Plain FTP + active mode bug

[tedych]

Just posting for the sake of community, otherwise I solved the issue for my scenario, also with another ftp server for the server I was experiencing the issue.

There is some bug in FZ Server when using plain FTP + Active mode. Confirmed after numerous experiments, local, over the internet, with different ftp clients and different ftp server software. This took me 2 days to come to this conclusion.

Using Windows server 2016 with FZ client (last versions of everything, tried different ftp clients), windows server 2016 with FZ server and other ftp servers. FZ Server on Win2008 R2.
I'm not new to networking and FTP, have configured countless FTP and other servers for 20+ years. Well, still something might have slipped through, noone is faultless.
I tried with 100, 150, even 200 ports port range for active mode, also Passive mode ports are open on the servers sides.

When I connect with active mode to the FZ server using plain ftp (why and where do I use plain FTP is out of the question here, for one, I use it in my private LAN), after I upload few small files (be it 20 or 100 in few successive batches of 20) I begin to receive the dialog message Target file already exists, and in the ftp log there are red lines with Can't open data connection for transfer of....
The log on the FZ server show the same commands/IP/PORT ports/replies etc.
If after these errors (and dismiss all dialogs with Cancel), there are files not uploaded and I keep hitting F5 in FZ, on random occasions I get the same 425 Can't open data connection alerts. Keeping hitting F5, some random results are successes, others are failuers (425), seemingly completely random.
All this was happening with remote server over the internet. I thought it might be ISP, firewalls, router config, FZs configs..... countless times checking everything. Passive mode was/is working flawlessly.
I tested with another server on a hosting (pureftpd), passive or active, absolutely no problem (with FZ client) with active mode and plain ftp.
Ok, next I installed FZ Server locally on another Server 2016 in my LAN, configured everything for it. Guess what, the same problem, over the LAN, some files upload initially, then at random I start to get the mentioned error dialog. On another local Server 2016 (even virtual) I have another FTP server software. Testing with it - no problems even after I continuously upload thousands of small files with lightning speed.

In all cases the other variables (firewalls, network etc) are the same. Always if I use the other ftp server software, everything works, always. With FZ client. Tried another ftp client, again there are problems when communicating with FZ Server, although it reacts a bit differently to FZ server's failures.
FZ Server replies with can't open data connection, FZ client tells "Target file exists", and comparing with FZ Server's logs at the same time, there seem to be a major discrepancy between what FZ client receives from the server (can't open data connection) and what it throws to the user (target file exists - no file exists because FZ can't get the file list at all).
So...
Well, it's not that bad because when using FTPS the problem vanishes. Also passive mode not affected. I thought it might be some FW/router interferring with some SPI but in the LAN all Server 2016's FW FTP SPI is disabled (netsh advfirewall show global StatefulFTP) and as I said, with the other ftp server there is zero problem, with the same configs.

[botg]

Please check the PORT command, are its arguments identical in both the client log and the server log?

[tedych]

Yes, as I wrote before, I checked that - IPs/ports/PORT/commands are the same in both sides (FZ server and FZ client).
The problem is there even when FZ Server is in the same private LAN on another machine, only Windows Firewalls running everywhere. Connecting to another FTP server software in the same LAN, running on a same Win2016 OS, results in no problems even uploading thousands of files continuously, so I don't think a firewall is interfering with something like SPI on FTP connections. And Windows Firewalls' StatefulFTP is disabled by default (at least on Win2016 Server).
All this is easily reproducible. First batches of 15-20 files are successfully uploaded, then at some point after 2-3 batches it starts to randomly spit those error messages 425 Can't open.... and FZ client reacts with Target file already exists (?!).
Changing only to FPTS mode (still Active mode) causes the problem to disappear. Also Passive mode works correctly, in the very same environments I've been testing.

[botg]

Changing only to FPTS mode (still Active mode) causes the problem to disappear.

There's no difference between plain FTP and FTP over TLS when it comes to establishing the TCP connections. I still think there's some firewall or other active networking component inspecting the control connection, somehow breaking the data connection in the process.

[tedych]

Ok, I just shared my observations and findings. For myself I already solved it by either using another server or just using Passive/FTPS. Just I think all this are evidences of possible more profound problems that might need to be addressed. There are other small behaviors and glitches in FZ products that lead me to think more so anyway.

Also, to reiterate - the same FZ client on same machine, contacting another ftp server software on the same LAN with the same Windows 2016 with the same firewall configurations (of course either not simultaneously running or on another identical installation of Windows), there is absolutely no problem, tested on more than one machine and Win firewall configs. Easily reproducible.
It's up to the developer to take time to test and check/fix it, prossibly fixing other more serious issues. Of course if he has the will and motivation.
Thanks.

[kris]

Hello,
It looks like I'm facing same problem on "FileZilla Server 0.9.60 beta".

Seem like server cannot reuse same port in active mode within 2 minutes (at least I experience such "delay").
I am able to limit (on client side) active ports to one, so I get something like this:

Code: Select all

(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> PORT 10,xx,xx,33,199,117
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 200 Port command successful
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> LIST /
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 150 Opening data channel for directory listing of "/"
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 226 Successfully transferred "/"
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> PORT 10,xx,xx,33,199,117
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 200 Port command successful
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> LIST /
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 150 Opening data channel for directory listing of "/"
(000001)2018-02-23 14:54:26 - root (10.xx.xx.33)> 425 Can't open data connection for transfer of "/"

In more practical scenarios where port is randomly selected from range tests fail when within last 2 minutes same port hit.

[botg]

That's normal the way FTP works. Socket pairs enter the TIME_WAIT state after being used, during that time they cannot be re-used.

As per the specifications, the data connection source port must be control connection port -1, so it's fixed server-side.

[boco]

The TIME_WAIT state persists for up to 4 minutes (240 seconds).

[kris]

Thanks for answers. I'll need to think about it.