PASV mode FTP


 
# 1  
Old 09-27-2005
PASV mode FTP

Hello,

We have a situation wherein the FTP connections from a Client over a secure connection like ANX, when using PASV mode file transfers, the server on our end is sending out an ip address as (0,0,0,0,0,0) for PASV mode. The first four numbers denote the ip address and the last two denote the Transmit and receive block size. The result of such a response from the server is preventing the client from receiving the data via the ip that the server sends back. The control port of the client seems to be working fine, so the client can login to the FTP server and issue commands that do not involve sending data back from the server like cd to a certain directory.
However whenever there is a command which involves getting data back from the server like ls the contents of the directory or get filename (since the session is a PASV mode file transfer, which we would like to be versus using active PORTS), the command hangs and eventually times out.

I would like to know what is the required setting on the server that determines the IP address that is sent back to the client indicating the data port/channel the server is responding with when the client uses a PASV mode file transfer session. Any suggestions/ideas/comments are much appreciated.

Thanks
Jerardfjay
# 2  
Old 09-28-2005
I have had similar problems and we traced those back to a Cisco PIX that somehow did not like the fact that the internal- and external IP-address were NAT-ted.

The data-channel originated from a private IP-range of the FTP-server.

The FTP-server advertised its original (private) address and the PIX could not route the connection to the internet. I connected to this server's internet-IP and the PIX dropped the resulting data-channel-connection. This problem was solved by making the FTP-server advertise the external IP-address.

It was possible to recreate the problem with all kinds of FTP-clients, all had the same problems.

Another option could be that port 20 is closed. To login, you connect over port 21 (control-channel), but port 20 is the data-channel. If port 20 is closed, you can login, but you can't see directories or anything.
# 3  
Old 09-28-2005
Hi Indo1144,

Thanks for your reply. Exactly where all do we have to make changes in our environment. Could you let me know.
You have mentioned our FTP server for one could not be advertising our internal ip-address. Is this a software setting/hardware setting or both.
Could you please elaborate on the where all the changes need to happen.
Thanks for your help

Jerardfjay
# 4  
Old 09-28-2005
Quote:
Originally Posted by jerardfjay
Thanks for your reply. Exactly where all do we have to make changes in our environment. Could you let me know. You have mentioned our FTP server for one could not be advertising our internal ip-address. Is this a software setting/hardware setting or both. Could you please elaborate on the where all the changes need to happen.
What happens when you connect locally on the ftp-server itself? If you do a "ftp localhost" and use the "passive" command and then ask a directory-listing, does that work?

I don't know if I can help you, since I'm not very familiar with FTP-servers, but I can always try. However, you provide very little information about the server itself, so at this point I can only speculate...

Quote:
We have a situation wherein the FTP connections from a Client over a secure connection like ANX, when using PASV mode file transfers
So, the client is NOT on the ANX-network, but he's connecting to it, right? Or are both the server and client on the ANX-network? I'm asking because I found this piece of text on the internet:
Quote:
ANX is a secure private network that uses standard, open Internet protocols but carries all traffic over private lines leased from various carriers. Through IPSEC and end-to-end encryption, ANX provides secure service to its customers like that of a typical VPN. Where it's different from a typical VPN is that the routers that make up the network check every packet to make sure it comes from an IP address on the private network. Thus, nobody but customers can get into the network.
So routing could be an issue... This article came from here
# 5  
Old 09-28-2005
We do not have issues connecting or logging into the FTP server. If we think of ANX connection as secure private connection between two parties (like the post mentioned the security is provided by hardware/software instead of SSL/SSH where it is provided by software only) and the FTP client resides on the other end. There are IPSEC routers available on either end and connectivity has been established.
We know this because we can login to the FTP server using our accounts from the client. However when using PASV mode file transfers the data channel that is coming back from the server is sending (0,0,0,0,0,0) instead of the actual IP address of the FTP server. This is what is creating the problem. The actual data flows either way, however it stops at the point where the client is trying to get to the data channel which is (0,0,0,0,0,0) and times out on this step. Communication from the FTP client to server and from server to Client is working up to this point when the Client tries to use the data channel advertised by the server. Does this make sense? Please advise. Thanks.

Jerardfjay
# 6  
Old 10-13-2005
figured out the issue

To all who have been wondering if this was fixed or not. Here is the skinny.

Code:
Why PASV Poses Problems for FTP Servers on Internal Networks.

The other server-side problem that can occur is when a client is trying to access an FTP server on an internal network protected by a routing device.  Because a server response from PASV includes an IP address and port number, if this IP address corresponds to a private network then the client will not be able to connect to that private address.  From our PASV example above, we have:
Server:  227 Entering Passive Mode (172,16,3,4,204,173)
If left unaltered, the client would try to connect to port 52397 on the IP address 172.16.3.4.  If the client is not on the private internal network, the client would time-out trying to connect to that address, when in reality it should be connecting to the external IP address of the routing device.
Solution 1:  The network administrator of the server network can consult the routing device vendor's documentation to see if FTP connections can be dynamically monitored and dynamically replace the IP address specification for packets containing the PASV response.
Using our PASV example above, when the FTP server replies to the PASV request:
Server:  227 Entering Passive Mode (172,16,3,4,204,173)
The routing device should rewrite the packet like this, assuming the external address is 17.254.0.91:
Server:  227 Entering Passive Mode (17,254,0,91,204,173)
The remote client would then attempt to connect to the routing device at 17.254.0.91:52397. The routing device in this example would then forward all traffic for this connection between the remote client and the internal FTP server at IP address 172.16.3.4.

We have decided to pursue this alternative. This information is from the following URL

NC FTP Web site
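Added example, not part of the original thread or the NcFTP text: a small diagnostic that parses a 227 reply as defined in RFC 959 (four address octets, then the port as p1*256+p2) and checks the advertised data endpoint against the address the client used for the control connection. The function names, the verdict strings and the constructed 0,0,0,0,0,0 reply line are assumptions for illustration; the control peer 17.254.0.91 is the external address from the quoted example.

```python
import ipaddress
import re

# RFC 959 PASV reply: six decimal fields h1,h2,h3,h4,p1,p2 inside the 227 line.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    if not reply.lstrip().startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def diagnose(reply, control_peer):
    """Classify the advertised data endpoint against the address the client dialed."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if ip.is_unspecified or port == 0:
        verdict = "unusable: server advertised 0.0.0.0 or port 0"
    elif ip == peer:
        verdict = "ok: data endpoint matches control connection"
    elif ip.is_private and not peer.is_private:
        verdict = "unroutable: private address leaked through NAT"
    else:
        verdict = "mismatch: data endpoint differs from control peer"
    return str(ip), port, verdict


# Constructed sample input: the reply values discussed in the thread, as seen
# by a client whose control connection went to 17.254.0.91.
if __name__ == "__main__":
    for line in ("227 Entering Passive Mode (0,0,0,0,0,0)",
                 "227 Entering Passive Mode (172,16,3,4,204,173)",
                 "227 Entering Passive Mode (17,254,0,91,204,173)"):
        print(diagnose(line, "17.254.0.91"))
```

Running the same check against a captured control-channel session from inside and from outside the NAT boundary shows whether the server or the routing device is producing the address the client receives.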