Solved

FTP SSL Nightmare

Posted on 2014-03-31
7
1,193 Views
Last Modified: 2014-04-02
I cannot get ftp to work over FTP.

Settings for SSL have been Allow, Require and Custom (Require for Auth / Require for Data Channel).

Firewall opens 21,20, and 65400-65535 - same ports are open in IIS

ftp-ssl I can connect but cannot list anything in the folder. Says 150 Opening ASCII mode data connection.

Tried via FileZilla. Again I can connect using passive mode, but get an error:
Connection timed out
Failed to retrieve directory listing

Please help
0
Question by:sparkis
7 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39969036
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.

Taking reference to the FileZilla configuration, below are points to note in the settings.

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

It is important to note that the server end has to support passive mode.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Some notes include:

- If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like their customers to host servers and they may block ports with numbers under 1024.

- If you encounter "cannot open data connection" on a random basis (i.e., the ftp client can connect to the ftp server without problem for many connections until it encounters this problem), one possible reason may be that your client PC anti-virus software is configured to block outgoing connections on certain ranges of ports. When your ftp connections are running in pasv mode, the client-side outgoing ports are selected randomly and some of those randomly selected ports may be blocked by the anti-virus software. To identify this problem, read your anti-virus log on the client. In general, any software that can block certain ranges of outgoing ports (such as PC firewalls) can cause similar FTP grief.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39969040
Another means, although not the best way, is the following: if you have a similar problem with FileZilla, and the problem persists even when the Windows Firewall is disabled, here is what you can test again:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39969153
You need to make sure the firewall policies are coded correctly.

Is the firewall on the "server" side or the "client" side?

If the firewall is on the server side, the firewall has to allow inbound TCP connections from any high port to the port range 65400-65535. I would also make the rule specific to the IP address used by the FTP server.

If the firewall is on the client side, then you need a rule that allows outbound TCP connections from any high port to the port range 65400-65535. I would still make the rule specific to the IP address used by the FTP server.
0

 

Author Closing Comment

by:sparkis
ID: 39970578
That is exactly what I did - I left the FTP server configured on port 21, forced implicit TLS over SSL and then made FileZilla connect using active mode. That worked!

Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39971007
That means that a firewall some place was not properly configured to allow the port range 65400-65535 through.
0
 

Author Comment

by:sparkis
ID: 39972648
No, it specifically is. I have the NAT rules set up w/ 21, 20 and 6500-65535 allowed.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39972856
Do you have the 65400-65535 set up correctly?

For active FTP the server initiates the connection outbound to the client.
For passive FTP the client initiates the connection inbound to the server.

Active:
Client:>1023 < --------- Server:20

Passive:
Client:>1023 -----------> Server:65400-65535
0
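The accepted solution and giltjr's last comment both come down to the same check: in passive mode the server tells the client, inside the 227 reply, which address and port to open the data connection to, and that announced port must fall inside the range the server-side firewall/NAT forwards (65400-65535 in this question). Because the control channel is encrypted with FTPS, a NAT device cannot read the PASV reply and open the port dynamically, so the static range and the advertised external address have to be right. The following added example (not code from the thread or from FileZilla) parses a captured 227/229 reply and reports the two classic causes of "150 Opening ... / connection timed out": a data port outside the forwarded range, and a private LAN address advertised to a client that reached the server on its public address. The reply strings and addresses are constructed for illustration; the range constant is the one from the question.

```python
import ipaddress
import re

# Passive data-port range the question's firewall and IIS are configured for.
PASSIVE_RANGE = (65400, 65535)

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port is sent as two octets
    return host, port


def parse_epsv(reply):
    """Return the data port from a 229 reply, or None if it does not parse."""
    m = EPSV_RE.match(reply.strip())
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port <= 65535 else None


def check_passive_reply(reply, control_host, allowed_range=PASSIVE_RANGE):
    """List the reasons a client could fail to open the passive data connection.

    control_host is the address the client used for the control connection
    (port 21).  An empty list means the reply looks consistent with the
    firewall configuration described by allowed_range.
    """
    problems = []
    parsed = parse_pasv(reply)
    if parsed is None:
        port = parse_epsv(reply)
        if port is None:
            return ["unparseable passive reply: %r" % reply]
        host = control_host  # EPSV reuses the control-connection address
    else:
        host, port = parsed

    lo, hi = allowed_range
    if not lo <= port <= hi:
        problems.append(
            f"data port {port} is outside the forwarded passive range {lo}-{hi}"
        )

    advertised = ipaddress.ip_address(host)
    control = ipaddress.ip_address(control_host)
    if advertised != control:
        if advertised.is_private:
            problems.append(
                f"server advertised LAN address {host} to a client that "
                f"connected to {control_host}; the NAT device is not rewriting "
                f"the PASV reply and the server has no external address set"
            )
        else:
            problems.append(
                f"advertised address {host} differs from control address {control_host}"
            )
    return problems


if __name__ == "__main__":
    # Constructed replies for a server reached at 203.0.113.10 (documentation range).
    samples = [
        "227 Entering Passive Mode (203,0,113,10,255,160).",  # port 65440, OK
        "227 Entering Passive Mode (192,168,1,20,255,160).",  # LAN address leaked
        "227 Entering Passive Mode (203,0,113,10,25,100).",   # port 6500, not forwarded
        "229 Entering Extended Passive Mode (|||65500|)",     # EPSV, OK
    ]
    for s in samples:
        print(s, "->", check_passive_reply(s, "203.0.113.10") or ["OK"])
```

Run it against the 227 line your client logs (FileZilla shows it in the message log). A non-empty result tells you whether to look at the port range on the firewall/NAT or at the external-IP setting on the server; an empty result with a listing that still times out points at the client side, which is what the other comments in this thread cover.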
