Claudio, it's been a while, but I seem to remember that I
was told by support that "implicit" SSL was not supported by WS_FTP.
Is that correct? That would indicate that FTP/SSL (AUTH SSL) would have to
be the selection.

Terry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Robles
Sent: Monday, February 06, 2006 4:27 PM
To: [email protected]
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

I have run WS_FTP Server and Client with double NAT and SSL for years without a problem. However, as I said, at least one side needs to be configured to forward a small range of ports and to send the external IP address instead of their own.

Here I include the logs for a session I just tried, where I connect from my box at work with IP 192.168.x.x to my home box, with IP 192.168.1.2, but across the Internet. I did set up the server to use 5 ports, 1000-1004, and to return my home external IP address (69.254.3.94). I also set up my home firewall (Linksys) to forward those 5 ports to my server.

These problems with double NAT and SSL are common to all FTP programs. Not sure if they use FileZilla with FTP or SFTP. SFTP does not have this problem.

Claudio Robles
WS_FTP Team
Ipswitch, Inc.

Finding Host cao.cl ...
[2006.02.06 16:10:07.532] Connecting to 69.254.3.94:21
[2006.02.06 16:10:07.563] Connected to 69.254.3.94:21 in 0.031256 seconds, Waiting for Server Response
[2006.02.06 16:10:07.563] Initializing SSL Session ...
[2006.02.06 16:10:10.423] 220 HP X2 WS_FTP Server 5.0.3 (181390554)
[2006.02.06 16:10:10.423] AUTH TLS
[2006.02.06 16:10:10.954] 234 SSL enabled and waiting for negotiation
[2006.02.06 16:10:13.674] SSL session NOT set for reuse
[2006.02.06 16:10:13.767] SSL Session Started.
[2006.02.06 16:10:13.767] Host type (1): WS_FTP Server
[2006.02.06 16:10:13.767] XAUT 2 [EMAIL PROTECTED]<>372A1B==?6>A>A4A=86>7B;=@<6><=2A:6>B;A>>=<8B?=<
[2006.02.06 16:10:13.892] 230 user logged in
[2006.02.06 16:10:13.892] Host type (I): WS_FTP Server
[2006.02.06 16:10:13.892] PBSZ 0
[2006.02.06 16:10:13.939] 200 PBSZ=0
[2006.02.06 16:10:13.939] PROT P
[2006.02.06 16:10:13.971] 200 PRIVATE data channel protection level set
[2006.02.06 16:10:13.971] Sending "FEAT" command to determine what features this server supports.
[2006.02.06 16:10:13.971] FEAT
[2006.02.06 16:10:14.002] 211-Extensions supported
[2006.02.06 16:10:14.002] SIZE
[2006.02.06 16:10:14.002] MDTM
[2006.02.06 16:10:14.002] MLST size*;type*;perm*;create*;modify*;
[2006.02.06 16:10:14.002] LANG EN*
[2006.02.06 16:10:14.002] REST STREAM
[2006.02.06 16:10:14.002] TVFS
[2006.02.06 16:10:14.002] UTF8
[2006.02.06 16:10:14.002] AUTH SSL;TLS-P;
[2006.02.06 16:10:14.002] PBSZ
[2006.02.06 16:10:14.002] PROT C;P;
[2006.02.06 16:10:14.002] 211 end
[2006.02.06 16:10:14.002] Finished interpreting "FEAT" response.
[2006.02.06 16:10:14.002] Sending the FEAT command is optional. You can disable it in the site options of the profile.
[2006.02.06 16:10:14.002] PWD
[2006.02.06 16:10:14.080] 257 "/users/crobles" is current directory
[2006.02.06 16:10:14.080] TYPE A
[2006.02.06 16:10:14.111] 200 Type set to ASCII.
[2006.02.06 16:10:14.111] PASV
[2006.02.06 16:10:14.158] 227 Entering Passive Mode (69,254,3,94,3,232).
[2006.02.06 16:10:14.158] connecting data channel to 69.254.3.94:3,232(1000)
[2006.02.06 16:10:14.174] data channel connected to 69.254.3.94:3,232(1000)
[2006.02.06 16:10:14.174] MLSD
[2006.02.06 16:10:14.205] 150 Opening ASCII data connection for directory listing
[2006.02.06 16:10:14.658] # transferred 6200 bytes in 0.359 seconds, 134.757 Kbps ( 16.845 Kbps), transfer succeeded.
[2006.02.06 16:10:14.658] 226 transfer complete

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry LeBlanc

Good feedback, Pete. Not what I was wanting to hear...but good feedback. Thanks.

Based on this info, we're better off sticking with FileZilla, which has worked beautifully in passive mode through 2 firewalls with NAT since we originally installed it. No muss, no fuss.

I'll continue to monitor...

Terry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Simpson

We've been using WS_FTP Server and Pro for SSL based FTP transfers for about 4 years. It's been mostly reliable. Support at times has been difficult. We are a fan of the product, but it does seem to be quite persnickety at times. The iterations of the server since Version 5 have been much more problematic than version 4. Trying to run SSL based FTP through a firewall has proven to be nearly impossible to implement reliably.

Of late, we've had several occasions where things were working just fine and then "poof" SSL is broken. The tried-and-true fix has been simply to remove WS_FTP Server and reinstall it from scratch with the EXACT same settings. Alternatively, sometimes it's just one client reporting the issue -- so we have them remove and reinstall the client. Yes, it's labor intensive and a pain in the arse. But it has worked every time something has gone "poof" for no good reason and when even Ipswitch support can not find a cause or fix. My hypothesis is that changes in Windows 2003 Server and Win XP somehow monkey up some portion of the registry upon which the Ipswitch products rely.

My recommendations:

1.) If it was working, nothing has obviously changed, and now it does not work, remove the product, reboot, and reinstall it with the exact same settings. So far we're 5 for 5 on that "fix".

2.) If you're trying to use SSL through your firewall w/ FTP -- don't. Put two NICs in the server, expose one externally and run SSL on that NIC. Yes, you need to do a bunch of "cleanup" on that NIC -- nothing should be bound to it (no file sharing services, no print services) but TCP/IP. Then use an ACL on your router between that NIC and the "global internet" and filter everything destined to that NIC except the ports you need for SSL w/ FTP (ports 21 and 1024-5000).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry LeBlanc

We have, but it's been a few months. We can call again, now that the crush to get the web server up and working is over. We needed and found a solution to get us moving files securely after we hit a brick wall with WS_FTP Server...which surprised me. I was the guy insisting on using it...

Terry
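
The 227 reply in Claudio's session log carries the address and port the client must reach for the data channel; once AUTH TLS is in effect the control channel is encrypted, so a NAT router cannot rewrite that reply and the server itself has to advertise the external address and a forwarded port. The check below is an added example, not part of the original thread or of WS_FTP; the function names and the two constructed sample lines are assumptions.

```python
import ipaddress
import re

# Matches the host/port tuple in an FTP 227 reply (RFC 959 format).
PASV_RE = re.compile(r"\b227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply line, or None if the line has none."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed tuple
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2

def check_pasv(line, forwarded_ports):
    """List the reasons a client outside the NAT could not reach this data channel."""
    parsed = parse_pasv(line)
    if parsed is None:
        return ["no 227 reply found"]
    ip, port = parsed
    problems = []
    if ip.is_private:
        problems.append(f"server advertised private address {ip}")
    if port not in forwarded_ports:
        problems.append(f"port {port} is outside the forwarded range")
    return problems

FORWARDED = range(1000, 1005)  # ports 1000-1004, as described in the message

# The first line is the reply from the log above; the other two are constructed.
SAMPLE = [
    "[2006.02.06 16:10:14.158] 227 Entering Passive Mode (69,254,3,94,3,232).",
    "[constructed] 227 Entering Passive Mode (192,168,1,2,3,232).",
    "[constructed] 227 Entering Passive Mode (69,254,3,94,19,137).",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", check_pasv(line, FORWARDED) or "ok")
```
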
Title: Connection timeout error when making SSL connection
