Hangs on LIST command with TLS
Hangs on LIST command with TLS
I'm having a weird issue connecting to our VSFTPd using TLS. When I try to connect with explicit TLS, Filezilla shows me the certificate and I accept it but then it gets hung up on the LIST command. I've tried Active and Passive connection. The weird part is if I don't use TLS then the LIST command completes and I can download a file. Any idea why Filezilla won't work when I try to use TLS? Thanks
Re: Hangs on LIST command with TLS
See the section about malicious routers and firewalls in our Network Configuration guide.
Re: Hangs on LIST command with TLS
Ok thanks... but didn't really see any solution there. We're in a University network with Cisco firewalls. Why would it work fine without TLS but gets hung up when TLS is used?
The same PORT or PASV commands are happening... For example, PORT with TLS enabled:
Code:
Command: PORT x,y,z,109,138,53 <- this is my external address
Response: 200 PORT command successful. Consider using PASV.
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
PASV with TLS enabled:
Code:
Command: PASV
Response: 227 Entering Passive Mode (x,y,z,3,188,146). <- this is the server's address
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Now with TLS disabled,
Code:
Command: PASV
Response: 227 Entering Passive Mode (x,y,z,3,189,232).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Still don't understand what is actually happening or not working. Are there extra rules I should tell the firewall admins to allow for our server?
Re: Hangs on LIST command with TLS
azgi wrote: Ok thanks... but didn't really see any solution there. We're in a University network with Cisco firewalls. Why would it work fine without TLS but gets hung up when TLS is used?
botg wrote: See the section about malicious routers and firewalls in our Network Configuration guide.
azgi wrote: Are there extra rules I should tell the firewall admins to allow for our server?
Yes, the entire passive mode port range needs to be always and unconditionally opened and forwarded.
Re: Hangs on LIST command with TLS
That did it! thanks
Still strange that it worked fine without TLS. I'm guessing the firewall can detect the traffic without TLS and do its magic to make PASV work, but with TLS it just breaks.
Basically this I'm guessing,
Essentially, it can cause a number of problems if it is enabled by default, without explicit user consent. The FTP connections in their most basic form appear to work, but as soon as there's some deviation from the basic case, everything will fail, leaving the user stumped.
Re: Hangs on LIST command with TLS
Not strange at all. TLS traffic is encrypted, firewalls and routers cannot make heads and tails out of it. Looks just like digital noise to them. Thus, they actually don't know it's FTP.
Please note that this condition (firewall NOT interfering) is the desired and normal behavior.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
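The behaviour discussed in this thread, as an added example that is not part of any post: a small model of how an FTP-inspecting firewall learns the data port from a plaintext control channel, why it learns nothing once the channel is TLS-encrypted, and why a static rule for the passive range fixes it. The addresses, the ciphertext stand-in and the 48000-49000 range are constructed for illustration.

```python
import re

# RFC 959 formats: "227 ... (h1,h2,h3,h4,p1,p2)" reply and "PORT h1,...,p2" command.
SIX = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(rb"227 [^\r\n(]*\(" + SIX + rb"\)")
PORT_RE = re.compile(rb"PORT " + SIX)


def data_endpoint(control_bytes):
    """Return (ip, port) announced on the control channel, or None.

    This is the lookup FTP inspection performs on the bytes it can read.
    """
    m = PASV_RE.search(control_bytes) or PORT_RE.search(control_bytes)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    # The data port is encoded as two bytes: p1 * 256 + p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection_allowed(control_bytes, dst_port, static_range=None):
    """Model of the firewall decision for a new data connection."""
    if static_range and static_range[0] <= dst_port <= static_range[1]:
        return True  # unconditional rule covering the passive port range
    learned = data_endpoint(control_bytes)  # dynamic pinhole via inspection
    return learned is not None and learned[1] == dst_port


# Constructed samples (documentation addresses, not values from the thread).
PLAIN_CONTROL = b"227 Entering Passive Mode (192,0,2,3,189,232).\r\n"
# Stand-in for a TLS application-data record: header plus opaque bytes.
TLS_CONTROL = b"\x17\x03\x03\x00\x30" + bytes(range(0x80, 0xB0))
PASV_RANGE = (48000, 49000)  # assumed passive range configured on the server

if __name__ == "__main__":
    print("plaintext:", data_endpoint(PLAIN_CONTROL))
    print("TLS:      ", data_endpoint(TLS_CONTROL))
    for name, ctrl in (("plaintext", PLAIN_CONTROL), ("TLS", TLS_CONTROL)):
        print(name, "inspection only:", data_connection_allowed(ctrl, 48616))
        print(name, "static range:   ",
              data_connection_allowed(ctrl, 48616, PASV_RANGE))
```

The static range only helps if the server is configured to hand out passive ports inside it, which on vsftpd is set with `pasv_min_port` and `pasv_max_port`.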
-
- 500 Command not understood
- Posts: 3
- Joined: 2022-10-10 18:22
- First name: Thomas
- Last name: Brooks
Re: Hangs on LIST command with TLS
Ask the Cisco Firewall administrators to disable FTP inspection. That's what did it for me.
Re: Hangs on LIST command with TLS
Disable the FTP inspection in Service Policy Rules. Look under the Global: group_policy -> rule actions un-check the ftp inspection.
See if that addresses the issue.