RE: ENETUNREACH - Network unreachable in 3.11.0

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#16 Post by botg » 2015-07-28 10:26

Downgrading is not a supported use-case and is known to corrupt settings and sites.

You need to contact your firewall vendor for assistance so that the broken firewall can be fixed.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#17 Post by DailyLama » 2015-07-29 07:52

botg wrote:Downgrading is not a supported use-case and is known to corrupt settings and sites.
You need to contact your firewall vendor for assistance so that the broken firewall can be fixed.
I can reach ~50% of FTP servers. Not randomly, but the same state every time: veeam ftp does never work, a personal test ftp (outside the company) does always work. So how can the Firewall (open for all outgoing traffic) or Kaspersky be a problem?

What I did see: if TLS is established it breaks, every time, starting with 3.11.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#18 Post by botg » 2015-07-29 08:13

DailyLama wrote:So how can the Firewall (open for all outgoing traffic) or Kaspersky be a problem?
Firewalls are designed to disrupt connections, that is their very purpose. Sometimes they disrupt too much. In that case the firewall needs to be reconfigured or fixed.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#19 Post by DailyLama » 2015-07-29 08:41

botg wrote:
DailyLama wrote:So how can the Firewall (open for all outgoing traffic) or Kaspersky be a problem?
Firewalls are designed to disrupt connections, that is their very purpose. Sometimes they disrupt too much. In that case the firewall needs to be reconfigured or fixed.
"FTP clients are designed to connect to FTP servers, that is their very purpose. Sometimes they cannot connect while other clients can connect without a problem. In that case the clients needs to be reconfigured or fixed."

Now let anyone guess which task is easier. A checkbox that allows users to use FileZilla with "broken" whatever or to change all firewalls, AVs and FTP servers so they can talk to one client while all other work fine, including all older versions of the same client.
But I get the feeling this is not about developing a FTP client for users anymore but to build a perfect product. Which has to fail in an non-perfect world.

Still a big THANK YOU for FileZilla, since I used it for a looong time. It was a nice ride but even the nicest one has to end sometimes. I will replace the client in our images end of the week. I simply have to support my users, not other companies.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#20 Post by botg » 2015-07-29 09:39

"FTP clients are designed to connect to FTP servers, that is their very purpose. Sometimes they cannot connect while other clients can connect without a problem. In that case the clients needs to be reconfigured or fixed."
Note how my original statement contains a cause. Your paraphrase omits the cause yet still assigns blame. That's an inadmissible generalization.
A checkbox that allows users to use FileZilla with "broken" whatever or to change all firewalls, AVs and FTP servers so they can talk to one client while all other work fine, including all older versions of the same client.
That would quickly result in dozens of checkboxes. Do you really want bug workaround dialogs as e.g. in PuTTY? See the screenshots below how such dialogs look like and how utterly incomprehensible they are for most users. Do you know what a "SSH-2 'winadj' request" is and what happens if a server does not support it and what the potential security implications are when enabling a workaround?


Can you tell me in your own words in which situations (there are multiple) ENETUNREACH can happen and what the root cause is in each? In which of these situations can there be a workaround? What are the potential implications of the workaround? Why was a change made in FZ that now triggers a bug in faulty firewalls leading to ENETUNREACH? And last but not least, explain how a workaround for ENETUNREACH could actually result in more ENETUNREACH.
Attachments
bugs2.png
bugs2.png (39.79 KiB) Viewed 3233 times
bugs1.png
bugs1.png (44.27 KiB) Viewed 3233 times

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#21 Post by DailyLama » 2015-07-29 10:07

botg wrote: Can you tell me in your own words in which situations (there are multiple) ENETUNREACH can happen and what the root cause is in each? In which of these situations can there be a workaround?
No, and my user can't too. All we know is it worked with 3.10 and it does not work since the update. Since nothing else changed and other ftp clients work too we have to change to something that simply works. You cannot ask users to suddenly be experts or the IT world to change because of an upgrade of yours. Sad, but that's like it is.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#22 Post by botg » 2015-07-29 10:13

Have you considered asking your users to install a different firewall?
You cannot ask users to suddenly be experts or the IT world to change because of an upgrade of yours. Sad, but that's like it is.
I agree. Since the users are not IT experts, they should listen to the IT experts instead. In this case a leading expert on FTP technology has proven that the firewall is the root cause of the problem and that the firewall needs to be fixed. So the users should fix their firewall, contacting their firewall vendor for assistance if they cannot do it themselves.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#23 Post by DailyLama » 2015-07-29 10:58

botg wrote:Have you considered asking your users to install a different firewall?
We do not use any software firewall product. There is only a hardware firewall that is completely open for outgoing traffic.
So there is nothing to update except the FTP servers from veeam, DELL and whoever who will not do anything when I write to them as you know for sure yourself.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#24 Post by botg » 2015-07-29 12:43

We do not use any software firewall product.
There must be a software firewall installed on the machine running FileZilla. Otherwise you would not get ENETUNREACH.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#25 Post by DailyLama » 2015-07-29 13:00

botg wrote:
We do not use any software firewall product.
There must be a software firewall installed on the machine running FileZilla. Otherwise you would not get ENETUNREACH.
Nope. I am the domain admin here and I have the same problem on my workstation. No software firewall, no AV firewall. no Windows firewall. Even bittorrent runs flawless, which is one of the hardest things when there are firewalls messing with the connection.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#26 Post by botg » 2015-07-29 13:33

Interesting, so this might be a different problem.

Please use this test build: https://filezilla-project.org/nightlies ... _setup.exe and set the debug level to "3 - Verbose" on the debug page in the settings dialog of FileZilla.
Please start Windows' command prompt (cmd.exe) with administrative rights. Then get FileZilla to display the error and immediately after ENETUNREACH happens, execute the following two commands:

Code: Select all

netsh interface ip show addresses
netstat -nb
Please post the output of the two commands as well as the corresponding log from FileZilla here.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#27 Post by DailyLama » 2015-07-29 13:37

botg wrote:Interesting, so this might be a different problem.
Please use this test build: https://filezilla-project.org/nightlies ... _setup.exe and set the debug level to "3 - Verbose" on the debug page in the settings dialog of FileZilla.
Sorry "The requested URL /nightlies/2015-07-29/x86_64-w64-mingw32/FileZilla_3_setup.exe was not found on this server."

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#28 Post by botg » 2015-07-29 13:38

DailyLama wrote:Sorry "The requested URL /nightlies/2015-07-29/x86_64-w64-mingw32/FileZilla_3_setup.exe was not found on this server."
Try again please, the file hadn't yet distributed to the mirror.

DailyLama
500 Syntax error
Posts: 13
Joined: 2015-07-28 07:17

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#29 Post by DailyLama » 2015-07-29 13:44

botg wrote:
DailyLama wrote:Sorry "The requested URL /nightlies/2015-07-29/x86_64-w64-mingw32/FileZilla_3_setup.exe was not found on this server."
Try again please, the file hadn't yet distributed to the mirror.

All sent with PM. Please note that we do not use the Firewall component of Kaspersky. It's deactivated via Kaspersky Security Center.

User avatar
botg
Site Admin
Posts: 32336
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: RE: ENETUNREACH - Network unreachable in 3.11.0

#30 Post by botg » 2015-07-29 13:57

Please note that we do not use the Firewall component of Kaspersky. It's deactivated via Kaspersky Security Center.
Sadly no, that's not the case.


Excerpt from the log:
Status: Resolving address of supportftp.veeam.com
Status: Connecting to 80.249.186.4:21...
[...]
Trace: Binding data connection source IP to control connection source IP 127.0.0.1
Command: LIST
Error: The data connection could not be established: ENETUNREACH - Network unreachable
That's the problem. The control connection source IP cannot possibly originate from 127.0.0.1 when you are connected to a public IP address, 127.0.0.1 is the unroutable localhost loopback address. The only time this can happen is if a firewall (or traffic redirection malware) redirects traffic in a forbidden way.


Sadly the netstat output does not include FileZilla. If you check the netstat output while FileZilla is running and connected to the server, I can guarantee you that all FileZilla traffic is being redirected through avp.exe, which is part of the Kaspersky firewall.

Post Reply