renegadecy asked:

FTP upload error

I am trying to upload a file to my FTP server and I cannot complete the upload due to the following error,
note that the mode must be passive to complete the process.

150 Opening BINARY mode data connection.
> Netout :Software caused connection abort
425 Cannot open data connection.

Can anyone help?
Marcellino Santoso

It's something on the other end: getting a 150 return code from the FTP server means that there isn't anything wrong with your own end.

The only thing I can think of is that the TCP port number chosen for the data connection is being blocked.

Are you 510% sure that you have the write permission on the server? (Is it by any chance an AS/400?)

Try active connection? (yes, I notice that it must be passive mode, but just for the sake of trying)

ASKER

IIS 7 with windows Firewall OFF
Any other firewall between you and the ftp server?
cisco asa 5510
Do you have 'inspect ftp' in place in the ASA?
No, shall I enable it?
Please do.
I did it, and it crashes when it goes to passive.
Not the ASA I hope?

Could you check the (ASDM) logs when trying to set up the ftp and see if that shows anything.
in the description field there is

ftp port command different address 192.168.1... (IP address) to another **IP**
Hm, that should mean: A client issued an ftp port command and supplied an address other than the address used in the connection
Is there any other networking device (NATting) in between that might cause problems?
Nope.
What are you using as an ftp client?
FileZilla
What happens if you try another client? Or if you do it from a cmd window using ftp -d ?
Yes, the same issue.
So could you post what's showing when doing the ftp -d session (sanitized) ?
sure
ftp> open 192.168.**.***
Connected to 192.168.**.***.
220-Microsoft FTP Service
220 COMPANY NAME
User (192.168. 168.**.***:(none)):
331 Password required for ftp.user@domainname.

230-Welcome to *** FTP Site
    Directory has 232,557,346,816 bytes of disk space available.
230 User logged in.
ftp> bin
200 Type set to I.
ftp> LITERAL PASV
227 Entering Passive Mode (192,168,**,*,***,***).
ftp> put new.bmp
200 PORT command successful.
150 Opening BINARY mode data connection.
> Netout :Software caused connection abort
425 Cannot open data connection.
ftp: 65535 bytes sent in 0,11Seconds 595,77Kbytes/sec.
ftp> quit
Just to check, the values under the stars are all the same?

Looking at the ip, are you connecting from the inside or a dmz or the outside?
Outside, behind another ASA.
You sent PASV and then sent PORT.  

When you send PASV you ask the server to go into passive mode.  If you look at the server's response  (192,168,**,*,***,***) ... those last 2 numbers after the IP address are the port number that the server was offering up to use for a passive mode transfer.

Then when you did the PUT the software sent a PORT command, which is an Active Mode transfer.  If your log was better it would actually show the full port command, which is in the same format as the server's PASV response except it is your IP address and the port you are inviting the server to open a connection to you for an Active Mode transfer.

So I guess I am saying that you are not using passive mode at all in this log.  You ask for it.  The server says OK, then you turn around and actually attempt to use active mode instead, and that fails.
How did you find that I turn around to active mode instead? (when the server says OK....)

How can I fix this?


Thanks a lot for your immediate response.
You sent a literal PASV to the server and the server agreed to do it so at least you know that the server is willing to play ball in passive mode.

Unfortunately, the FTP client that generated the log you posted sent a PORT raw ftp command when you used the "put" client verb.  PUT is not a raw ftp command; it is a meta command created by the client... it may combine multiple raw ftp commands, like one to enable binary mode, another to set active/passive mode, and finally a raw STOR to actually upload the file.
What FTP client would you suggest to me to finally fix my issue? How can I configure the client?
Robo-FTP is more of a development tool for creating scripts that do repetitive upload tasks, but it has nice logging and a 30-day eval that you could use to at least get a handle on the issue.  Also, it defaults to passive mode for all transfers, so that should help.  After installing it, type these commands into the console window (use server IP, username and password):
TRACELOG "problem_trace.log"
FTPLOGON "192.168.XXX.XXX" /user="MyUserID" /pw="MySecret"  
SENDFILE "readme.txt"
FTPLOGOFF

This should cause Robo-FTP to upload its own readme.txt file to your FTP server... but that's not why you are doing it... what you really want is the log files.  Look under the Robo-FTP installation folder and find a new file named problem_trace.log and it will show the actual low-level raw FTP conversation between the client and the server.  If it fails, post the lower part of the log starting with the PASV command and the server's response so we can help troubleshoot.
Please find attached the error

Robo-FTP(4460) v3.7.8.1 TRACE LOG FILE        [ SN: *EVAL* ]

Thu Mar 17 14:40:16  => OS: WIN.NETSRV
Thu Mar 17 14:40:16  => UserName: ********
Thu Mar 17 14:40:22  => Error: Could not read settings for site 192.168.19.** from registry: ServerName: QueryString size failed: The handle is invalid.
Thu Mar 17 14:40:22  => *Logging on to <192.168.19.***> as FTP.
Thu Mar 17 14:40:22  => Connection object created
Thu Mar 17 14:40:22  => wodFtpDLX.dll version 3.0.9.618, wodCertifcate.dll version (null)
Thu Mar 17 14:40:22  => Logging on...
Thu Mar 17 14:40:22  => Connecting to "192.168.*****"...
Thu Mar 17 14:40:22  => Status: Connecting to server
Thu Mar 17 14:40:22  => -<- 220-Microsoft FTP Service
Thu Mar 17 14:40:22  => 220 HELLAS  SAT
Thu Mar 17 14:40:22  => Status: Sending authentication data
Thu Mar 17 14:40:22  => ->- USER username.
Thu Mar 17 14:40:22  => -<- 331 Password required for ftp.user@*****t..
Thu Mar 17 14:40:22  => ->- PASS **********
Thu Mar 17 14:40:22  => -<- 230-Welcome to  FTP Site
Thu Mar 17 14:40:22  => Directory has 232,556,949,504 bytes of disk space available.
Thu Mar 17 14:40:22  => 230 User logged in.
Thu Mar 17 14:40:22  => ->- FEAT
Thu Mar 17 14:40:23  => -<- 211-Extended features supported:
Thu Mar 17 14:40:23  => LANG EN*
Thu Mar 17 14:40:23  => UTF8
Thu Mar 17 14:40:23  => AUTH TLS;TLS-C;SSL;TLS-P;
Thu Mar 17 14:40:23  => PBSZ
Thu Mar 17 14:40:23  => PROT C;P;
Thu Mar 17 14:40:23  => CCC
Thu Mar 17 14:40:23  => HOST
Thu Mar 17 14:40:23  => SIZE
Thu Mar 17 14:40:23  => MDTM
Thu Mar 17 14:40:23  => REST STREAM
Thu Mar 17 14:40:23  => 211 END
Thu Mar 17 14:40:23  => ->- OPTS UTF8 ON
Thu Mar 17 14:40:23  => -<- 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Thu Mar 17 14:40:23  => ->- PWD
Thu Mar 17 14:40:23  => -<- 257 "/" is current directory.
Thu Mar 17 14:40:23  => Status: Connected to server - idle
Thu Mar 17 14:40:23  => Log on successful.
Thu Mar 17 14:40:23  => ->- PWD
Thu Mar 17 14:40:23  => Status: Executing command on the server
Thu Mar 17 14:40:23  => Status: Connected to server - idle
Thu Mar 17 14:40:23  => -<- 257 "/" is current directory.
Thu Mar 17 14:40:23  => RawSend returning 257
Thu Mar 17 14:40:30  => Sending file C:\Users\*****\Documents\Robo-FTP 3.7\Readme.txt as Readme.txt: timeout set to 30
Thu Mar 17 14:40:30  => Status: Sending data to server
Thu Mar 17 14:40:30  => Status: Setting transfer mode
Thu Mar 17 14:40:30  => ->- TYPE I
Thu Mar 17 14:40:30  => -<- 200 Type set to I.
Thu Mar 17 14:40:30  => Status: Changing current directory
Thu Mar 17 14:40:30  => truncating extraneous CWD request
Thu Mar 17 14:40:30  => Status: Sending data to server
Thu Mar 17 14:40:30  => Status: Getting secondary data channel
Thu Mar 17 14:40:30  => ->- PASV
Thu Mar 17 14:40:30  => -<- 227 Entering Passive Mode (192,168,19,1,219,153).
Thu Mar 17 14:40:30  => Status: Sending data to server
Thu Mar 17 14:40:30  => ->- STOR Readme.txt
Thu Mar 17 14:40:30  => -<- 150 Opening BINARY mode data connection.
Thu Mar 17 14:41:01  => Connection timed out. Timeout set to 30
Thu Mar 17 14:41:01  => Status: Disconnected from server
Thu Mar 17 14:41:01  => Error: The current connection has timeout. (10060)
Thu Mar 17 14:41:01  => Error: file transfer failed or incomplete
Thu Mar 17 14:44:52  => <**Console window output suppressed when minimized.
Thu Mar 17 14:44:52  => <**Trace window logging suppressed when minimized.
So it appears your attempt to connect to the server's passive port timed out.  Here is the relevant portion of the log:

Thu Mar 17 14:40:30  => ->- PASV
Thu Mar 17 14:40:30  => -<- 227 Entering Passive Mode (192,168,19,1,219,153).
Thu Mar 17 14:40:30  => Status: Sending data to server
Thu Mar 17 14:40:30  => ->- STOR Readme.txt
Thu Mar 17 14:40:30  => -<- 150 Opening BINARY mode data connection.
Thu Mar 17 14:41:01  => Connection timed out. Timeout set to 30

Your computer sent PASV to request a passive mode transfer.
The server replied saying you should connect to 192.168.19.1 on port 56217 for the data channel.
Your computer timed out trying to connect to 192.168.19.1 port 56217.

So, that is the root problem.  If the server IP is correct then something is blocking that port.  Most likely a firewall... although it does seem strange because 192.168 is a private address range so that server should be "internal" to your network.  Maybe the built-in windows firewall?

Many server programs allow you to specify a port range to use for passive FTP transfers.  If you control the server, specify a range of maybe 100 ports and then make sure there is an exception for that port range in any firewall between the server and client.
Thanks! The Windows firewall on the FTP server is disabled.

But where did you see the 56217 port in the logs?  The 192.168.19.1 is the ASA firewall....
The server's response to your request to go into passive mode was:
227 Entering Passive Mode (192,168,19,1,219,153).

This means your client was told to connect to 192.168.19.1 on port 56217

The port number is encoded in those last 2 digits: 219, 153

To decode them, open your calculator program in Scientific or Programmer mode and convert to hex:
219 = DB  (hi byte)
153 = 99  (lo byte)

Now combine them and convert back to decimal:
DB99 = 56217

So now the question remains of why the FTP server would tell you to open a data channel by connecting to the firewall.  It probably didn't.  Most likely your firewall is "ftp protocol aware", meaning that it is snooping on your FTP connection and changing the server response before you get it, acting as a sort of a man-in-the-middle between your computer and the FTP server.  Maybe think of it as a NAT proxy except on a protocol level.  You can probably disable this feature.
I have disabled the FTP inspect in the ASA....
Many FTP servers allow you to specify an IP address (other than the actual IP address) to use for passive mode.  Perhaps this field is misconfigured on the server.
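The decoding and the address comparison described in this thread, as an added example that is not part of the original posts: it pulls every 227 reply out of a client trace, computes the port as hi byte * 256 + lo byte, and flags a reply whose address differs from the control-connection address or whose port falls outside the passive range the firewall allows. The control address 192.168.19.50 and the range 50000-50099 are assumptions (the real server address is masked in the thread); the trace lines are constructed from the log quoted above.

```python
import ipaddress
import re

# Host/port tuple of an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"\b227\b[^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def decode_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # hi byte * 256 + lo byte


def audit_trace(lines, control_ip, pasv_range):
    """Compare each 227 reply with the address the control connection went to
    and with the passive port range the firewall is expected to allow."""
    control_ip = ipaddress.IPv4Address(control_ip)
    lo, hi = pasv_range
    findings = []
    for line in lines:
        decoded = decode_pasv(line)
        if decoded is None:
            continue
        ip, port = decoded
        findings.append({
            "ip": str(ip),
            "port": port,
            # A mismatch means the reply was rewritten in transit or the server
            # is configured to advertise another address for passive mode.
            "address_mismatch": ip != control_ip,
            "port_outside_range": not lo <= port <= hi,
        })
    return findings


# Constructed sample, taken from the trace excerpt quoted in the thread.
SAMPLE_TRACE = [
    "Thu Mar 17 14:40:30  => ->- PASV",
    "Thu Mar 17 14:40:30  => -<- 227 Entering Passive Mode (192,168,19,1,219,153).",
    "Thu Mar 17 14:40:30  => -<- 150 Opening BINARY mode data connection.",
]
ASSUMED_CONTROL_IP = "192.168.19.50"   # hypothetical; masked in the thread
ASSUMED_PASV_RANGE = (50000, 50099)    # hypothetical 100-port passive range

if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_TRACE, ASSUMED_CONTROL_IP, ASSUMED_PASV_RANGE):
        print(finding)
```

Running the same audit against the FTP server's own log and against the client trace shows whether the address in the 227 reply changed between the two ends.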

Another way to determine if the firewall is changing the value is to enable low-level logging on the FTP server.  Then you could check the server logs for "227 Entering Passive Mode" and verify that the server actually specified the 192.168.19.1 address or if it specified something else that was later changed before arriving at your client.
On the FTP server, the Windows firewall is completely disabled.
Check the FTP Server's log to verify that the server is actually returning 192.168.19.1 as the passive address.
But this address is not the FTP server, it is the ASA address...
ASKER CERTIFIED SOLUTION
AlexPace