Title: Connection timeout error when making SSL connection

Troy,

   In port mode it would not work because your client firewall is blocking incoming connections.  You can make port work by setting up Pro and your client firewall.  (As you can see in the log, the client is sending a PORT command to IP 10.0.0, which is a non-routable address.)

   In passive mode, it should work too, if the server and the firewall on the server side are set up correctly.   You have not sent a log failing in passive mode, other than the latest log, in which it failed for a different reason (invalid command during transfer).  You have not said what setup you did on the server, and you do not need to open that many ports on your firewall.

   For that, please restart Pro and make sure you have your site option set to passive.

Claudio Robles

WS_FTP Team

Ipswitch, Inc

PS: Somebody was fixing the problem with unsubscribe this morning; I hope it is fixed already, but I have not received confirmation yet.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Monday, February 06, 2006 11:01 AM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Correction to my previous email. If I enable SSL, whether active or passive mode, it will not connect. I have configured ports 1024-65535 on the firewall for both inbound and outbound. Any suggestions? What am I missing here? I did read an article from the KB regarding setting ports 1024 and up for traffic when using active or passive modes, which I’ve followed. Still no dice.

I noticed a lot of folks “unsubscribing”. Hopefully, someone is still here that can provide some direction.

Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Friday, February 03, 2006 3:14 PM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

OK, so here’s where I am. I have SSL enabled on the server. I configured ports 1024-1034 to point from the public side of the firewall to the private IP of the FTP server. I’ve also configured port 443 for the FTP IP address as well. Now, when I attempt a login with SSL enabled and Passive Mode disabled I get the following:

WINSOCK.DLL: WinSock 2.0
WS_FTP Pro, Version 7.5, 2002.02.28
Connecting to 208.255.176.210:21
Connected to 208.255.176.210:21, Waiting for Server Response
220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698)
220-CG2 Direct FTP Server
220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698)
Host type (1): WS_FTP Server
AUTH SSL
234 SSL enabled and waiting for negotiation
XAUT 2 C9;;;?7:C9;>;:6<D><98784?7;6<67;C<87876<C;<7;7<2C?81
230-user logged in
230-Howdy!!!
230 user logged in
Host type (I): WS_FTP Server
Host type (I): WS_FTP Server
PWD
257 "/" is current directory
PORT 10,0,0,253,8,222
200 command successful
MLSD
No socket
PASV
421 invalid command during xfer
No socket
XPSV
421 invalid command during xfer
No socket

If I enable Passive Mode and SSL I can login without issue and can view all my directories. If I just select Passive Mode I can login. I’m not forcing SSL right now though I’d like to. I feel I’m so close to nailing it down.

Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Friday, February 03, 2006 2:14 PM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Hey Claudio,

Well, my system does use a fixed IP but not everyone who accesses this server can say that. It sounds like I need to open some ports on the new firewall on the server side to allow for ports 1024 to 1034 for SSL. Btw, the firewall is a SonicWall TZ150.

Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Robles
Sent: Friday, February 03, 2006 12:22 PM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Troy,

  We can see in the log that both sides have a NAT firewall.  The client is in 10.0.0 and the server is in 192.168.168.

So for that to work (meaning to be able to transfer files and directories in SSL), you would need to open and forward some ports on at least one of those firewalls.  You need a fixed IP on the side you set up, because you need to forward those ports to the right machine.  I imagine that on your client you could have DHCP, so without a fixed IP there it would be better to do the setup on the server side.

  The setup includes picking a range of ports that would be used to listen on when establishing the data channel, setting up the server to listen on those ports, and setting up the firewall to forward those ports to the server.   Since you are NATing on the server, you would also need to tell the server your external IP address.

 Your external IP address is 208.255.176.210 and you could choose ports 1024-1034.   Define those in the server firewall options.   After setting up the server, you would need to set up the firewall to forward the same ports to the server.   I do not know the details of your firewall, so I am not sure how to do that.

Claudio Robles

WS_FTP Team

Ipswitch, Inc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Friday, February 03, 2006 11:28 AM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Hey Claudio,

Here is my session log.

Connecting to 208.255.176.210:21
Connected to 208.255.176.210:21, Waiting for Server Response
220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526)
220-CG2 Direct FTP Server
220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526)
Host type (1): FTP PC/TCP
AUTH SSL
234 SSL enabled and waiting for negotiation
XAUT 2 B3>[EMAIL PROTECTED]>45:74A;A=72<8=;>@;@87B>A68:;7C?=<7474=5=@;6
230-user logged in
230-Howdy!!!
230 user logged in
Host type (I): FTP PC/TCP
Host type (I): FTP PC/TCP
PWD
257 "/" is current directory
PORT 10,0,0,253,12,47
200 command successful
LIST
425 Can't open data connection.
PASV
227 Entering Passive Mode (192,168,168,210,4,32).
connecting data channel to 192.168.168.210:1056
connection timed out; the connection timed out while waiting for a response from the server.

I tried it without the SSL and it connects but the directory listing is screwed up. Meaning, it shows a bunch of binary files titled “System”. Nothing more.

Any thoughts?

Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Robles
Sent: Friday, February 03, 2006 10:54 AM
To: WSFTP_Forum@list.ipswitch.com
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Troy,

  Could you send the session logs from the client?

  So, it does not work in SSL and it does work without it.   In those cases, the firewall automatically opens and forwards the ports that it sees (interpreting the FTP protocol) that the client and server are negotiating for transferring files and directory listings.  In SSL, the server cannot see or interpret the FTP protocol because the conversation is encrypted.

Claudio Robles

WS_FTP Team

Ipswitch, Inc
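The failure shown in the client log above and Claudio's explanation of the firewall's FTP helper, as an added example that is not part of this thread and not Ipswitch or SonicWall code: a Python script that decodes the PORT commands and 227 replies from a WS_FTP-style session log (the h1,h2,h3,h4,p1,p2 encoding, port = p1*256 + p2), flags RFC 1918 addresses that the peer on the other side of a NAT cannot reach, checks a 227 reply against the server-side fix Claudio proposes (external IP 208.255.176.210 advertised, port inside the forwarded range 1024-1034), and models why a NAT firewall's FTP ALG can fix up a 227 reply only while the control channel is plaintext. The sample log is constructed from the lines posted in the thread; the ALG behaviour is a simplified model of what such helpers do, not any particular product's implementation.

```python
"""Diagnose FTP data-channel failures across NAT from a client session log (added example)."""
import ipaddress
import re

# Client-side PORT command and server-side 227 reply; both carry h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample, modelled on the WS_FTP Pro log posted in the thread.
SAMPLE_LOG = """\
Connecting to 208.255.176.210:21
AUTH SSL
234 SSL enabled and waiting for negotiation
PORT 10,0,0,253,12,47
200 command successful
LIST
425 Can't open data connection.
PASV
227 Entering Passive Mode (192,168,168,210,4,32).
connecting data channel to 192.168.168.210:1056
connection timed out; the connection timed out while waiting for a response from the server.
"""


def decode_hostport(fields):
    """Decode the six decimal PORT/PASV fields into (ip, port); port = p1*256 + p2."""
    vals = [int(f) for f in fields]
    if len(vals) != 6 or not all(0 <= v <= 255 for v in vals):
        raise ValueError(f"malformed PORT/PASV fields: {fields}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_data_endpoints(log_text):
    """Return [(side, ip, port)]: 'client' for each PORT command, 'server' for each 227 reply."""
    endpoints = []
    for line in log_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            endpoints.append(("client",) + decode_hostport(m.groups()))
            continue
        m = PASV_RE.match(line)
        if m:
            endpoints.append(("server",) + decode_hostport(m.groups()))
    return endpoints


def diagnose(log_text):
    """Flag advertised data-channel endpoints that a peer across NAT cannot reach."""
    findings = []
    for side, ip, port in parse_data_endpoints(log_text):
        if ipaddress.ip_address(ip).is_private:  # RFC 1918 / non-routable
            mode = "active mode (PORT)" if side == "client" else "passive mode (PASV)"
            findings.append(f"{mode}: {side} advertised private address {ip}:{port}, "
                            "unreachable from the other side of the NAT")
    return findings


def check_passive_setup(log_text, public_ip, port_range):
    """Verify the server-side fix: once the server knows its external IP and a forwarded
    port range, every 227 reply must advertise public_ip and a port inside port_range.
    Returns a list of violations; empty means the passive setup looks right."""
    lo, hi = port_range
    problems = []
    for side, ip, port in parse_data_endpoints(log_text):
        if side != "server":
            continue
        if ip != public_ip:
            problems.append(f"227 reply advertises {ip}, expected external address {public_ip}")
        if not lo <= port <= hi:
            problems.append(f"227 reply uses port {port}, outside forwarded range {lo}-{hi}")
    return problems


def alg_rewrite_pasv(reply, public_ip, control_channel_encrypted):
    """Simplified model of a NAT firewall's FTP helper (ALG) handling a 227 reply.

    Plaintext control channel: the helper substitutes its public IP (and would open a
    pinhole for the port), so the client connects to a reachable address.
    After AUTH SSL: the reply is ciphertext to the firewall, so it passes through
    unchanged and the private address reaches the client, which then times out on it.
    """
    m = PASV_RE.match(reply)
    if control_channel_encrypted or not m:
        return reply
    _, port = decode_hostport(m.groups())
    fixed = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return reply[:m.start(1)] + fixed + reply[m.end(6):]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
    for p in check_passive_setup(SAMPLE_LOG, "208.255.176.210", (1024, 1034)):
        print(p)
```

Run against the constructed log, `diagnose` reports both the client's PORT 10.0.0.253:3119 and the server's PASV 192.168.168.210:1056 as private, which is exactly the two-sided NAT Claudio describes, and `check_passive_setup` shows what a correct 227 reply must look like after the server has been told its external address and its port range. `alg_rewrite_pasv` makes the plaintext-versus-SSL difference concrete: the same reply is rewritten to the public address when the firewall can read it and left alone when it cannot.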


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Friday, February 03, 2006 10:11 AM
To: WSFTP_Forum@list.ipswitch.com
Subject: [WS_FTP Forum] Connection timeout error when making SSL connection

Hello All,

I realize my last email wasn’t quite clear in accurately describing my problem. Let’s see if I can explain it better.

This firewall is protecting 1 server, which is running FTP with SSL enabled. This server also has a couple test websites, but that's it.

Changing the firewall was actually relatively easy once I understood the User Interface. I'm not as familiar with the SonicWall appliances. I first tried the configuration using a test laptop to mimic the server. For the test, FTP worked like a charm. The difference between the laptop config and production server are these:

1. The production server and regional firewall were configured in transparent mode, instead of NAT. Why? The original owner wanted it that way.

2. The production server is running WS_FTP Server ver. 4.0 with a private SSL Cert. The laptop is running IIS 5 with FTP services and no SSL.

So, I decided to change the configuration from transparent mode to NAT mode since the original owner is gone and I have greater liberty. I configured the new firewall for One-to-One NAT and gave the server all new private IP addresses and a private gateway which matched the private IP of the firewall. The public side of the firewall has the original public IP from the previous firewall. I made sure that all of my route tables are correct. I then reconfigured WS_FTP Server to use the new private IP address and rebooted the server. The result? I am able to communicate from the server to the internet and can access the test websites on the server from the internet, which means inbound and permitted outbound traffic is fine.

This is where I have my problem. When I attempt an FTP connection it makes the initial Helo and will authenticate my username and password. I'm then prompted regarding the SSL Certificate and am able to accept it. After a long pause (I have my WS_FTP Pro client set for a 2 minute wait) I get an error that the connection timed out, but I also get the "horn" that means the connection was successful. In fact I even have the active button to disconnect from the session. From what I figure, I'm actually logged in but not retrieving the directory listing.

As for the NIC, it has two ports but I'm not using both ports at the same time so there is no conflict of subnets and routes. I did switch ports on the card thinking that perhaps there was a potential failure of that port.

I hope this helps to clarify my situation. My feeling is that it's something simple that's not set or that I'm overlooking. Darned if I know what it is though.

Troy D. Hilton

Serveon, Inc.

[EMAIL PROTECTED]

302-529-8640
