can't get Pure-ftp to work from one location

I just set up a pureftp server on a RHEL6 box and it works great. I've tested it from the LAN and from the WAN and it's okay. However, we have a site-to-site connection and it won't work from there.

It works from the WAN, so it's not a question of the firewall rules or SELinux.
If you use telnet on port 21, it actually establishes the connection but then closes it.

The log on the ftp server shows:

16:08:47 ftpserver pure-ftpd: (?@server.domain.com) [INFO] New connection from server.domain.com
16:08:53 ftpserver pure-ftpd: (?@server.domain.com) [INFO] Logout.

The telnet from a Linux box in this location shows:

[root@test ~]# telnet 199.99.99.99 21
Trying 199.99.99.99...
Connected to ftp.domain.com (199.99.99.99).
Escape character is '^]'.
Connection closed by foreign host.

So it's not the firewalls, because you can see that the connection gets established... but then it gets closed by the server, it would seem. But only from this one location. Every other location is fine and I can get in with an FTP client and upload and download files. With an FTP client in that location it just says 'Could not connect to server'.

Anyone have any ideas? I'm stumped.
Asked by: willlandymore

Ernie Beek Commented:
Just my 2 cents.

FTP uses port 21 and 20 (for data). Perhaps the other side's firewall has a problem with that (passive/active FTP).

willlandymore (Author) Commented:
I suppose it could be...

I checked the logs of their firewall and it showed nothing. But I guess I can get in there and make a matching rule for 20/21 like I have on ours and then try both the active and passive.

The reason I'm not sure about that is because if you use the telnet it actually establishes the connection so at that point it should have made it through the firewall, but then it looks like the machine closes the connection....

Ernie Beek Commented:
Well, with telnet you only test one port (21). FTP uses two (20/21) and it depends on using passive or active FTP so then there might be a difference.

AlexPace Commented:
FWIW, most of the time a data channel port will be negotiated on the fly and will be above 1024.

But this isn't a data channel problem. You know it's data channel when you can log in but not get a directory listing or transfer files. This connection is closing before you even authenticate on the control channel... so it is closing before the data channel ever becomes an issue.

Is there possibly an IP address white list?
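
An added example, not part of the original thread or any poster's code: a small probe that reports the stage at which an FTP control connection fails, separating "no handshake" from "handshake completed but no 220 banner", which is the distinction drawn above. The function names, the stage labels and the loopback stand-in server are assumptions made for this illustration.

```python
import socket
import struct
import threading

def probe_ftp_control(host, port=21, timeout=5.0):
    """Report how far an FTP control connection gets: (stage, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("connect-timeout", "no SYN-ACK: filtering or routing")
    except ConnectionRefusedError:
        return ("connect-refused", "nothing listening on that port")
    except OSError as exc:
        return ("connect-error", str(exc))
    with sock:
        try:
            data = sock.recv(512)  # the server speaks first with a 220 reply
        except socket.timeout:
            return ("banner-timeout", "handshake ok, server silent")
        except ConnectionResetError:
            return ("reset-before-banner", "handshake ok, then RST")
    if not data:
        return ("closed-before-banner", "handshake ok, then FIN, no 220")
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    stage = "banner-ok" if data.startswith(b"220") else "unexpected-reply"
    return (stage, line)

def start_constructed_server(behaviour):
    """Constructed loopback stand-in; behaviour: banner | close | reset."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220 constructed test banner\r\n")
        elif behaviour == "reset":  # linger 0 makes close() send an RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for mode in ("banner", "close", "reset"):
        port = start_constructed_server(mode)
        print(mode, "->", probe_ftp_control("127.0.0.1", port, timeout=2))
```

Running the probe from a working site and from the failing site against the same server gives two stage labels to compare; any stage other than "banner-ok" that still completed the handshake means the failure happens before authentication and before any data channel is negotiated.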

willlandymore (Author) Commented:
Well, when you install pureftp you don't have to whitelist any addresses unless you want to have it so only certain FQDNs or IP ranges can have access.

erniebeek: that's true that telnet will only test 21 in this case but when you do that from anywhere but this location you get:

220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So if it's working in this fashion when doing it from the LAN or WAN then it should be working the same way from this VPN network. But in this case it does not.

Ernie Beek Commented:
So perhaps something is blocked through the vpn or the server doesn't know the route to the clients through the vpn?

willlandymore (Author) Commented:
Maybe I'll try putting something like ethereal on one of the clients and see what that shows... perhaps there's more information. Right now there is basically nothing to go on, which is why I'm stumped. Usually you get an error code of some kind!

Ernie Beek Commented:
Are you able to ping/traceroute from that client to the server and vice versa?

willlandymore (Author) Commented:
Yeah, ping works and tracert, but there never seemed to be a problem establishing the connection... it's just keeping it up.

That's why I'm wondering if Wireshark has some more information that the server might be spitting out instead of the 'connection closed' I'm getting everywhere else.

Ernie Beek Commented:
Should be worth a try.

willlandymore (Author) Commented:
Okay, from Wireshark I get:

client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
ftpserver > client   TCP ftp > signal [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

which are normal, but there is:

159      31.421133000      ftpserver      > client   TCP ftp > signal [RST] Seq=1 Win=5840 Len=0

Where it's issuing a reset...

willlandymore (Author) Commented:
Never could get this to work from that one location. I just installed another FTP server and it seems to work so I'm going to chalk that up to a bug with PureFTP.

I just split the points since there was no resolution.

Thanks.