tmaususer

asked on

Can't connect to FTPS site except one weird way

I am replacing an IIS FTP server.  Unlike the old server, the new IIS7 FTP server has an SSL certificate.  
In the company firewall, I mimicked the objects, access rules, and NAT of the old FTP server substituting the appropriate addresses.  Things work internally.

HERE IS THE WEIRD THING.  IF I AM ON AN EXTERNAL NETWORK AND USE FTP VOYAGER AND SIMPLY TYPE THE HOST, USERNAME, PASSWORD INTO THE QUICK CONNECT BAR, EVERYTHING WORKS FINE.  Attached is a picture of the Quick Connect.
However, if I save that information as a Site Profile and "FTP over SSL Explicit" I get the message below:

STATUS>      Resolving host "ftps.tm-america.com"...
STATUS>      Connecting to "xxx.xxx.xxx.xxx" on port 21.
STATUS>      Connected to xxx.xxx.xxx.xxx:21 from IPSAddress:2608.
      220 Microsoft FTP Service
COMMAND>      AUTH SSL
      234 AUTH command ok. Expecting TLS Negotiation.
STATUS>      SSL connection established. All transactions are now secure.
STATUS>      Encryption cipher: 256 bit AES; Version: TLSv1/SSLv3.
COMMAND>      HOST ftps.tm-america.com
      504 Server cannot accept argument.
STATUS>      Connected. Logging in to the server.
COMMAND>      USER General
      331 Password required
COMMAND>      PASS ***
      230 User logged in.
STATUS>      Login successful.
COMMAND>      SYST
      215 Windows_NT
COMMAND>      FEAT
      211-Extended features supported:
       LANG EN*
       UTF8
       AUTH TLS;TLS-C;SSL;TLS-P;
       PBSZ
       PROT C;P;
       CCC
       HOST
       SIZE
       MDTM
       REST STREAM
      211 END
STATUS>      Server supports resume.
COMMAND>      OPTS UTF8 ON
      200 OPTS UTF8 command successful - UTF8 encoding now ON.
COMMAND>      PBSZ 0
      200 PBSZ command successful.
COMMAND>      PROT P
      200 PROT command successful.
COMMAND>      PWD
      257 "/" is current directory.
COMMAND>      PASV
      227 Entering Passive Mode (yyy,yy,y,y,198,24).
STATUS>      Private IP address returned by the server in response to PASV command.
STATUS>      Converting private IP address yyy.yy.y.y to public IP address xxx.xxx.xxx.xxx.
STATUS>      Opening passive mode data connection to xxx.xxx.xxx.xxx, port 50712.
STATUS>      Data connection failed using Passive Mode (PASV), automatically retrying using Active Mode (PORT).
COMMAND>      PORT ISPAddress,10,65
      501 Server cannot accept argument.
ERROR>      Unable to establish a data connection to the remote server.  Please contact the server administrator for assistance.
ERROR>      The home directory specified for this account on the remote server is not accessible.  Please contact your system administrator for further assistance.
ERROR>      The server has unexpectedly closed the connection.


If I use Filezilla, I get the error below no matter which way I try to connect:

Status:      Resolving address of ftps.tm-america.com
Status:      Connecting to xxx.xxx.xxx.xxx:21...
Status:      Connection established, waiting for welcome message...
Status:      Initializing TLS...
Status:      Verifying certificate...
Status:      TLS connection established.
Status:      Logged in
Status:      Retrieving directory listing...
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Response:      150 Opening BINARY mode data connection.
Error:      Connection timed out after 20 seconds of inactivity
Error:      Failed to retrieve directory listing
Status:      Disconnected from server
Kimputer

You need the same log for the successful connection.
However, I think even that is actually a failure. Seems your firewall didn't allow the passive ports.
I think Kimputer has found the problem.

Simple test.

Disable your entire firewall + retest. If connections work, then you'll add in required firewall rules. If connections still fail, then something else is amiss.
you are using the WAN address instead of the LAN
your firewall implements reflexion so the initial connection is properly sent to the ftp server

but the firewall code ( so-called ftp proxy ) that dynamically opens ports based on the ftp commands does not manage to do its job. passive could work if you configure it adequately on the correct interface ; active can work if the outgoing nat rule kicks in rather than the incoming port redirection. using the lan address may or may not be simpler.
another issue

Server sent passive reply with unroutable address. Using server address instead

is inconsistent with

Converting private IP address yyy.yy.y.y to public IP address xxx.xxx.xxx.xxx.

you may have neglected to configure the public address properly, or something else went in the way. maybe some firewall's smartness.

ASKER

So I added a port range and the external IP address of the firewall into the FTP Firewall Support option and then added a rule for the port 20 (ftpdata). I think that is what this message means. I already had port 21. I made sure the NAT for the FTP included port 20. Now I can connect by creating a profile in FTPVoyager. However, Filezilla refuses to complete a TLS handshake.

On top of that I am no longer able to transfer files, which was working locally.
No, the other firewall in service (I don't know your situation, could be the Windows Firewall, or another machine/device, could even be BOTH), needs to add the port range and data port to the firewall allowed list AND your NAT config.
active FTP will not work in most remote location because of the REMOTE firewall.

active FTP should work locally out of the box as long as you allow the correct connection issued with SOURCE port 20

passive FTP remotely requires your server knows your public address and sends it rather than his private one. ( filezilla can circumvent but most clients do not ). it also requires your firewall either has builtin FTP proxying or you open the range of ports you declared on the ftp server from the outside.

passive FTP locally may be messed up if the servers sends the wan address. it requires the same lan to server:[port_range] as from the WAN

if you do not get how both FTP modes work, you probably had better start with that.
start by configuring your WAN address in the FTP server.
then configure your firewall so it works from the OUTSIDE. both modes preferably.

then bother with hairpinning or make sure the ftp server is smart enough to issue his lan address when the queries come from a lan client. or setup a separate ftp instance.
Kimputer and David Favor, I disabled the firewall on the ftp server, and I still had problems. I'm finding it hard to figure out how to set up the ASA for passive FTP.

I have permitted port 21 and 20 and my port range of 50000-50500 in both directions in my ACLs and my NAT. I'm not sure what I'm missing

ASKER CERTIFIED SOLUTION
skullnobrains

When you say WAN you're referring to the Public IP (external world)? I've been reading about them. About 5 articles. I'll read some more

regarding basic firewall rules, active mode requires outgoing source port 20. you probably used destination. passive requires the same port range the ftp server was configured with incoming.
I have another FTP server that is working passively (no SSL)  If I mimic it should I be okay or is this SSL I'm adding complicating the Passive  mode?

After Reading till I understand that is
i do not think ssl makes much of a difference, but you can try and remove it to make sure.

what is sure is your firewall rules seem to be all over the place and your server should know its own wan address
We are getting help from Cisco.
feel free to post the results and accept it as the solution. hope you get it working.

basics are the following

# command connection required for both modes. RDR rule ( incoming )
client:random_high_port -> server:21

# data connection for passive mode. RDR rule( incoming )
cli:random -> server:port_in_selected_range

# data connection for active mode. MAP rule( outgoing )
srv:20 -> client:port_in_selected_range

range can be anything in the high ports range ( > 1024 ) for example 21000-21200
the port is negotiated during the protocol exchange

active mode is frequently blocked by clients firewalls or nat routers

hope that helps
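An added example (not from this thread or any of the posters) that works through the two data-connection cases described in the posts above: it decodes the h1,h2,h3,h4,p1,p2 tuple from a 227 PASV reply or a PORT argument, applies the fallback the client logs in the question show (a private advertised address is unroutable from the WAN, so the client uses the control-connection address instead), builds the active-mode PORT argument, and checks an advertised port against the range opened on the firewall. 192.168.1.10 and 203.0.113.x are constructed placeholder LAN and WAN addresses.

```python
import ipaddress
import re

# Constructed sample reply modelled on the log in the question; 192.168.1.10 is a
# placeholder LAN address and 203.0.113.5 a placeholder WAN address.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,198,24)."
CONTROL_HOST = "203.0.113.5"  # the address the client connected to on port 21

_SIX_INTS = re.compile(r"\(?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)?")
# Address blocks a client on the Internet can never reach (RFC 1918, loopback, link-local).
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def parse_host_port(arg):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by 227 replies and PORT commands."""
    m = _SIX_INTS.search(arg)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % arg)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % arg)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def is_unroutable(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _UNROUTABLE)

def passive_endpoint(reply, control_host):
    """Decide where the client opens the passive data connection. Mirrors the client
    behaviour quoted in the question: if the server advertises a private address (it
    does not know its WAN address) use the control-connection address instead."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    host, port = parse_host_port(reply)
    if is_unroutable(host):
        return control_host, port, True   # third field: address was substituted
    return host, port, False

def port_argument(client_ip, port):
    """Build the PORT argument sent in active mode; the server then connects from
    its source port 20 to this client address and port."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on a bad address
    if not 0 < port <= 65535:
        raise ValueError("bad port %d" % port)
    return "%s,%d,%d" % (str(ip).replace(".", ","), port // 256, port % 256)

def in_passive_range(port, low, high):
    """True if the advertised port is inside the range forwarded by the firewall/NAT,
    which must be the same range configured on the FTP server."""
    return low <= port <= high
```

Feeding a captured 227 reply and the address you connected to into `passive_endpoint` tells you whether the server is advertising its LAN address, and `in_passive_range` shows whether the negotiated port falls inside the range you opened.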