PASV failure

This forum is for anyone experiencing problems related to their firewall settings. More specifically, anyone experiencing connection issues should take a look at this forum.
ottovonkopp
Posts: 2
Joined: Tue Sep 15, 2015 9:29 am

PASV failure

Post by ottovonkopp » Tue Sep 15, 2015 9:53 am

Hi!

Some clients get PASV failure. This one is from Filezilla.

Status: Disconnected from server
Status: Resolving address of ftp.company.com
Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type Binary
Command: PASV
Response: 227 Entering Passive Mode (xxx.xxx.xxx.xxx,49,248)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

And sometimes from the same client and address

Status: Resolving address of files.electra.se
Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type Binary
Command: PASV
Response: 227 Entering Passive Mode (xxx.xxx.xxx.xxx,50,12)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

Another failure from another client and address using sftp (Rebex?). They connect successfully to other servers on sftp.

Message: The remote server returned an error: (521) 521 Not logged in - Secure authentication required

The problem is that it works when I test both external (behind a Cisco ASA) and internal so I have no clue what's wrong.

The server is behind a Cisco ASA. All ports and a port range are forwarded.

PASV Port range is the same on the server and the FW. Secure Control and Data is enabled.

We also have a public cert installed and verified.

Kind regards
Bernt

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: PASV failure

Post by Serin » Wed Sep 16, 2015 1:08 am

> Message: The remote server returned an error: (521) 521 Not logged in - Secure authentication required

Explained here:

http://www.cerberusftp.com/support/faq/ ... tup.htm#Q5



You have to specifically define the passive port range in the Cisco device.

http://www.cerberusftp.com/support/faq/ ... tup.htm#Q2


You should also try using the internal IP for passive mode if the above doesn't work, as explained here:

http://www.cerberusftp.com/support/faq/ ... ng.html#Q3
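
To check a client log against the two suggestions above, the 227 replies can be decoded and compared with the firewall rule. This is an added example, not part of the original post or of Cerberus FTP Server; the sample addresses, the forwarded range and the function names are assumptions, and it expects the unmasked comma-separated reply format (h1,h2,h3,h4,p1,p2).

```python
import ipaddress
import re

# Constructed sample in FileZilla's log format. Addresses are made up;
# the port byte pairs 49,248 and 50,12 are the ones shown in the thread.
SAMPLE_LOG = """\
Response: 227 Entering Passive Mode (203,0,113,10,49,248)
Response: 227 Entering Passive Mode (203,0,113,10,50,12)
Response: 227 Entering Passive Mode (192,168,1,20,49,250)
"""

# Assumed passive range forwarded on the firewall (placeholder values).
FORWARDED_RANGE = (12790, 12800)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\b227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed reply: every field is one byte
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def audit(log, port_range):
    """List (ip, port, problems) for every 227 reply found in the log."""
    lo, hi = port_range
    findings = []
    for line in log.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        problems = []
        if not lo <= port <= hi:
            problems.append("port outside forwarded range")
        if any(ip in net for net in RFC1918):
            problems.append("RFC 1918 address advertised")
        findings.append((str(ip), port, problems))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, FORWARDED_RANGE):
        print(finding)
```

With TLS on the control channel the firewall cannot read the 227 reply, so it cannot open the data port dynamically and the whole advertised range has to be forwarded statically.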

ottovonkopp
Posts: 2
Joined: Tue Sep 15, 2015 9:29 am

Re: PASV failure

Post by ottovonkopp » Wed Sep 16, 2015 1:58 am

But the client is using sftp and if they used ftp I still want secure control and data.

> You have to specifically define the passive port range in the Cisco device.
>
> http://www.cerberusftp.com/support/faq/ ... tup.htm#Q2

Done that and it works when I test external.

> You should also try using the internal IP for passive mode if the above doesn't work, as explained here:
>
> http://www.cerberusftp.com/support/faq/ ... ng.html#Q3

Tried that but Filezilla doesn't like it. Can't remember exactly but it was something with local address.
