Ftp – FileZilla Server – Weird FTP Connection Issues


I have an odd issue with connecting to a client's FTP server, which runs FileZilla v.0.9.41. The server is operating behind a NAT router, so it is set to accept passive connections. This seems to work with SOME clients, but not ALL. For example, using Transmit from my Mac, I connect just fine. But using Core FTP from Windows, I have the following error:

PORT command failed
Error loading directory...

And it sits there indefinitely. Using Transmit, this is not an issue.

I am not operating behind a firewall, nor am I using a software firewall service. Each device that connects is on the same subnet, using the same router to get out to the Internet. The credentials are the same, and the basic configuration is the same (Passive, Binary, etc.).

Where I am getting lost is figuring out why one client will connect without issue, while most others connect, but will not allow me to traverse the directory structure.

Has anyone seen this behavior before, and if so, does anyone have thoughts of a solution?

NOTE: I do not have access to the FileZilla Server, but I do have copies of the XML configuration files for troubleshooting.

EDIT: See the log below.

Welcome to Core FTP, release ver 2.2, build 1798 (x86.U) -- © 2003-2014
WinSock 2.0
Mem -- 2,097,151 KB, Virt -- 2,097,024 KB
Started on Wednesday September 03, 2014 at 15:45:PM
Connect socket #796 to <Server IP Address>, port 21...
220-FileZilla Server version 0.9.41 beta  
220-written by Tim Kosse (Tim.Kosse@gmx.de)  
220-FileZilla Server version 0.9.41 beta  
USER <User>  
331 Password required for <User>  
PASS **********  
230 Logged on  
SYST  
215 UNIX emulated by FileZilla  
Keep alive off...
CWD /Inbound/  
250 CWD successful. "/Inbound" is current directory.  
PASV  

PORT command failed
Error loading directory...

And here is the FileZilla server config:

<FileZillaServer>
    <Groups />
    <Users>
        <User Name="USER">
            <Option Name="Pass">pass</Option>
            <Option Name="Group" />
            <Option Name="Bypass server userlimit">0</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">1</Option>
            <Option Name="Comments" />
            <Option Name="ForceSsl">0</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions>
                <Permission Dir="C:\inetpub\FTP">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">1</Option>
                    <Option Name="FileDelete">1</Option>
                    <Option Name="FileAppend">1</Option>
                    <Option Name="DirCreate">0</Option>
                    <Option Name="DirDelete">0</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">1</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
            </Permissions>
            <SpeedLimits DlType="0" DlLimit="10" ServerDlLimitBypass="0" UlType="0" UlLimit="10" ServerUlLimitBypass="0">
                <Download />
                <Upload />
            </SpeedLimits>
        </User>
    </Users>
    <Settings>
        <Item name="Serverports" type="string">21</Item>
        <Item name="Number of Threads" type="numeric">2</Item>
        <Item name="Maximum user count" type="numeric">0</Item>
        <Item name="Timeout" type="numeric">120</Item>
        <Item name="No Transfer Timeout" type="numeric">600</Item>
        <Item name="Allow Incoming FXP" type="numeric">1</Item>
        <Item name="Allow outgoing FXP" type="numeric">1</Item>
        <Item name="No Strict In FXP" type="numeric">0</Item>
        <Item name="No Strict Out FXP" type="numeric">0</Item>
        <Item name="Login Timeout" type="numeric">60</Item>
        <Item name="Show Pass in Log" type="numeric">0</Item>
        <Item name="Custom PASV IP type" type="numeric">1</Item>
        <Item name="Custom PASV IP" type="string">SAME AS OUTWARD FACING SERVER IP</Item>
        <Item name="Custom PASV min port" type="numeric">0</Item>
        <Item name="Custom PASV max port" type="numeric">0</Item>
        <Item name="Initial Welcome Message" type="string">%v&#x0D;&#x0A;written by Tim Kosse (Tim.Kosse@gmx.de)&#x0D;&#x0A;Please visit http://sourceforge.net/projects/filezilla/</Item>
        <Item name="Admin port" type="numeric">14147</Item>
        <Item name="Admin Password" type="string"></Item>
        <Item name="Admin IP Bindings" type="string"></Item>
        <Item name="Admin IP Addresses" type="string"></Item>
        <Item name="Enable logging" type="numeric">0</Item>
        <Item name="Logsize limit" type="numeric">0</Item>
        <Item name="Logfile type" type="numeric">0</Item>
        <Item name="Logfile delete time" type="numeric">0</Item>
        <Item name="Use GSS Support" type="numeric">0</Item>
        <Item name="GSS Prompt for Password" type="numeric">0</Item>
        <Item name="Download Speedlimit Type" type="numeric">0</Item>
        <Item name="Upload Speedlimit Type" type="numeric">0</Item>
        <Item name="Download Speedlimit" type="numeric">10</Item>
        <Item name="Upload Speedlimit" type="numeric">10</Item>
        <Item name="Buffer Size" type="numeric">32768</Item>
        <Item name="Custom PASV IP server" type="string">http://ip.filezilla-project.org/ip.php</Item>
        <Item name="Use custom PASV ports" type="numeric">0</Item>
        <Item name="Mode Z Use" type="numeric">0</Item>
        <Item name="Mode Z min level" type="numeric">1</Item>
        <Item name="Mode Z max level" type="numeric">9</Item>
        <Item name="Mode Z allow local" type="numeric">0</Item>
        <Item name="Mode Z disallowed IPs" type="string"></Item>
        <Item name="IP Bindings" type="string">LOCAL IP ADDRESS</Item>
        <Item name="IP Filter Allowed" type="string"></Item>
        <Item name="IP Filter Disallowed" type="string"></Item>
        <Item name="Hide Welcome Message" type="numeric">0</Item>
        <Item name="Enable SSL" type="numeric">0</Item>
        <Item name="Allow explicit SSL" type="numeric">1</Item>
        <Item name="SSL Key file" type="string"></Item>
        <Item name="SSL Certificate file" type="string"></Item>
        <Item name="Implicit SSL ports" type="string">990</Item>
        <Item name="Force explicit SSL" type="numeric">0</Item>
        <Item name="Network Buffer Size" type="numeric">65536</Item>
        <Item name="Force PROT P" type="numeric">0</Item>
        <Item name="SSL Key Password" type="string"></Item>
        <Item name="Allow shared write" type="numeric">0</Item>
        <Item name="No External IP On Local" type="numeric">1</Item>
        <Item name="Active ignore local" type="numeric">1</Item>
        <Item name="Autoban enable" type="numeric">0</Item>
        <Item name="Autoban attempts" type="numeric">10</Item>
        <Item name="Autoban type" type="numeric">0</Item>
        <Item name="Autoban time" type="numeric">1</Item>
        <Item name="Service name" type="string"></Item>
        <Item name="Service display name" type="string"></Item>
        <Item name="Enable HASH" type="numeric">0</Item>
        <Item name="Disable IPv6" type="numeric">0</Item>
        <SpeedLimits>
            <Download />
            <Upload />
        </SpeedLimits>
    </Settings>
</FileZillaServer>

EDIT: After using ftptest.net to troubleshoot, I find the following:

Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (172,23,23,130,234,97)

Error: Server returned unroutable private IP address in PASV reply 
Make sure the server is configured to allow passive mode connections. 
If the server is behind a NAT router, make sure the server knows its external IP address. 
The range of ports used for passive mode must be opened in all involved firewalls. 
The range of ports used for passive mode must be forwarded by all involved NAT routers. 
Try uninstalling all firewalls and plug your computer directly into your modem, thus bypassing the router.

I can infer from this that there is an issue on the server side, but my question now becomes, why can I connect with some clients (specifically Transmit on the Mac) without issue, while others are actively disconnected (like Core FTP on Windows)?
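The passive-mode settings in a configuration like the one above can be checked against the ftptest.net hints mechanically. This is an added example, not part of the original post: the XML excerpt and its `192.168.1.20` value are constructed, `audit_pasv` is a hypothetical helper, and the reading of `Custom PASV IP type` (0 = the server's own address, 1 = the configured `Custom PASV IP`) is an assumption about FileZilla Server 0.9.x.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Address ranges that a client on the Internet cannot route to.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Constructed excerpt using the setting names from the configuration above;
# 192.168.1.20 is a made-up value, not the poster's.
SAMPLE_CONFIG = """<FileZillaServer><Settings>
<Item name="Custom PASV IP type" type="numeric">1</Item>
<Item name="Custom PASV IP" type="string">192.168.1.20</Item>
<Item name="Custom PASV min port" type="numeric">0</Item>
<Item name="Custom PASV max port" type="numeric">0</Item>
<Item name="Use custom PASV ports" type="numeric">0</Item>
</Settings></FileZillaServer>"""


def audit_pasv(xml_text):
    """Return a list of findings about the passive-mode settings."""
    items = {i.get("name"): (i.text or "").strip()
             for i in ET.fromstring(xml_text).iter("Item")}
    findings = []
    ip_type = items.get("Custom PASV IP type", "0")
    if ip_type == "0":  # assumed meaning: advertise the server's own address
        findings.append("PASV replies advertise the server's own interface address")
    elif ip_type == "1":  # assumed meaning: advertise "Custom PASV IP"
        raw = items.get("Custom PASV IP", "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append("Custom PASV IP %r is not an IP address" % raw)
        else:
            if any(addr in net for net in NON_ROUTABLE):
                findings.append("Custom PASV IP %s is unroutable from outside the NAT" % addr)
    if items.get("Use custom PASV ports", "0") != "1":
        findings.append("no fixed passive port range to forward on the NAT router")
    else:
        lo = int(items.get("Custom PASV min port", "0"))
        hi = int(items.get("Custom PASV max port", "0"))
        if not 1 <= lo <= hi <= 65535:
            findings.append("passive port range %d-%d is invalid" % (lo, hi))
    return findings


if __name__ == "__main__":
    for finding in audit_pasv(SAMPLE_CONFIG):
        print("-", finding)
```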

Best Answer

Solution:

The client needs to change the setting

    <Item name="Custom PASV IP" type="string">SAME AS OUTWARD FACING SERVER IP</Item>

to the IP of the router doing the NATing.

Explanation:

According to section 4.1.2 in RFC 959, after PASV has been sent:

"The response to this command includes the host and port address this server is listening on."

After that, the client may respond with another listing of the IP address and the port it desires to use.

Some clients, such as FileZilla, will verify that the IP address and port given in response are actually reachable. Others will simply assume that they can continue on the same socket where they started. The former is probably more correct, since the protocol does allow for a change of port and address, but it will fail in this case.

Edit

If the FTP server is already using the correct settings, the problem may be in the setup of the NATing router/firewall/etc. It may be altering the data sent through it. The way to identify this would be to do a tcpdump on both sides of the connection to verify that the content of the traffic is the same.
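The two client behaviours described in this answer, applied to the 227 reply from the ftptest.net output in the question. This is an added example, not code from the answer or from any FTP client: the control-connection peer `203.0.113.10` is a constructed documentation address, and `parse_pasv`, `unroutable` and `diagnose` are hypothetical helper names.

```python
import ipaddress
import re

# RFC 1918, loopback and link-local ranges: unreachable from the Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
TUPLE_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")

# Reply taken from the ftptest.net output in the question.
PAGE_REPLY = "227 Entering Passive Mode (172,23,23,130,234,97)"


def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (host, port) per RFC 959."""
    m = TUPLE_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    fields = [int(x) for x in m.group(1).split(",")]
    if max(fields) > 255:
        raise ValueError("field out of range in reply: %r" % reply)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def unroutable(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in NON_ROUTABLE)


def diagnose(reply, control_peer):
    """Compare where a strict and a lenient client would open the data socket."""
    host, port = parse_pasv(reply)
    return {
        "advertised": (host, port),
        "unroutable": unroutable(host),
        # Strict client: dials the advertised host and port verbatim.
        "strict_target": (host, port),
        # Lenient client: keeps the port but reuses the control connection's peer.
        "lenient_target": (control_peer, port),
        # Strict fails when the server is reached over a routable address
        # but advertises one from behind its NAT.
        "strict_fails": unroutable(host) and not unroutable(control_peer),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the server's public address.
    for key, value in diagnose(PAGE_REPLY, "203.0.113.10").items():
        print(key, "=", value)
```

Reusing the control peer's address also keeps a server from steering the client's data connection to a third host.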