SFTP problem:421 Rejected command, requested IP address does not match control connection IP

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
User avatar
boco
Contributor
Posts: 24153
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#16 Post by boco » 2018-10-30 04:22

Rule of thumb: If you see PORT or EPRT in the log, it is Active mode. If you see PASV or EPSV, it's Passive. Seeing both means there was a failure and a fallback to the other mode following it.


Getting your IP depends on OS. Without any NAT, easiest way is from a Terminal/cmd shell.

Linux and probably MacOS: ifconfig

Windows: ipconfig


If you are behind a router, you need to look up the IPv4 in the router, or use external services. With many web search facilities, searching for "IP" will tell you the public IPv4 you need.


Note: Active mode requires configuration at the client side: Telling the client your current public IP, forwarding and opening the data ports. Many simply clients cannot do that. Passive mode is always recommended as it doesn't require all that hassle.
Last edited by botg on 2018-10-30 07:56, edited 1 time in total.
Reason: Added EPSV
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#17 Post by jfletch » 2018-10-30 13:16

I tried to send my IP. Not sure the proper way to do that, but it still insists on using that weird IP.

I have to use port 2222, so I thought that that was what PORT was referring to.

This time I used the cURL command to use EPSV and it STILL shows EPRT in the log.

I tried to send it my IP address. (tried public and private) Used CURL.SetOptionDNSLocalIPv4.
What should I do?

When I attempt to connect to the server with a FTP client, it fails if I set it for Active and only works if on Default or Passive. I tried with CyberDuck and FileZilla and the behavior in that respect is the same.

Here is the whole response, do you see any other clues?
Trying 207.162.190.58...
TCP_NODELAY set
Connected to ***.162.190.58 (***.162.190.58) port 2222 (#0)
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
AUTH SSL
234 Using authentication type TLS
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Server certificate:
subject: CN=SQL01; C=US; ST=Kentucky; L=Paducah; O=Paducah Dermatology; OU=Paducah Dermatology; emailAddress=***********************
start date: Sep 19 20:39:55 2018 GMT
expire date: Sep 19 20:39:55 2019 GMT
issuer: CN=SQL01; C=US; ST=Kentucky; L=Paducah; O=Paducah Dermatology; OU=Paducah Dermatology; emailAddress=*************************
SSL certificate verify result: self signed certificate (18), continuing anyway.
USER DermatoPath
331 Password required for dermatopath
PASS *********************
230 Logged on
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
PWD
257 "/" is current directory.
Entry path is '/'
CWD Dermato Path
ftp_perform ends with SECONDARY: 0
250 CWD successful. "/Dermato Path" is current directory.
bind(port=0) on non-local address failed: Can't assign requested address
EPRT |1|0.0.8.174|53908|
421 Rejected command, requested IP address does not match control connection IP.
We got a 421 - timeout!
Closing connection 0
TLSv1.2 (OUT), TLS alert, Client hello (1):

User avatar
botg
Site Admin
Posts: 31577
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#18 Post by botg » 2018-10-30 15:25

When I attempt to connect to the server with a FTP client, it fails if I set it for Active and only works if on Default or Passive.
As boco mentioned, active mode FTP requires extensive client-side configuration. It is all explained in our Network Configuration guide.
I tried to send it my IP address. (tried public and private) Used CURL.SetOptionDNSLocalIPv4.
A quick search using an Internet search engine shows that this option isn't even part of curl but just some third-party software that uses curl.

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#19 Post by jfletch » 2018-10-30 19:55

I tried to send it my IP address. (tried public and private) Used CURL.SetOptionDNSLocalIPv4.
A quick search using an Internet search engine shows that this option isn't even part of curl but just some third-party software that uses curl.
Well, not exactly:
https://curl.haxx.se/libcurl/c/CURLOPT_ ... L_IP4.html

User avatar
boco
Contributor
Posts: 24153
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#20 Post by boco » 2018-10-31 06:36

This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one.
Is your libcurl built with the c-ares backend? If not, this option does not apply.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

User avatar
botg
Site Admin
Posts: 31577
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#21 Post by botg » 2018-10-31 08:15

jfletch wrote:
2018-10-30 19:55
I tried to send it my IP address. (tried public and private) Used CURL.SetOptionDNSLocalIPv4.
A quick search using an Internet search engine shows that this option isn't even part of curl but just some third-party software that uses curl.
Well, not exactly:
https://curl.haxx.se/libcurl/c/CURLOPT_ ... L_IP4.html
Two things:
  • Nowhere on that page "CURL.SetOptionDNSLocalIPv4" is mentioned.
  • It has nothing to do with FTP.

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#22 Post by jfletch » 2018-10-31 16:26

Right, the command is named differently in the plugin that I am using. Sorry for the confusion. It does reference that cURL command, though.

But, if it has nothing to do with FTP, it is just me grasping at straws. I never had all this trouble with SFTP. Why is FTPS such a pain to get all the ducks in a row?

With SFTP, all you need to do is to forward that chosen port on the server's network and you're done. I read the network configuration document you referenced, and I still don't understand what I need to do. I'll read it again after a good night's sleep and perhaps I'll see my situation in it.

Thanks for your help, though.

User avatar
boco
Contributor
Posts: 24153
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#23 Post by boco » 2018-10-31 21:17

For FTP, forwarding/opening one port is not enough. For data connections, you need tens, hundreds or thousands of ports (depending on your level of activity).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#24 Post by jfletch » 2018-10-31 21:35

The connections for this particular solution are occasional, single user, and single purpose. Forwarding one port on each server network has worked fine for a couple of years so far. The two sending networks (development and production) have had no issues as they are set to pass all outgoing traffic.

User avatar
boco
Contributor
Posts: 24153
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#25 Post by boco » 2018-10-31 21:58

Usually it works for unencrypted FTP on the default port, because the router does the rest. But for FTP over TLS and/or non-default port, that won't work as the traffic is encrypted and not readable by the router. That's why you need to configure properly. For your low level of activity, forwarding 50 to 100 ports is enough (you need to tell the client to use them, too).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

Post Reply