EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Active FTP Problems

Posted: 02/19/2014 03:42:03
by Mario Gzuk (Basic support level)
Joined: 02/19/2014
Posts: 6

Hi, we are currently trying to use active FTP with your product. Passive works fine, but if we try to use active (directly on the server, no routers or firewalls between client and server) we get:

Status: Connecting to xxxxxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 FTP Server EXAMPLE
Command: USER xxxxx
Response: 331 User name okay, need password.
Command: PASS ***
Response: 230 User logged in, proceed.
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 Command okay.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory
Status: Directory listing successful
Status: Retrieving directory listing...
Command: CWD /TEST
Response: 250 Directory change successful.
Command: PWD
Response: 257 "/TEST" is current directory
Command: TYPE I
Response: 200 Command okay.
Command: PORT xxx,xxx,xxx,xxx,197,67
Response: 200 Command okay.
Command: MLSD
Response: 125 Data connection already open; transfer starting.
Response: 226 MLSD completed
Error: Connection timed out
Error: Failed to retrieve directory listing

We didn't see the server try to open port 20 for the data connections. What are we doing wrong? Is there a setting for that?
Or how can we figure out what mode the server tries to use? It seems that the server uses passive mode, because of "125 Data connection already open; transfer starting." But there is no data connection open (checked with netstat and Wireshark)...

Thank you for your help!
Posted: 02/19/2014 03:46:02
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

What SecureBlackbox edition do you use? Do you use our sample to test the server?
Posted: 02/19/2014 04:12:06
by Eugene Mayevski (Team)

Active mode is when the client opens the listening socket on the port it specifies in PORT command (not port 20 as you think) and the server connects to the opened port. It is not possible to say what exactly happened on your side without investigating lots of details. I must say that nowadays Active mode is almost never used due to problems with firewalls, NATs etc.

Sincerely yours
Eugene Mayevski
Posted: 02/19/2014 04:33:47
by Mario Gzuk (Basic support level)
Joined: 02/19/2014
Posts: 6

Hi Eugene,
thank you for your answer. There is no firewall/NAT etc. in between; the test is executed directly on the server.
The clients we use are FileZilla and the Windows ftp.exe; both work in passive mode but not in active mode. The connection can be established, but after that, commands (LS or GET) fail with:
Error: Connection timed out

I know about the communication process in active mode, and as described in the protocol, port 20 is used for data transfer. Maybe I am wrong, but it seems to me that the problem is located there...

Is there any way to figure out what mode the server uses for the current connection? Are there any options to control the active mode in the server part?

I will try to find out which version we use; I am only the "administrator" and have to point our developer to the right place as to why this stuff is not working...

We have also bought a licence; I have to check this as well...

Thank you.
Posted: 02/19/2014 04:43:31
by Eugene Mayevski (Team)

1) If you have a license, please link the license ticket to your user account before we continue. The ticket itself and the procedure of its use are specified in the registration e-mail that was sent to you upon license purchase. If you don't have the license ticket, please contact the person from which you have obtained the license key (the one in your source code) for a license ticket.

NOTE: please don't post license keys and license tickets to the forum. If you need to clarify something about your license, please use HelpDesk ( http://www.eldos.com/helpdesk/ ).

2) It was not clear that you were asking about the server. In any case, please provide as many details as possible: what version and edition of SecureBlackbox and what component (TElFTPSServer or TElSimpleFTPSServer) you are using, and whether it's your code or a sample project.

3) It's a good idea for the developer to contact us directly rather than forwarding information back and forth.

Sincerely yours
Eugene Mayevski
Posted: 02/19/2014 04:50:23
by Mario Gzuk (Basic support level)
Joined: 02/19/2014
Posts: 6

... So thank you for your time. Our developer has figured out that it seems to be in the framework. We cannot change into a directory when it's empty, so they will take a look at their code to figure out why this is a problem.

Cheers and have a nice time!
Posted: 02/20/2014 06:15:11
by ITSG (Standard support level)
Joined: 06/27/2013
Posts: 34

Hi Eugene,

you requested the developer to contact you directly.
So here I am ;-)
I think you can find the license information in my profile.

Even if the problems that mario reported are gone now, we ran into some more trouble with the active FTP mode.

First off: we all know that active mode is almost never used because of certain problems with NLB and firewalls.

But, for backward compatibility reasons, it is important for us to get the active mode to work.

Right now we connect through the firewall and an NLB via an IP address X (the NLB).
This IP X is set as the TElSimpleFTPSServer.Host.
Port is 21.
Communication on that control channel is fine.
When the data channel gets set up, the server answers from IP Y, which is the IP address of the actual machine.
This is where we get blocked in the firewall.

One way would be to set the port for the data channel in the TElSimpleFTPSServer settings and open that port in the firewall.

Is it possible to set that port ? Or use the port range defined for passive mode?

Regards Martin
Posted: 02/20/2014 06:32:35
by Vsevolod Ievgiienko (Team)

Is it possible to set that port ? Or use the port range defined for passive mode?

This port is supplied by the client, and the server just connects to the supplied port.
Posted: 02/20/2014 07:02:58
by Eugene Mayevski (Team)

You seem to have mixed everything together and this causes confusion.

In Passive mode the server accepts connections, and to help the client you can configure PassiveModeAddress (set it to NAT's IP or hostname) and set DataRangeFrom and DataRangeTo.

In Active mode you don't choose what ports to use. The client does. So you can't set anything besides disabling active mode.

Sincerely yours
Eugene Mayevski
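To make the direction of the two data connections concrete, here is an added example (it is not SecureBlackbox, FileZilla or ftp.exe code) that sets up both an active (PORT) and a passive (PASV) data channel on loopback inside one process. It illustrates Eugene's two points above: in active mode the client listens and announces its own port, so the server only controls the source port it connects from (RFC 959 specifies L-1, i.e. 20 by default, which needs privileges; the demo takes it as a parameter), while in passive mode the server picks a port from a range and advertises an address of its choosing in the 227 reply, which is what PassiveModeAddress, DataRangeFrom and DataRangeTo control. The function names, the 40000 to 40010 range, the MLSD line and the 10.0.0.1 address in the decode check are assumptions made for the demo; the `197,67` pair is taken from the PORT command in the first post and decodes to 197*256+67 = 50499.

```python
"""Active (PORT) and passive (PASV) FTP data connections demonstrated on loopback.

Added example for this thread; it is not SecureBlackbox or FileZilla code.
Only the data-channel setup is shown: the control connection is replaced by
handing the PORT argument / 227 reply between two threads in one process.
"""
import socket
import threading


def encode_hostport(host, port):
    """RFC 959 'h1,h2,h3,h4,p1,p2' form used by PORT and by the 227 reply."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(arg):
    """Inverse of encode_hostport; e.g. '...,197,67' is port 197*256+67 = 50499."""
    parts = [int(p) for p in arg.strip("() ").split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port argument: %r" % arg)
    return ".".join(str(p) for p in parts[:4]), (parts[4] << 8) | parts[5]


def _recv_all(conn):
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def active_transfer(listing, server_source_port=0):
    """Active mode: the CLIENT listens and the SERVER connects.

    The client picks the port and announces it with PORT; the server only
    chooses its own source port (RFC 959: L-1, i.e. 20, which is privileged,
    so 0 = ephemeral here). Returns the PORT argument, the source port the
    server actually connected from, and the bytes the client received.
    """
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))          # any free port: the client's choice
        listener.listen(1)
        listener.settimeout(5)
        port_arg = encode_hostport(*listener.getsockname())

        def server_side():
            host, port = decode_hostport(port_arg)   # what the server learnt from PORT
            with socket.socket() as data:
                data.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                data.bind(("127.0.0.1", server_source_port))
                data.connect((host, port))           # server -> client direction
                data.sendall(listing)

        worker = threading.Thread(target=server_side)
        worker.start()
        conn, (_, server_port) = listener.accept()
        with conn:
            received = _recv_all(conn)
        worker.join()
    return port_arg, server_port, received


def passive_transfer(listing, advertise_host="127.0.0.1", range_from=40000, range_to=40010):
    """Passive mode: the SERVER listens and the CLIENT connects.

    The server binds a port in [range_from, range_to] (DataRangeFrom/To) and
    puts advertise_host (PassiveModeAddress) into the 227 reply; the client
    connects to whatever the reply says, so behind NAT this must be the
    address the client can reach. Returns the reply, the bound port and the
    bytes the client received.
    """
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.settimeout(5)
    try:
        for port in range(range_from, range_to + 1):
            try:
                listener.bind(("127.0.0.1", port))
                break
            except OSError:
                continue
        else:
            raise RuntimeError("no free port in %d-%d" % (range_from, range_to))
        listener.listen(1)
        bound_port = listener.getsockname()[1]
        reply = "227 Entering Passive Mode (%s)." % encode_hostport(advertise_host, bound_port)

        def server_side():
            conn, _ = listener.accept()
            with conn:
                conn.sendall(listing)

        worker = threading.Thread(target=server_side)
        worker.start()
        host, port = decode_hostport(reply[reply.index("(") + 1:reply.index(")")])
        with socket.socket() as data:
            data.connect((host, port))               # client -> server direction
            received = _recv_all(data)
        worker.join()
    finally:
        listener.close()
    return reply, bound_port, received


if __name__ == "__main__":
    SAMPLE = b"type=dir;modify=20140219034203; TEST\r\n"   # constructed MLSD line
    arg, src, got = active_transfer(SAMPLE)
    print("active : PORT %s, server connected from source port %d, %d bytes" % (arg, src, len(got)))
    reply, bound, got = passive_transfer(SAMPLE)
    print("passive: %s bound port %d, %d bytes" % (reply, bound, len(got)))
```

Run it as a script to see both exchanges; `active_transfer(SAMPLE, server_source_port=2020)` shows the server connecting from a fixed source port, which is the only thing a server can choose in active mode and the property a firewall rule on the server side can match. Nothing a server setting can do changes which host and port the server connects to: that pair comes from the PORT argument, which is why a packet filter between client and server must allow the server host's own address outbound to the client's ephemeral ports, or active mode must be disabled.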
Posted: 02/20/2014 07:36:06
by Mario Gzuk (Basic support level)
Joined: 02/19/2014
Posts: 6

Hi Eugene,
you are right. But as described here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82018-pix-asa-enable-ftp.html (for example), the answer should come from server port 20. The client port is chosen by the client itself in active mode.




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
