Windows XP FTP Server time out errors with FTP clients


Dillboi

I am a network administrator & computer consultant and my background
on this topic is good. I was running serv-u FTP server on windows 2000
behind a linksys router for years without any problems. Just upgraded
to Windows XP Pro. FTP server will not work with certain FTP clients,
mainly internet explorer's FTP client. I have made sure it is not
windows xp firewall, I have set it up correctly. I have even disabled
windows xp firewall. The problem is not with my linksys router, this
has worked for years, a simple port forwarding to my computer's IP has
already been set up. I changed my ftp server thinking it was
incompatible with windows XP, downloaded cerberus ftp server, same
problem. I think it is something with windows xp and possibly SP2,
maybe something with the damn winsock.dll, who knows? I have tried
multiple ftp servers with no luck, my linksys router is set up
correctly, windows firewall is not the issue. My FTP server shows a
connection from the client but when they run a dir or any ftp command
the connection times out (and yes, the timeout on my ftp server is set
to 100 seconds, more than enough time). The only thing I can not rule
out is the change from windows 2000 to windows xp pro sp2. One more
thing I noticed also is when I turn off "passive mode support" in
internet explorer advanced options that it seems to work then. I
assume internet explorer would try to directly connect to my ftp
server first then use passive mode. A direct connection will work
because I have port 21 forwarded directly to my ftp server computer
inside my network, this has worked for years before the upgrade to
windows xp. If anyone knows of any information that would help, I'd
really appreciate it. I have read of others having this or very
similar FTP problems as well. thanx
 
Dillboi said:
I am a network administrator & computer consultant and my background
on this topic is good. I was running serv-u FTP server on windows 2000
behind a linksys router for years without any problems. Just upgraded
to Windows XP Pro. FTP server will not work with certain FTP clients,
mainly internet explorer's FTP client. I have made sure it is not
windows xp firewall, I have set it up correctly. I have even disabled
windows xp firewall. The problem is not with my linksys router, this
has worked for years, a simple port forwarding to my computer's IP has
already been set up. I changed my ftp server thinking it was
incompatible with windows XP, downloaded cerberus ftp server, same
problem. I think it is something with windows xp and possibly SP2,
maybe something with the damn winsock.dll, who knows? I have tried
multiple ftp servers with no luck, my linksys router is set up
correctly, windows firewall is not the issue. My FTP server shows a
connection from the client but when they run a dir or any ftp command
the connection times out (and yes, the timeout on my ftp server is set
to 100 seconds, more than enough time). The only thing I can not rule
out is the change from windows 2000 to windows xp pro sp2. One more
thing I noticed also is when I turn off "passive mode support" in
internet explorer advanced options that it seems to work then. I
assume internet explorer would try to directly connect to my ftp
server first then use passive mode. A direct connection will work
because I have port 21 forwarded directly to my ftp server computer
inside my network, this has worked for years before the upgrade to
windows xp. If anyone knows of any information that would help, I'd
really appreciate it. I have read of others having this or very
similar FTP problems as well. thanx


Can I attempt to summarise:

1) You have an FTP server behind a NAT router;
2) The router has port 21 forwarded to the FTP server;
3) From external IP addresses, Active mode connections work;
4) From external IP addresses, Passive mode connections fail.
You see the control connection working, but the data connection is not
established.

To be honest, this is exactly what I'd expect.

Try active and passive mode connections to the server from a machine
on your local LAN (i.e. not coming in through the router).

Then make the same tests from an external machine.

I'd expect both modes to work locally, but PASV to fail from an external
machine.
And both may fail from an external machine if it's also behind NAT.
Depends on the cleverness of the NAT to make special provision for FTP.

First, let's get on to the same page about how Active and Passive FTP work:

http://slacksite.com/other/ftp.html
http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html

Quick summary:

FTP uses 2 connections:
Control and Data.
Control always comes from clientIP:ephemeral to serverIP:21.

Data depends on Active /Passive mode.
Client requests either active (PORT) or passive (PASV).

Active:
After initial control connection to server port 21,
Client opens ephemeral port, and tells server to connect to it.
Server connects from serverIP:20 -> clientIP:ephemeral

Passive:
After initial control connection to server port 21,
Server opens ephemeral port, and tells client to connect to it.
Client connects from ClientIP:ephemeral -> ServerIP: ephemeral

Now, here's what's happening in your situation,
With server-side NAT ( which you have ).

Active mode:
Client connects to your external IP:21.
This is explicitly forwarded to the FTP server:21.
The control connection is established OK.
Client requests PORT mode.
Client opens ephemeral port, and tells server to connect to it.
Server connects from serverIP:20 -> clientIP:ephemeral.
This is an outbound connection through your NAT, and so it works OK.

Passive Mode:
Client connects to your external IP:21.
This is explicitly forwarded to the FTP server:21.
The control connection is established OK.
Client requests PASV.
Server replies with IP:RandomPort to connect to.
Client will attempt to connect to the IP:Port the server specified.

2 problems here:

1) The server will tell the client the wrong IP address.
The server sees itself as 192.168.0.10 or whatever.
It has no knowledge of the external IP,
and so the client attempts to connect to a non-routable IP.


2) The server has opened a random port and asked the client to connect.
The NAT device knows nothing of this, and will see the incoming connection
from the client as unsolicited, and drop the packet.


You need to overcome these 2 fundamental problems to allow Passive FTP to a
server behind NAT.

To solve (1),
Sometimes, an FTP server will have options to manually specify an external
IP.
Sometimes, the NAT is clever enough to recognise the FTP session,
and actually edit the contents of the packet and insert the correct external
IP address.
If neither of these can be done, then it's not going to work.

To solve (2),
If the NAT is clever enough to handle (1), it may also open up a temporary
port-forwarding on-the-fly to accommodate (2).
If it isn't, then you can restrict the Passive Port Range on the server to a
couple of hundred ports,
then on the NAT router, explicitly forward that port range to the FTP
server.



So what to do?

Well, working on the basis that by rights it shouldn't work, you need to
discover what magic made it work before.

Try bringing a win2k box back and sniff the traffic using Ethereal
or similar at both the client and server sides. Look at the reply to
the PASV command as sent by the server, and as received by the client.

This will determine what NAT editing the Linksys box is doing to make
special provision for FTP servers (which it may be).

Then make the same test on your XP based FTP server.

Take it from there.
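The two PASV failure modes described in the reply above, and the suggestion to compare the 227 reply as sent by the server with the one the client receives, can be checked mechanically. The following Python is an added example written for this page; it is not code from the thread or from any of the FTP servers named in it. It parses the six-field address in a PASV reply (and, for contrast, a PORT command), then reports whether an external client would hit problem (1) (advertised inside address) or problem (2) (data port not forwarded through the NAT). The sample replies, the 192.168.0.10 server address and the 203.0.113.5 public address are constructed, and the function names are my own.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Both the client's PORT command and the server's 227 reply carry an address
# as six decimal fields h1,h2,h3,h4,p1,p2 (RFC 959); the port is p1*256 + p2.
_SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _host_port_from_fields(text: str) -> Optional[Tuple[str, int]]:
    m = _SIX_FIELDS.search(text)
    if not m:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each octet and each port byte must fit in one byte
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    line = line.strip()
    if not line.startswith("227"):
        return None
    return _host_port_from_fields(line)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    line = line.strip()
    if not line.upper().startswith("PORT "):
        return None
    return _host_port_from_fields(line)


def diagnose_pasv(reply_line: str, server_ip_dialed: str, through_nat: bool,
                  forwarded_ports: Optional[Tuple[int, int]] = None) -> List[str]:
    """Return the reasons the passive data connection would fail, or [] if it should work.

    reply_line       - the 227 reply exactly as the client received it
    server_ip_dialed - the address the client used for the control connection
    through_nat      - True when the client reaches the server via the NAT router
    forwarded_ports  - (low, high) range statically forwarded to the server, if any
    """
    parsed = parse_pasv_reply(reply_line)
    if parsed is None:
        return ["reply is not a parseable 227 PASV response"]
    ip, port = parsed
    findings: List[str] = []
    if ip != server_ip_dialed:
        # Problem (1): the server announces the address it sees itself as.
        kind = "private" if ipaddress.ip_address(ip).is_private else "different"
        findings.append(f"problem 1: server advertised {kind} address {ip}, "
                        f"client dialed {server_ip_dialed}")
    if through_nat:
        # Problem (2): the NAT knows nothing of the ephemeral data port unless
        # that port lies inside a range that is explicitly forwarded.
        if forwarded_ports is None or not (forwarded_ports[0] <= port <= forwarded_ports[1]):
            findings.append(f"problem 2: data port {port} is not forwarded through the NAT; "
                            "inbound data connection will be dropped")
    return findings


if __name__ == "__main__":
    # Constructed samples: the server's inside address is 192.168.0.10 and the
    # router's public address is 203.0.113.5 (documentation range, not a real host).
    inside_reply = "227 Entering Passive Mode (192,168,0,10,19,137)"
    fixed_reply = "227 Entering Passive Mode (203,0,113,5,195,88)"   # port 50008
    print("LAN client:     ", diagnose_pasv(inside_reply, "192.168.0.10", through_nat=False))
    print("external client:", diagnose_pasv(inside_reply, "203.0.113.5", through_nat=True))
    print("after fixes:    ", diagnose_pasv(fixed_reply, "203.0.113.5", through_nat=True,
                                             forwarded_ports=(50000, 50199)))
```

The third call models the fix the reply describes: the server is configured to advertise the external address and to draw passive ports from a small range, and that same range is forwarded on the router. Feeding the checker the 227 line from a client-side capture, rather than the server-side one, also shows directly whether the router rewrote the address in transit.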
 