|
In port mode it would not
work because your client firewall is blocking incoming connections. You
can make port work by setting up Pro and your client firewall. (as you can see
in the log the client is sending a port command to IP 10.0.0, which is a non-routable
address. In passive mode, it should
work too, if the server and the firewall on the server side are setup correctly.
You have not sent a log failing in passive mode. Other than
the latest log which it failed for a different reason (invalid command during
transfer). You have not said what setup you did on the server, and you do
not need to open that many ports on your firewall. For that please restart Pro
and make sure you have your site option to passive. Claudio Robles WS_FTP Team Ipswitch, Inc Pd: Somebody was fixing the problem with unsubscribe
this morning, hope it is fixed already, but I have not received confirmation
yet. From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Troy D. Hilton Correction to my previous email. If I
enable SSL, whether active or passive mode, it will not connect. I have
configured ports 1024-65535 on the firewall for both inbound and outbound. Any
suggestions? What am I missing here? I did read an article from the KB
regarding setting ports 1024 and up for traffic when using active or passive
modes which I’ve followed. Still no dice. I noticed a lot of folks
“unsubscribing”. Hopefully, someone is still here that can provide
some direction. Troy D.
Hilton From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Troy D. Hilton OK, so here’s where I am. I have SSL
enabled on the server. I configured ports 1024-1034 to point from the public
side of the firewall to the private IP of the FTP server. I’ve also
configured port 443 for the FTP IP address as well. Now, when I attempt a login
with SSL enabled and Passive Mode disabled I get the following: WINSOCK.DLL: WinSock 2.0 WS_FTP Pro, Version 7.5, 2002.02.28 Connecting to 208.255.176.210:21 Connected to 208.255.176.210:21, Waiting for Server Response 220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698) 220-CG2 Direct FTP Server 220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698) Host type (1): WS_FTP Server AUTH SSL 234 SSL enabled and waiting for negotiation XAUT 2 C9;;;?7:C9;>;:6<D><98784?7;6<67;C<87876<C;<7;7<2C?81 230-user logged in 230-Howdy!!! 230 user logged in Host type (I): WS_FTP Server Host type (I): WS_FTP Server PWD 257 "/" is current directory PORT 10,0,0,253,8,222 200 command successful MLSD No socket PASV 421 invalid command during xfer No socket XPSV 421 invalid command during xfer No socket If I enable Passive
Mode and SSL I can login without issue and can view all my directories. If I
just select Passive Mode I can login. I’m not forcing SSL right now
though I’d like to. I feel I’m so close to nailing it down. Troy D.
Hilton From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Troy D. Hilton Hey Claudio, Well, my system does use a fixed IP but not
everyone who accesses this server can say that. It sounds like I need to open
some ports on the new firewall on the server side to allow for ports 1024 to
1034 for SSL. Btw, the firewall is a SonicWall TZ150. Troy D.
Hilton From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Claudio Robles We can see in the log that both
sides have a NAT firewall. The client is in 10.0.0 and the server is in
192.168.168 So for that to work (meaning to be able to
transfer files and directories in SSL), you would need to open and forward some
ports on at least one of those firewalls. You need fixed IP on the side
you setup because you need to forward those ports to the right machine. I
imagine that your client you could have DHCP so without fixed IP there, it
would be better to do the setup on the server side. The setup includes picking a range
of ports that would be used to listen on when establishing data channel,
setting up the server to listen on those ports, and setting up the firewall to
forward those ports to the server. Since you are NATing on the
server, you would also need to tell the server your external IP address. Your external IP address is
208.255.176.210 and you could choose ports 1024-1034. Define those
in the server firewall options. After setting up the server, you
would need to setup the firewall to forward the same ports to the
server. Do not know the details of your firewall so, not sure how
to do that. Claudio Robles WS_FTP Team Ipswitch, Inc From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Troy D. Hilton Hey Claudio, Here is my session log. Connecting to 208.255.176.210:21 Connected to 208.255.176.210:21, Waiting for Server Response 220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526) 220-CG2 Direct FTP Server 220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526) Host type (1): FTP PC/TCP AUTH SSL 234 SSL enabled and waiting for negotiation XAUT 2
B3>[EMAIL PROTECTED]>45:74A;A=72<8=;>@;@87B>A68:;7C?=<7474=5=@;6 230-user logged in 230-Howdy!!! 230 user logged in Host type (I): FTP PC/TCP Host type (I): FTP PC/TCP PWD 257 "/" is current directory PORT 10,0,0,253,12,47 200 command successful LIST 425 Can't open data connection. PASV 227 Entering Passive Mode (192,168,168,210,4,32). connecting data channel to 192.168.168.210:1056 connection timed
out; the connection timed out while waiting for a response from the server. I tried it without the SSL and it connects
but the directory listing is screwed up. Meaning, it shows a bunch of binary
files titled “System”. Nothing more. Any thoughts? Troy D.
Hilton From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Claudio Robles Could you send the session logs
from the client. So, it does not work in SSL and it
does work without it. In those cases, the firewall automatically
opens and forward the ports that it see (interpreting the FTP protocol), that
the client and server are negotiating for transferring files and directory
listings. In SSL, the server can not see or interpret the FTP Protocol
because the conversation is encrypted. Claudio Robles WS_FTP Team Ipswitch, Inc From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Troy D. Hilton Hello
All, I
realize
my last email wasn’t quite clear in accurately describing my problem.
Let’s see if I can explain it better. This
firewall is protecting 1 server, which is running FTP with SSL enabled. This
server also has a couple test websites, but that's it. Changing
the firewall was actually relatively easy once I understood the User Interface.
I'm not as familiar with the SonicWall appliances. I first tried the
configuration using a test laptop to mimic the server. For the test,
FTP worked like a charm. The difference between the laptop config and
production server are these: 1.
The production server and regional firewall were configured in
transparent mode, instead of NAT. Why? The original owner wanted it that way. 2.
The production server is running WS_FTP Server ver. 4.0 with a private SSL
Cert. The laptop is running IIS 5 with FTP services and no SSL. So,
I decided to change the configuration from transparent mode
to NAT mode since the original owner is gone and I have greater liberty. I
configured the new firewall for One-to-One NAT and gave the server all new
private IP addresses and a private gateway which matched the private IP of
the
firewall.
The public side of the firewall has the original public IP from the previous
firewall. I made sure that all of my route tables are correct. I then
reconfigured WS_FTP Server to use the new private IP address.
And rebooted the server. The result? I am able to communicate from the server
to the internet and can access the test websites on the server from the
internet, which means inbound and permitted outbound traffic is fine. This
is where I have my problem. When I attempt an FTP connection it makes the
initial Helo and will authenticate my username and password. I'm then prompted
regarding the SSL Certificate and am able to accept it. After a long pause
(I have my WS_FTP Pro client set for a 2 minute wait) I get an error that the
connection timed out, but I also get the "horn" that means the
connection was successful. In fact I even have the active button to disconnect
from the session. From what I figure, I'm actually logged in but not retrieving
the directory listing. As
for the NIC, it has two ports but I'm not using both ports at the same time so
there is no conflict of subnets and routes. I did switch ports on the card
thinking that perhaps there was a potential failure of that port. I
hope this helps to clarify my situation. I My feeling is that's something
simple that's not set or that I'm overlooking. Darned if I know what it is
though. Serveon, Inc. 302-529-8640 |
Title: Connection timeout error when making SSL connection
- [WS_FTP Forum] Connection timeout error when making SSL co... Troy D. Hilton
- RE: [WS_FTP Forum] Connection timeout error when maki... Claudio Robles
- RE: [WS_FTP Forum] Connection timeout error when ... Troy D. Hilton
- RE: [WS_FTP Forum] Connection timeout error w... Claudio Robles
- RE: [WS_FTP Forum] Connection timeout err... Troy D. Hilton
- RE: [WS_FTP Forum] Connection timeou... Troy D. Hilton
- RE: [WS_FTP Forum] Connection ti... Troy D. Hilton
- RE: [WS_FTP Forum] Connectio... Claudio Robles
- RE: [WS_FTP Forum] Connection timeout error when maki... Casey
- Re: [WS_FTP Forum] Connection timeout error when ... Barry West
- RE: [WS_FTP Forum] Connection timeout error w... Michael Blakley
- RE: [WS_FTP Forum] Connection timeout error when maki... Terry LeBlanc
- RE: [WS_FTP Forum] Connection timeout error when ... Troy D. Hilton
- RE: [WS_FTP Forum] Connection timeout error when maki... Terry LeBlanc
- RE: [WS_FTP Forum] Connection timeout error when ... Troy D. Hilton
- RE: [WS_FTP Forum] Connection timeout error when maki... Terry LeBlanc
- RE: [WS_FTP Forum] Connection timeout error when maki... Terry LeBlanc
