Solved

FTP SSL Nightmare

Posted on 2014-03-31
1,252 Views
Last Modified: 2014-04-02
I cannot get ftp to work over FTP.

Settings for SSL have been Allow, Require and Custom (Require for Auth / Require for Data Channel).

Firewall opens 21, 20, and 65400-65535 - the same ports are open in IIS.

With ftp-ssl I can connect but cannot list anything in the folder. It says 150 Opening ASCII mode data connection.

Tried via FileZilla. Again I can connect using passive mode - but get Error:
Connection timed out
Failed to retrieve directory listing

Please help
Question by:sparkis
7 Comments
LVL 65

Accepted Solution

by: btan (earned 2000 total points)
ID: 39969036
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.

Taking reference from the FileZilla configuration guide, below are points to note in the settings.

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

It is important to note that the server end has to support passive mode.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Some notes include

- If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like their customers to host servers and they may block ports with numbers under 1024.

- If you encounter "cannot open data connection" on a random basis (i.e., the ftp client can connect to the ftp server without problem for many connections until it encounters this problem), one possible reason may be that your client PC anti-virus software is configured to block outgoing connections on certain ranges of ports. When your ftp connections are running in pasv mode, the client-side outgoing ports are selected randomly and some of those randomly selected ports may be blocked by the anti-virus software. To identify this problem, read your anti-virus log on the client. In general, any software that can block certain ranges of outgoing ports (such as PC firewalls) can cause similar FTP grief.
LVL 65

Assisted Solution

by: btan (earned 2000 total points)
ID: 39969040
Another means, although not the best way: if you have a similar problem with FileZilla, and the problem persists even when the Windows Firewall is disabled, here is what you can test again:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.
LVL 57

Expert Comment

by:giltjr
ID: 39969153
You need to make sure the firewall policies are coded correctly.

Is the firewall on the "server" side or the "client" side?

If the firewall is on the server side, the firewall has to allow inbound TCP connections from any high port to the port range 65400-65535. I would also make the rule specific to the IP address used by the FTP server.

If the firewall is on the client side, then you need a rule that allows outbound TCP connections from any high port to the port range 65400-65535. I would still make the rule specific to the IP address used by the FTP server.
Author Closing Comment

by:sparkis
ID: 39970578
That is exactly what I did - I left the FTP server configured on port 21, forced implicit TLS over SSL and then made FileZilla connect using active mode. That worked!

Thanks,
LVL 57

Expert Comment

by:giltjr
ID: 39971007
That means that a firewall some place was not properly configured to allow the port range 65400-65535 through.
Author Comment

by:sparkis
ID: 39972648
No, it specifically is. I have the NAT rules set up w/ 21, 20 and 6500-65535 allowed.
LVL 57

Expert Comment

by:giltjr
ID: 39972856
Do you have the 65400-65535 range set up correctly?

For active FTP the server initiates the connection outbound to the client.
For passive FTP the client initiates the connection inbound to the server.

Active:
Client:>1023 <--------- Server:20

Passive:
Client:>1023 ---------> Server:65400-65535
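A small diagnostic added here as an example, not code from any of the participants above: it takes the 227/229 passive-mode replies a server sends (visible in the FileZilla log right before the "150 Opening ASCII mode data connection" line), computes the data port the client is about to connect to, and checks it against the 65400-65535 range the asker opened on the firewall and in IIS. It also flags the other classic cause of a listing timeout, a server behind NAT announcing its private LAN address in the 227 reply. The sample replies are constructed for the example; the port range is the one stated in the question.

```python
import ipaddress
import re

# Passive data-port range the asker opened on the firewall and in IIS
# (65400-65535, taken from the question). A data port announced outside
# this range will never reach the FTP service through that firewall.
ALLOWED_PASSIVE_RANGE = (65400, 65535)

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
# RFC 2428 "229 Entering Extended Passive Mode (|||port|)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

# RFC 1918 private ranges: a server behind NAT that announces one of these
# to an Internet client causes exactly the "connection timed out" symptom.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_passive_reply(line):
    """Return (host, port) that the server told the client to connect to.

    host is None for an EPSV reply: the client reuses the address of the
    control connection, so a NAT-rewritten address cannot appear there.
    """
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a 227/229 passive-mode reply: {line!r}")


def is_rfc1918(host):
    """True when host is a private (RFC 1918) IPv4 address."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918_NETS)


def diagnose_passive_reply(line, allowed_range=ALLOWED_PASSIVE_RANGE):
    """Return a list of problem codes for one passive-mode reply.

    An empty list means the data connection that follows should be allowed
    by a firewall opened for allowed_range and reachable from outside NAT.
    """
    host, port = parse_passive_reply(line)
    lo, hi = allowed_range
    findings = []
    if not lo <= port <= hi:
        findings.append("port-outside-allowed-range")
    if port < 1024:
        findings.append("privileged-port")
    if host is not None and is_rfc1918(host):
        findings.append("private-address-announced")
    return findings


# Constructed sample replies, as they would appear in a FileZilla log.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,255,140)",  # port 65420: in range
    "227 Entering Passive Mode (203,0,113,10,19,137)",   # port 5001: firewall drops it
    "227 Entering Passive Mode (192,168,1,20,255,140)",  # LAN address leaked through NAT
    "229 Entering Extended Passive Mode (|||65500|)",    # EPSV, port 65500: in range
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        host, port = parse_passive_reply(reply)
        findings = diagnose_passive_reply(reply) or ["none"]
        print(f"{reply}\n  -> host={host} port={port} findings={', '.join(findings)}")
```

If the announced port is outside the opened range, the fix is on the server (IIS FTP Firewall Support: set the data channel port range to match the firewall), not on the client; if a private address is announced, the server needs its external IP configured in the same place. When the server is correct and the client still times out, the remaining suspects are the client-side firewall or anti-virus blocking the outgoing connection, as btan's notes describe.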
