A client is using a WD ShareSpace NAS with a built-in FTP server, running on port 21. Everything works fine, but one of their suppliers (just the one!) has a problem connecting to the FTP server. To be exact, he's able to log on, but the rest looks like this:

ftp> open ftp.estat.cz
Conencted to ftp.estat.cz
220 vsFTP 2.0.4+ (ext.3) ready...
User (ftp.estat.cz:(none): ftpestat
Password:
230 Login succesful.
ftp> ls
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp> PORT
Invalid command.

Does anyone have an idea, where the problem could be?

asked 10/18/2011 07:53

vvarag ♦♦


13 Answers:
Yes, their FTP client is not operating correctly.  FTP has to select an 'ephemeral' port from the client or server before it continues and that isn't happening for some reason.  This page shows some of the sequence.  Actually, it looks like they are trying to use telnet to connect.  LIST is the directory command in FTP, not 'ls'.  Here is a better list of FTP commands: http://en.wikipedia.org/wiki/File_Transfer_Protocol

answered

DaveBaldwin

Most likely your FTP client sent a PORT command that included its internal address in the 10.x.x.x range or the 192.168.x.x range.  The server is rejecting that address as invalid or unreachable.

If you are using the DOS command-line FTP client you can have it show you what's happening on the raw protocol level if you launch it like this: ftp -d  This would allow you to examine the PORT command sent by your FTP client.  The syntax of the PORT command is that the first four numbers are the IP address and the last two are the hex encoded port number.

The DOS command-line FTP client has some fairly significant limitations as far as its ability to deviate from standard vanilla FTP so you might need a different FTP client to actually USE this particular server (depending on your firewall and the configuration of the remote server.)

answered 2011-10-18 at 01:21:02

AlexPace

answered 2011-10-18 at 07:59:19

DaveBaldwin

AlexPace: I tried the command-line ftp -d command and lots of various FTP clients and you're right, it ends on:
[09:00:04] PORT 192,168,1,106,234,24
[09:00:04] 500 Illegal PORT command.
But how can I make the FTP client not send the internal IP address?

answered 2011-10-18 at 10:55:20

vvarag

CoreFTP on my computer is 'forcing' the use of PASV which makes the remote server send its IP address.  I just looked up Microsoft command line FTP and it does not appear to have that command.

answered 2011-10-21 at 00:09:04

DaveBaldwin

I don't know if it is possible to force the DOS command line FTP client to send an external address on the PORT command but DaveBaldwin's suspicion is correct regarding the DOS client's inability to do passive mode data channels: it can only do active mode.

There are a few possible workarounds for your situation:
1. Some firewalls have a feature that allows them to actively monitor the FTP control channel and watch for the PORT command.  These firewalls are able to modify the data stream on the fly to substitute an external IP address in the message that goes to the server.  The coolest thing is that they then automatically do port-forwarding for the server's incoming active mode data connection.  So this allows you to use a program like the DOS command line FTP client in situations where it is not otherwise possible.  Check with your network administrator to see if your organization's firewall has this feature.

2. Run the DOS command line FTP client on a computer with an external IP address, like in the network's DMZ area.

3. Use a different FTP client that supports passive mode data channels.  This is the easiest approach because you don't need anyone else's help to do it.  There are lots of good FTP clients available with Windows interfaces instead of command-line interfaces, many of them at low or zero cost.  Internet Explorer browser can even do passive mode FTP if you enable it under Tools -> Options -> Advanced -> Browsing.  If you feel like you need a command-line interface for scripting purposes you could use Robo-FTP, which is better for automation purposes anyway.

answered 2011-10-21 at 00:29:04

AlexPace

You know it could be as simple as telling the supplier to use PASV mode when they connect.  They may be using an FTP client that doesn't do it automatically.

answered 2011-10-21 at 07:57:17

DaveBaldwin

I tried to bypass the firewall on the supplier's side, so I connected a notebook directly to the ISP's cable, configured it with a static IP given by the ISP, but the result was the same :(

Unfortunately the PASV mode doesn't work as well. I tried a few FTP clients and when I turned the PASV mode on, it looked like:
PASV
Get directory
...
Connection lost

answered 2011-10-21 at 09:45:51

vvarag

answered 2011-10-24 at 00:38:48

DaveBaldwin

This page http://www.wdc.com/en/products/products.aspx?id=270 makes it look like your device is only made for LAN use, not really internet use.

answered 2011-10-24 at 00:54:33

DaveBaldwin

DaveBaldwin: I've browsed the WD pages and forums but haven't found any helpful information for me. And the WD ShareSpace is designed for internet use and it works fine over the internet for all the clients. The described problem occurs just for the one supplier.
When I try to connect from my place everything works fine (PORT 10,123,46,29,10,222), but the mentioned supplier gets PORT 10,0,1,5,194,189 and he's unable to do anything (except the successful logon).

answered 2011-10-24 at 00:57:19

vvarag

The PORT command is sent by the FTP client.  If the supplier sends a PORT command with a 10.x.x.x address all the way to the server that will never work because the 10.x.x.x is a private range.  There are only two ways that a client can send 10.x.x.x in a port command and expect it to work:
1. The client is on the same private 10.x.x.x network as the server.
2. The firewall on the client's network is protocol-aware of FTP and inspects the control channel in real time and actually replaces the 10.x.x.x internal address with an external IP address so that the server will actually see the external address rather than the client's internal 10.x.x.x address.

answered 2011-10-24 at 03:16:15

AlexPace
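
Added example, not part of any answer in this thread: a Python sketch that decodes the PORT arguments quoted above (four decimal address bytes, then the port as high byte × 256 + low byte, per RFC 959) and models a server that accepts a PORT only when its address equals the source address of the control connection, as vsftpd does by default (its port_promiscuous option turns the check off). The control-peer addresses in the samples are constructed, and `parse_port` / `check_port` are hypothetical helper names.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : six decimal byte values (RFC 959)
PORT_RE = re.compile(r"\bPORT (\d{1,3}(?:,\d{1,3}){5})\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (IPv4Address, tcp_port) for a line carrying a PORT command, else None."""
    m = PORT_RE.search(line)
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return addr, fields[4] * 256 + fields[5]

def check_port(line, control_peer):
    """Model of the server-side check: the PORT address must match the address
    the control connection arrived from, and the port must not be reserved."""
    parsed = parse_port(line)
    if parsed is None:
        return "not a valid PORT command"
    addr, port = parsed
    peer = ipaddress.IPv4Address(control_peer)
    if port < 1024:
        return f"reject: reserved port {port}"
    if addr != peer:
        kind = "private (RFC 1918) address" if any(addr in n for n in RFC1918) else "address"
        return f"reject: {kind} {addr} != control peer {peer}"
    return f"accept: data connection to {addr}:{port}"

# PORT lines are the ones quoted in the thread; peer addresses are constructed.
SAMPLES = [
    ("[09:00:04] PORT 192,168,1,106,234,24", "203.0.113.7"),  # client behind NAT
    ("PORT 10,0,1,5,194,189", "203.0.113.7"),                 # supplier behind NAT
    ("PORT 10,123,46,29,10,222", "10.123.46.29"),             # same private network
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print(f"{line!r:45} -> {check_port(line, peer)}")
```

Running the same decoding over the supplier's `ftp -d` output and comparing the address with the one the server logs for the control connection shows whether the firewall on the client side rewrote the PORT command.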

MS ftp client does not support passive (a.k.a firewall friendly) data connections.

It appears that the FTP server is configured only to allow passive data connections, even though it is issuing a message that says to use PORT or PASV.

Whoever is having the problem needs to use an FTP client that supports passive FTP data connections.  CuteFTP and Filezilla are two that do and have a GUI interface.

answered 2011-10-24 at 09:53:39

giltjr

Last updated: 11/03/2011 01:45