FTP 425 Error


G-Stress
Guys, I am stumped... I'm running win2k3 Enterprise using IIS to host my FTP server, and before it was fine. I never had an issue connecting. Now all of a sudden I'm getting a 425 error, can't open data connection. I clearly have port 21 open on the Windows firewall and have FTP server enabled on this adapter. Now if I disable the firewall I can connect, but it doesn't make sense. I have no 3rd-party firewalls installed. I even added port 20 to the exceptions list and still can't connect with the firewall on.

This happened after I tried to change the port to 1000 in IIS as well as the firewall exceptions, but I changed everything back and now I can't connect with the firewall enabled.

Passive. I'm actually not sure how to enable active. I know I have folder view and passive view checked in internet options. I just don't see how this is occurring when I clearly have the ports open and FTP enabled on all 3 network adapters in this machine.  :-?

http://support.microsoft.com/kb/q129395/

If an FTP error 425 occurs, this indicates that the server was unable to open the connection back to the client. The most likely cause for this is an FTP client application that is attempting to re-use a socket that is still in the TCP TIME-WAIT state due to an earlier connection that hasn't been timed out yet. Per RFC793, Windows NT 3.5 systems leave old connections in the TIME-WAIT state for 2MSL (240 seconds). During this time they cannot be re-used.

Looks like it isn't the server's problem, but it can't reach you on the client side. It looks like it's getting to connect, but the server times out when trying to talk to the client making the connection. Maybe the IIS is using an outbound port that is blocked? Are you connecting from some place new? Or blocking ports on your local box that is trying to connect to the FTP server?

Try a traceroute and also open Wireshark or Ethereal and see if you can see packet exchanges between the two machines. Also run Wireshark or Ethereal on the IIS and try to connect outbound and see if anything times out or what kind of data you're getting returned.

@ digip,

I did read that Microsoft article also. It was the only thing I hadn't already read when I had this issue about a year or 2 ago. It makes sense, but I just don't see how it's possible. I tried from 2 different machines to connect just via my local LAN. I haven't tried connecting from outside again since I've had this issue.

I had just thought about that right after I posted this (running Wireshark/Ethereal). I'm gonna do that now and see what I can see, and run a trace route. Thought about all that right after I submitted this post and am gonna try now.

Let us know what it was if you get it fixed...

@ digip,

Will do. One thing I noticed is, it seems as if it tries to choose a random port on my machine when trying to connect, according to iptools. It appeared to be port 1272 on a couple of different attempts to connect. So I tried opening up that port on my Windows firewall with no success. Then I tried opening up that port on the server, still with no success.

One question, how exactly would I trace route to just the FTP server part of this machine? I can trace route to just the IP, but I tried

tracert ftp://server 

tracert ftp://server:21

tracert server:21

and it is unable to resolve target system name :-?

Type "tracert /?" for the help file. You just specify the IP address or name, not the ftp:// or http://

ex: tracert xxx.xxx.xxx.xxx

ex: tracert acme.com

Wow.  I had some firewall issues getting here, myself.  I had to use tor, but the port was being blocked by the corporate firewall.  I switched 8118->8119 and presto.

You mentioned adding port 20 to the exception list.  Port 20 is not used by passive FTP.  With passive FTP, the client should be saying PASV, and the server should choose a high port number that is random, responding with PORT x.  The firewall needs to be FTP-aware so that port x is accessible from the client's IP address.

I'm not sure how this gets accomplished with Windows 2003 as I'm more of a unix person.  I don't use no stinkin' firewall, though I don't need it to do very advanced stuff except run sshd, public ftp, and samba.  Nothing else is enabled.  Some day I'll make the switch to OpenBSD and try to figure out pf, but until then, my Gentoo is running exposed.

@ digip,

Yea, I was able to tracert to the machine via just the IP fine and reach it with 1 hop. I'm familiar with trace route, but being this is an FTP issue I didn't know if there was a way I could trace my route to that machine specifically on port 21 only.

@ incripshin,

It's been awhile since I've really got deep within FTP so as for active and passive I forget I need to re-read about both. I just remember that port 20 was for the data side of FTP protocol which is why I opened it up on the firewall. I didn't know it wasn't used for Passive FTP and that being said I need to do a lil more research on FTP.

I'm gonna figure out the issue here so I will know for future reference, but I plan to have the FTP running on a different port. I read somewhere that when doing that it is best to use port 3000 or higher. Now you more experienced users, would you recommend using a different port or a secure FTP?

No. Port 21 is presently closed on my router. I only open it when I'm at a remote location I log into my router and open it to access the FTP then close it back. I did however just now (don't know why I didn't think of it before) try to access the server via linux and still get the 425 error so I would say it's safe to say it is definitely something dealing with the windows firewall.

Ok, something I'm finding very interesting. I'm looking at the firewall config via netsh. It says the log file is contained in C:\WINDOWS\pfirewall.log, but that file doesn't even exist. (Not sure if I need to enable logging or anything.)

The interesting thing is it shows that the port is clearly open, but yet on the adapter I'm hosting on it says the opmode is disabled... yet in the network connections/nic properties it's enabled...  :-?

Domain profile configuration:
---------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration (current):
---------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Shared firewall configuration:
---------------------------------------------------
Operational mode                  = Enable

Domain firewall configuration:
---------------------------------------------------
Operational mode                  = Enable

Wireless firewall configuration:
---------------------------------------------------
Operational mode                  = Enable

Domain profile configuration:
----------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Just thought I'd add I can log in via command line FTP, locally and remotely, just not with any browser. I reset all of Internet Options Security Settings and Advanced Settings to default and am still not able to log in. Give up for the night, I'll take a stab at it tomorrow and hopefully figure it out.

Wait, what have you been using to FTP in all this time? A web browser? And which one? IE has an option to log on via FTP. Other browsers require the old ftp://name:pass@xxx.xxx.xxx.xxx/ or ftp://name:pass@www.acme.com/ scenario.

If no name or password are required as in anonymous ftp, you would use:

ftp://anonymous:password@xxx.xxx.xxx.xxx/

Yea, sorry, guess I should have stated that. It does give me the prompt for username and pass and it accepts my credentials, but then spits back the 425 error. On another machine it simply timed out and I did netstat -a, maybe -n, can't remember, on that machine while it was in the process of attempting to connect, and sure enough port 21 was in the TIME_WAIT state.

It sounds like this is relative to that Microsoft article now, but I don't see how every machine even remotely would get the same error. I had a buddy try it over the internet and he got the 425 also, but was able to via command line.

Maybe try an FTP program separately, like WS_FTP or FileZilla. Your browser may be blocking something? If command line FTP works, then it is either a config problem within the browser, or the server somehow rejects web browsers.

http://www.twistedpairrecords.com/digip/Ws_FTP_LE.rar

@ digip,

Yea I am just gonna use a different port for FTP anyway (hoping the traffic won't be as noticeable to my ISP that way) but I gotta figure this out then I will do that. I'm gettin closer and closer I just gotta figure it out.

I've heard all about FileZilla and WS_FTP, never really messed with them. I'm sure I will, although I like using the browser mostly. If they have resume support I'm sure I will use them instead of a browser. Will check out one now and see what happens.

IE's FTP client works on most servers, but not all.  It gives really weird directory listings when connecting to a publicfile FTP server.  This specific issue isn't related, but it's an example of where mozilla and filezilla follow the (screwy) FTP spec more closely.

My guess is that IE and most other clients you've tried are not using active mode.  I would check what the default is, except that I'm in linux.  See KB323446 for how to enable active mode.  If this is the case, I'm guessing that your FTP server is running both active and passive, but passive doesn't work because the firewall isn't FTP-aware.  The solution then is to get your firewall to work properly with FTP.

A good idea if I'm wrong is to run wireshark/tcpdump while connecting with the CLI client that worked and some other client that doesn't work.  See how the connection phase is working.  Wireshark should make this pretty easy if you can filter well enough, since it parses common protocols like FTP.  Filter for tcp.port==21.  What you should be looking for are PORT or PASV commands.  This will tell you what kind of connection is being made, and probably why one client works while another doesn't.

Edit - The default for IE7 is to use passive FTP.  Switch it off and see if FTP works.
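
An added example, not part of any post in this thread: a small Python helper that reads FTP control-channel lines (as copied from a Wireshark `tcp.port==21` stream) and reports, for each PORT command or 227 reply to PASV, which side listens for the data connection, on which port, and therefore which firewall needs the inbound rule. The two sessions, the addresses and the function names are constructed for illustration.

```python
import re

# "h1,h2,h3,h4,p1,p2" as carried by PORT and by the 227 reply to PASV (RFC 959)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connections(control_lines):
    """Walk control-channel lines and report each negotiated data connection."""
    found, awaiting_227 = [], False
    for raw in control_lines:
        line = raw.strip()
        verb = line.split(" ", 1)[0].upper()
        hp = decode_hostport(line) if verb in ("PORT", "227") else None
        if verb == "PORT" and hp:        # active: client listens, server dials in
            found.append({"mode": "active", "listener": hp[0], "port": hp[1],
                          "inbound_rule_on": "client", "failed": False})
        elif verb == "PASV":
            awaiting_227 = True
        elif verb == "227" and awaiting_227:   # passive: server listens, client dials in
            awaiting_227 = False
            if hp:
                found.append({"mode": "passive", "listener": hp[0], "port": hp[1],
                              "inbound_rule_on": "server", "failed": False})
        elif verb == "425" and found:    # data connection could not be opened
            found[-1]["failed"] = True
    return found

# Constructed sample sessions (not captured from the machines in this thread).
CLI_SESSION = ["PORT 192,168,1,50,4,248", "200 PORT command successful.",
               "LIST", "150 Opening ASCII mode data connection.",
               "226 Transfer complete."]
BROWSER_SESSION = ["PASV", "227 Entering Passive Mode (192,168,1,10,19,137)",
                   "LIST", "425 Can't open data connection."]

if __name__ == "__main__":
    for name, session in (("cli", CLI_SESSION), ("browser", BROWSER_SESSION)):
        for conn in data_connections(session):
            print(name, conn)
```

A passive entry marked failed means the client could not reach the server's chosen high port, so the server-side firewall either has to track the FTP control channel or allow the server's passive port range inbound.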
