SFTP problem:421 Rejected command, requested IP address does not match control connection IP

BitaNet
500 Command not understood
Posts: 2
Joined: 2016-01-20 07:33
First name: Benny
Last name: Bitan

SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#1 Post by BitaNet » 2016-01-20 07:47

(000377)20/01/2016 09:20:37 - (not logged in) (62.XX.XX.XX)> USER user
(000377)20/01/2016 09:20:37 - (not logged in) (62.XX.XX.XX)> 331 Password required for user
(000377)20/01/2016 09:20:37 - (not logged in) (62.XX.XX.XX)> PASS *******
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 230 Logged on
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> SYST
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 215 UNIX emulated by FileZilla
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> FEAT
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 211-Features:
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> MDTM
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> REST STREAM
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> SIZE
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> MLST type*;size*;modify*;
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> MLSD
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> AUTH SSL
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> AUTH TLS
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> PROT
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> PBSZ
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> UTF8
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> CLNT
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> MFMT
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> EPSV
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> EPRT
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 211 End
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> PBSZ 0
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 200 PBSZ=0
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> PROT P
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 200 Protection level set to P
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> CLNT Total Commander (UTF-8)
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 200 Don't care
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> OPTS UTF8 ON
(000377)20/01/2016 09:20:37 - user (62.XX.XX.XX)> 202 UTF8 mode is always enabled. No need to send this command.
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> PWD
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> 257 "/" is current directory.
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> TYPE A
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> 200 Type set to A
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> PORT 192,XX,XX,XX,240,140
(000377)20/01/2016 09:20:38 - user (62.XX.XX.XX)> 421 Rejected command, requested IP address does not match control connection IP.

FileZilla Server 0.9.54 beta

Why is the server trying to connect to my internal IP address?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#2 Post by botg » 2016-01-20 08:21

Note that you are using FTP over TLS (FTPS), not SFTP (SSH File Transfer Protocol). These are two completely different protocols that have absolutely nothing in common if you look past the similar name and purpose.
Why is the server trying to connect to my internal IP address?
It isn't. Your client is telling your server to connect to the client's internal IP address, which the server rejects due to it being impossible.
Last edited by boco on 2016-01-20 09:18, edited 1 time in total.
Reason: Corrected typo.

BitaNet
500 Command not understood
Posts: 2
Joined: 2016-01-20 07:33
First name: Benny
Last name: Bitan

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#3 Post by BitaNet » 2016-01-20 08:23

How do I prevent my client from telling my server to connect to the client's internal IP address?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#4 Post by botg » 2016-01-20 08:54

Probably by configuring it correctly. I'm not familiar with your particular client.

Please carefully study the Network Configuration guide. While it has been written for FileZilla and FileZilla Server, the general concepts it talks about are valid for all FTP products.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#5 Post by boco » 2016-01-20 09:20

Tell your client to use Passive Mode. Provided the FileZilla Server is configured correctly, that's a much better choice.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

STICK_82
500 Command not understood
Posts: 2
Joined: 2018-09-04 19:20
First name: Jamie
Last name: Lealess

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#6 Post by STICK_82 » 2018-09-13 13:43

Morning, I am having a similar issue.
I get the following error:

user (96.1.X.X) 227 entering passive mode (192.168.X.X,239.65)
user (96.1.X.X) PORT 207.x.x.x, 221,62
user (96.1.X.X) 421 Rejected command, requested IP address does not match control connection IP

This has been running fine for 6 weeks, then I get this error all of a sudden.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#7 Post by boco » 2018-09-14 21:02

The server doesn't tell the client its public IP address, only the private-range LAN one (incorrect configuration). Since connecting to that address is impossible, client falls back to Active Mode (PORT). As the client isn't configured correctly, either, the connection fails.

Please read Network Configuration and configure the server properly.

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#8 Post by jfletch » 2018-10-29 15:06

Me, too.

I read the Network Configuration document and I still can't tell what I am doing wrong. CyberDuck connects and works perfectly on passive mode. Attempting to connect with cURL, though, connects, authenticates, switches directory successfully and then fails with this:

bind(port=0) on non-local address failed: Can't assign requested address
EPRT |1|0.0.8.174|52354|
421 Rejected command, requested IP address does not match control connection IP.
We got a 421 - timeout!

Suggestions?

TIA!

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#9 Post by botg » 2018-10-29 15:50

jfletch wrote:
2018-10-29 15:06
EPRT |1|0.0.8.174|52354|
That simply cannot work, 0.0.8.174 is a special purpose address only valid as source address, but the server needs to act upon the EPRT command, using the obtained IP as destination address.
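
Added example, not part of the original posts and not FileZilla Server's code: a model of the check behind the 421 reply discussed in posts #2 and #9. It parses a PORT or EPRT line, compares the requested address with the control connection's peer address, and reports which range the address falls in. The peer address 203.0.113.7, the 192.168.1.50 sample, the function names and the 200/501 reply codes (standard FTP codes) are assumptions; the EPRT line is the one from post #8.

```python
import ipaddress

# Address ranges that can never equal a client's public control-connection IP.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # RFC 1122: valid only as a source
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_active_target(command):
    """Return (ip, port) requested by a PORT (RFC 959) or EPRT (RFC 2428) line."""
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() == "PORT":
        parts = [p.strip() for p in arg.split(",")]
        if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
            raise ValueError("malformed PORT argument")
        ip = ipaddress.IPv4Address(".".join(parts[:4]))
        return ip, int(parts[4]) * 256 + int(parts[5])
    if verb.upper() == "EPRT" and arg:
        fields = arg.split(arg[0])  # "|1|addr|port|" -> ["", "1", addr, port, ""]
        if len(fields) != 5 or not fields[3].isdigit():
            raise ValueError("malformed EPRT argument")
        ip = ipaddress.ip_address(fields[2])
        if fields[1] != {4: "1", 6: "2"}[ip.version] or not 0 < int(fields[3]) < 65536:
            raise ValueError("bad EPRT protocol or port")
        return ip, int(fields[3])
    raise ValueError("not an active-mode command")


def classify(ip):
    """Name the range an address belongs to, for the log or error message."""
    if ip.version == 4 and ip in THIS_NETWORK:
        return "this-network"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    return "other"


def check_active_command(command, control_peer):
    """Model of the server-side check: (reply code, class of requested address)."""
    try:
        ip, _port = parse_active_target(command)
    except ValueError:
        return 501, "unparseable"
    code = 200 if ip == ipaddress.ip_address(control_peer) else 421
    return code, classify(ip)


if __name__ == "__main__":
    peer = "203.0.113.7"  # constructed public address of the control connection
    for line in ("PORT 192,168,1,50,240,140",  # constructed: LAN address behind NAT
                 "EPRT |1|0.0.8.174|52354|",    # from post #8
                 "PORT 203,0,113,7,221,62"):    # constructed: matches the peer
        print(line, "->", check_active_command(line, peer))
```
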

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#10 Post by jfletch » 2018-10-29 16:14

So, where did that address come from?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#11 Post by botg » 2018-10-29 16:44

jfletch wrote:
2018-10-29 16:14
So, where did that address come from?
Attempting to connect with cURL, though, connects, authenticates, switches directory successfully and then fails with this:

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#12 Post by jfletch » 2018-10-29 17:03

So are you saying that the IP address can be specified through a cURL option? Should I send an address for it to work? I am not currently specifying anything. I don't recognize that address and I have no idea where it came from.

I don't have access to the FileZilla server, but should I tell the client's IT person who set it up to change a setting in FileZilla? What would that be?

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#13 Post by jfletch » 2018-10-29 19:21

I don't understand what you mean by your last reply, Tim. Can you elaborate?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#14 Post by botg » 2018-10-29 23:29

Two things here:

I hope it can be specified in curl, otherwise using active mode FTP with curl would be completely impossible if the client is behind a NAT router.

The other thing is, why does it pick up this exotic special purpose address? I've never seen this address family being used before. Two possible reasons for this: A bug in curl, or a malicious firewall tampering with network traffic.

jfletch
504 Command not implemented
Posts: 9
Joined: 2018-10-29 14:57
First name: Jonathan
Last name: Fletcher

Re: SFTP problem:421 Rejected command, requested IP address does not match control connection IP

#15 Post by jfletch » 2018-10-30 00:30

The other thing is, why does it pick up this exotic special purpose address? I've never seen this address family being used before. Two possible reasons for this: A bug in cURL, or a malicious firewall tampering with network traffic.
Your guesses look better than mine. I'm going to go with the firewall issue.

So, is that supposed to be MY IP address in that spot?

Also, you said "active mode." I am able to connect with another FTP client in passive mode, so I was assuming it was passive. Does that sound right to you?

If I used the FileZilla client are there features that can help me troubleshoot this situation?
