425 Can't open data connection

[boco]

That explains it very well. In future I simply will refer to this article instead of repeating myself over and over...

[BrandonJoyce356]

Opening up a custom port range for passive mode on Filezilla server worked great for me! I was getting the same error. Thanks! Brandon Joyce

[Simon]

I found it!

I had FTPS configured on port 990 on my server.

My firewall (server side) would only allow connection through port 990.

So I could login but not transfer data.

My passive port range was default. So basicly I had no ports open for data transfer.

I allowed firewall trafic on port 40000, 40001 and set my range to that.

And BINGO! it works.

Of couse I had all the rest of the configuration like suggested by the wiki.

Hope this helps.

Regards,

Simon

[ianyates]

OK, I've read all the wiki pages and all the tricks in these postings and my problem seems to be with the Filezilla CLIENT, not the Filezilla SERVER.
The Server is running on a WS2K8 platform and with everything set to default, no custom at all, with the router port forwarding only port 20-21, I can access the server with Fetch on a Macintosh or with command-line FTP on a Windows Vista PC both of which are behind the same router/firewall but external to the Filezilla Server. The server is external, I control it via RDC.
But the Filezilla CLIENT reports the 425 error no matter what I do or where I try it from -- even from another PC on the SAME internal network as the server. Can somebody tell me why this is so?
(command-line FTP works from that same PC on the internal network. It is only Filezilla client that gets this error while trying to contact the Filezilla FTP server. I can connect to other FTP servers!)

P.S. Should have said, I'm looking to find out WHY Filezilla client was having access problems when other programs were not having a problem. I added the Filezilla Server program to the WS2K8 firewall exceptions and Filezilla cleint can now access OK. Still wondering why other clients were able to access without the firewall exception being required. Are they smarter? Or do they cheat in some way that Filezilla doesn't?

[boco]

my problem seems to be with the Filezilla CLIENT, not the Filezilla SERVER

Wrong. Server problem. Read on.

The Server is running on a WS2K8 platform and with everything set to default, no custom at all, with the router port forwarding only port 20-21

Incomplete configuration. Network Configuration

I can access the server with Fetch on a Macintosh or with command-line FTP on a Windows Vista PC both of which are behind the same router/firewall but external to the Filezilla Server

Don't know Fetch, but Windows FTP uses Active mode and only one connection. In this case your setup will work.

But the Filezilla CLIENT reports the 425 error no matter what I do or where I try it from -- even from another PC on the SAME internal network as the server. Can somebody tell me why this is so?

Filezilla uses Passive mode by default. Any further actions open seperate connections. Only the control connection is established on port 21, all further are made on other ports (the whole port range 1025-65535 by default, but can be restricted).

I added the Filezilla Server program to the WS2K8 firewall exceptions and Filezilla cleint can now access OK.

You just opened the whole port range for Filezilla Server.

Still wondering why other clients were able to access without the firewall exception being required. Are they smarter? Or do they cheat in some way that Filezilla doesn't?

Neither - they are definitely not smarter and they aren't cheating. They simply connect in a way that requires no ports opened besides 21/20.

[ianyates]

I added the Filezilla Server program to the WS2K8 firewall exceptions and Filezilla cleint can now access OK.

You just opened the whole port range for Filezilla Server.

Yet, I did not open any ports other than 20/21 on the router/firewall/NAT box. So how is that Filezilla client can now get thru whereas it couldn't before? Fetch on Mac uses passive.

[boco]

Adding an application to the exclusion list of the firewall allows this application to communicate freely. In reality it doesn't work always, but in your case it seems to.

Examine the server reply to PASV. It directs the client where to connect to.

Example (text may vary): 2009-03-12 06:12:28 - anonymous-2 (127.0.0.1) < 227 Entering Passive Mode (127,0,0,1,8,1)

The first four numbers (green) are the IP of the server. Interesting for us are the last two. Multiply the first number by 256 and add the second.

8*256+1=2049

So in my case the client will connect to 127.0.0.1, port 2049.


Now I would love to see one of Fetch...

[ianyates]

Adding an application to the exclusion list of the firewall allows this application to communicate freely. In reality it doesn't work always, but in your case it seems to.
Now I would love to see one of Fetch...

Thanks for all the assistance from the forum -- I will see if I can find out watch Fetch is up to.

Here's the trace;
PASV
227 Entering Passive Mode (58,173,105,17,195,89)
Making data connection to 58.173.105.17 port 50009
LIST -al
150 Connection accepted

Note: Fetch still works whether I have the Windows Server firewall open or not.
Filezilla (and Firefox browser) don't work until I open the firewall for the Filezilla Server.
I'll do a trace on Fetch when the firewall is closed as the above was with it open.
Fetch took a while to get the directory this time but still managed. Then I gave the PASV command;

227 Entering Passive Mode (58,173,105,17,195,92)
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
PORT 192,168,0,3,192,159
200 Port command successful
LIST -al
.......
226 Transfer OK
PWD
257 "/" is current directory.

[boco]

PORT 192,168,0,3,192,159
200 Port command successful
LIST -al
.......
226 Transfer OK
PWD
257 "/" is current directory.

It didn't use Passive mode at all. PORT is Active mode. Looks like a fallback.

[ianyates]

PORT 192,168,0,3,192,159
200 Port command successful
LIST -al
.......
226 Transfer OK
PWD
257 "/" is current directory.

It didn't use Passive mode at all. PORT is Active mode. Looks like a fallback.

Ahah. Saves the user needing to have a clue. Macintosh. Say no more.

[euro0607]

I used DLink DI-524 as my wireless router. I created cutom port range at router's firewall for FileZilla passvie FTP. However I forget to set the destination local IP address for the port range, where the FileZilla Server is resided (Maybe lazy, I just type*). so FileZilla only work on random basis, which huanted me for quite a while. Open Windows Firewall, turn off VirusScaner did not help either.

Once the custom port range (I used 5000~5100) is set correctly, I don't have "425 Can't open data connection" any more.

[Stebo]

It's all about users not understanding the concept of FTP completely.

You need to have (Passive FTP)
-a well behaving (non-interfering) router/firewall (if at all)
-correctly limited Passive port range and set external IP in server's Passive settings
-correct port-forwarding of the server's listening port AND the Passive port range

If any of the three points fails = No go.

Thank you very much Boco! If you put this on the Wiki, most peeps would have lots less problems. Most of the time, us experienced 15+yr admins can forget these ports (maybe it's old age!). Short and sweet and to the point gets it done. Telling everyone they have a trash router is not a good answer. Tell Tim to get with it!

All joking aside, WRT-54G with DD-WRT software works great with a Win7 server I'm using. I LOVE Fileziller client AND server!

[mrod305]

I have this problem. First here is my log:

000035) 7/8/2009 0:46:01 AM - (not logged in) (71.178.13.9)> Connected, sending welcome message...
(000035) 7/8/2009 0:46:01 AM - (not logged in) (71.178.13.9)> 220-FileZilla Server version 0.9.32 beta
(000035) 7/8/2009 0:46:01 AM - (not logged in) (71.178.13.9)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000035) 7/8/2009 0:46:01 AM - (not logged in) (71.178.13.9)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000035) 7/8/2009 0:46:06 AM - (not logged in) (71.178.13.9)> USER anonymous
(000035) 7/8/2009 0:46:06 AM - (not logged in) (71.178.13.9)> 331 Password required for anonymous
(000035) 7/8/2009 0:46:12 AM - (not logged in) (71.178.13.9)> PASS *******************
(000035) 7/8/2009 0:46:12 AM - (not logged in) (71.178.13.9)> 530 Login or password incorrect!
(000035) 7/8/2009 0:46:30 AM - (not logged in) (71.178.13.9)> USER michael
(000035) 7/8/2009 0:46:30 AM - (not logged in) (71.178.13.9)> 331 Password required for michael
(000035) 7/8/2009 0:46:40 AM - (not logged in) (71.178.13.9)> PASS ******
(000035) 7/8/2009 0:46:40 AM - michael (71.178.13.9)> 230 Logged on
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> SYST
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 215 UNIX emulated by FileZilla
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> PWD
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 257 "/" is current directory.
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> TYPE I
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 200 Type set to I
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> PASV
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 227 Entering Passive Mode (192,168,1,150,195,82)
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> SIZE /
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 550 File not found
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> MDTM /
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 550 File not found
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> RETR /
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 550 File not found
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> PASV
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 227 Entering Passive Mode (192,168,1,150,195,83)
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> CWD /
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 250 CWD successful. "/" is current directory.
(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> LIST
(000035) 7/8/2009 0:47:04 AM - michael (71.178.13.9)> 425 Can't open data connection.
(000035) 7/8/2009 0:47:07 AM - michael (71.178.13.9)> disconnected.

My windows firewall on the server is off right now, in order to not have to deal with it.

On my router, I have it forwarding Port any ->21 and 50000-51000.
Here is the rule as it looks in my router settings:

FTP - TCP Any -> 21
Application - TCP 50000-51000 -> 50000-51000

When I FTP in using the local LAN ip address, it works fine.

So what gives. Why can't I connect via FTP? I tried this on both a windows and mac. I used Firefox to logon to the FTP.

Help me out here please.

[botg]

Read the Network Configuration guide. Multiple times if needed, the information you seek is in there.

[boco]

(000035) 7/8/2009 0:46:53 AM - michael (71.178.13.9)> 227 Entering Passive Mode (192,168,1,150,195,83)

The used port (50003) is correct within the Passive range. But the server is sending the wrong IP (192.168.1.150 is in Private IP range Class C 192.168.1.0/24). You must tell Filezilla Server the external IP (WAN IP of the router) in Passive settings. Best would be to use the 'Retrieve' setting.