ISAserver.org forums, ISA Server 2000 Firewall / Firewall Client

DOS FTP Problem
DOS FTP Problem - 26.Sep.2003 10:06:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Currently I have ISA working with FTP client software as well as the IE browser (PORT mode). The issue I am having is with a script which executes a DOS FTP session to automatically download some files. I can successfully establish a DOS FTP session complete with login. However, as soon as I attempt a transfer of any sort (ls or get), it hangs. Has anyone successfully set up DOS FTP access through ISA? I would assume it has to do with packet filters but I am not sure what they should be. Is DOS PORT or PASV? What am I missing here?

Thanks!
Kurtis
Post #: 1
RE: DOS FTP Problem - 26.Sep.2003 10:53:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

if you can FTP from an FTP client software as well as the IE browser, then ISA is correctly configured! [Smile]

Now, what exactly do you mean by DOS FTP? Is this the standard Microsoft FTP command line client you want to use with the -s option?

BTW --- for more info about how ISA handles the FTP protocol, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to kkril)
Post #: 2
RE: DOS FTP Problem - 26.Sep.2003 11:28:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi Stefaan,

Thanks for the quick reply. As for your article, I have read it more than once and it was very useful in understanding how FTP actually works.

What I mean by DOS FTP is exactly that: the command line utility included with Win2k. The FTP command is actually embedded in a VBScript, but this is beside the point - it is the scenario where command line FTP is used. If I try a "manual session" I get the behaviour described above; that is, I can login, but it hangs on any kind of transfer. As you say, I should have everything configured correctly, since I can get both the FTP client software and the browser to work. That's why I can't understand this issue. I have the browser set to use PORT mode and the FTP client successfully uses the firewall client in PASV mode. I did read in another post that there may be a bug with multiple IPs on the external interface. Our config is kind of complicated in that we are running ISA as an Enterprise Array with Stonebeat for failover.

Let me know if you need more info.

Regards

(in reply to kkril)
Post #: 3
RE: DOS FTP Problem - 26.Sep.2003 11:42:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
PS - I have not enabled IP routing. When I do, I can't even get a list command to work through an FTP client.

This configuration is behind a PIX firewall.

Again - anything you could add would be appreciated as I have read all the articles on FTP on your site and Microsoft's.

Thanks
Cheers
Kurtis

(in reply to kkril)
Post #: 4
RE: DOS FTP Problem - 27.Sep.2003 11:10:00 AM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

the only problem I know of with FTP and multiple IP addresses assigned to the ISA external interface is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;817829 . The solution is to implement the hotfix or disable IP routing (Kernel Data Pump).

If that doesn't solve your problem, you'll have to take a Network Monitor trace on the ISA external interface or even on the external subnet to see what is really happening on the wire.

HTH,
Stefaan

(in reply to kkril)
Post #: 5
RE: DOS FTP Problem - 28.Sep.2003 8:14:00 AM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi Stefaan,

Hmm interesting. I didn't anticipate this being such an issue, since I have the other two ways working. I thought maybe it was a quirk with command line FTP. I tried two packet filters, one for outbound port 21 and inbound port 20 but the filters only let you define either the external interface on the ISA boxes or a perimeter box. So I wasn't really sure how that was supposed to work with internal clients. I tried defining the external interfaces thinking that the packet filtering only really took place there. These didn't work either. I checked the ISA logs and at first FTP responses were being blocked on the external interfaces, but once I created the filters the logs showed they were allowed. However, this still didn't fix the problem.

Nothing that packet filters could do here?

Thanks again for your help.
Regards
Kurtis

(in reply to kkril)
Post #: 6
RE: DOS FTP Problem - 28.Sep.2003 8:25:00 AM   
kkril (Posts: 15, Joined: 26.Sep.2003)
PS ... this workaround didn't work for me and the problem described in the Q article isn't the exact behaviour I observed. It's not like I can't establish the FTP session. I can successfully login consistently. The session hangs as soon as some kind of transfer is initiated, e.g. ls or get.

Bizarre. I know.

The packet trace option might work. The logs from the PIX and the ISA logs might be sufficient to determine what is happening. Otherwise I will have to call MSTech support ...

Thanks
Regards
Kurtis

(in reply to kkril)
Post #: 7
RE: DOS FTP Problem - 28.Sep.2003 4:07:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

for outbound access creating IP packet filters will *not* help you. You need a protocol and site&content rules and they will dynamically create the necessary IP packet filters.

Can't you place an FTP server in the DMZ between the PIX and the ISA and first try the outbound FTP to this FTP server?

HTH,
Stefaan

(in reply to kkril)
Post #: 8
RE: DOS FTP Problem - 29.Sep.2003 8:25:00 AM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi Stefaan,

OK on the packet filters - didn't think so from what I have read but thought you might know something else. I am pretty sure my Protocol and Site & Content Rules are OK since the other forms of FTP are working.

As for an FTP server in the DMZ - I could try that perhaps - can you redirect an FTP query from a client to a server like that?

Thanks again.
Kurtis

(in reply to kkril)
Post #: 9
RE: DOS FTP Problem - 29.Sep.2003 8:22:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

I have no experience at all with Stonebeat, but can you make another test with the Microsoft FTP client? Just make sure that:
- you have a protocol rule allowing access to all IP traffic for any request.
- you have a site&content rule allowing access to all destinations, any request, any content.
- the client is a SecureNAT and/or Firewall client.
- you have enabled the logging of all fields in the ISA log settings and the log format is set to ISA.
- you take a Network Monitor trace on the ISA external interface.

Then post the relevant entries from the Firewall and IP packet filter logs unmodified. We can first take a look at the log files. If needed, we will compare them with the Network Monitor trace file.

HTH,
Stefaan

(in reply to kkril)
Post #: 10
RE: DOS FTP Problem - 30.Sep.2003 4:37:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi Stefaan,

Ok on all points except two. The Network Monitor trace might be difficult, since these servers are on switches; are you suggesting running netmon on one of the ISA servers? Not sure how netmon will see the traffic otherwise. As for posting it, it has too much information in there regarding the privacy of the company. When you say "unmodified", does that mean not changing anything to "protect the innocent"?

Thanks for the clarifications.
Regards
Kurtis

(in reply to kkril)
Post #: 11
RE: DOS FTP Problem - 30.Sep.2003 9:58:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

yes, run Network Monitor on the ISAs themselves. It's a built-in W2K feature; select the external interface.

As for posting the excerpt of the logs, yes I mean not changing anything. Do you consider IP addresses secret information? I don't! [Big Grin]

The problem is that if you modify the info, it will be very hard to analyze and compare the different logs.

HTH,
Stefaan

(in reply to kkril)
Post #: 12
RE: DOS FTP Problem - 1.Oct.2003 4:48:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi again,

Thanks for sticking with me on this issue. I do appreciate it. Since there are two ISA servers involved, I would guess you mean run netmon on both capturing traffic on both external interfaces. Correct?

As for the info, I thought you meant the ISA logs, since there is more info in there (DMZ addresses, network IDs etc etc) that I do not really want to publish.

I will post the following from the ISA logs - it logs two sessions - first the failed DOS session and then the successful FTP client session.

It may not post very well, but here it is none the less - can you tell anything from this?

ftp.exe:3:5.1 Y 10/1/2003 14:50:01 fwsrv DCISAP02 - www.weatherbank.com 66.210.81.61 - 125 - - - -
ftp.exe:3:5.1 Y 10/1/2003 14:50:01 fwsrv DCISAP02 - - 66.210.81.61 21 94 - - 21 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:08 fwsrv DCISAP02 - - - - - - - 0 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:08 fwsrv DCISAP02 - - - 11079 - - - 0 TCP
javaw.exe:3:5.1 Y 10/1/2003 14:50:11 fwsrv DCISAP02 - - - - - - - - -
ftp.exe:3:5.1 Y 10/1/2003 14:50:18 fwsrv DCISAP02 - - - - 8859 - - 0 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:24 fwsrv DCISAP02 - - 66.210.81.61 21 22563 62 198 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:37 fwsrv DCISAP02 - ftp.weatherbank.com 66.210.81.61 - 47 - - - -
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:38 fwsrv DCISAP02 - - 66.210.81.61 21 78 - - 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:39 fwsrv DCISAP02 - - 66.210.81.61 4014 78 - - 4014 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:41 fwsrv DCISAP02 - - 66.210.81.61 4014 2468 - 115232 4014 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:47 fwsrv DCISAP02 - - 66.210.81.61 21 78 - - 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:48 fwsrv DCISAP02 - - 66.210.81.61 4015 157 - - 4015 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:48 fwsrv DCISAP02 - - 66.210.81.61 4015 704 - 2786 4015 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:49 fwsrv DCISAP02 - - 66.210.81.61 21 2250 104 393 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:51 fwsrv DCISAP02 - - 66.210.81.61 21 13187 96 520 21 TCP

Thanks
Kurtis

(in reply to kkril)
Post #: 13
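The log excerpt above can be read mechanically. The following added example (not code from the thread or from ISA Server) splits the posted Firewall log lines on whitespace and sorts each entry by client application into control-channel entries (destination port 21), data-channel entries (any other numeric destination port with a destination IP present) and everything else. The field positions are an assumption that fits only this excerpt; the thread itself notes that fields are missing, so they are not the full ISA log schema. The point a practitioner wants to see is that ftp.exe never gets a data connection at all, while wsftppro.exe opens two (ports 4014 and 4015) and receives bytes on them.

```python
from collections import defaultdict

# Firewall log lines exactly as posted in this thread (post #13).
FIREWALL_LOG = """\
ftp.exe:3:5.1 Y 10/1/2003 14:50:01 fwsrv DCISAP02 - www.weatherbank.com 66.210.81.61 - 125 - - - -
ftp.exe:3:5.1 Y 10/1/2003 14:50:01 fwsrv DCISAP02 - - 66.210.81.61 21 94 - - 21 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:08 fwsrv DCISAP02 - - - - - - - 0 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:08 fwsrv DCISAP02 - - - 11079 - - - 0 TCP
javaw.exe:3:5.1 Y 10/1/2003 14:50:11 fwsrv DCISAP02 - - - - - - - - -
ftp.exe:3:5.1 Y 10/1/2003 14:50:18 fwsrv DCISAP02 - - - - 8859 - - 0 TCP
ftp.exe:3:5.1 Y 10/1/2003 14:50:24 fwsrv DCISAP02 - - 66.210.81.61 21 22563 62 198 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:37 fwsrv DCISAP02 - ftp.weatherbank.com 66.210.81.61 - 47 - - - -
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:38 fwsrv DCISAP02 - - 66.210.81.61 21 78 - - 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:39 fwsrv DCISAP02 - - 66.210.81.61 4014 78 - - 4014 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:41 fwsrv DCISAP02 - - 66.210.81.61 4014 2468 - 115232 4014 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:47 fwsrv DCISAP02 - - 66.210.81.61 21 78 - - 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:48 fwsrv DCISAP02 - - 66.210.81.61 4015 157 - - 4015 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:48 fwsrv DCISAP02 - - 66.210.81.61 4015 704 - 2786 4015 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:49 fwsrv DCISAP02 - - 66.210.81.61 21 2250 104 393 21 TCP
wsftppro.exe:3:5.1 Y 10/1/2003 14:50:51 fwsrv DCISAP02 - - 66.210.81.61 21 13187 96 520 21 TCP
"""

# Assumed field positions for this excerpt only (not the official ISA log layout).
F_CLIENT_APP, F_TIME, F_DEST_IP, F_DEST_PORT, F_BYTES_RECV = 0, 3, 8, 9, 12
EXPECTED_FIELDS = 15
FTP_CONTROL_PORT = 21


def parse_line(line):
    """Split one posted log line into the few fields this analysis needs."""
    fields = line.split()
    if len(fields) != EXPECTED_FIELDS:
        return None                                   # not a line in the posted shape
    app = fields[F_CLIENT_APP].split(":")[0]          # "ftp.exe:3:5.1" -> "ftp.exe"
    dest_ip = None if fields[F_DEST_IP] == "-" else fields[F_DEST_IP]
    port = fields[F_DEST_PORT]
    recv = fields[F_BYTES_RECV]
    return {
        "app": app,
        "time": fields[F_TIME],
        "dest_ip": dest_ip,
        "dest_port": int(port) if port.isdigit() else None,
        "bytes_received": int(recv) if recv.isdigit() else 0,
    }


def classify(entry):
    """control = FTP command channel, data = a negotiated data connection."""
    if entry["dest_ip"] is None or entry["dest_port"] is None:
        return "other"
    return "control" if entry["dest_port"] == FTP_CONTROL_PORT else "data"


def summarize(log_text):
    """Per client application: how many control/data/other entries, which data ports, bytes in."""
    summary = defaultdict(lambda: {"control": 0, "data": 0, "other": 0,
                                   "data_ports": [], "bytes_received": 0})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        kind = classify(entry)
        s = summary[entry["app"]]
        s[kind] += 1
        if kind == "data":
            if entry["dest_port"] not in s["data_ports"]:
                s["data_ports"].append(entry["dest_port"])
            s["bytes_received"] += entry["bytes_received"]
    return dict(summary)


def apps_without_data_connection(summary):
    """Clients that reached the command channel but never opened a data channel."""
    return sorted(app for app, s in summary.items() if s["control"] > 0 and s["data"] == 0)


if __name__ == "__main__":
    result = summarize(FIREWALL_LOG)
    for app, s in sorted(result.items()):
        print(f"{app:14s} control={s['control']} data={s['data']} other={s['other']} "
              f"data_ports={s['data_ports']} bytes_received={s['bytes_received']}")
    print("no data channel seen for:", apps_without_data_connection(result))
```

Running it reports ftp.exe with two control entries and no data entries, and wsftppro.exe with four control and four data entries on ports 4014 and 4015. That matches the symptom in the thread: login succeeds (control channel works) and the hang begins exactly where a data connection should appear.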
RE: DOS FTP Problem - 1.Oct.2003 9:08:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

yes, I mean run netmon on both capturing traffic on both external interfaces.

I'm missing some important fields in the posted Firewall log. As said before, you must enable the logging of *all* fields in the ISA log settings. Can you do that and redo the tests?

Also, I suggest you post 3 excerpts of the Firewall log:
- FTP command line client
- WSFTPPro in active mode FTP
- WSFTPPro in passive mode FTP

HTH,
Stefaan

(in reply to kkril)
Post #: 14
RE: DOS FTP Problem - 3.Oct.2003 1:00:00 AM   
danielnwa (Posts: 28, Joined: 25.Sep.2003, From: Oregon)
Hi all,

I am having the same problem. FTP works with WSFTP, and via a web browser after I enabled passive mode FTP. Is this a problem with command line ftp connecting through PORT mode? I have read your documents on FTP Stefaan, it has helped a lot. Thanks for taking the time to write that up. If there is a solution to allow ftp from a command prompt, please post it. Thanks.

Daniel

(in reply to kkril)
Post #: 15
RE: DOS FTP Problem - 3.Oct.2003 12:28:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Daniel,

the Microsoft command line FTP client works perfectly through the ISA server if the FTP server supports Active mode FTP! [Big Grin]

In fact, I always test with the Microsoft FTP client and only use another one if I need to test Passive mode FTP. There is really nothing special to tell about the Microsoft FTP client.

What is the Firewall and IP packet filter log telling you?

HTH,
Stefaan

(in reply to kkril)
Post #: 16
RE: DOS FTP Problem - 3.Oct.2003 4:50:00 PM   
kkril (Posts: 15, Joined: 26.Sep.2003)
Hi All,

I will do some testing this weekend and try to post the logs.

I just tried active mode on the FTP client and it failed, even though I can use PORT mode on the browser. I have a suspicion that the built-in FTP filter does not know how to translate secondary connections on account of our configuration, and that is why it would seem that PORT mode fails in these cases. With two outside interfaces that are "clustered" with Stonebeat, I don't think the filter knows on which interface to open the secondary connections. See, we have a virtual IP representing these interfaces, and some fancy work had to be done on our switches and routers, namely enabling multicast MAC forwarding on the switch ports and static ARP entries on the firewall.

Do you think that this might be causing the issues? That is, the fact that the built-in FTP filter works perhaps on only one outside interface, but with more than one it gets confused?

Have you successfully used the Microsoft FTP client in an array configuration?

Daniel, are you using more than one ISA server in your configuration?

Thanks
Kurtis

(in reply to kkril)
Post #: 17
RE: DOS FTP Problem - 3.Oct.2003 7:45:00 PM   
danielnwa (Posts: 28, Joined: 25.Sep.2003, From: Oregon)
Hi all,

I am scanning through the log file right now and trying to make sense of the information in there [Smile] The thing that I am trying to understand is: with passive FTP, does that mean we can't do uploads because upload uses active mode, or am I totally off base on that? As far as the FTP server not supporting Active Mode FTP from DOS-FTP, is there a way we can be sure of this (I guess this is where the log files help, right [Smile])?

Kurt,

I am using 2 ISA servers for redundancy.

BTW, would there be any reasons why audio streaming is a problem with Windows NT 4.0 when 98, 2000 Pro, XP, 2003 work?

Thanks all for the information

(in reply to kkril)
Post #: 18
RE: DOS FTP Problem - 3.Oct.2003 9:28:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kurtis,

if only passive mode FTP is working then there is a fair chance that the clustering is creating havoc. Keep in mind that for active mode FTP the FTP application filter must rewrite the IP address and port number in the port command due to the NAT. That is not needed in passive mode.

That's exactly the reason why I asked for full logging *and* a Network Monitor trace to track down the problem. Personally I have no experience with clustering software, but I know the FTP protocol quite well. [Wink]

HTH,
Stefaan

(in reply to kkril)
Post #: 19
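The rewrite Stefaan describes is easy to show concretely. The following is an added illustration, not ISA Server's FTP application filter and not code from anyone in this thread: it parses the RFC 959 HOST-PORT form (h1,h2,h3,h4,p1,p2) used by the client's PORT command and by the server's 227 reply, shows what a NAT FTP filter must substitute into an active-mode PORT command (the public address and a port it will listen on), and states for each mode which side opens the data connection. The function names, the private client address 10.0.0.5, the public address 203.0.113.10 and the port 40000 are constructed for the example; 66.210.81.61 and port 4014 are the server address and data port seen in the log posted earlier in the thread.

```python
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")


def split_hostport(spec):
    """Parse 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = spec.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected six decimal numbers, got {spec!r}")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {spec!r}")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 cannot carry a data connection")
    return ".".join(str(n) for n in nums[:4]), port


def join_hostport(ip, port):
    """Inverse of split_hostport: ('1.2.3.4', 4014) -> '1,2,3,4,15,174'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {ip!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Client -> server, active mode: 'PORT h1,h2,h3,h4,p1,p2'."""
    m = re.fullmatch(r"PORT\s+(\S+)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return split_hostport(m.group(1))


def parse_pasv_reply(line):
    """Server -> client, passive mode: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    text = line.strip()
    m = HOSTPORT_RE.search(text)
    if not text.startswith("227") or not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return split_hostport(m.group(1))


def rewrite_port_command(line, public_ip, public_port):
    """What a NAT FTP filter has to do for active mode: the client announced its
    private address, which the server cannot reach, so the filter substitutes the
    public address and a port it will itself accept the server's connection on.
    Returns (rewritten command, (original client ip, original client port))."""
    client_ip, client_port = parse_port_command(line)
    return f"PORT {join_hostport(public_ip, public_port)}", (client_ip, client_port)


def describe_data_connection(line):
    """Which side opens the data connection, and to where, for either negotiation form."""
    if line.strip().upper().startswith("PORT"):
        ip, port = parse_port_command(line)
        return {"mode": "active", "opened_by": "server", "to": (ip, port)}
    ip, port = parse_pasv_reply(line)
    return {"mode": "passive", "opened_by": "client", "to": (ip, port)}


if __name__ == "__main__":
    cmd, orig = rewrite_port_command("PORT 10,0,0,5,4,1", "203.0.113.10", 40000)
    print("client sent PORT for", orig, "-> filter forwards:", cmd)
    print(describe_data_connection("227 Entering Passive Mode (66,210,81,61,15,174)"))
```

In passive mode nothing in the 227 reply refers to the client's private address, so the filter only has to let the client's outbound connection to 66.210.81.61:4014 through; in active mode, if the PORT line is forwarded unrewritten (or rewritten with an address the clustered external interfaces do not actually answer on), the server attempts a connection that can never complete and the client sees exactly the hang on ls or get reported in this thread.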
RE: DOS FTP Problem - 3.Oct.2003 10:38:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Daniel,

passive or active mode FTP has nothing to do with the ability to perform uploads and/or downloads. It just defines the way the data connection is negotiated. Check out my article again for full details. You will find there also some examples of how FTP sessions are logged.

To be RFC compliant, I think that each FTP server must support active mode FTP and might support passive mode FTP. However that says nothing about what is allowed along the path! [Big Grin]

HTH,
Stefaan

(in reply to kkril)
Post #: 20