection timed out
! connect: error 0
PORT <client private IP>,4,177
500 Invalid PORT Command.
! Failed "port":
! Retrieve of folder listing failed (0)

What is interesting are the lines

PORT <client private IP>,4,177
500 Invalid PORT Command.

As you indicate, the client private IP is what is failing, so I believe you are onto the solution. What I find interesting is that I am (obviously) NATing that client private IP space, so shouldn't the FTP session have the intelligence to be aware of that NAT? Or is that the definition of passive FTP? (And then the question becomes why does active fail then?) I also have another FTP site set up identically to this one, with the exception that the server has a public IP, which obviously is making all the difference.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 1500 total points
ID: 20903021
O.K.,  I think I see your problem.

--> 227 Entering Passive Mode (<server pr,iv,at,e IP>,97,144)

If you notice, you are seeing the server's private IP address and not the public one you connected to.  This means that your client will try to connect to the private IP address.  My guess is that you do not have connectivity from your client to the ftp server's private IP address.

Now, as I stated before, most firewalls today will inspect ftp control/command for PORT and PASV commands and change the private IP address to the public IP address.  However, they do this assuming that all traffic on port 21 is ftp control/command.

Your FTP server is set up to use port 102 for command/control, which means the firewalls in between your PC and the server have no clue that the traffic on port 1021 is ftp traffic, so they don't inspect it to look for the PORT/PASV commands.  So they don't change the IP address within the PORT/PASV commands.

You have two options: one, set up the ftp server to use port 21 (the normal port), or configure all firewalls (both the one on the client side and the server side) so that they treat port 1021 as ftp command/control.

I will warn you, I am not sure how many firewalls, or which ones, will allow you to treat ports as ftp command/control ports.  I know that Cisco's PIX can.  I am not saying others will not, but that is the only one I know of.
0
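Added example, not part of the original thread: a small Python check that decodes the h1,h2,h3,h4,p1,p2 field of a 227 reply or PORT command and flags the condition described in the accepted answer, where the advertised data address is an RFC 1918 address while the control connection peer is not. All function names are hypothetical and the IP addresses are constructed (documentation and private ranges), since the thread redacts the real ones.

```python
import ipaddress
import re

# RFC 1918 private ranges; checked explicitly because ipaddress.is_private
# also covers documentation ranges used in the constructed samples.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a 227 reply or PORT command line, or None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ipaddress.ip_address(".".join(str(x) for x in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def check_data_endpoint(line, control_peer):
    """Compare the advertised data address with the control-connection peer.

    control_peer is the address the other side was actually reached at:
    the server's public IP for a 227 reply, the client's for a PORT command.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return ("unparsed", None)
    ip, port = parsed
    peer = ipaddress.ip_address(control_peer)
    if ip == peer:
        return ("ok", f"{ip}:{port}")
    if is_rfc1918(ip) and not is_rfc1918(peer):
        # No FTP-aware device rewrote the address on the control channel.
        return ("nat-not-rewritten", f"{ip}:{port}")
    return ("mismatch", f"{ip}:{port}")


if __name__ == "__main__":
    # Constructed sample: private address advertised, public peer.
    print(check_data_endpoint(
        "227 Entering Passive Mode (192,168,1,20,97,144).", "203.0.113.10"))
```
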
 

Author Closing Comment

by:ahrimann
ID: 31430352
This got me going down the right path, thanx for the help giltjr
0
