If you turn off SSL (just for a temporary test) does it work? If so, it's most likely your firewall and not the server or your client setup.

In your firewall, are you using a pre-defined "FTP" rule that you've modified? Some firewalls (notably Checkpoint) include a pre-defined definition for FTP. Unfortunately, Checkpoint tries to be "smart" and looks at the data and commands that are sent inside that FTP connection. It will block things that look "wrong" to it -- non-standard FTP commands and the like. Well, since your connection is encrypted with SSL it can't see what's going on. It will block your connection. We've run into this a few times with our clients.

Solution? Replace the firewall... no, seriously. The solution is to define a new service from scratch. Call it whatever you want (secure FTP would seem to make sense) and allow TCP traffic on Ports 20, 21 and 1024 to 5000.

Another problem we've seen where you can connect but not actually transfer files is if you are doing double NAT -- your network is NAT'ed on the outbound side and the server's network is NAT'ed on the inbound side. In that instance, the connection data inside the SSL packets is reflecting the Client and the Server's internal network addresses -- not the global ones. This causes connectivity issues.

Solution? Only reliable one I know of is to connect the "external" interface of the FTP Server outside of your firewall. Yes, outside. Assign it a public IP address. Put a second NIC in to connect it to the internal network. Use some static routes so you have the connectivity you need -- DO NOT RUN A ROUTING PROTOCOL ON THE BOX OR YOU WILL POTENTIALLY BYPASS your Firewall. Use an Access Control List (filter list) on your router that connects your external network to the Internet to filter out everything except TCP 20, 21 and 1024 to 5000 to that external interface. This works well.

Pete

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Wayne S. Rossi
Sent: Monday, March 01, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [WS_FTP Forum] Possible causes for error 504?

Claudio:

I've set up a range of ports for passive mode as described, and I'm no longer getting error 504, but there's still no listing of the data in the user's home folder, and upload attempts are not working. I've checked folder permissions, but nothing is changing.

Wayne S. Rossi
Programmer / Information Technology
KML Technology, Inc.
Phone: (856) 848-4200 x745
Fax: (856) 848-1617
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Claudio M Robles" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 01, 2004 2:07 PM
Subject: Re: [WS_FTP Forum] Possible causes for error 504?

> Wayne,
>
> You have problems establishing data channels, which are made in two ways: passive or port mode. In passive mode the server chooses a port to wait for a connection and tells the client where to connect to. In port mode, the client chooses a port and tells the server where to connect to. Not sure which mode you are using but if you want to allow any client to connect to your server, it is better that you use passive mode. Take a look at this KB to learn how to configure your server and firewall.
> http://support.ipswitch.com/kb/FS-20031010-DM01.htm
>
> Claudio Robles
> FTP Team
>
> ----- Original Message -----
> From: "Wayne S. Rossi" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, March 01, 2004 1:27 PM
> Subject: Re: [WS_FTP Forum] Possible causes for error 504?
>
> > I've checked, and made sure the firewall was allowing port 20, and made sure that port 20 was properly routed. It hasn't helped, though.
> >
> > Wayne S. Rossi
> > Programmer / Information Technology
> > KML Technology, Inc.
> > Phone: (856) 848-4200 x745
> > Fax: (856) 848-1617
> > Email: [EMAIL PROTECTED]
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, February 27, 2004 9:20 AM
> > Subject: Re: [WS_FTP Forum] Possible causes for error 504?
> >
> > > I've never used WS_FTP server, but it sounds like you really do have a problem with the data port. FTP is a funny protocol: it first uses port 21 for chit-chat between the client and server, and then port 20 for the actual data transfer. If you set up the server using the default parameters, these two values are probably set, but check anyway. If they are correct, you may have a firewall blocking port 20. Your network administrator should know.
> > >
> > > Wayne S. Rossi wayne.rossi-at-kmltechnology.com |WS_FTP Pro| wrote:
> > >
> > > > I recently installed WS_FTP Server on a computer in our in-house network, and have mapped it to our IP address for outside connection. Currently, I can connect to the server with any FTP program, but any read attempts are generating error 504:
> > > >
> > > > Port failed 504 Invalid PORT address
> > > >
> > > > I have double and triple checked my permissions,
> > >
> > > If I'm not mistaken, on a conventionally configured system incorrect permissions should give a 503, not a 504, so that will probably be a blind alley.
> > >
> > > Good luck.
> > > David.
> > >
> > > > but I'm not sure what could be causing it. Any tips on where I should be looking would be greatly appreciated.
> > > >
> > > > Wayne S. Rossi
> > > > Programmer
> > > > KML Technology, Inc.
> > > > Phone: (856) 848-4200 x745
> > > > Fax: (856) 848-1617
> > > > Email: [EMAIL PROTECTED]
> > > > <mailto:[EMAIL PROTECTED]>
> > >
> > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > to be removed from this list.
> > >
> > > An Archive of this list is available at:
> > > http://www.mail-archive.com/wsftp_forum%40list.ipswitch.com/
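
Added example, not part of the original thread and not Ipswitch's code: a small Python check for the data-channel problems discussed above, run over control-channel lines captured with SSL temporarily off. It flags a PORT command or 227 passive reply whose announced address differs from the sender's public address (the double-NAT case) or whose passive port falls outside the firewall range. The 1024 to 5000 range comes from the thread; the addresses and session lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that only mean something inside one site.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# h1,h2,h3,h4,p1,p2 as carried by a PORT command or a 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    kind = line.strip().upper()[:4]
    m = HOSTPORT.search(line)
    if kind not in ("PORT", "227 ") or not m:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def check(line, peer_ip, pasv_range=(1024, 5000)):
    """List reasons the data channel announced in `line` is likely to fail.
    peer_ip is the sender's address as the other end of the control link sees it."""
    parsed = parse_hostport(line)
    if parsed is None:
        return []
    ip, port = parsed
    peer = ipaddress.IPv4Address(peer_ip)
    problems = []
    if ip != peer:
        problems.append(f"announced {ip} but control peer is {peer}")
    if any(ip in n for n in RFC1918) and not any(peer in n for n in RFC1918):
        problems.append(f"{ip} is an internal address that NAT did not rewrite")
    if line.lstrip().startswith("227") and not pasv_range[0] <= port <= pasv_range[1]:
        problems.append(f"passive port {port} is outside {pasv_range}")
    return problems

# Constructed session: (sender's public address, control-channel line).
SAMPLE = [
    ("198.51.100.7", "PORT 192,168,1,50,4,210"),
    ("203.0.113.10", "227 Entering Passive Mode (10,0,0,5,19,136)"),
    ("203.0.113.10", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("203.0.113.10", "227 Entering Passive Mode (203,0,113,10,7,208)"),
]

def report(session=SAMPLE):
    return {line: check(line, peer) for peer, line in session}

if __name__ == "__main__":
    for line, problems in report().items():
        print(line, "->", problems or "ok")
```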
