Passive Failure

This forum is for anyone experiencing problems related to their firewall settings. More specifically, anyone experiencing connection issues should take a look at this forum.
gene_irm
New User
Posts: 4
Joined: Thu Mar 23, 2017 9:55 am

Passive Failure

Post by gene_irm » Tue Apr 04, 2017 11:53 am

Hi all,

Fairly new to FTP and not really coming from an IT background, so do be gentle =).

I have a user who's having trouble logging into my server. This is what I see from my log:

[2017-04-04 07:53:59]:COMMAND [ 1035] - [<redacted>] PASV
[2017-04-04 07:53:59]: REPLY [ 1035] - [<redacted>] 227 Entering Passive Mode (192,168,168,14,58,166)
[2017-04-04 07:53:59]:COMMAND [ 1035] - [<redacted>] MLSD
[2017-04-04 07:55:31]: WARN [ 1035] - Timeout while waiting for connection
[2017-04-04 07:55:31]:SUGGEST [ 1035] - Passive failure: For help see https://www.cerberusftp.com/support/faq ... lsetup/#Q3
[2017-04-04 07:55:31]: REPLY [ 1035] - [<redacted>] 425 Unable to open the data connection

Here is the log from the client (FileZilla):

Command: PASV
Response: 277 Entering Passive Mode (192,168,168,14,58,166)
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: GnuTLS error -53: Error in the push function.
Error: Connection timed out
Error: Failed to retrieve directory listing

I checked out the documentation in the link in my server's log, but I think I have everything configured correctly. I have a passive port range defined under "Configure" -> "Advanced" and am forwarding those same ports from my router. Of course, port 21 is forwarded as well. I even have 990 forwarded in case anybody wants to connect via implicit FTP.

I've also gone to "Configure" -> "Interfaces" and checked "Set up PASV IP" and entered my server's private IP under the correct IP with port 21. That said, it was after I did this that I started seeing the status message about the unroutable address in the client's logs.

The GnuTLS error leads me to believe that it's a firewall issue and that perhaps the client side is blocking the ports that we're using for the data connection (though it's my understanding that passive mode is supposed to avoid this problem), but I switched around the passive ports, and the error persists. I'm supposing this means I've misconfigured something on my end. Interestingly enough, though, I get successful logins every day from other users. Could this still be a firewall issue on the user's side, or am I doing something wrong after all?

Thanks in advance,
Gene

pacman
Senior User
Posts: 187
Joined: Thu Apr 28, 2016 1:54 pm

Re: Passive Failure

Post by pacman » Wed Apr 05, 2017 10:34 am

Hi Gene,

Have you tried under "set up PASV IP" using your public IP instead of your private IP?

gene_irm
New User
Posts: 4
Joined: Thu Mar 23, 2017 9:55 am

Re: Passive Failure

Post by gene_irm » Fri Apr 07, 2017 9:21 am

Thanks for the response, Pacman.

Just wanted to check in. I did what you suggested and it got rid of the unroutable address message when I do my own testing. I've asked my user to try again and have yet to get a response, but I'll report back when I do.

Gene

gene_irm
New User
Posts: 4
Joined: Thu Mar 23, 2017 9:55 am

Re: Passive Failure

Post by gene_irm » Tue Apr 11, 2017 4:00 pm

Update:

So it looks like it's still no good. It looks like the errors are the same, though the client's log no longer has the "unroutable address" warning. The 227 message is also showing my public IP now instead of private.

It still seems to me that the GnuTLS error that the client sees is the key. The control channel looks ok, so I think they have rules in place for 21 and 990, but we get stuck at the data channel. Could this error come up if they don't have a firewall rule set up to allow connections to the passive ports that I specify?

Otherwise, I'm not sure what to make of that error (nor my "passive failure" error), and any ideas would be helpful.

Thanks,
Gene

pacman
Senior User
Posts: 187
Joined: Thu Apr 28, 2016 1:54 pm

Re: Passive Failure

Post by pacman » Wed Apr 12, 2017 10:32 am

Hi Gene,

I would like to see some more logging. It might be best to submit a support ticket to Cerberus.
https://support.cerberusftp.com/hc/en-us/requests/new

gene_irm
New User
Posts: 4
Joined: Thu Mar 23, 2017 9:55 am

Re: Passive Failure

Post by gene_irm » Tue May 23, 2017 10:03 am

Hi,

Just an update: we got the problem solved. Turns out, the issue was on the client side in that their firewall had our passive port range blocked, even though they were allowing connections to port 990.

Thanks very much for your help, Pacman.

Gene
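
Added example, not part of the thread and not Cerberus or FileZilla code: a short Python check that decodes the 227 reply from the server log in the first post (SUGGEST line omitted), flags a private PASV address, and reports which data port the client never reached before the 425. The names `decode_pasv`, `diagnose` and `ASSUMED_RANGE` are made up for this example, and the port range is an assumption because the thread never states the configured one.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\b227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
SESSION_RE = re.compile(r"\[\s*(\d+)\]")
ASSUMED_RANGE = (15000, 15100)  # assumption: the thread does not give the real range

# Server log lines as posted in the first message of the thread.
SERVER_LOG = [
    "[2017-04-04 07:53:59]:COMMAND [ 1035] - [<redacted>] PASV",
    "[2017-04-04 07:53:59]: REPLY [ 1035] - [<redacted>] 227 Entering Passive Mode (192,168,168,14,58,166)",
    "[2017-04-04 07:53:59]:COMMAND [ 1035] - [<redacted>] MLSD",
    "[2017-04-04 07:55:31]: WARN [ 1035] - Timeout while waiting for connection",
    "[2017-04-04 07:55:31]: REPLY [ 1035] - [<redacted>] 425 Unable to open the data connection",
]

def decode_pasv(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (IPv4Address, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no 227 passive reply in line")
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in 227 reply")
    # The data port is sent as two bytes: high byte * 256 + low byte.
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def diagnose(lines, port_range):
    """Return (session, code, detail) findings for passive-mode problems."""
    findings, pending = [], {}  # pending: session -> data port awaiting a connection
    low, high = port_range
    for line in lines:
        sm = SESSION_RE.search(line)
        if not sm:
            continue
        sid = sm.group(1)
        if PASV_RE.search(line):
            ip, port = decode_pasv(line)
            pending[sid] = port
            if ip.is_private:  # RFC 1918 address: unroutable from outside the LAN
                findings.append((sid, "PRIVATE_PASV_ADDR", str(ip)))
            if not low <= port <= high:  # port not covered by the forwarded range
                findings.append((sid, "PORT_OUTSIDE_RANGE", str(port)))
        elif re.search(r"\]\s+425\b", line) and sid in pending:
            # No inbound data connection arrived on the advertised port.
            findings.append((sid, "DATA_CONN_FAILED", str(pending.pop(sid))))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SERVER_LOG, ASSUMED_RANGE):
        print(finding)
```

The port reported with `DATA_CONN_FAILED` is the one to test through the server's router and the client's outbound firewall rules, since an open control port (21 or 990) says nothing about the passive range.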
