vvarag

FTP problem - 425 Use PORT or PASV first.

A client is using a NAS WD ShareSpace with a built-in FTP server, running on port 21. Everything works fine, but one of their suppliers (just the one!) has a problem connecting to the FTP server. Exactly - he's able to log on, but the rest looks like this:

ftp> open ftp.estat.cz
Conencted to ftp.estat.cz
220 vsFTP 2.0.4+ (ext.3) ready...
User (ftp.estat.cz:(none): ftpestat
Password:
230 Login succesful.
ftp> ls
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp> PORT
Invalid command.

Does anyone have an idea, where the problem could be?
Dave Baldwin

Yes, their FTP client is not operating correctly.  FTP has to select an 'ephemeral' port from the client or server before it continues and that isn't happening for some reason.  This page shows some of the sequence.  Actually, it looks like they are trying to use telnet to connect.  LIST is the directory command in FTP, not 'ls'.  Here is a better list of FTP commands: http://en.wikipedia.org/wiki/File_Transfer_Protocol
Most likely your FTP client sent a PORT command that included its internal address in the 10.x.x.x range or the 192.168.x.x range.  The server is rejecting that address as invalid or unreachable.

If you are using the DOS command-line FTP client you can have it show you what's happening on the raw protocol level if you launch it like this: ftp -d  This would allow you to examine the PORT command sent by your FTP client.  The syntax of the PORT command is that the first four numbers are the IP address and the last two are the hex encoded port number.

The DOS command-line FTP client has some fairly significant limitations as far as its ability to deviate from standard vanilla FTP so you might need a different FTP client to actually USE this particular server (depending on your firewall and the configuration of the remote server.)
vvarag

ASKER

AlexPace: I tried the command-line ftp -d command and lots of various FTP clients and you're right, it ends on:
[09:00:04] PORT 192,168,1,106,234,24
[09:00:04] 500 Illegal PORT command.
But how can I make the ftp client not send the internal IP address?
CoreFTP on my computer is 'forcing' the use of PASV which makes the remote server send its IP address.  I just looked up Microsoft command line FTP and it does not appear to have that command.
I don't know if it is possible to force the DOS command line FTP client to send an external address on the PORT command but DaveBaldwin's suspicion is correct regarding the DOS client's inability to do passive mode data channels: it can only do active mode.

There are a few possible workarounds for your situation:
1. Some firewalls have a feature that allows them to actively monitor the FTP control channel and watch for the PORT command.  These firewalls are able to modify the data stream on the fly to substitute an external IP address in the message that goes to the server.  The coolest thing is that they then automatically do port-forwarding for the server's incoming active mode data connection.  So this allows you to use a program like the DOS command line FTP client in situations where it is not otherwise possible.  Check with your network administrator to see if your organization's firewall has this feature.

2. Run the DOS command line FTP client on a computer with an external IP address, like in the network's DMZ area.

3. Use a different FTP client that supports passive mode data channels.  This is the easiest approach because you don't need anyone else's help to do it.  There are lots of good FTP clients available with Windows interfaces instead of command-line interfaces, many of them at low or zero cost.  Internet Explorer browser can even do passive mode FTP if you enable it under Tools -> Options -> Advanced -> Browsing.  If you feel like you need a command-line interface for scripting purposes you could use Robo-FTP, which is better for automation purposes anyway.
You know it could be as simple as telling the supplier to use PASV mode when they connect.  They may be using an FTP client that doesn't do it automatically.

ASKER

I tried to bypass the firewall on the supplier's side, so I connected a notebook directly to the ISP's cable, configured it with a static IP given by the ISP, but the result was the same :(

Unfortunately the PASV mode doesn't work as well. I tried a few FTP clients and when I turned the PASV mode on, it looked like:
PASV
Get directory
...
Connection lost
This page http://www.wdc.com/en/products/products.aspx?id=270 makes it look like your device is only made for LAN use, not really internet use.

ASKER

DaveBaldwin: I've browsed the WD pages and forums but haven't found any helpful information for me. And the WD ShareSpace is designed for internet use and it works fine over the internet for all the clients. The described problem occurs just for the one supplier.
When I try to connect from my place everything works fine (PORT 10,123,46,29,10,222), but the mentioned supplier gets PORT 10,0,1,5,194,189 and he's unable to do anything (except the successful logon).
ASKER CERTIFIED SOLUTION
AlexPace

MS ftp client does not support passive (a.k.a firewall friendly) data connections.

It appears that the FTP server is configured only to allow passive data connections, even though it is issuing a message that says to use PORT or PASV.

Whoever is having the problem needs to use an FTP client that supports passive FTP data connections.  CuteFTP and FileZilla are two that do and have a GUI interface.