Server 2012 VM on Azure - Passive FTP Won't Work

    Question

  • I've tried the suggestions on a number of sites (http://blogs.thesitedoctor.co.uk/tim/Trackback.aspx?guid=e81a4682-0851-490b-a3d2-adf254a701e7 and http://www.itq.nl/blogs/post/Walkthrough-Hosting-FTP-on-IIS-75-in-Windows-Azure-VM.aspx, and Passive FTP on Windows Azure Virtual Machine) and it won't work.

    FTP active and passive both work from the VM to itself. FTP active works from the outside world. FTP passive fails with the server responding back with "550 The network connection was aborted by the local system" (this message returns on the control channel/port 21 immediately after the SYN packet is sent to one of the dynamic ports).

    What I've done:

    1) Configured IIS on the VM with an FTP site

    2) Set the FTP firewall support IP address to the public IP address of the Azure VM instance (for what it's worth, I've also tried with this field empty and tried with the private IP address, none of them work)

    3) Set up endpoints for FTP control (TCP/21), FTP data (TCP/20), and FTP dynamic ports (7000 through 7003)

    4) Used appcmd.exe to set the port range for FTP (i.e. %windir%\system32\inetsrv\appcmd set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:7000 /highDataChannelPort:7003)

    5) Restarted the FTP server (net stop ftpsvc and net start ftpsvc)

    6) Tried with the firewall both enabled and disabled (netsh advfirewall set global StatefulFtp enable)

    Any ideas? I've verified with Wireshark that the client is trying to use the dynamic port, and that the dynamic ports are being used when I try locally.

    Friday, June 14, 2013 8:05 PM
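
The VM-side half of the setup described in the question (steps 4 to 6), collected into one script so the configuration can be applied and then read back in a single pass. This is an added example, not code from the original post: it assumes the IIS FTP service is installed on the VM, uses the classic appcmd.exe path and the NetSecurity firewall cmdlets that ship with Server 2012, and the port range and the public IP are placeholders taken from the question (the site-defaults attribute for the external IP is the applicationHost.config path IIS uses for the server-level "FTP Firewall Support" setting; on a different IIS version confirm it with appcmd list config before relying on it).

```powershell
# Added example (not from the original question). Run on the Azure VM as an
# administrator. Applies the passive data-channel range, the external IP,
# the Windows Firewall rules and a service restart, then reads it all back.
$lowPort  = 7000                 # passive data-channel range used in the question
$highPort = 7003
$publicIp = '203.0.113.10'       # placeholder: the cloud service's public IP
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1) Server-wide passive data-channel port range (the appcmd call from step 4).
& $appcmd set config /section:system.ftpServer/firewallSupport `
    /lowDataChannelPort:$lowPort /highDataChannelPort:$highPort

# 2) External IP placed in PASV replies. The thread's later advice is to set
#    it once at the server level (site defaults) and leave the per-site value
#    empty; this writes the site-defaults attribute in applicationHost.config.
& $appcmd set config /section:system.applicationHost/sites `
    "/siteDefaults.ftpServer.firewallSupport.externalIp4Address:$publicIp" /commit:apphost

# 3) Windows Firewall: allow the control port and the passive range inbound
#    (guarded so the script can be re-run), and keep stateful FTP inspection on.
$rules = @{
    'FTP control (21)'                        = '21'
    "FTP passive data ($lowPort-$highPort)"   = "$lowPort-$highPort"
}
foreach ($name in $rules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $rules[$name] -Action Allow | Out-Null
    }
}
netsh advfirewall set global StatefulFtp enable | Out-Null

# 4) Restart the FTP service so the new range is used for new sessions.
Restart-Service ftpsvc

# 5) Read the settings back. The range shown here must match, port for port,
#    the Azure endpoints that exist for the VM; a port that is open here but
#    has no endpoint (or an endpoint whose probe fails) is never reachable.
& $appcmd list config /section:system.ftpServer/firewallSupport
Get-NetFirewallRule -DisplayName 'FTP*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

The read-back at the end is the check worth keeping around: when a passive transfer fails with the 550 from the question, the first thing to compare is the lowDataChannelPort/highDataChannelPort pair printed here against the endpoint list on the Azure side.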

Answers

  • Update 8/13/2013 - This issue has been addressed in the portal update released 8/13/2013.

    Now when you create an endpoint in the portal, by default, no probe port is configured.

    If you check Create a load-balanced set, you'll see an additional page for Configure the load-balanced set where you can define probe port settings. If you leave it unchecked, no probe port is configured.

    For existing endpoints, you can verify if a probe port is configured by clicking Edit at the bottom of the page, and if it is a load-balanced endpoint you can check the option for Reconfigure the load-balanced set, and the next page shows the probe port settings.

    Create a load-balanced set is not enabled by default for new endpoints, and no probe port is configured:

    Add Endpoint - Specify the details of the endpoint

    By selecting Create a load-balanced set, there will be an additional page available for Configure the load-balanced set where you can configure probe port settings:

    Add Endpoint - Configure the load-balanced set

    ----------------------------------------

    We believe this may have to do with a recent change to how the portal creates endpoints. Now by default it configures a probe port on the endpoint where the probe port is the same as the endpoint port. The load balancer sends packets to the probe port to determine the health of the endpoint and if it does not get a response after a few retries, it will stop forwarding traffic to the endpoint port.

    Example scenario:

    Port 21 is open to all in Windows Firewall in the VM, so probe is successful, the endpoint is healthy and remote IPs can connect to it.

    Port 60005 (for example) is likely only open in the Windows Firewall in the VM to those remote IPs that negotiated the passive mode ftp. It is not open to the load balancer so the load balancer is unable to probe this port. As a result, it marks the endpoint as unhealthy and stops sending traffic to the endpoint port.

    The 10.x.x.x address you see in the VM is the host server's IP address that the load balancer uses as the source IP to probe the port.

    Workaround:

    Remove the endpoints and then create them with Azure PowerShell using Add-AzureEndpoint, specifying only the name, protocol, localport and publicport parameters. This will create the endpoint without a probe port (which was the portal behavior until recently).

    For example, if my VM is named VM1 and it is in a cloud service CS1:

    Get-AzureVM -Servicename CS1 -Name VM1 | Add-AzureEndpoint -Name FTP-Dynamic-60005 -Protocol TCP -LocalPort 60005 -PublicPort 60005 | Update-AzureVM

    You can run Get-AzureVM to view the Name and ServiceName of each of your VMs.

    To view the existing endpoints for a VM, you can run:

    Get-AzureVM -ServiceName CS1 -Name VM1 | Get-AzureEndpoint

    If you had created an endpoint using the management portal, the ProbePort property will match the LocalPort property, which in this example is 6005 (not that there is anything special about that port number).

    LBSetName                : FTP-6005
    LocalPort                : 6005
    Name                     : FTP
    Port                     : 6005
    Protocol                 : tcp
    Vip                      : 137.135.122.157
    ProbePath                :
    ProbePort                : 6005
    ProbeProtocol            : tcp
    ProbeIntervalInSeconds   : 15
    ProbeTimeoutInSeconds    : 31
    EnableDirectServerReturn : False
    Acl                      : {}


    When you create an endpoint using Add-AzureEndpoint specifying just Name, Protocol, LocalPort, and PublicPort parameters, no probe port is configured. The output below shows an endpoint with no probe port configured (ProbePort is 0, LBSetName, and the other Probe* properties are blank).

    LBSetName                :
    LocalPort                : 6005
    Name                     : FTP
    Port                     : 6005
    Protocol                 : tcp
    Vip                      : 137.135.122.157
    ProbePath                :
    ProbePort                : 0
    ProbeProtocol            :
    ProbeIntervalInSeconds   :
    ProbeTimeoutInSeconds    :
    EnableDirectServerReturn : False
    Acl                      : {}

    This blog post shows how to automate the end-to-end configuration on Windows Server 2012. Since it is using Add-AzureEndpoint to add the endpoints, using this method you would not run into this issue with the probe ports.

    http://fabriccontroller.net/blog/posts/passive-ftp-and-dynamic-ports-in-iis8-and-windows-azure-virtual-machines/

    The script samples are here:

    https://github.com/sandrinodimattia/WindowsAzure-PassiveFTPinVM

    Thanks,
    Craig



    Saturday, June 22, 2013 3:54 AM
    Moderator
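
The audit and repair that the answer describes, written out as one script: list the VM's endpoints, find the ones a pre-8/13/2013 portal created (ProbePort equal to LocalPort), recreate those without a probe, and make sure every port in the passive range has an endpoint. This is an added example and not Craig's or the linked blog's script. It assumes the classic Azure (Service Management) PowerShell module with Get-AzureVM, Get-AzureEndpoint, Remove-AzureEndpoint, Add-AzureEndpoint and Update-AzureVM, a publish settings file already imported, and placeholder names (CS1, VM1) and a placeholder range 60005 to 60010 that you would replace with your own.

```powershell
# Added example (not the answer's own command). Audits a classic Azure VM's
# endpoints for load-balancer probe ports on the passive FTP range and
# recreates them probe-less, then verifies the result.
Import-Module Azure

$serviceName = 'CS1'        # placeholder cloud service name (from the answer)
$vmName      = 'VM1'        # placeholder VM name (from the answer)
$lowPort     = 60005        # placeholder passive range; must match IIS's
$highPort    = 60010        # lowDataChannelPort/highDataChannelPort

# Only endpoints in the passive range are touched; port 21 is left alone
# because a probe on 21 succeeds (the control port is open to everyone).
function Test-PassivePort([int]$port) {
    return ($port -ge $lowPort -and $port -le $highPort)
}

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
if (-not $vm) { throw "VM $vmName in service $serviceName not found" }

# A portal-created endpoint (before the 8/13/2013 portal update) has
# ProbePort == LocalPort. The probe cannot reach a port that is only open to
# the client that negotiated PASV, so the load balancer marks it unhealthy
# and stops forwarding to it. Those are the endpoints to rebuild.
$probed = $vm | Get-AzureEndpoint | Where-Object {
    (Test-PassivePort $_.LocalPort) -and $_.ProbePort -ne 0 -and $_.ProbePort -eq $_.LocalPort
}

foreach ($ep in $probed) {
    Write-Host "Recreating $($ep.Name) (local port $($ep.LocalPort)) without a probe port"
    $vm = $vm | Remove-AzureEndpoint -Name $ep.Name
    $vm = $vm | Add-AzureEndpoint -Name $ep.Name -Protocol tcp `
                    -LocalPort $ep.LocalPort -PublicPort $ep.Port
}

# Fill in any port of the range that has no endpoint at all (Name, Protocol,
# LocalPort and PublicPort only, which is what leaves ProbePort at 0).
$present = ($vm | Get-AzureEndpoint | ForEach-Object { $_.LocalPort })
foreach ($port in $lowPort..$highPort) {
    if ($present -notcontains $port) {
        Write-Host "Adding endpoint for port $port"
        $vm = $vm | Add-AzureEndpoint -Name "FTP-Dynamic-$port" -Protocol tcp `
                        -LocalPort $port -PublicPort $port
    }
}

# One round trip to the service for all the changes above.
$vm | Update-AzureVM | Out-Null

# Verify from a fresh read: every passive-range endpoint must now show
# ProbePort 0. Anything else is still a candidate for the 550 in the question.
$after = Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureEndpoint |
         Where-Object { Test-PassivePort $_.LocalPort }
$after | Format-Table Name, LocalPort, Port, Protocol, ProbePort -AutoSize
$stillProbed = @($after | Where-Object { $_.ProbePort -ne 0 })
if ($stillProbed.Count -gt 0) {
    Write-Warning "$($stillProbed.Count) endpoint(s) still carry a probe port"
}
```

Run it once after the VM is recreated or whenever endpoints are edited in the portal; the final table is the same view as the Get-AzureEndpoint output in the answer, reduced to the columns that matter for this failure.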

All replies

  • I am having exactly the same problem and it seems to be that something in Azure has changed in the last week or so. I had a passive FTP set up working great, then my virtual machine got deleted because I went over my usage allowance! (seems a little bit harsh to delete the VM surely just a stop would suffice).

    Since then I've restored my VM but been unable to get passive FTP working again. I've created a completely new VM then used PowerShell scripts to set up FTP, Endpoints and Firewall - always the same 500 The network connection was aborted by the local machine and failed to retrieve directory listing. I can do exactly the same process on a local VM and then access remotely no problem.

    I see that a few other people are having exactly the same issue: see post by Solomon in http://fabriccontroller.net/blog/posts/passive-ftp-and-dynamic-ports-in-iis8-and-windows-azure-virtual-machines/

    I notice in the FTP logs something weird. When the service was working fine, the log entries for DataChannelOpen, DataChannelClosed come from an external IP address i.e. the IP address of the client. Now in the logs of the not working services I see that these DataChannelOpen and DataChannelClosed entries have local IP addresses i.e. 10.X.X.X. Has something changed in the way that the endpoints are routed that is causing this problem?

    Saturday, June 15, 2013 1:22 AM
  • Hi Joel,

    Were you trying to set this up with R2 or 2012?

    Thanks,
    Craig

    Saturday, June 15, 2013 11:30 AM
    Moderator
  • Hi Craig,

    All of my VMs are Server 2012 with SQL 2012 SP1 (found in the 'Quick Create' menu).

    Thanks

    Joel

    Saturday, June 15, 2013 8:57 PM
  • Hi Craig,

    Any thoughts?

    Thanks

    Joel

    Sunday, June 16, 2013 8:14 PM
  • Certainly someone has some insight into how to make this work?  
    Tuesday, June 18, 2013 7:25 AM
  • I am experiencing the same problem at the moment, no FTP access. But since I only set it up a few days ago, it never worked for me. I believe I have all my settings correct. Have tried both with FileZilla Server and IIS FTP. I am able to connect etc. but when it tries to get directory listing it fails... :-(

    Tuesday, June 18, 2013 11:50 AM
  • I'm having the same issue with Titan FTP server.  SFTP works, no problem.  I created all the endpoints and opened the local firewall on the VM.  My client begins to connect and then directory listing fails as well.
    Tuesday, June 18, 2013 1:59 PM
  • I'm using Server 2008 R2 instead of 2012 at the moment.
    Tuesday, June 18, 2013 2:00 PM
  • Can anyone at Microsoft provide some insight into how to resolve this?  This is preventing me from considering Azure as an augmentation or alternative to our current setup on EC2.
    Tuesday, June 18, 2013 6:37 PM
  • Anyone at all?  Can anyone at Microsoft please provide some insight into how to resolve this? 
    Wednesday, June 19, 2013 3:53 PM
  • Having the exact same problem. Everything worked great until the machine needed to be deleted and recreated (another issue).

    This is from a log describing the connection; it seems like the Azure VM rewrites the PASSIVE source IP to the IP (.42),
    so the server sees the passive connect as coming from another IP.

    Port 60005 is one of the OPEN passive ports.

    2013-06-20 13:04:25 ALLOW TCP XX.230.189.138 XXX.XX.24.42 63709   21       0 - 0 0 0 - - - RECEIVE
    2013-06-20 13:04:27 ALLOW TCP XX.86.24.40       XXX.XX.24.42 54281   60005 0 - 0 0 0 - - - RECEIVE

    When running Ipconfig /all the XX.86.24.40 is the same IP as the DNS. The actual server internal address is .42.

    All ports are open in the ENDPOINT configuration and in the Firewall.


    XXX are replacements for my actual IP.


    • Edited by Wendelstam Thursday, June 20, 2013 11:12 AM More info
    Wednesday, June 19, 2013 8:17 PM
  • Great detail, thanks for sharing.  This is a pretty big problem.  I can't migrate to Azure if I can't use passive FTP to publish from Visual Studio 2012 (and the workarounds to try and get it to use active FTP don't work either, like modifying the .pubxml files).
    Thursday, June 20, 2013 2:58 PM
  • I apologize for the delay. I am following up on this internally.

    In the meantime, if you are able to open a support ticket in the management portal, that can help us get the necessary information more quickly.

    Thanks,
    Craig

    Thursday, June 20, 2013 6:55 PM
    Moderator
  • I have created a ticket for this problem: 113062010529500
    Cheers
    Johan
    Thursday, June 20, 2013 7:01 PM
  • I can't.  I have billing support only.
    Thursday, June 20, 2013 7:11 PM
  • Hi Steve,

    When you say DataChannelOpen/DataChannelClosed come from the IP address of the client - where is the client? On-premises, or another Azure VM?

    Is the VM running FTP in a virtual network?

    Thanks,
    Craig

    Thursday, June 20, 2013 8:10 PM
    Moderator
  • I just tried this with Server 2008 R2 SP1 and it also will not work.
    Friday, June 21, 2013 12:04 AM
  • I have tried from both external IPs and from other VMs and neither work. Local connections work so I think that the router is the problem.

    Have tried with both IIS and Filezilla with the same result. I think that the passive connections source IP is translated to the gateway/routers IP instead of the clients IP.
    Friday, June 21, 2013 12:17 AM
  • I also tried with FileZilla FTP server using a custom port range for passive mode FTP.  Works great locally, but not through the Azure endpoint configuration (Windows Firewall had no impact).

    Friday, June 21, 2013 12:27 AM
  • Hi Craig.

    I removed and re-added the endpoints as you suggested and it solved the problem for me, so now everything works as it should.
    I did not know about the probe ports in the loadbalancer.

    get-azurevm -servicename CS1 -name VM1 | get-azureendpoint lists all the endpoints and the probe settings for each endpoint.

    Thank you for your help!

    Cheers
    Johan
    Saturday, June 22, 2013 1:41 PM
  • That worked for me as well!  When will this be fixed for the management dashboard?  
    Sunday, June 23, 2013 6:27 PM
  • In case anyone else has this issue - the public IP for the VM should be listed in the FTP Firewall Support page in IIS and the page for the site should be left empty.  
    Sunday, June 23, 2013 11:04 PM
  • Worked for me - great stuff!
    Monday, June 24, 2013 12:02 AM
  • Hi Craig, 

    This works for sure but in your Example you missed the Protocol section. Here is the Step-by-Step using Powershell ISE.

    • Import-Module azure
    • Get-AzurePublishSettingsFile -Realm cloudapp.net
    • Import-AzurePublishSettingsFile "D:\Azure\Enterprise-8-13-2013-credentials.publishsettings"
    • Get-AzureVM
    • Get-AzureVM -ServiceName "ServiceName" -Name "VMName" | Add-AzureEndpoint -Name "FTP" -Protocol "TCP" -PublicPort 21 -LocalPort 21 | Update-AzureVM
    • Get-AzureVM -ServiceName "ServiceName" -Name "VMName" | Get-AzureEndpoint
    • Get-AzureVM -ServiceName "ServiceName" -Name "VMName" | Add-AzureEndpoint -Name "FTP-Dynamic-60000" -Protocol "TCP" -PublicPort 60000 -LocalPort 60000 | Update-AzureVM
    • Get-AzureVM -ServiceName "ServiceName" -Name "VMName" | Get-AzureEndpoint

    The above screen shows no probe port configured (ProbePort : 0) LBsetName and other Probe* properties are blank. Appreciate Craig for sharing this information. 

    Thanks,

    Debarghya

    Tuesday, August 13, 2013 10:50 AM
  • Hi Debarghya,

    I've corrected the syntax in my example to include -Protocol TCP.

    Note that starting today (8/13/2013), the portal no longer configures probe ports by default. You must explicitly select them now. See my original answer in this thread for more information.

    Thanks,
    Craig


    Tuesday, August 13, 2013 12:48 PM
    Moderator
  • Can't this be done in one shot, like:

    $vm = Get-AzureVM -ServiceName "SvcName" -Name "VmName";
    $vm | Add-AzureEndpoint -Name "zPASSIVEFTP1" -Protocol "tcp" -LocalPort 49152 -PublicPort 49152
    $vm | Add-AzureEndpoint -Name "zPASSIVEFTP2" -Protocol "tcp" -LocalPort 49153 -PublicPort 49153
    ...
    $vm | Add-AzureEndpoint -Name "zPASSIVEFTP10" -Protocol "tcp" -LocalPort 49161 -PublicPort 49161
    $vm | Add-AzureEndpoint -Name "zPASSIVEFTP11" -Protocol "tcp" -LocalPort 49162 -PublicPort 49162
    $vm | Update-AzureVM


    Tuesday, August 27, 2013 9:27 AM
  • Confusion, I could only get active to work too.  Active works fine with Filezilla and I don't need any other type of FTP transfer, I'm not publishing with VS.  Should I not bother trying to fix this then?  Or will there be some other fix for this?  I'd rather fix it in the UI than run some scripts.
    Tuesday, October 15, 2013 11:56 PM
  • Thanks for your post, this was helpful understanding the FTP setup. However, I am still having the same issue – cannot FTP from outside.

    I set up FTP in manage.windowsazure.com but had the same issues that the others had. After reading this post, I deleted the Endpoint and used PowerShell and the script mentioned in this post. The FTP works locally (ftp 10.0.0.4) but I still cannot FTP into the VM from outside. PowerShell did create the Endpoint “FTP-Dynamic-6005” with ports 60005 and the Firewall looks correct.

    I opened an Azure Developer Support Ticket 2 days ago and I am still working with the support team to resolve this issue.

    It takes me about 15 minutes to setup FTP on a Windows 2012 R2 server. I have been working on this for a week now. I am new to Azure but I have been a developer for a few decades and I have to think that it cannot be this difficult to get files onto an Azure Virtual Machine… I must be missing something?

    Basically, I want to upload a website (25 GB) and a database (1 GB) for one of our less critical sites to test Azure VM to replace some of our servers. I uploaded some files using Remote Connection but that takes about 3 days.

    Does anyone have a suggestion on how I can setup FTP, File Share, or any other way to get files onto an Azure VM that is faster than using the Remote Desktop?

    • Edited by lewhill Friday, January 17, 2014 1:30 AM
    Monday, January 13, 2014 6:08 PM
  • I am also having the same problems with a just created VM. Did you get response?
    Friday, January 31, 2014 11:45 AM