Solved

can't get Pure-ftp to work from one location

Posted on 2011-03-18
Last Modified: 2012-05-11
I just set up a pureftp server on a RHEL6 box and it works great. I've tested it from the LAN and from the WAN and it's okay. However, we have a site-to-site connection and it won't work from there.

It works from the WAN, so it's not a question of the firewall rules or SELinux.
If you use telnet on port 21 it actually establishes the connection but then closes it.

The log on the ftp server shows:

16:08:47 ftpserver pure-ftpd: (?@server.domain.com) [INFO] New connection from server.domain.com
16:08:53 ftpserver pure-ftpd: (?@server.domain.com) [INFO] Logout.

The telnet from a linux box in this location shows:

[root@test ~]# telnet 199.99.99.99 21
Trying 199.99.99.99...
Connected to ftp.domain.com (199.99.99.99).
Escape character is '^]'.
Connection closed by foreign host.

So it's not the firewalls because you can see that the connection gets established...but then it gets closed by the server it would seem. But only from this one location. Every other location is fine and I can get in with an ftp client and upload and download files. With an ftp client in that location it just says 'Could not connect to server'....

Anyone have any ideas....I'm stumped.
Question by:willlandymore
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35169177
Just my 2 cents.

FTP uses ports 21 and 20 (for data). Perhaps the other side's firewall has a problem with that (passive/active FTP).
 
LVL 1

Author Comment

by:willlandymore
ID: 35169210
I suppose it could be...

I checked the logs of their firewall and it showed nothing. But I guess I can get in there and make a matching rule for 20/21 like I have on ours and then try both the active and passive.

The reason I'm not sure about that is because if you use the telnet it actually establishes the connection so at that point it should have made it through the firewall, but then it looks like the machine closes the connection....
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 35169306
Well, with telnet you only test one port (21). FTP uses two (20/21) and it depends on using passive or active FTP so then there might be a difference.
 
LVL 16

Accepted Solution

by:AlexPace
AlexPace earned 250 total points
ID: 35169680
FWIW most of the time a data channel port will be negotiated on the fly and will be above 1024.

But this isn't a data channel problem.  You know it's data channel when you can log in but not get a directory listing or transfer files.  This connection is closing before you even authenticate on the control channel... so it is closing before the data channel ever becomes an issue.

Is there possibly an IP address white list?
0
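The distinction drawn in the answer above (a connection that dies before the 220 greeting is a control-channel problem, not a data-channel one) can be checked from any client site with a small probe. This is an added example, not part of the original thread; the function name `probe_ftp_control`, the state names and the hint texts are assumptions made for illustration.

```python
import socket

# Hint texts paraphrase the thread; they are not Pure-FTPd documentation.
HINTS = {
    "no-connect": "TCP handshake failed: check routing and firewall rules for port 21.",
    "closed-pre-banner": "Handshake completed but the peer closed or reset before any "
                         "greeting: not a data-channel issue; look at per-source "
                         "restrictions on the server and at the VPN path.",
    "silent": "Connected, but no greeting arrived within the timeout.",
    "unexpected": "Peer sent something other than a 220 greeting.",
    "banner": "Control channel works; a failure on listings or transfers after "
              "login points at the data channel (active/passive).",
}

def probe_ftp_control(host, port=21, timeout=5.0):
    """Return (state, first_line) describing how far the control connection gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable or handshake timeout
        return "no-connect", b""
    data = b""
    with sock:
        try:
            while b"\n" not in data:     # read until the first reply line is complete
                chunk = sock.recv(4096)
                if not chunk:            # orderly close (FIN) from the peer
                    break
                data += chunk
        except socket.timeout:
            if not data:
                return "silent", b""
        except OSError:                  # e.g. ConnectionResetError after an RST
            pass
    if not data:
        return "closed-pre-banner", b""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    state = "banner" if first_line.startswith(b"220") else "unexpected"
    return state, first_line

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, line = probe_ftp_control(host)
    print(state, line.decode("ascii", "replace"))
    print(HINTS[state])
```

Running it from a working site and from the failing site against the same server gives a side-by-side result that separates a path problem from a server-side close.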
 
LVL 1

Author Comment

by:willlandymore
ID: 35169814
Well, when you install pureftp you don't have to whitelist any addresses unless you want to have it so only certain FQDNs or IP ranges can have access.

erniebeek: that's true that telnet will only test 21 in this case but when you do that from anywhere but this location you get:

220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So if it's working in this fashion when doing it from the LAN or WAN then it should be working the same way from this VPN network. But in this case it does not.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171193
So perhaps something is blocked through the vpn or the server doesn't know the route to the clients through the vpn?
 
LVL 1

Author Comment

by:willlandymore
ID: 35171613
Maybe I'll try putting something like ethereal on one of the clients and see what that shows...perhaps there's more information. Right now there is basically nothing to go on, which is why I'm stumped. Usually you get an error code of some kind!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171652
Are you able to ping/traceroute from that client to the server and vice versa?
 
LVL 1

Author Comment

by:willlandymore
ID: 35171767
Yeah, ping works and tracert, but there never seemed to be a problem establishing the connection...it's just keeping it up.

That's why I'm wondering if Wireshark has some more information that the server might be spitting out instead of the 'connection closed' I'm getting everywhere else.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35171850
Should be worth a try.
 
LVL 1

Author Comment

by:willlandymore
ID: 35172585
Okay, from Wireshark I get:

client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
ftpserver > client   TCP ftp > signal [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
client > ftpserver   TCP signal > ftp [ACK] Seq=1 Ack=1 Win=64240 Len=0

which are normal, but there is:

159      31.421133000      ftpserver      > client   TCP ftp > signal [RST] Seq=1 Win=5840 Len=0

Where it's issuing a reset....
 
LVL 1

Author Comment

by:willlandymore
ID: 35184129
Never could get this to work from that one location. I just installed another FTP server and it seems to work so I'm going to chalk that up to a bug with PureFTP.

I just split the points since there was no resolution.

Thanks.


Question has a verified solution.
