5. Troubleshooting
Q1: Why does issuing the LIST command result in an error message?
There are several possible explanations for this problem. Your network may be running a firewall, or your computer may be behind a router. See the section "I am connected to the internet through a router. How should I configure my router to allow FTP traffic?" for more information.
If you are using a router with Cable or DSL to connect your home computer to the internet, you may need to enable Port Forwarding. Consult your router documentation on how to enable Port forwarding for FTP.
Finally, if you can, instruct your clients to connect using passive FTP mode (initiated by the client using the PASV command). Active FTP (initiated by the client with the PORT command) tends to cause problems with older hardware routers and software firewalls.
Q2: I'm running Cerberus FTP Server as a service and it can't access mapped network drives. Why?
Mapped drives are stored on a per-user basis. The default configuration for a service logs it in as the LocalSystem account, so it cannot access the mapped drives you make when you log in using your own account. You can manually change your service's account by viewing its properties in the Services Control Panel applet (NT 4) or the Services branch in Computer Management (Windows 2000/XP, Start->Programs->Administrative Tools->Computer Management).
A service can map its own drives. Alternatively, instead of using a mapped network drive, you can specify the UNC name for the directory.
Q3: I've correctly configured passive FTP but passive data connections still fail. What else could be wrong?
Many of the newer, "smarter" routers attempt to detect passive FTP traffic and automatically modify the FTP commands to work correctly with the router. One way to diagnose this issue is to monitor the log file from Cerberus and the FTP client as a passive connection is attempted. The log file excerpts below are from a connection attempt from a FileZilla FTP client to Cerberus FTP Server. The client is located outside the local network that Cerberus FTP Server is installed on.
Cerberus:
May 01 13:12:04 42 257 "/" is the current directory
May 01 13:12:04 42 TYPE A
May 01 13:12:04 42 200 Type ASCII
May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 LIST
FileZilla:
Command: TYPE A
Response: 200 Type ASCII
Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
Command: LIST
The indication that the router is changing the FTP command is the difference in the ports listed between the client log and the server log.
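The comparison described above can be automated. The following is an added example, not part of the Cerberus documentation: it extracts each 227 reply from both logs, decodes the data port as p1*256 + p2, and reports replies that differ between what the server sent and what the client received. The function names are assumptions, the sample logs are the excerpts above, and replies are paired in order, which assumes both logs cover the same session.

```python
import re

# Matches the address/port tuple of a 227 reply. Host octets may be masked
# as "X" in published logs, as they are in the excerpts above.
PASV_RE = re.compile(
    r"227 Entering Passive Mode \(\s*([\dX]+)\s*,\s*([\dX]+)\s*,\s*([\dX]+)\s*,"
    r"\s*([\dX]+)\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)

def pasv_endpoints(log_text):
    """Return [(host, port), ...] for every 227 reply found in a log."""
    endpoints = []
    for m in PASV_RE.finditer(log_text):
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            continue  # not a valid two-byte port encoding
        endpoints.append((".".join(m.group(1, 2, 3, 4)), p1 * 256 + p2))
    return endpoints

def compare_pasv(server_log, client_log):
    """Pair 227 replies in order and list those that changed in transit."""
    sent = pasv_endpoints(server_log)
    seen = pasv_endpoints(client_log)
    return [
        {"reply": i, "server_sent": s, "client_saw": c}
        for i, (s, c) in enumerate(zip(sent, seen))
        if s != c
    ]

# Log excerpts copied from the troubleshooting entry above.
SERVER_LOG = """\
May 01 13:12:04 42 TYPE A
May 01 13:12:04 42 200 Type ASCII
May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 LIST
"""
CLIENT_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
Command: LIST
"""

if __name__ == "__main__":
    for f in compare_pasv(SERVER_LOG, CLIENT_LOG):
        print("227 reply %(reply)d rewritten: %(server_sent)s -> %(client_saw)s" % f)
```

A non-empty result means a device between the server and the client altered the 227 reply; an empty result with failing data connections points elsewhere, such as a blocked passive port range.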
To resolve the issue, you have to change Cerberus' PASV IP to be your internal LAN IP and not the external IP you get from your Internet Service Provider (ISP).
Steps to resolve:
- Go to Configuration -> Server Manager -> Interfaces
- Click on the interface that matches your internal IP
- In the PASV Options section click the "Use different IP for PASV command" radio button and in the textbox that appears put in the same IP as the interface (your local IP address).
- Click the "Ok" button
Q4: I cannot access the GUI when Cerberus FTP Server is running as a service.
There are two possible problems, both relating to running Cerberus as a service. On Windows 2003 and higher operating systems, you cannot access the Cerberus FTP Server GUI while running as a service. You must first stop the service and start Cerberus as a normal application. We are working to remove this limitation in a subsequent version of Cerberus.
On Windows XP and earlier operating systems, this limitation is only present when accessing Cerberus through a terminal server session. When Cerberus is running as a Windows service, access to the FTP server window through a terminal server session is not possible. The reason for the conflict is that the Cerberus service always has to run on the desktop of the console session. When connecting through terminal services, Windows creates a new self-contained desktop for the terminal server session, so the FTP server window cannot be accessed from that desktop.
You can solve this with one of the following solutions:
- Access the FTP server directly on the console screen rather than using a terminal server session to access the FTP server.
- Use different remote access software (e.g. PCAnywhere or PCDuo) instead of a terminal server session to access the FTP server.
- Stop the FTP server service and start the FTP server in application mode by double-clicking the Cerberus FTP server icon on the desktop. That way you can also access the FTP server through a terminal server session. It is recommended to start the FTP server as a service again before you leave your terminal server session.
- Connect to the console session. To do so, administrators can choose one of the following methods:
  - Use the Remote Desktop Microsoft Management Console (MMC) snap-in.
  - Run the Remote Desktop Connection (mstsc.exe) program with the /console switch.
  - Create Remote Desktop Web Connection pages that set the ConnectToServerConsole property.
Q5: TLS/SSL FTP sessions are not working through my firewall.
The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established.
In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using passive mode), FTPS should function without issue.
To configure for passive FTP (the preferred method), see "Q2: My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?"
Q6: I cannot use a remote share as an NT home directory when authenticating a user against a domain.
The following comments apply only to users who use domain authentication to log in to the FTP server.
The login method used to authenticate a user against the domain does not allow access to network shares. The technical reason is that the token granted through the logon method Cerberus is using is a network logon for the user with no network credentials. You can use the resulting token on the local machine, but can't impersonate a user using this token in order to authenticate with remote servers. When Cerberus tries, it ends up establishing a null session (how Windows represents an anonymous user) with the remote server instead.
Basically, you would have to make the share anonymous for Cerberus to be able to access it.