"425 Cannot open data connection."


I have a little strange issue. At least I believe it is strange. I run Gene6 FTP server on Windows Server 2003.
The FTP server is running behind a firewall which does NAT the public IP of the server to its private IP. If a user connects from the outside world to the FTP server using an FTP client like CuteFTP then everything works just fine.
But if a client uses, for example, the Windows XP ftp command, then he/she is able to connect and authenticate, but as soon as he/she runs the ls command, for example, he/she sees the following error message:

"425 Cannot open data connection."

Please see output below:
U:\>ftp ftp.domain.com
Connected to ftp.domain.com.
220 FTP Server ready...
User (ftp.customcall.com:(none)): user1
331 Password required for user1.
230 User user1logged in.
ftp> quote pasv
227 Entering Passive Mode (172,24,23,85,255,255)
ftp> ls
200 Port command successful.
425 Cannot open data connection.

I had a look into the firewall logs and the FTP server is actually trying to connect on port 4015 and above back to the client. The port number is changing dynamically.
I have configured the server to allow PASSIVE mode connections only, and the port the FTP server should pass back to the client is 65535. Not 4000.

And again - with an FTP client the issue does not exist. I have to admit that I am not sure what the right approach is to fix that issue because the FTP server in my opinion should not try to connect on port 4000+ to the client. That is why I configured a dedicated port for the PASSIVE mode.
If possible I would like to fix the problem without opening the firewall rules for the FTP server.

Thank you
Mc2102 (Author) Commented:
I just did some more research on my own and I found a post on the internet which actually states that the Windows XP ftp command does NOT support PASSIVE FTP connections. The command 'quote pasv' only queries the FTP server, checking if it could perform a PASSIVE FTP connection, but it does not trigger the use of a PASSIVE connection. It also said in the post that there is a registry key which needs to be changed so that the Windows XP ftp command supports PASSIVE FTP connections.

Does anybody know anything about that?
which sends you to a dead link: instead use this:
But again, it is using a different FTP client than the default XP ftp.exe client...
The registry key you are looking to change will not, to my knowledge, enable PASV for the rudimentary Windows command line client. It will do so for IE (there is a "Use passive mode" setting in the Internet Options).

Ftp.exe cannot and will not use PASV. If you need a command line client, use a different one, like the very good NcFtp, for instance:
You will find the Windows binaries here: ftp://ftp.ncftp.com/ncftp/binaries/Setup%20NcFTP%203.2.4.msi

torimar is correct, the MS provided ftp command does not support passive.

However, typically it does not matter.  Most firewalls these days are "ftp aware" and monitor the default ftp command port (tcp 21) for PORT and PASV commands and will dynamically allow the data connection through.

I would check to see if your ftp server is ftp aware.

Now if you do need to change your firewall, the kind of good thing is all you need is one rule that allows outbound TCP connections from your ftp server where the source port is 20 and the destination port is any high port (>1023).
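
Added example (not part of the thread): decoding the h1,h2,h3,h4,p1,p2 tuples from the question's transcript shows that the 227 reply did advertise port 65535, but the PORT command sent afterwards put the session in active mode, so the server dialed out to the client. The PORT line and the client address 203.0.113.10 are constructed for illustration; the replies and port 4015 come from the transcript and firewall log in the question.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 reply (RFC 959)
TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(line):
    """Return (ip_address, port) from a PORT command or a 227 reply line."""
    m = TUPLE.search(line)
    if not m:
        raise ValueError(f"no host/port tuple in {line!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"octet out of range in {line!r}")
    return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def diagnose(control_lines):
    """Walk control-channel lines; assumes the last PORT or 227 sets the data mode."""
    mode, endpoint, findings = "none", None, []
    for raw in control_lines:
        line = raw.strip()
        if line.startswith("227"):
            mode, endpoint = "passive", decode_endpoint(line)
            if endpoint[0].is_private:
                # Unreachable from outside the NAT unless the reply is rewritten
                findings.append(f"227 advertises private address {endpoint[0]}:{endpoint[1]}")
        elif line.upper().startswith("PORT "):
            mode, endpoint = "active", decode_endpoint(line)
        elif line.startswith("425") and mode == "active":
            findings.append(f"server could not connect out to client {endpoint[0]}:{endpoint[1]}")
    return mode, findings

# Replies are from the question's transcript. The PORT line is constructed
# (ftp.exe does not echo it): documentation address, port 4015 = 15*256 + 175.
SAMPLE = [
    "227 Entering Passive Mode (172,24,23,85,255,255)",
    "PORT 203,0,113,10,15,175",
    "200 Port command successful.",
    "425 Cannot open data connection.",
]

if __name__ == "__main__":
    mode, findings = diagnose(SAMPLE)
    print("data mode:", mode)
    for finding in findings:
        print(" -", finding)
```
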
Mc2102 (Author) Commented:
Thanks for all the good and useful info.