Question : FTP---->FTPS, failed to establish connection for clients behind a firewall or router

Hello Expert
We have recently switched from FTP to FTPS
Then our clients start to have problems, some of them get 425 can't open data connection
I realize most of them are behind a firewall and router as well.
Please see the log

Code Snippet:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31:

(000451) 2009-08-31 10:55:17 - (not logged in) Connected, sending welcome message... (000451) 2009-08-31 10:55:17 - (not logged in) 220- (000451) 2009-08-31 10:55:17 - (not logged in) 220- (000451) 2009-08-31 10:55:17 - (not logged in) 220- (000451) 2009-08-31 10:55:17 - (not logged in) 220- (000451) 2009-08-31 10:55:17 - (not logged in) 220 (000451) 2009-08-31 10:55:17 - (not logged in) USER (000451) 2009-08-31 10:55:17 - (not logged in) 331 Password required for (000451) 2009-08-31 10:55:17 - (not logged in) PASS ******** (000451) 2009-08-31 10:55:17 - >230 Logged on (000451) 2009-08-31 10:55:17 - > SYST (000451) 2009-08-31 10:55:17 - > 215 UNIX emulated by FileZilla (000451) 2009-08-31 10:55:18 - > PWD (000451) 2009-08-31 10:55:18 - > 257 "/" is current directory. (000451) 2009-08-31 10:55:18 - > TYPE I (000451) 2009-08-31 10:55:18 - > 200 Type set to I (000451) 2009-08-31 10:55:18 - > PASV (000451) 2009-08-31 10:55:18 - > 227 Entering Passive Mode (&&&,8,231) (000451) 2009-08-31 10:55:28 - > 425 Can't open data connection. (000451) 2009-08-31 10:55:28 - > QUIT (000451) 2009-08-31 10:55:28 - > 221 Goodbye (000451) 2009-08-31 10:55:28 - > disconnected. (000448) 2009-08-31 10:55:28 - > PASV (000448) 2009-08-31 10:55:28 - > 227 Entering Passive Mode (&&&,8,232) (000448) 2009-08-31 10:55:28 - > LIST (000448) 2009-08-31 10:55:39 - > 425 Can't open data connection. (000448) 2009-08-31 10:56:23 - > PASV (000448) 2009-08-31 10:56:23 - > 227 Entering Passive Mode (&&&&&,8,233) (000448) 2009-08-31 10:56:24 - > LIST (000448) 2009-08-31 10:56:34 - > 425 Can't open data connection. (000448) 2009-08-31 10:57:38 - > disconnected.

Open in New Window

Select All

Answer : FTP---->FTPS, failed to establish connection for clients behind a firewall or router

This is because when using FTPS the command/control session (tcp port 21 traffic) is encrypted and the firewall can't see it.  Since the firewall can't see it, it can see the PORT/PASV commands and does not know what ports the data connection is trying to use.  Since the firewall has no clue what data ports are being used it can't dynamically (and temporally) allow the connection to happen.

If both the client and server support it, you can have the client issue the CCC command before the put/get/ls commands.  CCC is the "clear channel command" command.  This causes the next command to be issued in the clear (that is not encrypted.

If your ftp client or server does not support the CCC command, then you need to make sure that:

If using active ftp then your firewall needs to allow outbound traffic with a source port of 20 and a destination port > 1023.  The other side must allow inbound traffic with source port of 20 and destination port > 1023.  If needed the firewalls can be setup just to allow the ports and direction for the specific IP addresses involved.

If using passive ftp, setup the ftp server to use a specific port range for the data connection (say like 10000-10049) and then your firewall needs to allow inbound traffic with a source port >1023 and a destination port range equal to to what you set your server to use for the data port.  The other side must allow outbound traffic with source port >1023 and destination port range equal to what you set your server to use for the data ports.

Also it would be best if your server and client supported extended passive or extended active ftp.  If they don't then you could still have problems.  This is because the firewall can't change the IP address on the PORT or PASV commands and so the other side sees the servers real IP address, not the NAT'ed address (assuming you are doing NAT).