Solved

FTP client ls command fails with a few clients only

Posted on 2011-03-24
Last Modified: 2012-05-11
We have an FTP server behind a firewall and a load balancer. Before, everything was working fine and all our clients were able to connect, list and retrieve information without problems.

Chronology:
1- We made an update of the firmware of the load balancer Thursday.

2- Over the weekend we had an electrical failure and we discovered that our secondary link did not relay as expected.

3- So we investigated and found that our DNS did not point to the correct secondary link, so we changed it.

After that, some problems appeared when using the secondary (207.x.x.x) link with FTP in active mode only (passive mode was working), so we put the DNS back to normal, but the problem still continues. At this moment, FTP works correctly on the primary link.

We contacted our load balancer provider and he put a persist trigger on port 21, and it fixed the problem for almost all clients except 2 of them (for those, active and passive do not work for the LS command; it hangs and we get a "time out").

The weird thing is that I created another FTP server and tried it through the secondary link from the client where it doesn't work, and it works on my new server.

Our settings:

On the load balancer, there are two different links:
     - The first one (205.x.x.x) (main link) has a class C (255 IPs)
     - The secondary (207.x.x.x) has 16 IPs.

FTP server is IIS. Client is ftp from command line.

FTP fails at the LS step only. We can connect correctly, but when we do an LS, we get "DATA connection failed".

If you need more details, just ask. Thanks a lot.
Question by:TelDig
5 Comments
 

Expert Comment

by:0x6
Have you tried with Filezilla FTP client?

You should run a Network Monitor trace, capturing on both the client PC and the FTP server while running the LS command on the client, to check whether the server is receiving the directory listing command and vice versa.

Expert Comment

by:AlexPace
The clients could be using different implementations of the "ls" verb.

What I'm trying to say is that ls is not an FTP protocol command, it is an FTP client command.  One of the clients might be sending the protocol command LIST and the other sending MLSD.

Also, being able to connect but not send files or list directories is the classic symptom of an FTP connection where the control channel (port 21) is fine but the data channel (#### > 1024)  is blocked.  

In Active Mode, your server opens the data channel on the client's machine.  They'll tell you which port to connect to by sending the PORT command.

In Passive Mode, the client sends PASV to request that your server allow them, the client, to open a data channel port on the server.  The server's affirmative response to PASV specifies which port the client should use.

So it is active or passive from the point of view of the server: in active mode the server opens a connection back to the client and in passive mode the client opens a connection to the server.

 

Author Comment

by:TelDig
No, I haven't tried the FileZilla client because I have to be able to do it with the FTP command line. The program that I have to use for FTP uses the ftp command only. And I can't install anything on the client side.

The server receives the LIST command. It tries to respond with 150 Opening ASCII Mode... After that I get 425 Can't open data connection.

I tried the ls and dir commands on the client side. One gives the command NLST and the other gives LIST. Neither works. But if I go through the primary link, both work.

Neither active nor passive works. I can connect, log in, cd, but I can't get the LS to work.

Accepted Solution

by:
AlexPace earned 500 total points
The data channel is blocked on the secondary link.  Changing client programs won't help that.  

You can look for a firewall issue by examining the last two numbers of the PORT command the client sends in Active Mode or the last two numbers of the server's response to the PASV command in Passive Mode.  Suppose the last two numbers are 209,25. The way you decode this is to first convert each number to hex.  The Windows calculator program can do it in programmer or scientific mode.

209 = D1
25 = 19

Next you combine the two hex values into one big number and convert that back to decimal to find the port number:
D119 = 53529

So if the last two numbers of the PORT command or the PASV response were 209,25 then the client and server were trying to establish a data channel on port 53529.  Make sure the firewall isn't blocking that port.

Many FTP servers allow you to specify a port range to use for Passive Mode because in this mode the server chooses the port to use for the data channel whereas in Active Mode it is dictated by the client.  Choose a range that is at least twice as wide as the maximum number of clients you expect will connect to your server at any given time.  The firewall administrator can make a special rule allowing that specific port range to pass.

Some FTP servers also allow you to specify an IP address to use for Passive Mode.  If your server is configured this way with a rule forcing passive mode onto the 205.x.x.x address then the client may be rejecting that offer as insecure: when the control channel is connected to a 207.x.x.x address, it might want to see a data channel to the same address. I think this second scenario is less likely than a firewall problem.
0
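The decoding described in the accepted answer, together with its two failure scenarios (a blocked data port, and a Passive Mode address that differs from the control-channel address), as an added example that is not part of the original thread. The function names, the RFC 5737 documentation addresses and the allowed port ranges are assumptions constructed for illustration; the example goes slightly beyond the answer by also reading the four address fields.

```python
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply.
_FIELDS = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    m = _FIELDS.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255 in: %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # same result as joining the two hex bytes
    return ip, port


def check_data_channel(line, control_peer_ip, allowed_ports):
    """List reasons the data connection described by `line` may fail.

    control_peer_ip: address at the far end of the control connection as seen
    by whoever receives `line` (hypothetical parameter for this example).
    allowed_ports: (low, high) range the firewall is assumed to pass.
    """
    ip, port = parse_endpoint(line)
    low, high = allowed_ports
    findings = []
    if ip != control_peer_ip:
        findings.append("data address %s differs from control peer %s"
                        % (ip, control_peer_ip))
    if not low <= port <= high:
        findings.append("port %d outside allowed range %d-%d" % (port, low, high))
    return findings


if __name__ == "__main__":
    # Constructed sample: server advertises 192.0.2.10 while the client
    # reached it on 198.51.100.7, and the firewall passes only 50000-51000.
    reply = "227 Entering Passive Mode (192,0,2,10,209,25)."
    print(parse_endpoint(reply))
    for finding in check_data_channel(reply, "198.51.100.7", (50000, 51000)):
        print(finding)
```
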
 

Author Closing Comment

by:TelDig
Thanks