On a Windows Server 2008 R2 Standard machine, I'm having trouble connecting to and downloading a file from a Windows FTP server.
Filesize is ~3KB to 6KB. Very rarely ~100KB to ~500KB, but the server has plenty of space on disk.
I've tried a passive connection:
Response: 220-Microsoft FTP Service
Response: 220 Regal Logistics
Command: USER ********
Response: 331 Password required for ********.
Command: PASS ********
Response: 230 User ******** logged in.
Status: Connected
Status: Starting download of /********/PO/201405130227.xml
Command: CWD /********/PO
Response: 250 CWD command successful.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (***,***,***,**,19,64)
Command: RETR 201405130227.xml
Response: 125 Data connection already open; Transfer starting.
Response: 426 Data connection closed. Error scanning content
Error: File transfer failed after transferring 3,465 bytes in 1 second
The strange thing is that the file is 3,465 bytes, so the entire file is getting through, it just isn't finishing up properly.
And I've tried an active connection:
Response: 220-Microsoft FTP Service
Response: 220 Regal Logistics
Command: USER ********
Response: 331 Password required for ********.
Command: PASS ********
Response: 230 User ******** logged in.
Command: PORT 10,0,0,114,214,65
Response: 200 PORT command successful.
Command: RETR 201405130227.xml
Response: 150 Opening ASCII mode data connection for 201405130227.xml(3465 bytes).
Response: 426 Data connection closed. Error scanning content
I've tried from two different FTP clients on the same server (Filezilla and the CLI FTP client) and I get the same response:
125 Data connection already open; Transfer starting.
426 Data connection closed. Error scanning content
I've attempted downloading files successfully from a separate network, so it's unique to the server's location.
I've contacted both the system/network administrators of where the server is located and I've been assured that the ports necessary for FTP to function are open. (My guess is that they've opened 21, I'm not sure about any others.) There is a physical firewall that is on their network, but again, I don't have access to it unfortunately. Windows Firewall is disabled on the server.
What else could I take a look at to see if it's truly failing?
Here's a packet log of the request just before failing:
No. Time Source Destination Protocol Length Info
39 6.878855000 LOCAL-IP EXTERNAL-FTP-SERVER-IP FTP 77 Request: RETR 201405130227.xml
Frame 39: 77 bytes on wire (616 bits), 77 bytes captured (616 bits) on interface 0
Ethernet II, Src: Hewlett-_ab:cd:ef (00:1e:a1:ab:cd:ef), Dst: Watchgua_12:34:56 (ab:cd:7f:12:34:56)
Internet Protocol Version 4, Src: LOCAL-IP (LOCAL-IP), Dst: EXTERNAL-FTP-SERVER-IP (EXTERNAL-FTP-SERVER-IP)
Transmission Control Protocol, Src Port: 56623 (56623), Dst Port: ftp (21), Seq: 55, Ack: 207, Len: 23
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
40 6.893662000 EXTERNAL-FTP-SERVER-IP LOCAL-IP TCP 60 ftp > 56623 [ACK] Seq=207 Ack=78 Win=93362 Len=0
Frame 40: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Watchgua_12:34:56 (ab:cd:7f:12:34:56), Dst: Hewlett-_ab:cd:ef (00:1e:a1:ab:cd:ef)
Internet Protocol Version 4, Src: EXTERNAL-FTP-SERVER-IP (EXTERNAL-FTP-SERVER-IP), Dst: LOCAL-IP (LOCAL-IP)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 56623 (56623), Seq: 207, Ack: 78, Len: 0
No. Time Source Destination Protocol Length Info
41 6.957666000 EXTERNAL-FTP-SERVER-IP LOCAL-IP FTP 108 Response: 125 Data connection already open; Transfer starting.
Frame 41: 108 bytes on wire (864 bits), 108 bytes captured (864 bits) on interface 0
Ethernet II, Src: Watchgua_12:34:56 (ab:cd:7f:12:34:56), Dst: Hewlett-_ab:cd:ef (00:1e:a1:ab:cd:ef)
Internet Protocol Version 4, Src: EXTERNAL-FTP-SERVER-IP (EXTERNAL-FTP-SERVER-IP), Dst: LOCAL-IP (LOCAL-IP)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 56623 (56623), Seq: 207, Ack: 78, Len: 54
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
42 6.986757000 EXTERNAL-FTP-SERVER-IP LOCAL-IP FTP 106 Response: 426 Data connection closed. Error scanning content
Frame 42: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface 0
Ethernet II, Src: Watchgua_12:34:56 (ab:cd:7f:12:34:56), Dst: Hewlett-_ab:cd:ef (00:1e:a1:ab:cd:ef)
Internet Protocol Version 4, Src: EXTERNAL-FTP-SERVER-IP (EXTERNAL-FTP-SERVER-IP), Dst: LOCAL-IP (LOCAL-IP)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 56623 (56623), Seq: 261, Ack: 78, Len: 52
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
43 6.986768000 LOCAL-IP EXTERNAL-FTP-SERVER-IP TCP 54 56623 > ftp [ACK] Seq=78 Ack=313 Win=65280 Len=0
Frame 43: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Hewlett-_ab:cd:ef (00:1e:a1:ab:cd:ef), Dst: Watchgua_12:34:56 (ab:cd:7f:12:34:56)
Internet Protocol Version 4, Src: LOCAL-IP (LOCAL-IP), Dst: EXTERNAL-FTP-SERVER-IP (EXTERNAL-FTP-SERVER-IP)
Transmission Control Protocol, Src Port: 56623 (56623), Dst Port: ftp (21), Seq: 78, Ack: 313, Len: 0
I collected a few more logs – this time I watched more than ports 21 and 22 – I watched the IPs of the FTP connection:
No. Time Source Destination Protocol Length Info
2607 11.440148000 __REMOTE__IP__ _LOCAL_IP_ FTP 105 Response: 227 Entering Passive Mode (198,104,198,16,17,233)
Frame 2607: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 54613 (54613), Seq: 195, Ack: 60, Len: 51
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
2608 11.440763000 _LOCAL_IP_ __REMOTE__IP__ FTP 74 Request: RETR testthing.txt
Frame 2608: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Ethernet II, Src: Hewlett-_SUB_MAC (11:22:33:SUB_MAC), Dst: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC)
Internet Protocol Version 4, Src: _LOCAL_IP_ (_LOCAL_IP_), Dst: __REMOTE__IP__ (__REMOTE__IP__)
Transmission Control Protocol, Src Port: 54613 (54613), Dst Port: ftp (21), Seq: 60, Ack: 246, Len: 20
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
2609 11.441029000 _LOCAL_IP_ __REMOTE__IP__ TCP 66 54617 > 4585 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=128 SACK_PERM=1
Frame 2609: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Hewlett-_SUB_MAC (11:22:33:SUB_MAC), Dst: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC)
Internet Protocol Version 4, Src: _LOCAL_IP_ (_LOCAL_IP_), Dst: __REMOTE__IP__ (__REMOTE__IP__)
Transmission Control Protocol, Src Port: 54617 (54617), Dst Port: 4585 (4585), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
2610 11.442013000 __REMOTE__IP__ _LOCAL_IP_ TCP 60 ftp > 54613 [ACK] Seq=246 Ack=80 Win=93360 Len=0
Frame 2610: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 54613 (54613), Seq: 246, Ack: 80, Len: 0
No. Time Source Destination Protocol Length Info
2622 11.459434000 __REMOTE__IP__ _LOCAL_IP_ TCP 66 4585 > 54617 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 WS=2 MSS=1400 SACK_PERM=1
Frame 2622: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: 4585 (4585), Dst Port: 54617 (54617), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
2623 11.459475000 _LOCAL_IP_ __REMOTE__IP__ TCP 54 54617 > 4585 [ACK] Seq=1 Ack=1 Win=4194304 Len=0
Frame 2623: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Hewlett-_SUB_MAC (11:22:33:SUB_MAC), Dst: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC)
Internet Protocol Version 4, Src: _LOCAL_IP_ (_LOCAL_IP_), Dst: __REMOTE__IP__ (__REMOTE__IP__)
Transmission Control Protocol, Src Port: 54617 (54617), Dst Port: 4585 (4585), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
2634 11.482207000 __REMOTE__IP__ _LOCAL_IP_ FTP 108 Response: 125 Data connection already open; Transfer starting.
Frame 2634: 108 bytes on wire (864 bits), 108 bytes captured (864 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 54613 (54613), Seq: 246, Ack: 80, Len: 54
File Transfer Protocol (FTP)
No. Time Source Destination Protocol Length Info
2635 11.483996000 __REMOTE__IP__ _LOCAL_IP_ FTP-DATA 60 FTP Data: 4 bytes
Frame 2635: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: 4585 (4585), Dst Port: 54617 (54617), Seq: 1, Ack: 1, Len: 4
FTP Data (test)
No. Time Source Destination Protocol Length Info
2636 11.484173000 __REMOTE__IP__ _LOCAL_IP_ FTP 106 Response: 426 Data connection closed. Error scanning content
Frame 2636: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface 0
Ethernet II, Src: Watchgua_LOCALMAC (AA:BB:CC:LOCALMAC), Dst: Hewlett-_SUB_MAC (11:22:33:SUB_MAC)
Internet Protocol Version 4, Src: __REMOTE__IP__ (__REMOTE__IP__), Dst: _LOCAL_IP_ (_LOCAL_IP_)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 54613 (54613), Seq: 300, Ack: 80, Len: 52
File Transfer Protocol (FTP)
Ah – so we tested connecting to an FTP server that used a nonstandard control port and the file transfer worked correctly.
Only when we connect to an FTP server that uses the standard control port of 21 does the transfer have problems.
We cleared the firewall's settings, rebuilt, and reset the settings on the firewall. The issue was then fixed.
The settings that were applied were identical to the settings that existed before. The settings on the firewall somehow became corrupt. That's all she wrote, really.
Best Answer
Response: 426 Data connection closed. Error scanning content
There is definitely a Firewall in between which intercepts the FTP Traffic. Microsoft FTP to my knowledge does NOT support scanning content.
To be clear: This is more of a central firewall thing than a windows firewall thing.
Also, the theory of the non-standard-port-working supports this. (Central FW only seems to inspect traffice to port 21)
Take this up with your network admins.