425 Can't Open Data Connection

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

boco
Contributor
Posts: 24152
Joined: 2006-05-01 03:28
Location: Germany

Re: 425 Can't Open Data Connection

#16 Post by boco » 2014-09-08 19:42

NAT is a technology that hides any network behind one IP. For that reason, connections from the Internet end on your router, they can't see anything beyond. Hence, the IP service can only show the router IP.

Running services behind NAT routers requires port forwarding. That's true for every router on the server side (if there's more than one in line). Port forwards must be done for ALL ports that are involved. FTP requires many ports (hundreds to thousands). There are two modes of operation:

1. Active (PORT) mode, as shown by your logs. Mostly used by lazy server admins or in case of providers blocking ports. As you see, the PORT command is sent by the client, not the server. The server will connect back to the client for data connections. Thus, in Active mode, the client has to forward the data ports in the client router, and the client must tell the FTP client software the client network's public IP plus the ports to use. Your logs show incorrect configuration (non-public IP in PORT command).

2. Passive mode, the recommended one. The client sends PASV and the server will propose an IP and data port (=socket) on the server side. Passive mode will work for clients out-of-the-box as every configuration is done by the server. The actual actions are the same: Forward plenty of ports for Passive data connections and tell the FTP server to use them. Let the server software know the server network's public IP.


Note that the 'matching ports' issue is true for both modes. Alteration of the PORT command's or PASV reply's payload just asks for trouble.


Guide for getting both Active and Passive mode to run: Network Configuration. It is for FileZilla's software but many parts can be applied to other FTP software as well.


Note 1: Some routers are so badly programmed that all proper Active mode configuration is in vain.
Note 2: Everything said here does NOT apply to IPv6.


PS: You might ask why the client did even reach the server with that wrong configuration? Well, that's the most prominent case where routers manipulate FTP traffic. As you see, it fails regularly.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###
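The two exchanges described in the post above, played out over loopback sockets. This is an added example written for this page, not FileZilla code and not the poster's: the loopback address stands in for the public or private address a real deployment would advertise, an OS-chosen ephemeral port stands in for the forwarded data-port range, the listing bytes are constructed, and the function names are the editor's.

```python
import re
import socket
import threading

# Constructed sample: the directory listing the "server" hands over on the data connection.
LISTING = b"drwxr-xr-x 1 ftp ftp 0 Jan 01 00:00 pub\r\n"


def encode_hostport(ip, port):
    """Render ip:port as the h1,h2,h3,h4,p1,p2 tuple used by PORT and the 227 reply (RFC 959)."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def decode_hostport(text):
    """Parse h1,h2,h3,h4,p1,p2 out of a PORT argument or a 227 reply; port = p1*256 + p2."""
    h = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text).groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def read_all(conn):
    """Read a data connection until the sender closes it."""
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def new_listener():
    """A data-port listener on loopback; port 0 lets the OS pick a free port.
    A real server would pick from its configured (and forwarded) passive range."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    lst.settimeout(5)
    return lst


def passive_exchange():
    """Client sends PASV; the server opens a listener, answers 227 with its address and
    port, and the CLIENT connects to the SERVER. The address in the reply must be the
    server network's public IP, otherwise an outside client tries to reach a LAN address."""
    listener = new_listener()
    ip, port = listener.getsockname()
    reply = "227 Entering Passive Mode (%s)" % encode_hostport(ip, port)

    def server_side():
        conn, _ = listener.accept()
        conn.sendall(LISTING)
        conn.close()
        listener.close()

    t = threading.Thread(target=server_side)
    t.start()
    # Client side: decode the socket the server proposed and connect to it.
    with socket.create_connection(decode_hostport(reply), timeout=5) as data:
        got = read_all(data)
    t.join()
    return reply, got


def active_exchange():
    """Client opens a listener and sends PORT with ITS address and port; the SERVER connects
    back to the CLIENT. Behind NAT the client must advertise its public IP and a port the
    client-side router forwards, which is why a non-public IP in PORT fails."""
    listener = new_listener()
    ip, port = listener.getsockname()
    command = "PORT %s" % encode_hostport(ip, port)
    # Server side: parse the PORT argument and connect back to the client.
    data = socket.create_connection(decode_hostport(command), timeout=5)
    conn, _ = listener.accept()  # client side accepts the server's connection
    data.sendall(LISTING)
    data.close()
    got = read_all(conn)
    conn.close()
    listener.close()
    return command, got


if __name__ == "__main__":
    for name, fn in (("passive", passive_exchange), ("active", active_exchange)):
        msg, payload = fn()
        print(name, "|", msg, "| received", payload.strip())
```

Both functions return the control-channel message and the bytes that arrived on the data connection, so the direction of the data connection is the only thing that differs between them; the port arithmetic (p1*256 + p2) is the same in both directions.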

Sancho
500 Command not understood
Posts: 5
Joined: 2009-12-24 15:03

Re: 425 Can't Open Data Connection

#17 Post by Sancho » 2014-10-16 00:14

I'm getting the 425 Can't open data connection for transfer of "/" error when connecting from outside my network. I've read through the Network Config page, and am forwarding port 990 and 50000-51000 to the server PC. I can connect over the LAN (using LAN IP), and I can break the successful connection over the LAN by removing the port range from the Windows 7 Firewall rule I created. Add them back in, and I get the directory listing. I've done both the Add a Program method and run the netsh command, and manually added the ports (990, 50000-51000) to an Inbound rule. I don't recall instructions for any Outbound rule.

My outside test PC is using a Comcast modem+router (only used for VoIP) that is separate from my real LAN, which uses a Motorola SB6121 and a brand new ASUS RT-N66U router running the latest stable Merlin firmware. When I test using https://ftptest.net/ from a laptop within the LAN, and from one connected to the Comcast modem+router, the test completes successfully, listing the one sub-dir within the user's home dir.

Would that test indicate that the router and Comcast are not altering anything? On an unrelated(?) note, with this ASUS and an older amped wireless router, I'm unable to port-forward SSH using non-standard ports. I was able to ssh from my main LAN to a laptop connected to the Comcast modem+router, so something strange is definitely going on. Could the modem be at fault?

With both the ftptest site and my FileZilla client configs, I'm using the DDNS name, port 990, "Require explicit FTP over TLS" and Normal logon type.

I really need to get this Secure FTP accessible from the outside. Anything I missed? Shouldn't need any firewall rules on the client side in Passive mode, correct?

TIA!

~~~~~~~~~~~~~~~~~~~~~~~

I pulled log entries for a successful online test and a failed FileZilla Client logon attempt, and noticed some missing line items from the failed attempt. I've zipped up three text files, if anyone wants to take a look.
Attachments
FileZilla Server log data.zip
Server log data from successful test, failed dir listing, and noted diffs.

botg
Site Admin
Posts: 31574
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: 425 Can't Open Data Connection

#18 Post by botg » 2014-10-16 07:55

Would that test indicate that the router and Comcast are not altering anything?
No, the test cannot do that. Try manually comparing the output by the test as well as the server log. The commands and replies MUST be identical.
On an unrelated(?) note, with this ASUS and an older amped wireless router, I'm unable to port-forward SSH using non-standard ports. I was able to ssh from my main LAN to a laptop connected to the Comcast modem+router, so something strange is definitely going on. Could the modem be at fault?
If it's a pure modem it cannot be at fault. If it is one of those broken hybrid devices that have router functionality, then yes, it can be at fault and based on your description it seems very likely even.

Sancho
500 Command not understood
Posts: 5
Joined: 2009-12-24 15:03

Re: 425 Can't Open Data Connection

#19 Post by Sancho » 2014-10-16 16:40

botg wrote:
Would that test indicate that the router and Comcast are not altering anything?
No, the test cannot do that. Try manually comparing the output by the test as well as the server log. The commands and replies MUST be identical.
On an unrelated(?) note, with this ASUS and an older amped wireless router, I'm unable to port-forward SSH using non-standard ports. I was able to ssh from my main LAN to a laptop connected to the Comcast modem+router, so something strange is definitely going on. Could the modem be at fault?
If it's a pure modem it cannot be at fault. If it is one of those broken hybrid devices that have router functionality, then yes, it can be at fault and based on your description it seems very likely even.
My "real" LAN runs behind a Motorola SB6121 modem (no router element) and an attached router, and that's where the FileZilla Server lives. I had been using an Amped Wireless R10000G, and just replaced it with the ASUS RT-N66U. I know the modem gets its settings from Comcast (ISP) and facilitates the connection between the ISP and, in this case, the router. So I can see how the Motorola modem would be innocent. What's interesting is the Comcast-provided modem+router combo unit. When I did an SSH test to a laptop temporarily hooked up to it (coming from my "real" LAN), it worked. It's coming into my "real" LAN with SSH that fails. I'll work with them. Sorry for going off-topic.

The good news is, my user was able to access the FileZilla Server securely. I think I'd not configured the ports correctly. I was trying to deny unencrypted traffic, which I'd done in the server settings by enabling "Disallow plain unencrypted FTP" and by forcing the user to use SSL. I also have checked "Allow explicit FTP over TLS" as well as "Force PROT P to encrypt file transfers in SSL/TLS mode." The port for "Listen for implicit SSL/TLS connections..." was left at the default of 990, BUT that was also what I'd entered in the General Settings "Listen on these ports" field. I think that was causing a port conflict, yes? My goal was to have him connect on 990 using "Require explicit FTP over TLS" in the Encryption setting in the client. That, it seems, is not good.

I changed the general listen port to 991, left the other at 990, and he was able to connect using "Require implicit FTP over TLS" and the port field blank (i.e., default). So I guess my questions are:

Is there a value in using Explicit vs. Implicit, and if so, how do I configure the server to accept Explicit connections? I tried with port 991 and Explicit, but it doesn't get through. Both ports, as well as the Passive range, are being forwarded correctly.

Another interesting problem: from a PC in another location to which I have remote access via SSH, the FTP server is unreachable. The DDNS name resolves correctly, but the traffic never hits the server (no logon attempt). That location also uses the same Comcast modem+router as I have but don't use in a LAN setting. I tested from my Comcast device using Implicit (same as my successful user), and while I could connect, I still don't get the dir listing. Maybe it's a firewall setting on those Comcast combo units.

Thanks very much for your time :)

Sancho
500 Command not understood
Posts: 5
Joined: 2009-12-24 15:03

Re: 425 Can't Open Data Connection

#20 Post by Sancho » 2014-10-16 21:39

re: Implicit vs. Explicit connections, I found this:

Implicit FTPS takes SSL one step further than simply requiring that SSL-related commands must be sent first like you can with Explicit SSL; with Implicit FTPS, an SSL handshake must be negotiated before any FTP commands can be sent by the client. In addition, even though Explicit FTPS allows the client to arbitrarily decide whether to use SSL, Implicit FTPS requires that the entire FTP session must be encrypted. Basically the way that Implicit FTPS works is that an FTP client connects to the command/control channel, in this case using port 990, and immediately performs an SSL handshake; after SSL has been negotiated, additional FTP commands for the session can be sent by the FTP client.

http://blogs.msdn.com/b/robert_mcmurray ... -ftps.aspx

That makes me think I had it backwards, and that Implicit is preferable. Can you confirm? Also, if I'm forcing the user to use SSL, and he set his client to Explicit, would that cause a problem? That is my server-side setup, and as noted, Implicit allows him to connect. Or is port 991 not a good general listening port, since it's close to 990?

My user is still able to connect and transfer using Implicit. My only methods for testing my server are, ftptest.net, a remote PC that cannot connect to any FTP servers (not the three I tried, which are reachable for me), and using my Comcast modem+router. With the latter, I can connect to my server using Implicit, but I still get the 425 error.

botg
Site Admin
Posts: 31574
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: 425 Can't Open Data Connection

#21 Post by botg » 2014-10-17 09:04

Implicit FTP over TLS is deprecated. It has never been formally standardized.

Explicit FTP over TLS is the way forward.
Also, if I'm forcing the user to use SSL, and he set his client to Explicit, would that cause a problem?
No problem there.
is port 991 not a good general listening port, since it's close to 990?
991 is not a good port for this. Most ports, especially those below 1024, the so-called privileged ports, have an assigned meaning and shouldn't be used for other protocols. If you cannot use port 21, the dedicated port for FTP and explicit FTP over TLS, try a port >= 1024, preferably from the 49152 to 65535 range.

Sancho
500 Command not understood
Posts: 5
Joined: 2009-12-24 15:03

Re: 425 Can't Open Data Connection

#22 Post by Sancho » 2014-10-17 15:18

re: Explicit vs. Implicit, that's what I read in the FileZilla Wiki. I realize Implicit is deprecated, but if it works, it's still providing a secure connection from end-to-end, for auth and data, yes?

Thanks for confirming about 991. I changed the general listen port to 2112.

Last question, I promise. Since Implicit is deprecated, I'd prefer to use FTP-ES. I can't test it, because my outside-my-LAN access always gives the 425 error, regardless of how I connect. I've gone through all the relevant Wiki pages in an attempt to fix it, but no dice. Since my user can access the server successfully, I guess it's my ISP or their modem+router messing with the connection.

So, if I want to force the user to use FTP-ES, in FileZilla Client he should enter the DDNS name, port 2112 and choose "Require explicit FTP over TLS", correct? Anything else? Should he force passive under Transfer Settings, if Default doesn't work? At this point I'm forwarding 990, 2112 and 50000-51000 in the router. As I read the Wiki, that should be enough, as Explicit should use 2112, and then the server, running in Passive mode, will offer up the ports from the range. I've set his account to "Force SSL for user login" and the server is set to "Disallow plain unencrypted FTP". I'll have to rely on him to report the results of an FTP-ES login attempt.

Thanks again :)

botg
Site Admin
Posts: 31574
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: 425 Can't Open Data Connection

#23 Post by botg » 2014-10-17 17:11

I realize Implicit is deprecated, but if it works, it's still providing a secure connection from end-to-end, for auth and data, yes?
Yes.
Last question, I promise. Since Implicit is deprecated, I'd prefer to use FTP-ES. I can't test it, because my outside-my-LAN access always gives the 425 error, regardless of how I connect. I've gone through all the relevant Wiki pages in an attempt to fix it, but no dice. Since my user can access the server successfully, I guess it's my ISP or their modem+router messing with the connection.
You can test using https://ftptest.net/
So, if I want to force the user to use FTP-ES, in FileZilla Client he should enter the DDNS name, port 2112 and choose "Require explicit FTP over TLS", correct?
Yes.
Should he force passive under Transfer Settings, if Default doesn't work?
Passive mode is the default.
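The client-side configuration botg confirms above (explicit FTP over TLS on the non-standard listen port, passive mode, encrypted data channel), written against Python's ftplib as an added example rather than FileZilla Client. This is editor-written code, not FileZilla's or the poster's; the host name, credentials and certificate file in the usage block are placeholders, and 2112 is the port chosen in the thread. The one point worth taking from it that a GUI hides: ftplib's default FTP_TLS context does not verify the server certificate, so a verifying context has to be supplied, otherwise any certificate presented by a man-in-the-middle is accepted. ftplib has no implicit mode (port 990), which matches botg's advice to use explicit.

```python
import ssl
from ftplib import FTP_TLS


def explicit_ftps_client(cafile=None):
    """An ftplib client set up for explicit FTP over TLS (the FTP-ES of the thread).

    A verifying context is built explicitly: the system CA store, or `cafile` for a
    server that presents a self-signed certificate (that certificate must carry the
    DDNS name the client connects to, or hostname checking will reject it).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    client = FTP_TLS(context=ctx)
    client.set_pasv(True)  # passive mode: the server proposes a port from its forwarded range
    return client


def verifies_certificates(client):
    """True when the client will reject an unverifiable or mis-named server certificate."""
    ctx = client.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def default_client_verifies():
    """What a bare FTP_TLS() does: it wraps the connection in TLS but does not verify."""
    return verifies_certificates(FTP_TLS())


def list_directory(host, port, user, password, cafile=None, path="/"):
    """Explicit FTPS session in the order the protocol requires:
    plain-text connect -> AUTH TLS -> USER/PASS inside TLS -> PBSZ 0 + PROT P -> PASV + listing."""
    client = explicit_ftps_client(cafile)
    client.connect(host, port, timeout=30)
    client.auth()                 # AUTH TLS: upgrade the control connection before any credentials
    client.login(user, password)  # credentials travel inside TLS only
    client.prot_p()               # PBSZ 0 + PROT P: listings and transfers are encrypted as well
    try:
        return client.nlst(path)
    finally:
        client.quit()


if __name__ == "__main__":
    # Placeholder host, credentials and certificate file; 2112 is the thread's listen port.
    print(list_directory("ftp.example.net", 2112, "user", "secret", cafile="server-cert.pem"))
```

With "Force SSL for user login" and "Disallow plain unencrypted FTP" set on the server, a client that skips `auth()` is refused at USER; the order above is the one that satisfies both settings.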

Sancho
500 Command not understood
Posts: 5
Joined: 2009-12-24 15:03

Re: 425 Can't Open Data Connection

#24 Post by Sancho » 2014-10-17 17:15

Excellent! I'm done. Thanks for all your replies. The ftptest.net test succeeded, as did the user's Explicit connection, so that's all good. Time to bug my ISP about their crap modem+routers and, most likely, whacked out network problems.

Have a great weekend :D

terryb
500 Command not understood
Posts: 1
Joined: 2016-03-16 14:49
First name: Terry
Last name: Bogayong

Re: 425 Can't Open Data Connection

#25 Post by terryb » 2016-03-16 14:56

boco wrote:
So far I've configured DynDNS properly and set the settings in the firewall to allow connections inbound and outbound on port 21. But still I get this error.....

Code: Select all

425 Can't open data connection.
Failed to retrieve directory listing.
Yes, of course, because the listings and transfers do NOT use port 21. In the screenshot, the port offered was 49389 (192*256+237). So, in addition to the listening port, you need to define, open and forward a range of ports for Passive data connections (minimum recommended 100 ports). Please refer to the Network Configuration guide for details. Besides, in case you are behind a router and test from your own LAN, use the private LAN IP to connect.

Thank you Boco! I have been searching for a solution to this problem and have never found it. This is the first clear explanation I have found. Never knew what those numbers after the IP address were and how they translated to a port number. I set up port forwarding for a range that included that port and now I'm happily transferring files.

Thank you!
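Decoding and sanity-checking the socket that a PORT command or a 227 reply advertises, as an added example covering three points in this thread: boco's note that the logs showed a non-public IP in the PORT command, boco's note that the "matching ports" issue applies to both modes, and the 49389 = 192*256+237 decode terryb quotes above. This is editor-written code, not FileZilla's or any poster's; the log lines are constructed, addresses from the 203.0.113.0/24 documentation range stand in for public ones, and the function names are the editor's.

```python
import ipaddress
import re

# Address blocks that must never be advertised to a peer on the Internet: RFC 1918 space,
# loopback, link-local, CGNAT shared space and "this network". Documentation ranges such
# as 203.0.113.0/24 are deliberately left out so they can stand in for public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def decode_hostport(text):
    """Pull the h1,h2,h3,h4,p1,p2 tuple out of a PORT argument or a 227 reply.
    The port is p1*256 + p2, so "192,237" is 49389."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(f[:4]), f[4] * 256 + f[5]


def check_advertised_socket(text, control_peer_ip, forwarded_ports):
    """Explain why a data connection to the advertised socket is likely to fail.

    text:             the PORT command (active) or 227 reply (passive) as it appears in a log
    control_peer_ip:  the address the other end of the control connection is seen from
    forwarded_ports:  the data-port range forwarded on the router and opened on the firewall
    Returns a list of findings; an empty list means nothing obviously wrong.
    """
    ip, port = decode_hostport(text)
    findings = []
    if is_public(control_peer_ip) and not is_public(ip):
        findings.append("advertised address %s is not public but the peer %s is on the Internet: "
                        "the software was not told the network's public IP" % (ip, control_peer_ip))
    elif ip != control_peer_ip:
        findings.append("advertised address %s differs from the control connection's %s: "
                        "usually a misconfigured external-IP setting" % (ip, control_peer_ip))
    if port not in forwarded_ports:
        findings.append("port %d is outside the forwarded range %d-%d: the router will drop the "
                        "data connection" % (port, forwarded_ports[0], forwarded_ports[-1]))
    if port < 1024:
        findings.append("port %d is a privileged port with an assigned meaning; "
                        "use a range above 1024" % port)
    return findings


if __name__ == "__main__":
    # Constructed log lines: one good passive reply, one PORT command with a LAN address
    # and a privileged port sent by a client that is reached from the Internet.
    forwarded = range(50000, 51001)
    for line in ("227 Entering Passive Mode (203,0,113,7,195,80)",
                 "PORT 192,168,1,10,3,233"):
        print(line, "->", decode_hostport(line))
        for finding in check_advertised_socket(line, "203.0.113.7", forwarded) or ["ok"]:
            print("   ", finding)
```

Run against a FileZilla Server log, the PASV replies (or the client's PORT commands) decode to the exact socket the other side will try to use, which is the comparison botg asks for earlier in the thread: the decoded address and port must match what the router forwards and what the public side can reach.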

jas.naz
500 Command not understood
Posts: 1
Joined: 2016-07-26 04:25
First name: Jason
Last name: Nazario

Re: 425 Can't Open Data Connection

#26 Post by jas.naz » 2016-07-26 04:28

After many months of trying to fix this, I gave up for a long time. Then I found a post today by Michael D on another site.
"Michael D says:
May 26, 2015 at 12:03 pm
Another option that worked for me (because I’m lazy and didn’t want to reinstall) was to edit the site in Site Manager and then change the Encryption to “Use only plain FTP”."

This finally worked for me....

botg
Site Admin
Posts: 31574
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: 425 Can't Open Data Connection

#27 Post by botg » 2016-07-26 06:02

That's a most dangerous advice. Plaintext FTP is insecure, all your passwords are transmitted in clear over the hostile Internet, ripe for the taking by every three-letter criminal organization.

malmhd2
500 Command not understood
Posts: 1
Joined: 2016-09-01 13:14
First name: Martin
Last name: Malm

Re: 425 Can't Open Data Connection

#28 Post by malmhd2 » 2016-09-01 13:20

Set the firewall up like this:

FTPS server IP, e.g. 10.10.10.2 (e.g. on pfSense)

TCP 21 to 21, redirect 21, interface WAN, 10.10.10.2, add associated rule FTP

TCP 22 to 22, redirect 22, interface WAN, 10.10.10.2, add associated rule SSH

TCP 990 to 990, redirect 990, interface WAN, 10.10.10.2, add associated rule TLS

TCP 50000 to 51000, redirect 50000, interface WAN, 10.10.10.2, add associated rule PASSIVE RANGE (remember to set the range in FileZilla Server under the passive mode settings)

mayiaskdidyoureboot
500 Command not understood
Posts: 1
Joined: 2016-11-02 09:21
First name: Postman
Last name: Pat

Re: 425 Can't Open Data Connection

#29 Post by mayiaskdidyoureboot » 2016-11-02 09:33

Also a quick note - I came across an error 425 Can't open data connection and the reason it wasn't working for me was that I was using the windows built in FTP.exe program as the client to connect (via command line) to the FTP server and I had to allow this ftp.exe as an app through the local windows firewall. Once I allowed it through the 425 error went away and transfer of files worked.

You can use the following command to add a rule to your local firewall, or you can use the firewall.cpl GUI, select the link "allow an app through the firewall" and then tick the private and domain boxes for "File transfer program":

netsh advfirewall firewall add rule name="FTPAllow" profile=private,domain protocol=any enable=yes DIR=In program="C:\Windows\system32\ftp.exe" Action=Allow

boco
Contributor
Posts: 24152
Joined: 2006-05-01 03:28
Location: Germany

Re: 425 Can't Open Data Connection

#30 Post by boco » 2016-11-02 12:49

FTP.exe is limited to Active mode and Plain FTP. So the message about insecurity of all transmitted data applies to it as well.

One would have thought they updated FTP.exe for the 21st century, at one point. But, nada.
