vehastings asked:
Issue with transferring files to filezilla server running ftp over tls - behind watchguard router - works fine if just ftp

Hi,

I have a server running FileZilla Server which is configured with FTP over TLS.

I know this server is fine because I can connect and upload files fine from a number of locations. However I have an issue in one particular location behind a WatchGuard firewall.

The connection establishes successfully and sometimes it can upload a file or part of a file before it fails when configured to ftp over tls.
If I change to ftp it works fine.

I have read that this can sometimes be an MTU issue but don't know how or where to change this. Please can anyone shed light on this.

Attached is the filezilla server log and errors it sees.
masnrock:

Have their network people check the rule allowing outbound FTPS traffic and make sure that it is above the FTP proxy rule. That should prevent some of the proxying that could be breaking the connection.
vehastings (asker):

Hi, it is at the top of the list. I have tried using SFTP now and again it disconnects before finishing an upload. It is definitely not the FTP server as I can use both FTP over TLS and SFTP from a number of different locations without issues. Any more insight would be appreciated - is it possible it is an MTU issue, as I have seen mentioned?

Where would I change the MTU - on the client computer or on the WatchGuard firewall?

Valerie.
If you need to adjust the MTU, do it at the firewall. That also assumes the problem is occurring for every computer that needs to do that upload. Is there more than one machine that you've tried and seen the problem on?

Also, is your network person able to see a log of the traffic? That might give you the most clues.
Yes, it is occurring on more than one computer on the network.
Do you think it could be MTU?

Re. logs, are you talking about the WatchGuard logs or network monitor logs from the client machines and server?
Ideally both, but especially the log for the WatchGuard. I won't be shocked if it's trying to hit some ports that you don't have open. What ports did you open up?
Hi,
The FTP server is passive and I have opened all the ports and in fact allowed all traffic to the particular IP of the FTP server. I did look at the logs and saw the connection being made and disconnected but no further clues.

Any suggestions?

Valerie.
Try using Extended Passive Mode on the client.
Hi,
Not sure what this is, but the same client works in other locations with the same settings. Any other suggestions?
It's only a setting difference, not a change of software. But if you're able to get your hands on the logs from the client behind the Watchguard, would it be possible for you to post here? Be sure to redact out any sensitive information before posting.
Hi, will try to get the logs today. I presume you want WatchGuard and Netmon logs?
Watchguard, Netmon, and even Filezilla.
Ok, here are the logs.

ftp-tls - shows the Netmon log from the client
filezilla-ftpovertls - shows the log from FileZilla

Interestingly there were no entries in the WatchGuard log for this ftp-tls connection.

However, when I did a normal FTP transfer the WatchGuard log showed the connection. See also attached the Netmon (ftp-working) and WatchGuard (ftp-working-watchguard) logs for the successful FTP upload (not using TLS).

On the WatchGuard I enabled logging for network diagnostics and HTTPS. Not sure if there are any others I should have included?

Valerie.
filezilla-ftpovertls.txt
ftp-tls.txt
ftp-working.txt
ftp-working-watchguard.txt
A few possible causes. But I think we are getting warmer. Possible to get a log from the server of that connection?
Do you mean the server hosting FileZilla?
You're using FileZilla Server? Then yes, from there. FileZilla should have some sort of log of the connections and transfers.
If it is the FileZilla log then I have already attached it - filezilla-ftpovertls.txt.
What version is installed on the system behind the WatchGuard? It could possibly be a case of a bug that's rearing its head, but I need more info to get a better idea.
Same FTP client version on both the working and non-working networks. Any other suggestions?

Regards,
Valerie.
Exactly what version is that? I was going to suggest trying to update the client behind the WatchGuard.
I am using a product called SyncBackPro for FTP and it works fine in lots of other locations apart from behind this WatchGuard.
Let's review:
The server is FileZilla, the client software is SyncBackPro. FTP works everywhere, FTPS works from everywhere except the network with the WatchGuard. Anything I'm leaving out here?

Are there any restrictions on outbound connections on the WatchGuard?
Hi, yes this is correct. There are no restrictions on outbound connections on the WatchGuard.
Could you please show a screenshot with the order of the rules from the WatchGuard?
Hi,

Attached screenshots
watchguard.JPG
watchguard2.JPG
The FileZilla server is set to use ports 980-989 for data and 990 for control.
Do you have something that would be using port 983? That's the point where the failure kicks in. Try taking logs of several failed attempts, and let's see if this same line shows right before the failure...
227 Entering Passive Mode (51,140,125,78,3,215)

However, what might make more sense for you in the long run is to use explicit FTPS rather than implicit. While it does use a different set of ports (and requires changes for everyone), you also won't have to worry so much about the randomness of port numbers.
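An added diagnostic, not part of this thread or of either product, for the 227 reply quoted above: it decodes the passive-mode address and port (p1 * 256 + p2, so 3,215 is port 983), checks the port against the 980-989 range the server is configured for, and optionally compares the advertised host with the control-connection host (control_host is an assumed input, and the sample log lines are constructed).

```python
import re

# Passive data-port range quoted in the thread for the FileZilla server (980-989; 990 is control).
PASV_PORT_RANGE = (980, 989)

# Matches an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Decode a 227 reply into (host, port), with port = p1 * 256 + p2; None if malformed."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):  # every octet and port byte must fit in one byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(line, port_range=PASV_PORT_RANGE, control_host=None):
    """Report whether a 227 reply points where the firewall rule and the client expect.
    control_host (assumed, optional) is the address used for the control connection; a firewall
    cannot rewrite a TLS-protected control channel, so a mismatch misdirects the data connection."""
    parsed = parse_pasv(line)
    if parsed is None:
        return {"ok": False, "host": None, "port": None, "reason": "unparseable 227 reply"}
    host, port = parsed
    lo, hi = port_range
    if not lo <= port <= hi:
        reason = f"data port {port} outside configured range {lo}-{hi}"
    elif control_host and host != control_host:
        reason = f"advertised host {host} differs from control host {control_host}"
    else:
        return {"ok": True, "host": host, "port": port, "reason": "within configured passive range"}
    return {"ok": False, "host": host, "port": port, "reason": reason}

def pasv_ports_in_log(lines):
    """Data port of every 227 reply in a log, in order, to spot a port that recurs before failures."""
    return [parse_pasv(l)[1] for l in lines if parse_pasv(l)]

# Constructed sample log (not the thread's attachments), shaped like the quoted 227 reply.
SAMPLE_LOG = [
    "PASV",
    "227 Entering Passive Mode (51,140,125,78,3,215)",
    "STOR backup.zip",
    "PASV",
    "227 Entering Passive Mode (51,140,125,78,3,212)",
]
```

Run pasv_ports_in_log over the client trace from each failed attempt and compare the port list against the firewall's allowed range; a port that sits inside the range but still fails points at something else on the path, not the rule.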
Ok I will change the rule and come back to you.
Take a look at my edit before you do that. You must've read before I changed my post.
Hi,

Been off for a couple of days will try this today and come back to you.
Hi,

I ran the FTP transfer four times; attached are the logs.
The first and third time it had 227 Entering Passive Mode (51,140,125,78,3,215) and it does appear to be a problem.

However, I tried four times and there were no successful FTP transfers.

What do you suggest?
I know this is going to be an annoyance because it would be a change that affects all clients, but have you looked at implementing explicit FTPS rather than implicit? That's the route I'd probably look at next (and ideally, you would have a way to have a separate test server to at least try things first).

Slight FileZilla discussion: https://wiki.filezilla-project.org/FTPS_using_Explicit_TLS_howto_(Server)
Hi,

Already using explicit FTP over TLS - see attached screenshot. Any other ideas?
No attachment showed.
Sorry here's the screenshot.
ftptls.JPG
Your configuration seems to imply you're allowing both implicit and explicit FTPS, as well as regular FTP. Explicit uses port 21 just like unsecured FTP. Let's see the passive mode settings also. Could you please try connecting to port 21 from the machine behind the WatchGuard?

But before doing that could you please also show the client configuration? There might be a small change needed there too.
Hi,

Please find attached the passive settings on the FTP server (ftptls1).
I have also attached the client settings - both for FTP, which works (clientftp1, clientftp2, clientftp3 and clientftp4), and for FTPS (clienttls1, clienttls2, clienttls3, clienttls4), which doesn't. Not sure of the reasoning behind this as the settings are exactly the same as on other clients not behind this WatchGuard router, which work fine.
clientftp1.JPG
clientftp2.JPG
clientftp3.JPG
clientftp4.JPG
clienttls1.JPG
clienttls2.JPG
clienttls3.JPG
clienttls4.JPG
ftptls1.JPG
I'm still working on dissecting that, but could you please show a log of a working session? The silver lining appears to be that your files are getting transferred securely anyway, but I'd rather look at the log to be sure.
Question: Is the firmware on the WatchGuard completely up to date?
Hi,

What type of log do you require - just the FileZilla log or also the client network monitor trace?
Firmware is up to date.
I am thinking the client monitor trace (that was the method you used to show when things failed, right?)

BTW - What model is the WatchGuard?
Hi,

Here is the working FTP client log (working2.txt) and the working FileZilla log (filezilla-working.txt).
working2.txt
filezilla-working.txt
Hi,

Did you get the files? I haven't had any response.
I've been getting a ton of errors on EE today trying to access anything. I'll review the logs and get back to you.
Thanks for the update
Hi, any update?
First, I assume you will change the password after this. Two, you are having success uploading the files; try doing it when there is less congestion on the line and see what happens. Three, if you are doing any kind of filtering, try bypassing this FTP server address from the filter, and four, try using port forwarding mode to your FTP server.
My apologies, as I've been pretty tied up with the cybersecurity things ongoing. I'm starting to analyze these again.