Can't open data connection with FTP over TLS

budzi
504 Command not implemented
Posts: 9
Joined: 2021-06-10 07:38
First name: Denis
Last name: MAILLARD

#1 Post by budzi » 2021-06-10 11:21

Hi there

I've been using unencrypted FTP for years and now I want to switch to explicit FTP over TLS

My server version: 9.60.2 running on Windows 7

I have followed the guidelines
FTP over TLS settings:
Enable FTP over TLS support
enable Disallow plain unencrypted FTP
I have generated a certificate
Explicit and implicit FTP over TLS enabled

As I am behind a router: Passive mode settings:
use custom port range: 50000-51000
IP of my server: 217.109.196.XXX

When testing with https://ftptest.net:

===============================================================================================================

Status: Resolving address of 80.11.XXX.XXX
Status: Connecting to 80.11.XXX.XXX
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220-FileZilla Server 0.9.60 beta
Reply: 220 Bienvenue sur notre FTP
Command: CLNT https://ftptest.net on behalf of 217.109.196.XXX
Reply: 200 Don't care
Command: AUTH TLS
Reply: 234 Using authentication type TLS
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='CN=80.11.206.22,C=FR,ST=Nouvelle Aquitaine,L=CERIZAY,O=XXXIndustrie,EMAIL=XXXXXXXXXXX' issuer='CN=80.11.206.22,C=FR,ST=Nouvelle Aquitaine,L=CERIZAY,O=XXXXXXXXX,EMAIL=XXXXXXXXXX'
Command: USER CARTOL
Reply: 331 Password required for cartol
Command: PASS ********
Reply: 230 Logged on
Command: SYST
Reply: 215 UNIX emulated by FileZilla
Command: FEAT
Reply: 211-Features:
Reply: MDTM
Reply: REST STREAM
Reply: SIZE
Reply: MLST type*;size*;modify*;
Reply: MLSD
Reply: AUTH SSL
Reply: AUTH TLS
Reply: PROT
Reply: PBSZ
Reply: UTF8
Reply: CLNT
Reply: MFMT
Reply: EPSV
Reply: EPRT
Reply: 211 End
Command: PBSZ 0
Reply: 200 PBSZ=0
Command: PROT P
Reply: 200 Protection level set to P
Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (217,109,XXX,XXX,197,121)
Command: MLSD
Reply: 425 Can't open data connection for transfer of "/"
Error: Listing failed

Results

Error: Listing failed
Make sure the account has permissions to list directories.

==========================================================================

When using Filezilla Client:

Statut : Connexion à 80.11.XXX.XXX:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 FTP Welcome
Commande : AUTH TLS
Réponse : 234 Using authentication type TLS
Statut : Initialisation de TLS...
Erreur : Erreur GnuTLS -15: An unexpected TLS packet was received.
Erreur : Impossible d'établir une connexion au serveur
==========================================================================
(the XXX come from me)

On my router, I made a rule, TCP protocol on port 21 goes to 192.168.XXX.XXX

thank you

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

#2 Post by boco » 2021-06-10 12:35

budzi wrote:
On my router, I made a rule, TCP protocol on port 21 goes to 192.168.XXX.XXX

You must make a forwarding rule for the whole custom port range, as well.

#3 Post by budzi » 2021-06-10 13:55

Hi
thank you for your quick reply

I've corrected it, but using the custom ports from 5000 to 6000 (TCP) does not work either
Exactly the same messages

#4 Post by boco » 2021-06-10 16:31

And you did forward the whole range? External 5000-6000 to internal 5000-6000. Open in the firewall, too.

Common errors made when forwarding:

- Forwarding only the first and last port instead of the whole range - won't work;
- forwarding the whole external port range onto a single internal port - won't work;
- using different external and internal ranges (port remapping) - very troublesome;
- using port triggering instead of static forwarding - won't work for FTP;
- forwarding UDP - FTP uses only TCP

#5 Post by budzi » 2021-06-14 13:44

Hi
========================================================================
- Forwarding only the first and last port instead of the whole range - won't work;
- forwarding the whole external port range onto a single internal port - won't work;
- using different external and internal ranges (port remapping) - very troublesome;
- using port triggering instead of static forwarding - won't work for FTP;
- forwarding UDP - FTP uses only TCP
========================================================================

On FZ, passive mode settings: Use custom port range: 5000-6000

On the router: external port: 5000-6000 to 5000-6000
Protocol: TCP
Also
TCP port 21 to port 21

those 2 on the IP address of the server

On FZ passive mode settings, Don't use external IP for local connections enabled or not

I've disabled the firewall to check: nothing changed

will continue some testings...
:(

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#6 Post by botg » 2021-06-14 15:57

There have been cases of routers not being able to forward ranges of ports. If that is the case with your model, forward each port individually, as tedious as that might be.

#7 Post by budzi » 2021-06-16 09:47

Hi
Thank you for your help

I found the issue... much more obvious than I thought :?
The IP address I put in the passive mode settings was not the right one

now I have that to correct:

Your server is working and assorted routers/firewalls have been correctly configured for explicit FTP over TLS as performed by this test. However there have been warnings about compatibility issues, not all users will be able to use your server.

For maximum compatibility, consider resolving these warnings.

Warning: The entered address does not resolve to an IPv6 address.

I still have the:
GnuTLS -15: An unexpected TLS packet was received
on FileZilla client
:(
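Added example (not part of the thread and not FileZilla code): the two causes discussed in posts #4 and #7, an unforwarded passive port and a wrong address in the passive mode settings, can both be read off the server's 227 reply. The function names and the LAN address below are assumptions made for illustration.

```python
import ipaddress
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, control_ip, forwarded_range):
    """List reasons a remote client could not open the advertised data connection."""
    ip, port = parse_pasv(reply)
    lo, hi = forwarded_range
    problems = []
    if not lo <= port <= hi:
        problems.append("port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    if ip != control_ip:
        problems.append("advertised %s, but the client connected to %s" % (ip, control_ip))
    if ipaddress.ip_address(ip).is_private:
        problems.append("%s is a private address, unreachable from the Internet" % ip)
    return problems

# Reply quoted in post #14 of this thread.
WORKING = "227 Entering Passive Mode (80,11,206,22,20,142)"
# Constructed reply: LAN address advertised, port bytes 197,121 as in post #1.
WRONG_IP = "227 Entering Passive Mode (192,168,1,20,197,121)"

if __name__ == "__main__":
    print(parse_pasv(WORKING))
    print(check_pasv(WORKING, "80.11.206.22", (5000, 6000)))
    print(check_pasv(WORKING, "80.11.206.22", (50000, 51000)))
    print(check_pasv(WRONG_IP, "80.11.206.22", (50000, 51000)))
```
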

#8 Post by botg » 2021-06-17 07:34

Status: Resolving address of 80.11.XXX.XXX
Status: Connecting to 80.11.XXX.XXX
Status: Connected, waiting for welcome message...
Reply: 220-FileZilla Server 0.9.60 beta
Reply: 220 Bienvenue sur notre FTP
Statut : Connexion à 80.11.XXX.XXX:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 FTP Welcome
Unless you have changed the welcome message between tries, you are connecting to a different server entirely.

#9 Post by botg » 2021-06-17 07:35

A failure after the AUTH command is almost always caused by a broken firewall or NAT router. Since the online test works, this means the issue is with the machine the client runs on.

#10 Post by budzi » 2021-06-17 14:34

Hi

sometimes the testing works, sometimes it doesn't

I will go for an external help

thanks for the support, I will keep you informed

#11 Post by budzi » 2021-06-17 14:52

It's strange but the server gets it

(000415)17/06/2021 16:49:02 - (not logged in) (217.109.XXX.XX)> Connected on port 21, sending welcome message...
(000415)17/06/2021 16:49:02 - (not logged in) (217.109.XXX.XX)> 220-FileZilla Server 0.9.60 beta
(000415)17/06/2021 16:49:02 - (not logged in) (217.109.XXX.XX)> 220 Bienvenue sur notre FTP
(000415)17/06/2021 16:49:02 - (not logged in) (217.109.XXX.XX)> AUTH TLS
(000415)17/06/2021 16:49:02 - (not logged in) (217.109.XXX.XX)> 234 Using authentication type TLS
(000416)17/06/2021 16:49:07 - (not logged in) (217.109.XXX.XX)> Connected on port 21, sending welcome message...
(000416)17/06/2021 16:49:07 - (not logged in) (217.109.XXX.XX)> 220-FileZilla Server 0.9.60 beta
(000416)17/06/2021 16:49:07 - (not logged in) (217.109.XXX.XX)> 220 Bienvenue sur notre FTP
(000416)17/06/2021 16:49:08 - (not logged in) (217.109.XXX.XX)> AUTH TLS
(000416)17/06/2021 16:49:08 - (not logged in) (217.109.XXX.XX)> 234 Using authentication type TLS

and then it freezes and then:
(000415)17/06/2021 16:50:03 - (not logged in) (217.109.XXX.XX> 421 Login time exceeded. Closing control connection.
(000415)17/06/2021 16:50:03 - (not logged in) (217.109.XXX.XX)> disconnected.
(000416)17/06/2021 16:50:08 - (not logged in) (217.109.XXX.XX)> 421 Login time exceeded. Closing control connection.
(000416)17/06/2021 16:50:08 - (not logged in) (217.109.XXX.XX)> disconnected.

on the client:
Statut : Connexion à 80.11.206.XX.XX...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 FTP Welcome
Commande : AUTH TLS
Réponse : 234 Using authentication type TLS
Statut : Initialisation de TLS...
Erreur : Erreur GnuTLS -15: An unexpected TLS packet was received.
Statut : Échec de la tentative de connexion avec "ECONNABORTED - Connexion annulée".
Erreur : Impossible d'établir une connexion au serveur

botg wrote:
2021-06-17 07:34
Status: Resolving address of 80.11.XXX.XXX
Status: Connecting to 80.11.XXX.XXX
Status: Connected, waiting for welcome message...
Reply: 220-FileZilla Server 0.9.60 beta
Reply: 220 Bienvenue sur notre FTP
Statut : Connexion à 80.11.XXX.XXX:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 FTP Welcome
Unless you have changed the welcome message between tries, you are connecting to a different server entirely.

#12 Post by botg » 2021-06-18 07:16

Very much looks like a rogue firewall or NAT router.

For a test, try uninstalling all firewalls and bypass all NAT routers by plugging the computers directly into their respective modems.

#13 Post by budzi » 2021-07-09 12:49

Hi
Some news
The FTP server is still OK but, it is still not working with Filezilla or Cyberduck

Another strange thing: a supplier has been able to connect to the Server and to put files on it

I am still investigating....

#14 Post by budzi » 2022-04-04 12:02

Hi

After a long period, I made some tests

I have managed to figure out that it depends on the connection used

With some connections, it works without any problem (I used a colleague's telephone)

With my connection (personal telephone), I got the error message on the log:

500 Syntax error, command unrecognized

On the log with connection
(047967) 11/03/2022 16:09:44 -XXXXXXXXXXXXXX> TYPE A
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> 200 Type set to A
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> PASV
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> 227 Entering Passive Mode (80,11,206,22,20,142)
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> MLSD
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> 150 Opening data channel for directory listing of "/"
(047967) 11/03/2022 16:09:44 -XXXXXXXXXXXXXX> TLS connection for data connection established
(047967) 11/03/2022 16:09:44 - XXXXXXXXXXXXXX> 226 Successfully transferred "/"

On the server:
(005373)04/04/2022 13:56:59 - (not logged in) (77.205.53.223)> USER CARTOL
(005373)04/04/2022 13:56:59 - (not logged in) (77.205.53.223)> 530 This server does not allow plain FTP. You have to use FTP over TLS.
(005373)04/04/2022 13:56:59 - (not logged in) (77.205.53.223)> disconnected.
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> Connected on port 21, sending welcome message...
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> 220-FileZilla Server 0.9.60 beta
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> 220 Bienvenue sur notre FTP
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> USER CARTOL
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> 530 This server does not allow plain FTP. You have to use FTP over TLS.
(005374)04/04/2022 13:57:04 - (not logged in) (77.205.53.223)> disconnected.

On the Client:
Réponse : 220-FileZilla Server 0.9.60 beta
Réponse : 220 Bienvenue sur notre FTP
Commande : AUTH TLS
Réponse : 504 Command not implemented for that parameter
Commande : AUTH SSL
Réponse : 504 Command not implemented for that parameter
Statut : Serveur non sécurisé, celui-ci ne supporte pas FTP sur TLS.
Commande : USER CARTOL
Réponse : 530 This server does not allow plain FTP. You have to use FTP over TLS.
Erreur : Impossible d'établir une connexion au serveur

With another client (WinSCP), I have the same message:
Command not implemented for that parameter

thank you in advance

#15 Post by botg » 2022-04-04 12:44

There is a malicious firewall sitting between you and the server that is intentionally sabotaging the connection, pretending FTP over TLS is not supported in order to steal passwords from you if you decide to fall back to plain FTP.
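Added example (not part of the thread and not FileZilla code): comparing what the client saw with what the server itself logged makes the interference diagnosed in posts #8 and #15 visible. It assumes the two log layouts quoted in this thread; the function names are hypothetical.

```python
import re

CLIENT_RE = re.compile(r"^(Command|Commande|Reply|Réponse)\s*:\s*(.+)$")
SERVER_RE = re.compile(r"^\(\d+\).*?>\s*(.+)$")

def client_events(transcript):
    """Split a FileZilla client log (English or French labels) into sent/received lines."""
    sent, received = [], []
    for line in transcript.splitlines():
        m = CLIENT_RE.match(line.strip())
        if m:
            (sent if m.group(1).startswith("Comm") else received).append(m.group(2).strip())
    return sent, received

def server_events(log):
    """Return the protocol text that follows '>' on each FileZilla Server log line."""
    matches = (SERVER_RE.match(line.strip()) for line in log.splitlines())
    return [m.group(1).strip() for m in matches if m]

def compare(transcript, log):
    """Flag client-side lines that the server's own log does not account for."""
    sent, received = client_events(transcript)
    server = server_events(log)
    findings = []
    if any(r not in server for r in received if r.startswith("220")):
        findings.append("banner seen by client was not sent by this server")
    if any(c not in server for c in sent if c.upper().startswith("AUTH ")):
        findings.append("AUTH sent by client never reached the server")
    if any(r not in server for r in received if r.startswith("504")):
        findings.append("504 seen by client was not sent by the server")
    return findings

# Lines excerpted from posts #11 and #14 of this thread (client address redacted).
CLIENT_11 = """Réponse : 220 FTP Welcome
Commande : AUTH TLS
Réponse : 234 Using authentication type TLS"""
SERVER_11 = """(000415)17/06/2021 16:49:02 - (not logged in) (XXX)> 220-FileZilla Server 0.9.60 beta
(000415)17/06/2021 16:49:02 - (not logged in) (XXX)> 220 Bienvenue sur notre FTP
(000415)17/06/2021 16:49:02 - (not logged in) (XXX)> AUTH TLS"""
CLIENT_14 = """Réponse : 220-FileZilla Server 0.9.60 beta
Réponse : 220 Bienvenue sur notre FTP
Commande : AUTH TLS
Réponse : 504 Command not implemented for that parameter"""
SERVER_14 = """(005374)04/04/2022 13:57:04 - (not logged in) (XXX)> 220-FileZilla Server 0.9.60 beta
(005374)04/04/2022 13:57:04 - (not logged in) (XXX)> 220 Bienvenue sur notre FTP
(005374)04/04/2022 13:57:04 - (not logged in) (XXX)> USER CARTOL"""

if __name__ == "__main__":
    print(compare(CLIENT_11, SERVER_11), compare(CLIENT_14, SERVER_14))
```
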