FTP connection between 2 VMs on the same VPN

[DavidM92]

I have a VM1 (On Azure) which is also a VPN server (by OpenVPN).
I have another Virtual Machine (VM2) which has a FileZilla Server configured.

From my Local PC (which is also on the VPN), I can connect via FTP to VM2 with the VM2 VPN IP.
But not since VM1, it tells me:

Code: Select all

Status: Connecting to XX.XX.XX.182:21…
Status: Connection established, waiting for welcome message…
Status: Initializing TLS…
Status: TLS connection established.
Status: Connected
Status: Recovering folder contents…
Command: PWD
Answer: 257 "/" is current directory.
Order: TYPE I
Answer: 200 Type set to I
Command: PORT 10,50,8,1,231,163
Response: 200 PORT command successful.
Order: MLSD
Answer: 150 Starting data transfer.
[b]Error: Connection interrupted after 20 seconds of inactivity
Error: Unable to retrieve folder contents[/b]

• All the parameters are the same on both client.

• The filezilla client and server are the last version.

• I tried all possible configurations on client (active/UTF-8/Simple FTP)

• I opened port 21 on both sides.

• I tried to desactivate FireWall on VM2

In the FileZilla logs on the VM2 side, I have:
Code: Select all - View in a separate window

Code: Select all

[FTP Session 36 XX.XX.XX.1 FTPserver] GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
[FTP Session XX.XX.XX.1 FTPserver] Client did not properly shut down TLS connection
[FTP Session XX.XX.XX.1 FTPserver] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.

[botg]

The log has been tampered with, it has become useless. Please post a complete and most of all unmodified log. Also post an equally complete and unmodified log from the other side.

[DavidM92]

Bonjour,
J'ai juste masqué mon IP (j'ai voulu mettre en gras le message d'erreur, ce qui a rajouté des balises B, mais le texte n'a pas été modifié).
Que puis je fournir de plus ?

Good morning,
I just hid my IP (I wanted to bold the error message, which added B tags, but the text was not modified).
What more can I provide?

[boco]

IPs and ports are among the most valuable information you can use in log diagnostic. Public IPs are, as their name indicates, public, no need to hide them (security by obscurity does not really work). Private IPs don't nned to be hidden, either, as they are not unique identifiers.

Bold tags do not work inside "code" blocks, as code blocks are supposed to preserve any raw text as-is, unformatted.

[DavidM92]

Ok, the Filezilla Client Log (The 10.50.8.122 IP is the server):

Status: Connecting to 10.50.8.122:21…
Status: Connection established, waiting for welcome message…
Status: Initializing TLS…
Status: TLS connection established.
Status: Connected
Status: Recovering folder contents…
Command: PWD
Answer: 257 "/" is current directory.
Order: TYPE I
Answer: 200 Type set to I
Command: PORT 10,50,8,1,231,163
Response: 200 PORT command successful.
Order: MLSD
Answer: 150 Starting data transfer.
Error: Connection interrupted after 20 seconds of inactivity
Error: Unable to retrieve folder contents

The FileZilla Server Log (The 10.50.8.1 IP is the client):

[FTP Session 10.50.8.1 FTPserver] GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
[FTP Session 10.50.8.1 FTPserver] Client did not properly shut down TLS connection
[FTP Session 10.50.8.1 FTPserver] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.

[boco]

Your IPs are private LAN IPs, as expected in a VPN. They can not be used to identify you, not even theoretically.

As you are using Active (PORT) Mode, is the client-side firewall and FTP client properly configured to allow incoming connections on all configured data ports?

[DavidM92]

Hello:

• Yes, on client, "active is checked. How can i sure that the server is active too ?

• Yes the both have a firewall but the 21 port is open on both

• I think. Because i can send file from my Local on VM2. How can i check it ?

[boco]

Yes, on client, "active is checked. How can i sure that the server is active too ?

An FTP server cannot be "active" or "passive". It must be prepared for both types of connections, as these are entirely client-dictated.

Yes the both have a firewall but the 21 port is open on both

Port 21 is not enough. FTP uses many more ports for data connections. You need to configure your FTP client with an adequate range of data ports and open this range of ports in the client firewall, too.

think. Because i can send file from my Local on VM2. How can i check it ?

VM2 is configured for Active FTP, it seems.

A word about VM: There are multiple network types for VMs. The default "NAT" puts yet another virtual router device between host and guest. Make sure it uses Bridged.

[DavidM92]

Hello,

I have open passive ports range in firewall on VM2 and i can connect Vm1 to VM2 by FTP in passive mode.

I will use it, by i can't explain why the active mode fail at the last step (list file).
Can you tell me the other ports must be opened like 20 and 21 ?

Regards

[boco]

Passive data ports are used by Passive Mode, data ports on the server side. Active data ports are on the client side.

You must configure the Active port range in the FTP client, this will limit what ports it proposes to the server in the PORT command. Open that configured range in the client firewall. You can use ports from any region above 1024, although it is recommended to only use ports from 49152 and above. Amount of ports is maximum number of listings and transfers you can possibly do in four minutes at peak times.

If you cannot configure the FTP client, you need to open the whole 1025-65535 range.