Solved

can't get Pure-ftp to work from one location

Posted on 2011-03-18
Last Modified: 2012-05-11
I just set up a pureftp server on a RHEL6 box and it works great. I've tested it from the LAN and from the WAN and it's okay. However, we have a site-to-site connection and it won't work from there.

It works from the WAN so it's not a question of the firewall rules or SELinux.
If you use telnet on port 21 it actually establishes the connection but then closes it.

The log on the ftp server shows:

16:08:47 ftpserver pure-ftpd: (?@server.domain.com) [INFO] New connection from server.domain.com
16:08:53 ftpserver pure-ftpd: (?@server.domain.com) [INFO] Logout.

The telnet from a linux box in this location shows:

[root@test ~]# telnet 199.99.99.99 21
Trying 199.99.99.99...
Connected to ftp.domain.com (199.99.99.99).
Escape character is '^]'.
Connection closed by foreign host.

So it's not the firewalls because you can see that the connection gets established...but then it gets closed by the server it would seem. But only from this one location. Every other location is fine and I can get in with an ftp client and upload and download files. With an ftp client in that location it just says 'Could not connect to server'....

Anyone have any ideas....I'm stumped.
Question by:willlandymore
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35169177
Just my 2 cents.

FTP uses port 21 and 20 (for data). Perhaps the other side's firewall has a problem with that (passive/active FTP).
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35169210
I suppose it could be...

I checked the logs of their firewall and it showed nothing. But I guess I can get in there and make a matching rule for 20/21 like I have on ours and then try both the active and passive.

The reason I'm not sure about that is because if you use the telnet it actually establishes the connection so at that point it should have made it through the firewall, but then it looks like the machine closes the connection....
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 35169306
Well, with telnet you only test one port (21). FTP uses two (20/21) and it depends on using passive or active FTP so then there might be a difference.
0
 
LVL 16

Accepted Solution

by:AlexPace
AlexPace earned 250 total points
ID: 35169680
FWIW most of the time a data channel port will be negotiated on the fly and will be above 1024.

But this isn't a data channel problem.  You know it's data channel when you can log in but not get a directory listing or transfer files.  This connection is closing before you even authenticate on the control channel... so it is closing before the data channel ever becomes an issue.

Is there possibly an IP address white list?
0
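Added example, not part of the thread or of Pure-FTPd: a small probe that records how far a control-channel connection gets, which separates "TCP connect failed" from "connected but closed before the 220 greeting", the distinction drawn in the answer above. The names `probe_ftp_control` and `serve_once` and the stage labels are hypothetical, and `serve_once` is a constructed localhost stand-in for a server.

```python
import re
import socket
import threading
import time

FINAL_LINE = re.compile(rb"^(\d{3}) ")  # "220-" continues the greeting, "220 " ends it

def probe_ftp_control(host, port=21, timeout=10.0):
    """Return (stage, detail, seconds) for one FTP control-channel attempt."""
    start = time.monotonic()
    elapsed = lambda: round(time.monotonic() - start, 3)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or handshake timed out
        return "connect_failed", str(exc), elapsed()
    buf = b""
    with sock:
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # server closed the socket without a final reply line
                    return "closed_before_banner", f"closed after {len(buf)} bytes", elapsed()
                buf += chunk
                for line in buf.split(b"\r\n")[:-1]:  # complete lines only
                    m = FINAL_LINE.match(line)
                    if m:  # first final line decides the outcome
                        stage = "banner_ok" if m.group(1) == b"220" else "unexpected_reply"
                        return stage, line.decode("ascii", "replace"), elapsed()
        except socket.timeout:  # connected, but the server stayed silent
            return "no_banner_timeout", f"{len(buf)} bytes received", elapsed()
        except OSError as exc:  # e.g. ConnectionResetError when the server sends RST
            return "closed_before_banner", f"reset: {exc}", elapsed()

def serve_once(payload):
    """Constructed stand-in server: accept one client, send payload, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        conn.sendall(payload)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":  # constructed case: server closes without any greeting
    print(probe_ftp_control("127.0.0.1", serve_once(b"")))
```

Running the same probe from a working site and from the failing site, and comparing the stage and the elapsed seconds with the server's log timestamps, shows whether both sides agree on when the connection ended.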
 
LVL 1

Author Comment

by:willlandymore
ID: 35169814
Well, when you install pureftp you don't have to whitelist any addresses unless you want to have it so only certain FQDNs or IP ranges can have access.

erniebeek: that's true that telnet will only test 21 in this case but when you do that from anywhere but this location you get:

220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So if it's working in this fashion when doing it from the LAN or WAN then it should be working the same way from this VPN network. But in this case it does not.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171193
So perhaps something is blocked through the vpn or the server doesn't know the route to the clients through the vpn?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35171613
Maybe I'll try putting something like ethereal on one of the clients and see what that shows...perhaps there's more information. Right now there is basically nothing to go on which is why I'm stumped. Usually you get an error code of some kind!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171652
Are you able to ping/traceroute from that client to the server and vice versa?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35171767
Yeah, ping works and tracert but there never seemed to be a problem establishing the connection...it's just keeping it up.

That's why I'm wondering if Wireshark has some more information that the server might be spitting out instead of the 'connection closed' I'm getting everywhere else.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171850
Should be worth a try.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35172585
Okay, from Wireshark I get:

client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
ftpserver > client   TCP ftp > signal [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

which are normal, but there is:

159      31.421133000      ftpserver      > client   TCP ftp > signal [RST] Seq=1 Win=5840 Len=0

Where it's issuing a reset....
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35184129
Never could get this to work from that one location. I just installed another FTP server and it seems to work so I'm going to chalk that up to a bug with PureFTP.

I just split the points since there was no resolution.

Thanks.
0
