Solved

can't get Pure-ftp to work from one location

Posted on 2011-03-18
Last Modified: 2012-05-11
I just set up a pureftp server on a RHEL6 box and it works great. I've tested it from the LAN and from the WAN and it's okay. However, we have a site-to-site connection and it won't work from there.

It works from the WAN, so it's not a question of the firewall rules or SELinux.
If you use telnet on port 21, it actually establishes the connection but then closes it.

The log on the ftp server shows:

16:08:47 ftpserver pure-ftpd: (?@server.domain.com) [INFO] New connection from server.domain.com
16:08:53 ftpserver pure-ftpd: (?@server.domain.com) [INFO] Logout.

The telnet from a linux box in this location shows:

[root@test ~]# telnet 199.99.99.99 21
Trying 199.99.99.99...
Connected to ftp.domain.com (199.99.99.99).
Escape character is '^]'.
Connection closed by foreign host.

So it's not the firewalls because you can see that the connection gets established...but then it gets closed by the server it would seem. But only from this one location. Every other location is fine and I can get in with an ftp client and upload and download files. With an ftp client in that location it just says 'Could not connect to server'....

Anyone have any ideas....I'm stumped.
Question by:willlandymore
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35169177
Just my 2 cents.

FTP uses port 21 and 20 (for data). Perhaps the other side's firewall has a problem with that (passive/active FTP).
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35169210
I suppose it could be...

I checked the logs of their firewall and it showed nothing. But I guess I can get in there and make a matching rule for 20/21 like I have on ours and then try both the active and passive.

The reason I'm not sure about that is because if you use the telnet it actually establishes the connection so at that point it should have made it through the firewall, but then it looks like the machine closes the connection....
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 35169306
Well, with telnet you only test one port (21). FTP uses two (20/21) and it depends on using passive or active FTP so then there might be a difference.
0
 
LVL 16

Accepted Solution

by:
AlexPace earned 250 total points
ID: 35169680
FWIW, most of the time a data channel port will be negotiated on the fly and will be above 1024.

But this isn't a data channel problem. You know it's the data channel when you can log in but not get a directory listing or transfer files. This connection is closing before you even authenticate on the control channel... so it is closing before the data channel ever becomes an issue.

Is there possibly an IP address white list?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35169814
Well, when you install pureftp you don't have to whitelist any addresses unless you want to have it so only certain FQDNs or IP ranges can have access.

erniebeek: that's true that telnet will only test 21 in this case but when you do that from anywhere but this location you get:

220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So if it's working in this fashion when doing it from the LAN or WAN then it should be working the same way from this VPN network. But in this case it does not.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171193
So perhaps something is blocked through the vpn or the server doesn't know the route to the clients through the vpn?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35171613
Maybe I'll try putting something like ethereal on one of the clients and see what that shows...perhaps there's more information. Right now there is basically nothing to go on, which is why I'm stumped. Usually you get an error code of some kind!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171652
Are you able to ping/traceroute from that client to the server and vice versa?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35171767
Yeah, ping works and tracert, but there never seemed to be a problem establishing the connection...it's just keeping it up.

That's why I'm wondering if Wireshark has some more information that the server might be spitting out instead of the 'connection closed' I'm getting everywhere else.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171850
Should be worth a try.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35172585
Okay, from Wireshark I get:

client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
ftpserver > client   TCP ftp > signal [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

which are normal, but there is:

159      31.421133000      ftpserver      > client   TCP ftp > signal [RST] Seq=1 Win=5840 Len=0

Where it's issuing a reset....
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35184129
Never could get this to work from that one location. I just installed another FTP server and it seems to work so I'm going to chalk that up to a bug with PureFTP.

I just split the points since there was no resolution.

Thanks.
0
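
The accepted answer's distinction (the session dies on the control channel before authentication, so the data channel is never involved) can be checked mechanically instead of by reading telnet output. The following is an added example, not part of the original thread: it completes the TCP handshake, waits for the 220 greeting and reports whether the server replied, closed, reset or stayed silent. `probe_ftp_control`, `fake_server` and the shortened `BANNER` are hypothetical names and constructed test data.

```python
import socket, struct, threading

# Constructed greeting, modelled on the multi-line 220 reply quoted in the thread.
BANNER = b"220---------- Welcome to Pure-FTPd ----------\r\n220 Ready.\r\n"

def probe_ftp_control(host, port=21, timeout=10.0):
    """Return (stage, text): how far the control channel gets before any login."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                # no handshake: filtering, routing, no listener
        return ("no_connect", str(exc))
    buf = b""
    with sock:
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:        # handshake done, server stays silent
                return ("timeout_before_reply", buf.decode("latin-1"))
            except ConnectionResetError:  # handshake done, then RST (as in the capture)
                return ("reset_before_reply", buf.decode("latin-1"))
            if not chunk:                 # handshake done, then orderly close (FIN)
                return ("closed_before_reply", buf.decode("latin-1"))
            buf += chunk
            lines = [l.rstrip(b"\r") for l in buf.split(b"\n")[:-1]]
            # RFC 959: the final line of a reply is "<3 digits><space>text";
            # "220-" lines are continuations of a multi-line greeting.
            if lines and lines[-1][:3].isdigit() and lines[-1][3:4] == b" ":
                stage = "banner" if lines[-1].startswith(b"220") else "rejected"
                return (stage, buf.decode("latin-1"))

def fake_server(behaviour):
    """Hypothetical one-shot local listener for offline testing; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(BANNER)
        elif behaviour == "reset":        # zero-timeout SO_LINGER makes close() send RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for b in ("banner", "close", "reset"):
        print(b, "->", probe_ftp_control("127.0.0.1", fake_server(b), timeout=3)[0])
```

Any stage other than `no_connect` means the path to port 21 is open in both directions, so the cause lies with whatever answers on that port or with a device in the path that terminates the session after the handshake.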
