Help please! ~ Response: 425 Can't open data connection.

[Linux]

Hi,
I'm using FileZilla Server 0.9.4d on a Windows Server 2003 Web Edition over a Cisco PIX Firewall and I got this error when connecting:

Command: USER support
Response: 331 Password required for support
Command: PASS *******
Response: 230 Logged on
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: MODE Z
Response: MLST type*;size*;modify*;
Response: 211 End
Command: SYST
Response: 215 UNIX emulated by FileZilla
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: MODE Z
Response: 504 MODE Z not enabled
Command: PORT 192,168,1,159,9,108
Response: 200 Port command successful
Command: TYPE A
Response: 200 Type set to A
Command: LIST
Response: 150 Opening data channel for directory list.
Response: 425 Can't open data connection.
Error: Could not retrieve directory listing


I just want to know if this newer version of FileZilla use other ports or need special configuration than the 0.8.3a? (I use 0.8.3a on another server connected by the same PIX and it work as well... i'm using this rule for my old 0.8.3a FileZilla and vsFTPd on my others linux machines:

access-list interne_acl permit tcp any host <IP_ADRESS> range ftp-data ftp

Any idea anyone?

Thanks for you're help!

[botg]

Looks like your router/firewall configuration is not working properly. Please read the FAQ in this subforum for instructions.

[roberthoff82]

I have the same error and a log that is analogous to this. The server is behind a router and client is behind a distant firewall.

However, usually it works, in port mode (I'm not using passive mode if I can avoid it).

It seems like the times when it doesn't work is when there's already another remote "active mode" connection. When there's no other user logged in, I can get in fine, but multiple active mode connections outside the router don't seem to work. I have ports 20 and 21 open.

Something is amiss... any thoughts without resorting to passive mode?

[botg]

You might need more open ports.

[Tava]

I have the same problem.

From some computers, I can´t access my ftp with IE.
I have two WinNT4 workstations at my job with IE6 but can only access my ftp from one of them.
It works with FlashFXP on both.
I also know that it doesn´t work for some of my friends.

Here is my log:
(000023) 2005-01-13 13:00:04 - promo (xx.xxx.xx.xx)> RETR /File.exe
(000023) 2005-01-13 13:00:04 - promo (xx.xxx.xx.xx)> 150 Opening data channel for file transfer.
(000023) 2005-01-13 13:00:14 - promo (xx.xxx.xx.xx)> 425 Can't open data connection.

[roberthoff82]

All right, I guess I'll open more ports.

:sulking:

Technically (and perhaps I should have made this clear), I'm behind a router and it was ports 20 and 21 that were being forwarded to the server IP. I don't know if that makes a difference.

At risk of revealing how poor my understanding of networking is, how's come I can't just run as many active mode connections as I want with only port 21 being forwarded? Is it something like you can only use one port for one thing at a time?

Maybe this would be a good time for someone to furnish an explanation (or to link a page) that can explain to me what the heck ports even are; the reason being I don't have a good sense for what kind of security issues might be associated with exposing a port range and forwarding it to the server.

[botg]

For active mode transfers you should allow all outgoing ports from your machine. FileZilla Server asks the operating system for a port iirc, and that can be anywhere.

Hard to explain what ports are in general. Imagine your machine as a huge blackbox with a lot of connectors (over 65k) and each connector represents port. If you want to plug in a wire, you have to choose a connector, as every network connection needs a port.
Inside your computer, applications can listen for connections on a specific port, like in that imaginary blackbox where some connector is wired to a specific component inside the box.

[roberthoff82]

Thanks, that helps. But one port can have more than one connection at once, right? I think I understand the concept of the control connection and the data connection. But why can't they all be on ports 20 and 21. A program like Azureus doesn't seem to have any trouble holding a zillion connections simultaneously on one port.

[Tava]

I´ve got norton firewall on a XP computer.
It doesn´t work even if I turn the firewall off.
The XP firewall is not active.

I´m not behind a router.

[Bertje]

Tava: Read the FAQ!!

[Tava]

Well. I´ve read the FAQ.
But the FTPserver is working for alot of users but not for everyone.
As I said. I have two computers at mu job.
One of them can access the server.
Those computer is, as I know, similar to eachother.

[botg]

It's not possible to put everything onto one port. In passive mode, FileZilla waits for incoming connections. Here each port has to be different, otherwise FileZilla would not now to which control connection an incoming connection belongs.
Comparing the remote IP addresses would be possible, but in that case we would get problems with multihomed proxies, prevent legitimate server-to-server transfers.

[roberthoff82]

Bumping this thread from so long ago to point out this issue is solved for me after upgrading from 0.9.4 to 0.9.6a. From reading the release notes, my best guess is that the fix was in 0.9.5:

Code: Select all

- Use same network interface for transfer connection as for the control connection to solve some firewall issues, patch by dartonw

If this indeed fixed my problem, I'd like to better understand what the problem was and how I could have gone about troubleshooting it better.