passive FTP issue < 425 Can't open data connection.



dwisewon -> passive FTP issue < 425 Can't open data connection. (1.Dec.2005 9:29:48 PM)

ftp log

Connecting to www.schoolconnectsweb.com , 01 Dec 2005 14:43:20
< 220-FileZilla Server version 0.9.8 beta
< 220 Support FTP Site for Synrevoice Hosted Service
> USER hoosick
< 331 Password required for xxxxx
> PASS (hidden)
< 230 Logged on
> SYST
< 215 UNIX emulated by FileZilla
> PWD
< 257 "/" is current directory.
> TYPE A
< 200 Type set to A
> PASV
< 227 Entering Passive Mode (209,29,12,241,254,84)
> LIST
< 425 Can't open data connection.

ISA setup: I have inbound and outbound protocol rules for a primary port of 1841 and a secondary connections port range of 1-65000 inbound and outbound. If I relax it so I allow all IP traffic it will work fine, so I know ISA is my issue.
I'm running Server 2003, which I believe is ISA 2000; correct me if I'm wrong.
Any insight would be appreciated.




spouseele -> RE: passive FTP issue < 425 Can't open data connection. (1.Dec.2005 9:39:58 PM)

Hi dwisewon,

we need some *exact* info to help you further!
Where is the FTP server?
Where is the FTP client?
What protocol and site&content rules have you in place to support this setup?
...

In the mean time, it could be helpful to check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan




dwisewon -> RE: passive FTP issue < 425 Can't open data connection. (2.Dec.2005 1:55:31 PM)

The FTP server is on the internet and the client is an ISA client on my network. The strange thing is this was working; I've changed nothing and according to the company running the server they've changed nothing. And it works if I throw in an "allow all" for these clients, so I know it's ISA stopping me.
We're trying to connect to a passive FTP server on port 1841.  I'm an ISA rookie so forgive me if I've left out any other pertinent details.

I have an "allow" protocol rule for "any request" with the following protocols
an inbound port 1841 with secondary ports of 1-65000 in and 1-65000 out
an outbound port 1841 with secondary ports of 1-65000 in and 1-65000 out


As you can see by the FTP client log in my original post, we're making it out and logging on to the server; it fails when it tries to establish a data channel. Any insight would be great. Thanks




spouseele -> RE: passive FTP issue < 425 Can't open data connection. (2.Dec.2005 4:25:05 PM)

Hi dwisewon,

according to the info given:

1. you should have a protocol definition in place with the following parameters:
  • primary connection: TCP port 1841 Outbound
  • secondary connections: TCP port 1025 - 65534 Outbound


2. the clients should be configured as Firewall clients. SecureNAT clients won't work because no application filter is available to support those secondary connections.

You said "And it works if I throw in an "allow all" for these clients, so I know it's ISA stopping me". In that case, you can easily verify in the ISA Firewall log that the protocol used is indeed what you think it is. Also, because you know what the logging should look like, you should be able to determine why it is not working any longer.

BTW --- If you enable the logging of all fields and set the log format to ISA format, you might post an excerpt of the Firewall log. We can then take a look at it.

HTH,
Stefaan




dwisewon -> RE: passive FTP issue < 425 Can't open data connection. (2.Dec.2005 5:54:56 PM)

My port ceiling of 65000 was the problem; once I made it 65534 it worked. Thank you very much for your time.
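Why the ceiling mattered can be read straight off the PASV reply in the original log. The server announces the data-connection endpoint as six decimal octets: four for the address and two for the port, where the port is the fifth value times 256 plus the sixth. The following is an added example (not code from the thread's participants, and not ISA's own filter logic) that parses a 227 reply and checks the announced port against the two secondary-connection ranges discussed above; the reply string is taken from the log, the range constants and the function names are the example's own.

```python
import re

# Server's PASV reply, copied from the FTP client log in the first post.
PASV_REPLY = "227 Entering Passive Mode (209,29,12,241,254,84)"

# Secondary-connection port ranges discussed in the thread (constants are
# this example's own naming of the two rules).
ORIGINAL_RANGE = (1, 65000)      # the poster's original rule, which failed
SUGGESTED_RANGE = (1025, 65534)  # the range suggested in the reply, which worked

# The six comma-separated numbers inside the parentheses of a 227 reply.
_PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply; raise ValueError otherwise.

    RFC 959 encodes the port as p1*256 + p2, so a port above 65535 or an
    octet above 255 cannot be a valid announcement and is rejected.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    match = _PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    values = [int(v) for v in match.groups()]
    if any(v > 255 for v in values):
        raise ValueError("octet out of range in reply: %r" % reply)
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    if port == 0:
        raise ValueError("port 0 announced in reply: %r" % reply)
    return host, port


def port_allowed(port, port_range):
    """True if port falls inside the inclusive (low, high) secondary range."""
    low, high = port_range
    return low <= port <= high


def check_data_connection(reply, port_range, expected_host=None):
    """Decide whether a firewall rule with the given secondary range would
    admit the data connection announced in `reply`.

    expected_host (hypothetical parameter) is the address of the control
    connection's peer; when given, a 227 reply pointing elsewhere is refused,
    which is the check a stateful FTP filter should make before opening a
    secondary port towards an address the server merely named.
    """
    host, port = parse_pasv(reply)
    if expected_host is not None and host != expected_host:
        return {"host": host, "port": port, "allowed": False,
                "reason": "announced host differs from control peer"}
    if not port_allowed(port, port_range):
        return {"host": host, "port": port, "allowed": False,
                "reason": "port %d outside secondary range %d-%d" % (port, port_range[0], port_range[1])}
    return {"host": host, "port": port, "allowed": True, "reason": "ok"}


if __name__ == "__main__":
    for name, rng in (("original 1-65000", ORIGINAL_RANGE), ("suggested 1025-65534", SUGGESTED_RANGE)):
        print(name, check_data_connection(PASV_REPLY, rng))
```

Run against the logged reply, the announced data port works out to 254 * 256 + 84 = 65108, which the original 1-65000 rule does not cover but the 1025-65534 rule does; that is exactly the gap between the failing and working configurations. Only a Firewall client (or an application filter) can open that secondary port on demand from the 227 reply, which is why the earlier answer rules out SecureNAT clients for this setup.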




spouseele -> RE: passive FTP issue < 425 Can't open data connection. (3.Dec.2005 7:30:13 PM)

Hi dwisewon,

good to hear you have it working and thanks for the follow-up! [:)]

Stefaan



