tsukraw

FileZilla with TLS encryption

Hey Experts,
I am running into a bit of a situation trying to get the encryption in FileZilla working.

What I have is a FileZilla server on version 9.4.0
Running on Server 2008R2 with Windows Firewall off.
FTP is configured for port 211
I have a SonicWall router.

If I have the "Enable FTP over SSL/TLS Support" turned off I can connect up just fine.
If I turn that on, and on the FileZilla client choose "Require explicit FTP over TLS", it logs in, I accept the certificate, but then I get
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing

I have read all kinds of articles saying to check my network configuration. I have checked it a thousand times and since it works with SSL/TLS off I would think it has to be correct.

My passive mode ports are 3000-4000 and I have those forwarded the same way I do 221.

Any ideas what I could be missing?
digitap
We're running a Filezilla server using FTPS and we have a custom service group based on the screen shot. It works just fine. We're using the same service group for the NAT policies.
FTPS-Services.jpg
tsukraw

ASKER

I just checked my SonicWall and I have thing.
I have 211 TCP
3000-4000 TCP
990 TCP

Those are all being forwarded to my FileZilla server.
ASKER CERTIFIED SOLUTION
digitap
This solution is only available to members.
Nice! A tip for the future, always use the public server wizard. It will set things up correctly for you. Glad you got it!
tsukraw

ASKER

Do you notice a speed issue with TLS on for directory browsing?
I am running an FTP sync that connects to the FTP server and compares data in the folders. There are probably around 3,000 items in the folder, which is around 1TB of data. With TLS off it takes like 15-20 min to verify the data is synced, that is with no changes. With TLS on it takes close to 2 hours to run with no changes made....

On the server side I have 16meg down and 5meg up.
Client side 10 down 10 up

Ideas?
Yikes! That's a big difference. No, we have not noticed that. I'm waiting for a response from my tech that manages the FTP server.
I'm conversing with him now, but realized that you indicated you were connecting with TLS. Did you get the SW to let you through with TLS?
tsukraw

ASKER

Yep.  SW is now letting TLS through.
Cool. Do you have any of the security services licensed? I'm wondering if the SW is trying to scan the traffic and it's slowing it down. You might disable all the security services and try a dwn/up transfer to see if that changes anything. If it does, then I would create an exception for your Filezilla server.
tsukraw

ASKER

I have already disabled all the security stuff thinking it could be that as well.
I even have tested with a Global VPN tunnel.
I just finished that test. If I run over the VPN tunnel with TLS off I did 2100 files in 10 min. The exact same files with TLS turned on in 10 min has done 370.

It is weird though. It will go through a bunch real fast then stop for 30 seconds, then it will go through a group then stop for a bit. But with TLS off it just runs runs runs runs..

Kind of like there is a service disruption and it has to reestablish itself.
Hmmm, you might increase the TCP timeout for the firewall rule. It's possible the TCP connection is timing out for TLS. Go to Firewall > Access Rules and select your rule for WAN to LAN rule. Then go to Advanced. Notice the TCP timeout and increase it. I usually take it to 60 min if I alter it.
tsukraw

ASKER

OK, I must be missing something. I tested running local to the server and it is super slow so it can't be a bandwidth issue. I set up a second FTP server on a completely different physical server and get the same results....Super slow with TLS on.

Are there any adjustments in FileZilla I should be looking at doing?
OK. I'm looking at a WIKI and it's indicating that the CPU plays a part in TLS as it will have to encrypt and decrypt. What key size are you using for TLS? A bigger key size will require the CPU to perform calculations possibly slowing things down.

http://wiki.filezilla-project.org/FTPS_using_Explicit_SSL/TLS_howto_%28Server%29
tsukraw

ASKER

Yeah, I saw that also.
All these systems are doing is running the FTP; they are brand new builds. One is a dual-core 2.13 GHz and the other is a quad-core 2.4 GHz, so I don't think CPU is affecting it. I have watched taskmgr and it almost never goes over 2-4% when FTP is running on the server.
True. I've done some searches and I can't seem to find anything on the matter. Your workstation end would have to encrypt/decrypt, or at least encrypt. Did you monitor the client as well?
tsukraw

ASKER

Yeah, client has better specs than the server. I tested with the client like 10 feet from the server on a 1gig connection to rule out bandwidth and same results....
I don't know then. This part of the issue has me stumped. If the connectivity is the same regardless of whether you go through the SW or not, then someone else might know better than me. Click the Request Attention link below your question above and ask a moderator to send out an alert and/or change your zones. This might attract some experts that may have an answer.
tsukraw

ASKER

The issue is with just directory listing, it looks. I am using "Super Flexible File Synchronizer" for this. It compares the local files to the FTP server copies. If I was to copy a it runs great, can't tell there are any issues at all. It is just comparing that takes forever, it looks like.
Looking at the app help, it looks like the area that's slow is where it enumerates the files/folders to build the list. Go to the link below and search for the section titled, "Building the file list takes too long". Not being familiar with the application, I can only suggest that.

http://www.superflexible.com/docs.htm
tsukraw

ASKER

This might be a dumb question.... PPTP VPN would hide all the FTP commands, correct? If I ran the FTP over a PPTP tunnel, that would essentially get me the same results with the FTP commands being hidden?
tsukraw

ASKER

More detail as to how I got it to work.