Solved

FTP time-outs reported on Windows 2008 R2 Server

Posted on 2015-02-23
10
91 Views
Last Modified: 2015-07-01
Hi Folks

One of my customers is reporting timeouts when he is trying to upload files to his website on one of our 2008 R2 servers.
I asked him to make sure he's only set for one connection at a time and he says yes.

This is the annotated log he send me:

<I left it alone and went to have lunch - came back to the following tail:>
Status:    Sending keep-alive command
Command:    TYPE A
Response:    200 Type set to A.
Status:    Sending keep-alive command
Command:    PWD
Response:    257 "/coquettest/scripts" is current directory.
Status:    Sending keep-alive command
Command:    NOOP
Response:    200 NOOP command successful.
Error:    Disconnected from server: ECONNABORTED - Connection aborted
<no further output>

<I hit "refresh">
Status:    Resolving address of servername.co.uk
Status:    Connecting to 211.146.58.1:21...
Status:    Connection established, waiting for welcome message...
Response:    220 Microsoft FTP Service
Command:    USER coquettest
Response:    331 Password required for coquettest.
Command:    PASS ********
Response:    230 User logged in.
Command:    OPTS UTF8 ON
Response:    200 OPTS UTF8 command successful - UTF8 encoding now ON.
Status:    Connected
Status:    Retrieving directory listing...
Command:    CWD /coquettest/scripts
Response:    250 CWD command successful.
Command:    TYPE I
Response:    200 Type set to I.
Command:    PASV
Response:    227 Entering Passive Mode (211,146,58,1,232,58).
Command:    LIST
Response:    150 Opening BINARY mode data connection.
Response:    226 Transfer complete.
Status:    Directory listing successful

<I hit upload of the file i just edited>
Status:    Starting upload of \\nas-2\Public\CA\Website\Web
Root\coquetDev\scripts\strlib_HTML_Input.asp
Command:    TYPE A
Response:    200 Type set to A.
Command:    PASV
Response:    227 Entering Passive Mode (211,146,58,1,232,59).
Command:    STOR strlib_HTML_Input.asp
Response:    150 Opening ASCII mode data connection.
Error:    Connection timed out
Error:    File transfer failed
Status:    Resolving address of servername.co.uk
Status:    Connecting to 211.146.58.1:21...
Status:    Connection established, waiting for welcome message...
Response:    220 Microsoft FTP Service
Command:    USER coquettest
Response:    331 Password required for croquettest.
Command:    PASS ********
Response:    230 User logged in.
Command:    OPTS UTF8 ON
Response:    200 OPTS UTF8 command successful - UTF8 encoding now ON.
Status:    Connected
Status:    Starting upload of \\nas-2\Public\CA\Website\Web
Root\croquetDev\scripts\strlib_HTML_Input.asp
Command:    CWD /coquettest/scripts
Response:    250 CWD command successful.
Status:    Retrieving directory listing...
Command:    TYPE I
Response:    200 Type set to I.
Command:    PASV
Response:    227 Entering Passive Mode (211,146,58,1,232,60).
Command:    LIST
Response:    150 Opening BINARY mode data connection.
Response:    226 Transfer complete.
Status:    Skipping upload of \\nas-2\Public\CA\Website\Web
Root\coquetDev\scripts\strlib_HTML_Input.asp
Status:    File transfer successful, transferred 3,842 bytes in 1 second
Status:    Sending keep-alive command

<server has created zero length file - I delete it...>
Command:    TYPE I
Response:    200 Type set to I.
Command:    DELE strlib_HTML_Input.asp
Response:    250 DELE command successful.

<and upload>
Status:    Starting upload of \\nas-2\Public\CA\Website\Web
Root\croquetDev\scripts\strlib_HTML_Input.asp
Command:    TYPE A
Response:    200 Type set to A.
Command:    PASV
Response:    227 Entering Passive Mode (211,146,58,1,232,61).
Command:    STOR strlib_HTML_Input.asp
Response:    550 Access is denied.
Error:    Critical file transfer error

Makes no sense to me but if there is a way to help stop this from happening, I'd be grateful for any advice.

Cheers
Chris
0
Comment
Question by:kenwardc
  • 4
  • 4
10 Comments
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40653646
Can you get the ftp log files from the destination server, to see what they say?  You would only need the entries that correspond to your ftp actions above.  

As for the first timeout.... you opened a ftp session, hit a noop, then walked away.  I guess your session timed out due to no activity.  This I fine normal.  As a server admin, I don't want session sitting open with no activity, typical session timeout is around 600 seconds (5 min).

The second session log most likely  is a permission issue on the ftp server.  You need to verify that the ftp account has the proper ACLs set on the destination directory.  My guess is that the ftp account may have write but not delete permissions.

Either way, this is an issue on the ftp server.  You need to verify that NTFS permissions on the directory object where the user is trying to write/delete a file.

Dan
0
 

Author Comment

by:kenwardc
ID: 40653671
Hey Dan

I think I may have it narrowed down to passive local ports on the firewall. I realised that when I FTP files up to any of our servers in the rack, I have no problems. However, it dawned on me that my IP address is in our "trusted" list so I am able to use any port without an issue. This obviously doesn't apply to people outside our trusted list of IPs.

So after a little digging I came across some articles on the web talking about these ports which, if not used and set in the firewall, could cause timeouts. I have opened ports 30000 - 35000 on the firewall and asked the customer whether he can try again and will find out if I was right as soon as he lets me know.

What do you think? Could this indeed be the reason for the problem?

Cheers
Chris
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40653768
I think that opening 5000 inbound ports to the outside world is an extremely dangerous action.  Before playing with the configuration of the firewall, I would look into the most likely source of the issue... IIS (ftp, http).

I would have liked to have looked into the ftp logs to see what's happening.  I am still of the opinion that there is a permissions issue.  This single statement in the original post, speaks volumes to me:

Response:    550 Access is denied.

This statement is an obvious error.  This could be caused by a couple of things.  I'll list a few as a thought experiment:

1. the file is being held open/locked by another process and cannot be updated/deleted (read:  the ASP app could do this)
2. there exists an NTFS permissions issue for the user doing the ftp
3. there could be a filter on the ftp server preventing the upload of certain file extensions
4. there could be virus scanning software doing a block on the file

What happens is the ftp client establishes a connection on ports 20/tcp and 21/tcp to start the ftp process.  depending on how the client is configured, it will either stay on the default defined ports or if set for passive, it will negotiate with the server for alternate high ports to continue the process on (very simplified explanation).  Most firewalls can handle this without having to open all higher ports because a session has been established.  I've never had to open 5000 inbound ports on a firewall to allow ftp to work (active or passive).

Dan
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:kenwardc
ID: 40683156
Dan I'm stumped. I've just put in a brand new firewall without the open ports and we are still getting the same issue. I agree with you - I've never had to open such a broad range of ports either. How can I help you help me - can I send you logs? Let me know?

Apologies for the delay - we've been so hectic that I haven't had time to get back to this issue.

Cheers
Chris
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40684630
Chris, it would be really helpful to see the corresponding ftp logs.  It would also be helpful to know how IIS and the ftp service is configured.

Dan
0
 

Accepted Solution

by:
kenwardc earned 0 total points
ID: 40692410
Dan, it looks as though we've managed to get it to work on one of the Windows 2008 R2 servers. To do that we had to reconfigure the ports on the firewall 30000-35000 and for some reason the FTP package was expecting to see the firewall IP address which of course it was never going to do as the firewall is just routing the packets to the Windows Server.

This is all very odd. I've never had to mess about like this before to get FTP working.

I'm now going to test this on two other 2008 R2 servers and also on a couple of legacy servers (2003 and 2000) to see whether they're all messing about. I'll drop some feedback in here once done.

Where would I be able to copy the IIS FTP configuration to you from in text form?

Cheers
Chris
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40695451
Article on how to export the ftp config:

link: http://forums.iis.net/p/1222090/2095598.aspx?How+to+export+FTP+configuration

Dan
0
 

Author Comment

by:kenwardc
ID: 40703230
Hi Dan

Will get on that over the weekend. Many thanks for persevering with this one.

Cheers
Chris
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40861249
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question