I connected in to my client's workstation and checked a few more things. I found that the client is using a domain-controlled installation of Webroot SecureAnywhere® Business Endpoint Protection software. They are still unable to connect, so this time I copied the logging information from the main FileZilla Client window:
Status: Resolving address of ftp.company.com
Status: Connecting to XX.XX.XX.86:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Response: 150 Transferring directory
Error: Primary connection and data connection certificates don't match.
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Response: 226 Transfer completed
Error: Failed to retrieve directory listing
Also, I compared the certificate details between his machine and mine. The Fingerprint (SHA-256) and Fingerprint (SHA-1) differ, and, more noticeably, so does the Certificate Issuer. On mine, it shows the correct issuer of PositiveSSL CA 2 (COMODO CA Limited), but on his it shows the issuer as FortiGate CA (Fortinet).
I had the user temporarily disable their Webroot protection (someone from his IT Department was luckily there to help us), and tried again. Unfortunately, the same problem occurred, and when I checked the certificate again, it still showed the same discrepancies when compared against the one listed on my computer.
Their IT guy also tried the connection from a fresh install of the FileZilla Client software on another PC on the same network. That connection resulted in the same error. I suggested the possibility of configuring the FileZilla Client software on a laptop connected to another network (like a cell phone's WiFi hotspot) to see if the problem persists, but they haven't had the chance to do that yet.
As an additional testing measure, I set up a new connection in my FileZilla Client where I explicitly specified the IP address from the user's connection log I posted above, just to be sure there wasn't anything different about the way I was connecting. I didn't get any errors, and my Certificate details dialog shows the same thing as it did before (other than the host being listed as the IP address instead of the DNS name). Here is the log from my most recent session:
13:35:44 Status: Connecting to XX.XX.XX.86:21...
13:35:44 Status: Connection established, waiting for welcome message...
13:35:44 Status: Initializing TLS...
13:35:44 Status: Verifying certificate...
13:35:44 Status: TLS connection established.
13:35:45 Status: Logged in
13:35:45 Status: Retrieving directory listing...