Solved

FTP SSL Nightmare

Posted on 2014-03-31
1,239 Views
Last Modified: 2014-04-02
I cannot get ftp to work over FTP.

Settings for SSL have been Allow, Require and Custom (Require for Auth / Require for Data Channel).

Firewall opens 21, 20, and 65400-65535; the same ports are open in IIS.

With ftp-ssl I can connect but cannot list anything in the folder. It says "150 Opening ASCII mode data connection."

Tried via FileZilla. Again I can connect using passive mode, but get the error:
Connection timed out
Failed to retrieve directory listing

Please help
Question by:sparkis
7 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39969036
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.

Taking reference from the FileZilla configuration, below are points to note in the settings.

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

It is important to note that the server end must support passive mode.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Some notes include:

- If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like their customers to host servers and they may block ports with numbers under 1024.

- If you encounter "cannot open data connection" on a random basis (i.e., the ftp client can connect to the ftp server without problem for many connections until it encounters this problem), one possible reason may be that your client PC anti-virus software is configured to block outgoing connections on certain ranges of ports. When your ftp connections are running in pasv mode, the client-side outgoing ports are selected randomly and some of those randomly selected ports may be blocked by the anti-virus software. To identify this problem, read your anti-virus log on the client. In general, any software that can block certain ranges of outgoing ports (such as PC firewalls) can cause similar FTP grief.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39969040
Another means, although not the best way: if you have a similar problem with FileZilla, and the problem persists even when the Windows Firewall is disabled, here is what you can test again:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39969153
You need to make sure the firewall policies are coded correctly.

Is the firewall on the "server" side or the "client" side?

If the firewall is on the server side, the firewall has to allow inbound TCP connections from any high port to the port range 65400-65535. I would also make the rule specific to the IP address used by the FTP server.

If the firewall is on the client side, then you need a rule that allows outbound TCP connections from any high port to the port range 65400-65535. I will still make the rule specific to the IP address used by the FTP server.
0
Author Closing Comment

by:sparkis
ID: 39970578
That is exactly what I did: I left the FTP server configured on port 21, forced implicit TLS over SSL and then made FileZilla connect using active mode. That worked!

Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39971007
That means that a firewall some place was not properly configured to allow the port range 65400-65535 through.
0
 

Author Comment

by:sparkis
ID: 39972648
No, it specifically is. I have the NAT rules set up with 21, 20 and 6500-65535 allowed.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39972856
Do you have the 65400-65535 range set up correctly?

For active FTP the server initiates the connection outbound to the client.
For passive FTP the client initiates the connection inbound to the server.

Active:
Client:>1023 <--------- Server:20

Passive:
Client:>1023 ---------> Server:65400-65535
0
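btan's notes on passive-mode port ranges and giltjr's active/passive diagram above together decide where the data connection goes and which firewall has to let it in. The following Python script is an added example, not code from this thread, from FileZilla or from IIS: it parses a PASV reply (`227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`) or a client PORT command, decodes the host and port (port = p1*256 + p2), reports which side must permit the inbound TCP connection, and flags the two things that produce the "connected, but directory listing times out" symptom from the question: a data port outside the 65400-65535 range the firewall opens, and a PASV reply advertising an address other than the one the client connected to (a NAT'd server that does not know its external IP; with FTPS the firewall cannot rewrite the reply because the control channel is encrypted). The sample lines, the 203.0.113.x / 198.51.100.x / 192.168.x addresses and the function names are constructed for this example.

```python
import re

# Passive data-port range from the question: the firewall and IIS both open 65400-65535.
PASSIVE_RANGE = (65400, 65535)

# Server reply in passive mode and client command in active mode (RFC 959 formats).
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """Turn the six decimal fields into ('a.b.c.d', port); the port is p1*256 + p2."""
    values = [int(f) for f in fields]
    if not all(0 <= v <= 255 for v in values):
        raise ValueError("every field must be in 0-255")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyze_data_channel(line, server_ip, allowed=PASSIVE_RANGE):
    """Describe the data connection a PASV reply or PORT command sets up.

    server_ip is the address the control connection went to.  Returns a dict
    with the mode, the host:port the data connection targets, which side's
    firewall must allow it inbound, and warnings explaining a likely hang.
    Returns None for any other line (e.g. the '150 Opening ...' reply).
    """
    lo, hi = allowed
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        warnings = []
        if not lo <= port <= hi:
            warnings.append(
                f"server chose data port {port}, outside the firewall range {lo}-{hi}")
        if host != server_ip:
            warnings.append(
                f"PASV advertises {host} but the control channel went to {server_ip}; "
                "a NAT'd server must be configured with its external IP, and on FTPS "
                "the firewall cannot rewrite the encrypted reply for you")
        return {"mode": "passive", "initiator": "client", "target": (host, port),
                "inbound_allowed_by": "server-side firewall", "warnings": warnings}
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        warnings = []
        if port <= 1023:
            warnings.append(f"client offered privileged port {port}; expected >1023")
        return {"mode": "active", "initiator": "server (from port 20)", "target": (host, port),
                "inbound_allowed_by": "client-side firewall", "warnings": warnings}
    return None


if __name__ == "__main__":
    # Constructed control-channel lines; 203.0.113.10 plays the FTP server's public address.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,255,144).",   # 65424: inside the range
        "227 Entering Passive Mode (192,168,1,5,39,232).",     # 10216 on a private IP: will hang
        "PORT 198,51,100,7,200,10",                            # active: server dials client:51210
        "150 Opening ASCII mode data connection.",             # not a data-channel negotiation
    ]
    for s in samples:
        result = analyze_data_channel(s, "203.0.113.10")
        print(s)
        if result is None:
            print("  (no data channel negotiated by this line)")
            continue
        host, port = result["target"]
        print(f"  {result['mode']}: {result['initiator']} connects to {host}:{port}; "
              f"inbound must be allowed by the {result['inbound_allowed_by']}")
        for w in result["warnings"]:
            print("  WARNING:", w)
```

Run it against lines copied from a FileZilla or ftp-ssl session log (with the real server address in place of 203.0.113.10) to see in one step whether the advertised port is one the firewall rule actually covers and whether the server is advertising the address the client can reach.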