Problem with establishing FTP connection

[wanderer]

I have now tested this connection in the debugger, and I think that I know now what is happening and why it isn't working:

1. Total Commander sends the PASV command
2. The server sends back the passive port
3. Total Commander tries to connect to that port, but it FAILS!
4. Total Commander switches to PORT mode

In my case PORT mode works, but in your case, PORT mode fails because you are probably behind a NAT router without FTP support. And PASV mode fails on the server side because the server is behind a NAT router too! So in the end, no FTP connection is possible between the two systems, because both are protected.

The solution would be to ask the owner of the FTP server to define a port range for passive FTP (e.g. 1024-2048), and then forward these ports from the router to his server.

Hi Christian. I'm facing the same problem for quite some time now and after a quick search, i found this thread.

I was wandering, is there anything the user can do at his end in order to solve this problem? I wish to connect to my provider's FTP server for website updating and i don't think asking them to open ports at their end will help me very much .

[IGL]

If you cannot use passive mode than the service provider must do something.

They do not have to open ports.
Well, it depends what firewall they have installed. The one I deal with has a so-called "plug-in" for FTP which monitors the connection and allows to make another connection on negotiated port for data transfer.
The same problems occure with connecting to Oracle Database or Cytrix terminals.

The other solution may be a VPN connection, Personal VPN connection may allow you to connect to single port on remote machine, then (through VPN connection) you may get a new "internal" ip and access to other services including FTP and others. Additionally all transferred data may be encrypted.

[Clo]

2IGL
Hello Chris !

• The Anita's problem was simply that the private IP-numbers were not supported by her FTP server ( a kind of small swindle from her provider, who sold such numbers, while he knew that couldn't work).
* Changing to a public number ( for 2€ more...) did the trick, that worked then.
wanderer doesn't tell anything about this number …? Is it the same problem or not ?
{ Off-topic : glad to see you again here ! }

Kind European regards,
Claude
Clo

[IGL]

Clo is right, we need more details.
Wanderer - what is your IP (private or public?).
Do you have any Personal Firewall installed, or your own small router?
What is the target FTP server's IP?
Could you provide the FTP log (like Anita did on firs page of this tread)?
Could we connect to it to as anonymous to check how it works, what errors occure, etc.

Hello Clo!, I'm back. Although soon I will go on vacation for some time

[wanderer]

2 Clo, IGL

Ok, here's the setup i have:

My PC --->
"Internet Connection" PC (ICPC) (proxy with Symantec NIS 2003 installed) --->
USB ADSL modem/router --->
provider's ftp server

I can connect and login to the server from the ICPC (without using the proxy) but i cannot connect correctly neither from my PC nor from ICPC if i use the proxy (any proxy settings, PASV or not). Please note that the following log is created when using SOCKS5 proxy in TCMD (the only setting that almost works). Disabling the firewall changed nothing.

Here's the log:

----------
Connect to: (04/06/2004 14:41:04)
hostname=webftp.otenet.gr
username=<SNIP USERNAME>
startdir=
Firewall=proxy
proxy=<SNIP proxy's IP>
SOCKS5 connect...
SOCKS5 connect...OK
220 webhosting02 Microsoft FTP Service (Version 5.0).
USER <SNIP USERNAME>
331 Password required for <SNIP USERNAME>
PASS ***********
230 User <SNIP USERNAME> logged in.
SYST
215 Windows_NT version 5.0
FEAT
500 'FEAT': command not understood
Connect ok!
PWD
257 "<SNIP USERHOMEDIR>" is current directory.
Get directory
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (195,167,100,150,7,162).
Socks5 error: Host unreachable (4)
PORT 0,0,0,0,14,130
500 Invalid PORT Command.
LIST -la
425 Can't open data connection.




Here's the last part of the log file when connecting from ICPC without proxy but with PASV on.
----
200 Type set to A.
PASV
227 Entering Passive Mode (195,167,100,150,16,251).
PORT <SNIP ROUTER INTERNAL IP>
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
Download
Waiting for server...
226 Transfer complete.




Of course with PASV off, it works without problems (from ICPC) and faster than with PASV.

[Clo]

2wanderer
Hello !
• Please, try to uncheck "FTP: Show hidden files" in menu Net. That sends the command LIST -la, instead LIST
 KR
Clo

[IGL]

PORT 0,0,0,0,14,130
This is definitevly wrong PORT command, you cannot use IP 0.0.0.0 (14&130 define port number)

The question is Why port command gives incorrect IP.
Could it be Symantec Internet Security? Does it have any Personal firewall installed? Proxy options?

[wanderer]

2wanderer
Hello !
• Please, try to uncheck "FTP: Show hidden files" in menu Net. That sends the command LIST -la, instead LIST
 KR
Clo

Nothing changed...

PORT 0,0,0,0,14,130
This is definitevly wrong PORT command, you cannot use IP 0.0.0.0 (14&130 define port number)

The question is Why port command gives incorrect IP.
Could it be Symantec Internet Security? Does it have any Personal firewall installed? Proxy options?

I know. It stays in the "Entering Passive Mode" for a while and then i get the "Host Unreachable"... After that, i get that 0,0,0,0 PORT command...
I tried it with NIS disabled. Nothing changed...

I replaced the server name with its IP and something changed: i used SOCKS4 and here's what i got:

----------
PASV
227 Entering Passive Mode (195,167,100,150,13,195).
Socks4 error: Request rejected or failed (91)
PORT 0,0,0,0,4,124
500 Invalid PORT Command.
LIST
425 Can't open data connection.


With socks 5, i got:

------------
PASV
227 Entering Passive Mode (195,167,100,150,14,175).
Socks5 error: Host unreachable (4)
PORT 0,0,0,0,5,125
500 Invalid PORT Command.
LIST
425 Can't open data connection.



I assume it's either something wrong with the proxy or what Christian described in an earlier post:

In my case PORT mode works, but in your case, PORT mode fails because you are probably behind a NAT router without FTP support. And PASV mode fails on the server side because the server is behind a NAT router too! So in the end, no FTP connection is possible between the two systems, because both are protected.

Any ideas are welcome, otherwise never mind, i'll just keep connecting from the Internet PC. Stupid way but at least this works!

[Clo]

2IGL
2wanderer
Hello !
• Could we attempt an anonymous connexion which works to that (odd) server from our own PCs ? It should be interesting to get logs and compare them one another ?
* Currently, it's impossible, I get :

Code: Select all

hostname=webftp.otenet.gr
username=anonymous
startdir=/
webftp.otenet.gr=195.167.100.150
220 webhosting02 Microsoft FTP Service (Version 5.0).
USER anonymous
331 Password required for anonymous.
PASS ***********
530 User anonymous cannot log in.
QUIT

To be continued…

  Kind regards,
Claude
Clo

[wanderer]

2IGL
2wanderer
Hello !
• Could we attempt an anonymous connexion which works to that (odd) server from our own PCs ? It should be interesting to get logs and compare them one another ?

Hi Clo.

I don't believe so. As i said in an earlier post, this is a provider's ftp server for their users, i don't expect they allow anonymous access to it.

Anyway, i believe that the whole problem is caused by all the security in both sites so probably there is not much i can do about it. Thanx you and IGL for your answers anyway...

[IGL]

Have you tried to change configuration of proxy in any way? I do not know what to do, but maybe proxy will not support some kind of communication.

[ghisler(Author)]

227 Entering Passive Mode (195,167,100,150,7,162).
Socks5 error: Host unreachable (4)

This looks like the provider's FTP server is only allowing the data connection on port 21 in, but blocks all other ports, including the data port needed for passive mode. TC then tries active (PORT) mode, which does not work with all SOCKS proxies (apparently it doesn't with yours).

[wanderer]

Yeyyy!!!

I finally got it to work! My proxy has a feature called "ftp gateway". I had tried it in the past and i expected it to work but it didn't. Now i have the following setup:

"Use firewall" checked but not "Use PASV". In firewall settings, i have "Send command USER user@hostname". In hostname, i entered the IP of the proxy with the port of the "ftp gateway", i OK'd everything and it worked. It probably didn't work in the past because i had PASV checked in TC.

Great. One less guy with ftp problems!

Thanks all for your support.