can't get Pure-ftp to work from one location

I just set up a pureftp server on a RHEL6 box and it works great. I've tested it from the LAN and from the WAN and it's okay. However, we have a site-to-site connection and it won't work from there.

It works from the WAN, so it's not a question of the firewall rules or SELinux.
If you use telnet on port 21 it actually establishes the connection but then closes it.

The log on the ftp server shows:

16:08:47 ftpserver pure-ftpd: (?@server.domain.com) [INFO] New connection from server.domain.com
16:08:53 ftpserver pure-ftpd: (?@server.domain.com) [INFO] Logout.

The telnet from a linux box in this location shows:

[root@test ~]# telnet 199.99.99.99 21
Trying 199.99.99.99...
Connected to ftp.domain.com (199.99.99.99).
Escape character is '^]'.
Connection closed by foreign host.

So it's not the firewalls because you can see that the connection gets established...but then it gets closed by the server it would seem. But only from this one location. Every other location is fine and I can get in with an ftp client and upload and download files. With an ftp client in that location it just says 'Could not connect to server'....

Anyone have any ideas....I'm stumped.
willlandymore Asked:
 
AlexPace Commented:
FWIW most of the time a data channel port will be negotiated on the fly and will be above 1024.

But this isn't a data channel problem.  You know it's data channel when you can log in but not get a directory listing or transfer files.  This connection is closing before you even authenticate on the control channel... so it is closing before the data channel ever becomes an issue.

Is there possibly an IP address white list?
 
Ernie Beek (Expert) Commented:
Just my 2 cents.

FTP uses port 21 and 20 (for data). Perhaps the other side's firewall has a problem with that (passive/active FTP).
 
willlandymore (Author) Commented:
I suppose it could be...

I checked the logs of their firewall and it showed nothing. But I guess I can get in there and make a matching rule for 20/21 like I have on ours and then try both the active and passive.

The reason I'm not sure about that is because if you use the telnet it actually establishes the connection so at that point it should have made it through the firewall, but then it looks like the machine closes the connection....
 
Ernie Beek (Expert) Commented:
Well, with telnet you only test one port (21). FTP uses two (20/21) and it depends on using passive or active FTP so then there might be a difference.
 
willlandymore (Author) Commented:
Well, when you install pureftp you don't have to whitelist any addresses unless you want to have it so only certain FQDNs or IP ranges can have access.

erniebeek: that's true that telnet will only test 21 in this case but when you do that from anywhere but this location you get:

220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So if it's working in this fashion when doing it from the LAN or WAN then it should be working the same way from this VPN network. But in this case it does not.
 
Ernie Beek (Expert) Commented:
So perhaps something is blocked through the vpn or the server doesn't know the route to the clients through the vpn?
 
willlandymore (Author) Commented:
Maybe I'll try putting something like ethereal on one of the clients and see what that shows...perhaps there's more information. Right now there is basically nothing to go on, which is why I'm stumped. Usually you get an error code of some kind!
 
Ernie Beek (Expert) Commented:
Are you able to ping/traceroute from that client to the server and vice versa?
 
willlandymore (Author) Commented:
Yeah, ping works and tracert, but there never seemed to be a problem establishing the connection...it's just keeping it up.

That's why I'm wondering if Wireshark has some more information that the server might be spitting out instead of the 'connection closed' I'm getting everywhere else.
 
Ernie Beek (Expert) Commented:
Should be worth a try.
 
willlandymore (Author) Commented:
Okay, from Wireshark I get:

client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
ftpserver > client   TCP ftp > signal [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

which are normal, but there is:

159      31.421133000      ftpserver      > client   TCP ftp > signal [RST] Seq=1 Win=5840 Len=0

Where it's issuing a reset....
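
The control-channel versus data-channel distinction made earlier in the thread, and the reset after the handshake in the capture above, can be checked from the client side with a small probe. This is an added example, not code posted by anyone in the thread; `probe_ftp_control` and `fake_server` are hypothetical names, and the loopback listener is a constructed stand-in for the FTP server.

```python
import socket
import struct
import threading

def probe_ftp_control(host, port=21, timeout=5.0):
    """Report how far an FTP control connection gets (hypothetical helper)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("no-tcp-connect", str(exc))       # three-way handshake never completed
    with sock:
        try:
            data = sock.recv(1024)
        except ConnectionResetError:
            return ("reset-before-banner", "")    # RST after the handshake, as in the capture
        except socket.timeout:
            return ("silent-after-connect", "")   # connected, nothing received in time
        if not data:
            return ("closed-before-banner", "")   # orderly close (FIN) with no greeting
        first = data.decode("latin-1").splitlines()[0]
        if first.startswith("220"):
            return ("banner-ok", first)           # control channel is up
        return ("unexpected-reply", first)

def fake_server(behaviour):
    """Constructed loopback listener standing in for the FTP server; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220---------- Welcome to Pure-FTPd [privsep] ----------\r\n")
        elif behaviour == "reset":
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for behaviour in ("banner", "close", "reset"):
        print(behaviour, probe_ftp_control("127.0.0.1", fake_server(behaviour)))
```

Run against the real server from both a working site and the failing one: `banner-ok` means the control channel is fine and any remaining problem is at login or the data channel, while `reset-before-banner` matches the RST shown in the capture.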
 
willlandymore (Author) Commented:
Never could get this to work from that one location. I just installed another FTP server and it seems to work so I'm going to chalk that up to a bug with PureFTP.

I just split the points since there was no resolution.

Thanks.