PASV mode on Windows - connection refused issue

[marcocas]

Hi,
I'm having problems with my new installation of Filezilla Ftp Server.
I say new because I've formatted my server and installed everything back again.

I've problem while I'm trying to connect to my ftp server in passive mode from outside.
Before formatting everything worked so I don't understand what I'm doing wrong.

At the end of the ftp transaction I retrieve from the client a "connection refused" + "unable to reatrive directory listing".

My configuration of Filezilla FTP Server is:

##########################
Enviroment: Windows 8.1 Pro without IIS
Passive Range Set: 58000-58976
Listening to port: 21
Windows Firewall rule: allow program to accept connections

Local ip address: 192.168.0.100
Gateway ip address: 192.168.0.1
Remote ip address: may vary, it's rear a dyndns

Port forwading activated: 20,21,1025

FTP test account
username: support
password: support
###################

If I try to connect to localhost everything works, but If I try to connect to my dyn domain:
mcasieri.ddns.net
everything gone wrong.

############
The FTPclient Log is:

[1] Connessione a support
[1] Resolving mcasieri.ddns.net...
[1] mcasieri.ddns.net => 82.48.235.213
[1] Connessione a 82.48.235.213:21
[1] 220-FileZilla Server 0.9.51 beta
[1] 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
[1] 220 Please visit https://filezilla-project.org/
[1] USER support
[1] 331 Password required for support
[1] PASS (hidden)
[1] 230 Logged on
[1] SYST
[1] 215 UNIX emulated by FileZilla
[1] TYPE A
[1] 200 Type set to A
[1] REST 1
[1] 350 Rest supported. Restarting at 1
[1] REST 0
[1] 350 Rest supported. Restarting at 0
[1] FEAT
[1] 211-Features:
[1] MDTM
[1] REST STREAM
[1] SIZE
[1] MLST type*;size*;modify*;
[1] MLSD
[1] AUTH SSL
[1] AUTH TLS
[1] PROT
[1] PBSZ
[1] UTF8
[1] CLNT
[1] MFMT
[1] EPSV
[1] EPRT
[1] 211 End
[1] CLNT FTP Rush 2.1.8U
[1] 200 Don't care
[1] OPTS UTF8 ON
[1] 202 UTF8 mode is always enabled. No need to send this command.
[1] PWD
[1] 257 "/" is current directory.
[1] PASV
[1] 227 Entering Passive Mode (82,48,235,213,229,210)
[1] Opening data connection IP: 82.48.235.213 PORT: 58834
[1] Impossibile collegarsi a 82.48.235.213:58834 (Connection Refused(10061))
[1] Listening at IP: 192.168.0.100 PORT: 6187 for data connecting
[1] PORT 192,168,0,100,24,43
[1] 200 Port command successful
[1] MLSD
[1] 150 Opening data channel for directory listing of "/"

##########

MyFTP server log is:

(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> Connected on port 21, sending welcome message...
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> 220-FileZilla Server 0.9.51 beta
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> 220 Please visit https://filezilla-project.org/
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> USER support
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> 331 Password required for support
(000131)23/05/2015 16:47:34 - (not logged in) (82.48.235.213)> PASS support
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 230 Logged on
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> SYST
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 215 UNIX emulated by FileZilla
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> TYPE A
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 200 Type set to A
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> REST 1
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 350 Rest supported. Restarting at 1
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> REST 0
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 350 Rest supported. Restarting at 0
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> FEAT
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 211-Features:
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> MDTM
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> REST STREAM
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> SIZE
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> MLST type*;size*;modify*;
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> MLSD
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> AUTH SSL
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> AUTH TLS
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> PROT
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> PBSZ
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> UTF8
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> CLNT
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> MFMT
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> EPSV
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> EPRT
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 211 End
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> CLNT FTP Rush 2.1.8U
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 200 Don't care
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> OPTS UTF8 ON
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 202 UTF8 mode is always enabled. No need to send this command.
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> PWD
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 257 "/" is current directory.
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> PASV
(000131)23/05/2015 16:47:34 - support (82.48.235.213)> 227 Entering Passive Mode (82,48,235,213,229,210)
(000131)23/05/2015 16:47:38 - support (82.48.235.213)> PORT 82,48,235,213,24,43
(000131)23/05/2015 16:47:38 - support (82.48.235.213)> 200 Port command successful
(000131)23/05/2015 16:47:38 - support (82.48.235.213)> MLSD
(000131)23/05/2015 16:47:38 - support (82.48.235.213)> 150 Opening data channel for directory listing of "/"
(000131)23/05/2015 16:47:39 - support (82.48.235.213)> 425 Can't open data connection for transfer of "/"

######
Everything work if I use FTP.exe.
I've tryed to shutdown my windows firewall and it still not work.
What I can't understand is why before the formatting everything worked.
My hardware is the same, as my programs.
What's wrong?

[boco]

Port forwading activated: 20,21,1025

Why did you forward ports 20 and 1025? Not required.

Why didn't you forward your Passive port range (58000-58976)? That range must be forwarded in its entirety.

[marcocas]

You were right, I forwaded a range of ports to use for PASV.
But I don't understand why filezilla server works only on 20.
I've checked the system to see which process is using 21 but nothing, it's free.

The only difference I've noticed is that 21 is trying to use the 1024 port as remote,
20 is trying to use 1025.

Dynamic ports range in Windows are allocated from 1025 to above.
It could be the reason?

Thanks a million

[botg]

Perhaps NAT router or some firewall treats port 21 special and applies some "fixups" (pronounced "sabotage") to the connection?

[marcocas]

Very very strange, before formatting everything worked. Now it seems that I've changed hardware.
I don't totally understand what was the difference.

[mdmaguire]

I am also having this issue. Last Friday to (hopefully) resolve an issue where my Oracle Server's login slows down after an hour (it connects every 15 mins for most of the day) I upgraded to the latest version. Tuesday just before lunch I started getting calls from our clients that they could not connect. By the end of the day I decided to roll back to the old version (0.9.41) and found I had the exact same issues. Note, I had no connection issues previously, so Router and Firewall are not the issue. Windows Firewall is turned off for the Domain profile. I have some customers who are still able to connect without problems, but the majority get to the PASV mode and get disconnected. I've been able to switch some who use the FileZilla client over to SFTP and gotten it to work.

Below are my settings:

<Settings>
<Item type="string" name="Serverports">21</Item>
<Item type="numeric" name="Number of Threads">32</Item>
<Item type="numeric" name="Maximum user count">0</Item>
<Item type="numeric" name="Timeout">120</Item>
<Item type="numeric" name="No Transfer Timeout">5000</Item>
<Item type="numeric" name="Allow Incoming FXP">1</Item>
<Item type="numeric" name="Allow outgoing FXP">1</Item>
<Item type="numeric" name="No Strict In FXP">0</Item>
<Item type="numeric" name="No Strict Out FXP">0</Item>
<Item type="numeric" name="Login Timeout">60</Item>
<Item type="numeric" name="Show Pass in Log">0</Item>
<Item type="numeric" name="Custom PASV IP type">1</Item>
<Item type="string" name="Custom PASV IP">50.203.189.17</Item>
<Item type="numeric" name="Custom PASV min port">50000</Item>
<Item type="numeric" name="Custom PASV max port">51000</Item>
<Item type="string" name="Initial Welcome Message">Welcome to the Fairrington Transportation FTP site!</Item>
<Item type="numeric" name="Admin port">14147</Item>
<Item type="string" name="Admin Password"/>
<Item type="string" name="Admin IP Bindings">*</Item>
<Item type="string" name="Admin IP Addresses"/>
<Item type="numeric" name="Enable logging">1</Item>
<Item type="numeric" name="Logsize limit">0</Item>
<Item type="numeric" name="Logfile type">1</Item>
<Item type="numeric" name="Logfile delete time">14</Item>
<Item type="numeric" name="Use GSS Support">0</Item>
<Item type="numeric" name="GSS Prompt for Password">0</Item>
<Item type="numeric" name="Download Speedlimit Type">0</Item>
<Item type="numeric" name="Upload Speedlimit Type">0</Item>
<Item type="numeric" name="Download Speedlimit">10</Item>
<Item type="numeric" name="Upload Speedlimit">10</Item>
<Item type="numeric" name="Buffer Size">4096</Item>
<Item type="string" name="Custom PASV IP server">http://ip.filezilla-project.org/ip.php</Item>
<Item type="numeric" name="Use custom PASV ports">1</Item>
<Item type="numeric" name="Mode Z Use">0</Item>
<Item type="numeric" name="Mode Z min level">1</Item>
<Item type="numeric" name="Mode Z max level">9</Item>
<Item type="numeric" name="Mode Z allow local">0</Item>
<Item type="string" name="Mode Z disallowed IPs"/>
<Item type="string" name="IP Bindings">*</Item>
<Item type="string" name="IP Filter Allowed"/>
<Item type="string" name="IP Filter Disallowed"/>
<Item type="numeric" name="Hide Welcome Message">0</Item>
<Item type="numeric" name="Enable SSL">1</Item>
<Item type="numeric" name="Allow explicit SSL">1</Item>
<Item type="string" name="SSL Key file">C:\certificate.crt</Item>
<Item type="string" name="SSL Certificate file">C:\certificate.crt</Item>
<Item type="string" name="Implicit SSL ports">990</Item>
<Item type="numeric" name="Force explicit SSL">0</Item>
<Item type="numeric" name="Network Buffer Size">65536</Item>
<Item type="numeric" name="Force PROT P">1</Item>
<Item type="string" name="SSL Key Password">-removed-</Item>
<Item type="numeric" name="Allow shared write">0</Item>
<Item type="numeric" name="No External IP On Local">1</Item>
<Item type="numeric" name="Active ignore local">1</Item>
<Item type="numeric" name="Autoban enable">0</Item>
<Item type="numeric" name="Autoban attempts">10</Item>
<Item type="numeric" name="Autoban type">0</Item>
<Item type="numeric" name="Autoban time">1</Item>
<Item type="string" name="Service name"/>
<Item type="string" name="Service display name"/>
<Item type="numeric" name="Enable HASH">0</Item>
<Item type="numeric" name="Disable IPv6">0</Item>
-<SpeedLimits>
<Download/> <
Upload/>
</SpeedLimits>
</Settings>

Any help is appreciated.

[mdmaguire]

I have SOLVED my issue.

I went back to a configuration file from a year ago and compared settings. I found that the Passive Mode Settings were set to Default. After all I have read on the forums and the network configuration page, I found this contrary to what I had read but I knew it worked.

I have a business grade firewall (Dell Sonicwall) that allows me to set both Firewall policies and NAT policies. Since these were both set correctly, checking the box to publish the Public IP of my server actually broke my FTP Server. As soon as I switched back to Default and clicked OK it started working.

For all the pointing at Firewalls and Routers as problems on this site and even in the big text box in the Passive Mode Settings, when properly configured they work without a work around.

Here are my settings now:

<Settings>
<Item type="string" name="Serverports">21</Item>
<Item type="numeric" name="Number of Threads">32</Item>
<Item type="numeric" name="Maximum user count">0</Item>
<Item type="numeric" name="Timeout">120</Item>
<Item type="numeric" name="No Transfer Timeout">5000</Item>
<Item type="numeric" name="Allow Incoming FXP">1</Item>
<Item type="numeric" name="Allow outgoing FXP">1</Item>
<Item type="numeric" name="No Strict In FXP">0</Item>
<Item type="numeric" name="No Strict Out FXP">0</Item>
<Item type="numeric" name="Login Timeout">60</Item>
<Item type="numeric" name="Show Pass in Log">0</Item>
<Item type="numeric" name="Custom PASV IP type">0</Item>
<Item type="string" name="Custom PASV IP">50.203.189.17</Item>
<Item type="numeric" name="Custom PASV min port">50000</Item>
<Item type="numeric" name="Custom PASV max port">51000</Item>
<Item type="string" name="Initial Welcome Message">Welcome to the Fairrington Transportation FTP site!</Item>
<Item type="numeric" name="Admin port">14147</Item>
<Item type="string" name="Admin Password"/>
<Item type="string" name="Admin IP Bindings"/>
<Item type="string" name="Admin IP Addresses"/>
<Item type="numeric" name="Enable logging">1</Item>
<Item type="numeric" name="Logsize limit">0</Item>
<Item type="numeric" name="Logfile type">1</Item>
<Item type="numeric" name="Logfile delete time">14</Item>
<Item type="numeric" name="Use GSS Support">0</Item>
<Item type="numeric" name="GSS Prompt for Password">0</Item>
<Item type="numeric" name="Download Speedlimit Type">0</Item>
<Item type="numeric" name="Upload Speedlimit Type">0</Item>
<Item type="numeric" name="Download Speedlimit">10</Item>
<Item type="numeric" name="Upload Speedlimit">10</Item>
<Item type="numeric" name="Buffer Size">4096</Item>
<Item type="string" name="Custom PASV IP server">http://ip.filezilla-project.org/ip.php</Item>
<Item type="numeric" name="Use custom PASV ports">1</Item>
<Item type="numeric" name="Mode Z Use">0</Item>
<Item type="numeric" name="Mode Z min level">1</Item>
<Item type="numeric" name="Mode Z max level">9</Item>
<Item type="numeric" name="Mode Z allow local">0</Item>
<Item type="string" name="Mode Z disallowed IPs"/>
<Item type="string" name="IP Bindings">*</Item>
<Item type="string" name="IP Filter Allowed"/>
<Item type="string" name="IP Filter Disallowed"/>
<Item type="numeric" name="Hide Welcome Message">0</Item>
<Item type="numeric" name="Enable SSL">1</Item>
<Item type="numeric" name="Allow explicit SSL">1</Item>
<Item type="string" name="SSL Key file">C:\certificate.crt</Item>
<Item type="string" name="SSL Certificate file">C:\certificate.crt</Item>
<Item type="string" name="Implicit SSL ports">990</Item>
<Item type="numeric" name="Force explicit SSL">0</Item>
<Item type="numeric" name="Network Buffer Size">65536</Item>
<Item type="numeric" name="Force PROT P">0</Item>
<Item type="string" name="SSL Key Password">fairrington553</Item>
<Item type="numeric" name="Allow shared write">0</Item>
<Item type="numeric" name="No External IP On Local">0</Item>
<Item type="numeric" name="Active ignore local">1</Item>
<Item type="numeric" name="Autoban enable">0</Item>
<Item type="numeric" name="Autoban attempts">10</Item>
<Item type="numeric" name="Autoban type">0</Item>
<Item type="numeric" name="Autoban time">1</Item>
<Item type="string" name="Service name"/>
<Item type="string" name="Service display name"/>
<Item type="numeric" name="Enable HASH">0</Item>
<Item type="numeric" name="Disable IPv6">0</Item>
-<SpeedLimits>
<Download/>
<Upload/>
</SpeedLimits>
</Settings>

Thank you,

Matt

[boco]

A properly configured firewall does not tamper with IPs and connections. Try with FTP over TLS.