FTP/Windows 7 Firewall - Filezilla Control Socket Error

dcass
Hi -
I gave up on Windows FTP, am now attempting to get FileZilla server working.  Spent too many hours on this and would like some help with:
Error:      Connection timed out
Trace:      CFtpControlSocket::ResetOperation(2114)
Trace:      CControlSocket::ResetOperation(2114)
Error:      Could not connect to server

Checked out Google - says it's trying on active but it's set to passive.
Using Windows Firewall - added Filezilla entry  - settings: Allow the Connection,
All Programs, All Computers, Any Protocols (all ports), Scope - restricted to my remote IP (static), Advanced- Domain, Private, Public, No specific users.

FileZilla server log:
Closing all listening sockets
Creating listen socket on port 50000...
Listen socket port changed

FileZilla server settings:
Listen on 50000 to 50100 - rest defaults
No IP Bindings
No IP Filter
Passive - 50000 to 50100
Retrieve IP from http://ip.filezilla-project.org/ip.php  ????  Why did they suggest this?
Block incoming & outgoing server to server transfers
All else is defaults

FileZilla Client settings:
Settings: Passive, Allow Fallback
Use the Servers external IP Address
Active: Don't use external IP address on local connections
Active: Use ports: 50000 - 50100

Filezilla Test:
More Info:
Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.5.3
Response: 230 logged on.
Checking for correct external IP address
IP 99.999.99.999 (my IP hidden)
Response: 200 OK
PREP 50062
Response: 200 Using port 50062, data token 1073258773
PORT 99,999,99,999,195,142  - 9's are my external IP (hidden) why is it using these ports?  they change every time.
Connection lost
Connection closed

Thanks for any help -
Top Expert 2016

Commented:
PORT 99,999,99,999,195,142  - 9's are my external IP (hidden) why is it using these ports?  they change every time

Normal for PASV FTP; perhaps you should look at http://slacksite.com/other/ftp.html so you know the difference.

Just for testing try connecting using your local ip address to eliminate any NAT errors
if things work to your satisfaction..

now configure your router to allow tcp/udp traffic incoming port 21 and forward it to your internal ip, it will autoconfigure from there.

Author

Commented:
I connected on the server to the Filezilla server - no problem.
Went back to client, turned off all firewalls - exact same error.
Have a router on both ends - must be set up wrong.
Can you tell me what that error means and what ports should be open where and where they should be entered?

You need to forward port 21 in the router to the ip address of your FileZilla server on the server end.  You shouldn't need to do anything at the client end.
http://www.instructables.com/id/Setting-up-an-FTP-server-using-filezilla/?ALLSTEPS

Author

Commented:
I checked, rechecked, had someone else check - all the necessary ports are open.
I'm thinking I just didn't set up the Filezilla server correctly.
Also, it keeps saying a password is required and I did enter a password and I've done it many times and I know it's correct, but it's like it's not seeing that I even entered the password.

Author

Commented:
OK - let me run down the ports because it's completely ignoring the password I'm inputting.  I don't know what else to do.
On the server, I have Filezilla General Settings to listen on these ports:
21, 14147, 50000 but wanted 50000-50100 - won't let me input the range - rest are defaults.
All tabs are defaults until Passive Mode - use custom ports 50000-50100.
I set to use the following IP address set to the IP of the server.
All the rest is defaults.

On the Windows firewall, I have incoming ports:
TCP,
Local: 50000-50100, 21, 14147
Remote: 6000-6010
But I did not set up a rule for any outgoing.

On the server router, I have 21, 6000-6010 open and ever since I installed Filezilla, I have to have the co-lo reset the router (10.10.1.1) because I can't access it - it just eventually times out - I've seen this as a problem on the net before.  I can't use FZ if it's causing  this problem!

Then on my Vipre firewall on my PC, I have an application rule to allow Filezilla exe any port in or out.  I have turned this completely off and have the same problems.  

On the local router, I have 21, 6000-6010 and 14147 open.

What else can I do?
Top Expert 2016

Commented:
On the server, I have Filezilla General Settings to listen on these ports:
21, 14147, 50000 but wanted 50000-50100 - won't let me input the range - rest are defaults.


Get rid of 14147 and 50000 from the general settings just use port 21, custom pasv is ok but not needed.

Client settings leave at the defaults, allow outgoing port 21, don't worry about incoming as the ftp client is the originator of the requests.

On the server router, I have 21, 6000-6010 open and ever since I installed Filezilla, I have to have the co-lo reset the router (10.10.1.1) because I can't access it - it just eventually times out - I've seen this as a problem on the net before.  I can't use FZ if it's causing  this problem!


Again, only 21 needs to be open and port forwarded to the IP address of the machine that has the FTP server (don't worry about the rest).

Which router are you using?

Why did you not just set it up to the defaults, test locally via command line ftp, then try using the external address? Only after everything works, then start customizing; after each change, test.

Author

Commented:
Did start with all defaults and put it all back to them - same error no matter what I do - it does not recognize that I've typed in a password.

Again - if I use the client on the server, it connects but only if I use localhost, not the ip  - maybe it can't find my host ip from the client (yes, I'm sure I'm using the right IP - double checked)?  I'm just using my IPaddress on the client to connect.  That's gotta be it - what to do?  
I can't ping the ip.

Don't know what I did, but am now getting this error even connecting to localhost.

Don't know if this has anything to do with it, but I have both the FTP and the Retank folder in IIS using FTP Authentication - Basic with this error:

Status:      Resolving address of localhost
Status:      Connecting to [::1]:21...
Status:      Connection established, waiting for welcome message...
Trace:      CFtpControlSocket::OnReceive()
Response:      220 Microsoft FTP Service
Trace:      CFtpControlSocket::SendNextCommand()
Command:      USER Retank
Trace:      CFtpControlSocket::OnReceive()
Response:      331 Password required for Retank.
Trace:      CFtpControlSocket::SendNextCommand()
Command:      PASS ***********
Trace:      CFtpControlSocket::OnReceive()
Response:      530-User cannot log in.
Response:       Win32 error:   The specified domain either does not exist or could not be contacted.
Response:       Error details: Home directory lookup failed.
Response:      530 End


When set to IisManagerAuth, I get a different error:
Response:      331 Password required for Retank.
Trace:      CFtpControlSocket::SendNextCommand()
Command:      PASS ***********
Trace:      CFtpControlSocket::OnReceive()
Response:      530-User cannot log in.
Response:       Win32 error:   Access is denied.
Response:       Error details: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
Response:       Error: Cannot read configuration file due to insufficient permissions

But I gave WMSVC full permissions to this file.

But all this sounds like it's trying to use IIS instead of Filezilla, so I removed all FTP from IIS and then I get this error:
Status:      Resolving address of localhost
Status:      Connecting to [::1]:21...
Status:      Connection attempt failed with "ECONNREFUSED - Connection refused by server", trying next address.
Status:      Connecting to 127.0.0.1:21...
Status:      Connection attempt failed with "ECONNREFUSED - Connection refused by server".

I'll bet the MS FTP service is still running. Run SERVICES.MSC, stop it, and then set it to manual startup.
Now what does FileZilla do?
There isn't another local PC so you could try FTP://192.168.0.10:21<server's ip> to test?

Author

Commented:
Unfortunately, no I don't have another local server or PC to test on.  If that will help, I'll go up to the co-lo on Tuesday and have one set up, but right now, stopping MS FTP helped a lot.
Things are running much better - it's accepting the user name and password, verifying the IP, but still not finishing the connection - the test results are:

Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.5.3
Response: 230 logged on.
Checking for correct external IP address
IP 99.999.99.999 (local IP)
Response: 200 OK
PREP 6008
Response: 200 Using port 6008, data token 250579668
PORT 99,999,99,999,23,120
Connection lost
Connection closed

Do I need to have port 6008 open on the server firewall/router or the client firewall/router?  What about ports 23 & 120?

21 ought to be all you need and, if you go to http://www.mywanip.com , it will display your public ip which you need to set in the "external IP" box in FileZilla.

Author

Commented:
It's showing that the IP is correct in the error message and I know 21 is open everywhere.
Please take a look at my system setup (all with fixed IP):
Client Filezilla is set to passive, but if it tries active, set to use port 6000-6010.  All else is default.
Server Filezilla - edit settings: Passive mode settings: custom port range 50000-50100, use IP xx.xx.xx.210 - all else default.

Server (using xx.xx.xx.210):
  Windows firewall - added new inbound, Filezilla: all ports, local and remote with Programs and Services set to "%ProgramFiles% (x86)\FileZilla Server\FileZilla server.exe" and added an outbound one exactly the same.
I disabled the default FTP inbound ( I've tried with it enabled).

Server  Router (Netgear - 10.10.1.1) - set up 3 rules just to cover all the bases.
Under DHCP addresses:
10.10.1.12 - no device name
10.10.1.11 - the web server (Windows 2008 R2) that I'm working with here
FTP rules - TCP 21, 50000-50100 and 6000-6010 - all to 10.10.1.11
Router msg on attempt:
Sun, 2012-05-27 11:13:28 - TCP packet - Source: 99.99.999.234 - Destination: xx.xx.xx.210 - [Service access request successful Src 55641 Dst 21 from WAN]

Client  Router (Linksys - http://192.168.0.1) -       
IP Address :        10.10.5.2
Gateway: 10.10.5.1
FTP rules - TCP 20,21,  6000-6010 - all to http://192.168.0.1


Client  Router (Netgear - 10.10.5.1) .
Under DHCP addresses:
10.10.5.2 - no device name
IP Address - 99.99.99.241
FTP rules - inbound: TCP 20,21, 6000-6010 - to 10.10.5.5 (that's where http is pointed) but also tried 10.10.5.2.

The Netgears are supposed to talk to each other but because of an IKE setting (IP address) that I cannot change, they do not.

The Filezilla log on the client is completely empty.

Filezilla attempt error now:
12:12:24      Status:      Connecting to xx.xx.xx.210:21...
12:12:45      Status:      Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
12:12:45      Trace:      CRealControlSocket::OnClose(10060)
12:12:45      Trace:      CControlSocket::DoClose(64)
12:12:45      Trace:      CFtpControlSocket::ResetOperation(66)
12:12:45      Trace:      CControlSocket::ResetOperation(66)
12:12:45      Error:      Could not connect to server

I upped the connection timeout to 30 seconds - no change.

Get rid of all of the port forwarding in the client routers.  The ones you set in the Linksys won't ever work anyway.
And, from the client system, go to FTP://<MYWANIP-ADDRESS> in IE to test it.
Top Expert 2016

Commented:
There is NO reason at all on a client machine to set up any forwarding at all. The router already knows which machine has initiated the connection. The port forwarding rules are for unsolicited inbound connections ONLY.

On the SERVER, disable any other FTP server software other than FileZilla server.
From the command prompt on the server, type:
ftp
o localhost
Do you see the FileZilla banner?

Do you also see the connection in the FileZilla FTP server?

as shown in this small video

Author

Commented:
There is no other ftp software enabled.  
Closing ports doesn't help the problem.

Turned Windows Firewall off (but can't stop service because that interrupts remote connection) - inbound rule allowing all ports for program filezilla.exe is not working, so turning it off allowed me to get further.

I was able to connect from IE once but cannot now - something needs resetting - I restarted IIS and Filezilla, & rebooted Netgear router but still can't connect again, but it only connected - did not show directory listing.

Error:
FTP FZ Server (I ran this from http://ftptest.net, but is the same from my IP):
(000007)5/28/2012 7:26:05 AM - (not logged in) (62.75.138.232)> PASS ***********
(000007)5/28/2012 7:26:05 AM - rethink (62.75.138.232)> 230 Logged on
(000007)5/28/2012 7:26:05 AM - rethink (62.75.138.232)> SYST
(000007)5/28/2012 7:26:05 AM - rethink (62.75.138.232)> 215 UNIX emulated by FileZilla
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> FEAT
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 211-Features:
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  MDTM
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  REST STREAM
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  SIZE
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  MLST type*;size*;modify*;
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  MLSD
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  UTF8
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  CLNT
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)>  MFMT
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 211 End
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> PWD
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 257 "/" is current directory.
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> TYPE I
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 200 Type set to I
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> PASV
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 227 Entering Passive Mode (68,90,69,210,195,86)
(000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> disconnected.

Why does it have "/" is the current directory when it's set (as home folder) to Rethink?

FTPTest says:
Error: Could not read from socket: Connection reset by peer
    A common cause for this problem are broken routers and/or firewalls that interrupt the connection.
    Some broken or badly configured servers can also interrupt the connection prematurely.

Could it be a timeout on the router?  TCP is 600 seconds, UDP is 75.


From FZ Client:
07:16:44      Command:      USER Rethink
07:16:44      Trace:      CFtpControlSocket::OnReceive()
07:16:44      Response:      331 Password required for rethink
07:16:44      Trace:      CFtpControlSocket::SendNextCommand()
07:16:44      Command:      PASS ***********
07:16:44      Trace:      CFtpControlSocket::OnReceive()
07:16:44      Response:      230 Logged on
07:16:44      Status:      Connected
07:16:44      Trace:      CFtpControlSocket::ResetOperation(0)
07:16:44      Trace:      CControlSocket::ResetOperation(0)
07:16:44      Trace:      CFileZillaEnginePrivate::ResetOperation(0)
07:16:44      Status:      Retrieving directory listing...
07:16:44      Trace:      CFtpControlSocket::SendNextCommand()
07:16:44      Trace:      CFtpControlSocket::ChangeDirSend()
07:16:44      Command:      PWD
07:16:44      Trace:      CFtpControlSocket::OnReceive()
07:16:44      Response:      257 "/" is current directory.
07:16:44      Trace:      CFtpControlSocket::ResetOperation(0)
07:16:44      Trace:      CControlSocket::ResetOperation(0)
07:16:44      Trace:      CFtpControlSocket::ParseSubcommandResult(0)
07:16:44      Trace:      CFtpControlSocket::ListSubcommandResult()
07:16:44      Trace:        state = 1
07:16:44      Trace:      CFtpControlSocket::SendNextCommand()
07:16:44      Trace:      CFtpControlSocket::TransferSend()
07:16:44      Trace:        state = 1
07:16:44      Command:      TYPE I
07:16:44      Trace:      CFtpControlSocket::OnReceive()
07:16:44      Response:      200 Type set to I
07:16:44      Trace:      CFtpControlSocket::TransferParseResponse()
07:16:44      Trace:        code = 2
07:16:44      Trace:        state = 1
07:16:44      Trace:      CFtpControlSocket::SendNextCommand()
07:16:44      Trace:      CFtpControlSocket::TransferSend()
07:16:44      Trace:        state = 2
07:16:44      Command:      PASV
07:16:51      Trace:      CRealControlSocket::OnClose(10053)
07:16:51      Error:      Disconnected from server: ECONNABORTED - Connection aborted
07:16:51      Trace:      CControlSocket::DoClose(64)
07:16:51      Trace:      CFtpControlSocket::ResetOperation(66)
07:16:51      Trace:      CControlSocket::ResetOperation(66)
07:16:51      Trace:      CFtpControlSocket::ResetOperation(66)
07:16:51      Trace:      CControlSocket::ResetOperation(66)
07:16:51      Error:      Failed to retrieve directory listing
07:16:51      Trace:      CFileZillaEnginePrivate::ResetOperation(66)
07:19:33      Trace:      CFileZillaEnginePrivate::ResetOperation(0)

Router log:
Mon, 2012-05-28 08:06:52 - TCP packet - Source: [myIP]- Destination: [serverIP] - [Service access request successful Src 58919 Dst 21 from WAN]


This is NOT a virtual directory and it is set up in IIS correctly and has an index.html and has permissions: Authenticated Users, System, Administrators, IIS_IUSRS.

FZ is set to all defaults except for Passive to use ports 50000-50100 and those ports are open on server router (firewall is off).

Please Help if you can.  Must have some form of FTP working by tomorrow.
Please advise as to other products instead of Filezilla.

Author

Commented:
So - since I followed all the directions, turned off the server firewall, made sure the router was passing the request successfully and it's still timing out (disconnecting) - where would I look for a timeout?  Would it be on the router, the server itself or the client or client router/firewall?

1.  The instructions for setting up the Windows Firewall explicitly say to use the Browse button and navigate to the FileZilla server executable.  Do not pick it from the list.

2.  FTP Test thinks your server is at 62.75.138.232; but FileZilla has been set to 68.90.69.210.  They have to match each other and that is why it disconnects.  Did you check the MYWANIP entry on the server?

Author

Commented:
1) That's exactly what I did but Windows Firewall is off now.
2) That's the FROM IP - not the FTP server IP and yes, I did.
It connects fine - something is disconnecting it before it (or when it attempts) to list the directory.

No, the internal FileZilla ip (that you entered) and the external WAN ip have to match or it disconnects as soon as it tries to enter passive mode.
The first four digit sets of this message are where that ip is found: (000007)5/28/2012 7:26:06 AM - rethink (62.75.138.232)> 227 Entering Passive Mode (68,90,69,210,195,86)

Author

Commented:
OK -
On the FTP Server, on Passive Mode,  Use the following IP = 68.90.69.210.
The Wan is 68.90.69.210 - it's on the router and I ran a check.
On the client, I have (on Passive) to use the server's external IP - it doesn't let you put in an IP there.
I'm connecting using that IP as the host on the client, along with the username and password.

I see your point - when it goes to Passive, it disconnects.
So I don't know where else to enter it.

In active mode, it won't display the contents of the folder, but it let me create a new folder, so that looks like a permissions problem, but I've shared the directory and also given Authenticated Users, System, Administrators, and IIS_IUSRS full control.

In Passive mode:
When I run it from my laptop I get my laptop IP (changed it for security purposes):
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> Connected, sending welcome message...
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> 220-FileZilla Server version 0.9.41 beta
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> 220 Welcome to CSI
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> USER Rethink
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> 331 Password required for rethink
(000013) 5/28/2012 13:17:23 PM - (not logged in) (99.999.99.234)> PASS ***********
(000013) 5/28/2012 13:17:23 PM - rethink (99.999.99.234)> 230 Logged on
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> PWD
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> 257 "/" is current directory.
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> TYPE I
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> 200 Type set to I
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> PASV
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> 227 Entering Passive Mode (68,90,69,210,195,92)
(000013) 5/28/2012 13:17:24 PM - rethink (99.999.99.234)> disconnected.
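
The six numbers in the PORT commands and 227 replies quoted in this thread are h1,h2,h3,h4,p1,p2: the first four are the IP address and the data port is p1*256+p2. The Python below is an added example, not part of any post in the thread; decode() and review() are hypothetical helper names, the last sample line is constructed, and 203.0.113.7 is a placeholder for the masked client address.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by "PORT ..." (active) and "227 ... (...)" (passive).
FTP_TUPLE = re.compile(r"(PORT |227 Entering Passive Mode \()(\d+(?:,\d+){5})")


def decode(line):
    """Return the mode, host and data port encoded in one log line, or None."""
    m = FTP_TUPLE.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.group(2).split(",")]
    host, (p1, p2) = nums[:4], nums[4:]
    return {
        "kind": "active" if m.group(1) == "PORT " else "passive",
        "host": ".".join(str(n) for n in host),
        # Octets above 255 mean the address was masked before posting.
        "host_valid": all(n <= 255 for n in host),
        # The port travels as two bytes: high byte first, then low byte.
        "port": p1 * 256 + p2 if p1 <= 255 and p2 <= 255 else None,
    }


def review(line, expected_ip, port_range):
    """Compare one log line with the configured address and data-port range."""
    d = decode(line)
    if d is None:
        return []
    lo, hi = port_range
    notes = [f"{d['kind']} data endpoint {d['host']}:{d['port']}"]
    if not d["host_valid"]:
        notes.append("host octets out of range (masked); address not compared")
    elif d["host"] != expected_ip:
        notes.append(f"advertised host differs from expected {expected_ip}")
    if d["port"] is None:
        notes.append("port bytes out of range")
    elif not lo <= d["port"] <= hi:
        notes.append(f"port outside configured range {lo}-{hi}")
    return notes


# Lines 1-4 are copied from the thread; line 5 is constructed to show a server
# that advertises its LAN address and a port outside the passive range.
# 203.0.113.7 is a placeholder for the masked client address.
SAMPLES = [
    ("PORT 99,999,99,999,195,142", "203.0.113.7", (50000, 50100)),
    ("PORT 99,999,99,999,23,120", "203.0.113.7", (6000, 6010)),
    ("227 Entering Passive Mode (68,90,69,210,195,86)", "68.90.69.210", (50000, 50100)),
    ("227 Entering Passive Mode (68,90,69,210,195,92)", "68.90.69.210", (50000, 50100)),
    ("227 Entering Passive Mode (10,10,1,11,4,1)", "68.90.69.210", (50000, 50100)),
]

if __name__ == "__main__":
    for line, ip, ports in SAMPLES:
        print(line)
        for note in review(line, ip, ports):
            print("   ", note)
```

For a 227 reply the decoded port is one the server-side router and firewall must pass through to the FTP server; for a PORT command it is a port on the client side that the server connects back to.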

Author

Commented:
I've read that over and over and everything looks right to me - but I'm not a systems person.  I'm just trying to get it working for a demo tomorrow - in passive mode.
Top Expert 2016
Commented:
I've never had the trials and tribulations that you are having.  Install the server, setup port forwarding from the router to the serving machine, open the firewall for the server.

a 5 minute operation now to add more users and groups. The only time I've ever had problems is when the ISP blocked a common usage port i.e. 21
