ftp requests to on-premise ftp client

  • Question

  • Hi!

    I have a webrole in windows azure, which connects to my local (on-premise) ftp server and downloads files. It works in one of my hosted services. However, when I deploy the same code to another hosted service I get an error: 425 Can't open data connection.

    This ftp uses passive mode, no SSL, and I use FtpWebRequest class, but it has a custom port, and not the default 21.

    So I logged on to the instance with the error, turned off all the firewall rules etc. and tried again, but I still get the error. When I use explorer or IE to connect the ftp server, on the failing hosted service it just asks my username and password repeatedly, while in the working one it is ok.

    What can be the problem?

    (one difference I found is the VIP: the working hosted service starts with 65.XXX... the not working 168.XXX)



    • Edited by ladeak Saturday, July 28, 2012 10:28 AM
    Saturday, July 28, 2012 10:05 AM

Answers

  • <<==== You are still not saying anything is helpful.

    One of the most common questions I get about FTP has to do with error 425, "Can't open data connection."  This is indeed a protocol level error that is defined in the RFC.  Its meaning is obvious:  the data connection (for a directory listing, upload, or download) was unable to be established.  
    
    First - the most common solution:  change the active/passive mode settings.  But that might not work, and if it does it's only a band-aid covering up the real problem. 
    
    As I've mentioned in the past, one of the most common reasons that this error occurs is a misconfiguration of the FTP server software itself, related to SSL connections and firewalls, in which the connection tries to establish itself on a bogus ip address.  Read more about FTP SSL through a NAT firewall here, some potential solutions are included. 
    
    There are other less likely causes, such as: 
    • The server is configured to always use the same port for passive mode connections, or the client is configured to always use the same port for active mode connections, although in this case usually the software in question should raise a different error first, but I've seen this happen.
    • In passive mode, the firewall in front of the FTP server doesn't have the correct ports open.  So the server tells the client to connect to ipaddress 1.2.3.4 on port x, but the firewall doesn't allow incoming connections on port x.  Most firewalls are smart enough to open up the port when it sees the PASV response.  Vice versa for active mode and the firewall in front of the FTP client.

    As I stated earlier this appears to be an FTP Server configuration problem and NOT a problem with your coding. You will need to contact the forums that relate to the FTP server you are using for more help.

    Open port = http://www.canyouseeme.org/

    The above quotation comes from:

    http://geekswithblogs.net/Lance/archive/2008/01/24/ftp-error-425-quotcant-open-data-connection.quot.aspx

     

    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!



    • Edited by Dave A Gordon Saturday, August 11, 2012 10:50 PM
    • Proposed as answer by Dave A Gordon Saturday, August 11, 2012 10:50 PM
    • Marked as answer by ladeak Sunday, August 12, 2012 6:26 PM
    Saturday, August 11, 2012 10:48 PM
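
    The two passive-mode causes quoted in the answer above (a bogus advertised address, or a data port the firewall does not forward) can both be read off the 227 reply the client receives. The following Python check is an added example, not part of the original thread; the replies are constructed samples, and the control address 203.0.113.10 and forwarded passive range 2101-2110 are assumptions.

```python
import ipaddress
import re

# RFC 959 reply 227 carries the data endpoint as (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample replies (not captured from the server in this thread).
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,8,53)"
SAMPLE_INTERNAL_IP = "227 Entering Passive Mode (192,168,1,20,8,53)"
SAMPLE_CLOSED_PORT = "227 Entering Passive Mode (203,0,113,10,195,80)"


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255")
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def diagnose(reply, control_ip, forwarded_ports):
    """List reasons the data connection is likely to end in a 425.

    control_ip: address the client dialled for the control connection.
    forwarded_ports: passive range the firewall admin says is open (assumed).
    """
    ip, port = parse_pasv(reply)
    findings = []
    if ip != ipaddress.ip_address(control_ip):
        kind = "RFC 1918" if any(ip in n for n in RFC1918) else "different"
        findings.append("server advertises %s address %s, control peer is %s"
                        % (kind, ip, control_ip))
    if port not in forwarded_ports:
        findings.append("data port %d is outside the forwarded range" % port)
    return findings


if __name__ == "__main__":
    for r in (SAMPLE_OK, SAMPLE_INTERNAL_IP, SAMPLE_CLOSED_PORT):
        print(r, "->", diagnose(r, "203.0.113.10", range(2101, 2111)) or "ok")
```

    Run against the 227 line logged from both the working and the failing instance; if the two replies are identical, the difference lies on the network path rather than in the server's PASV configuration.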

All replies

  • I would think that the problem is actually on the FTP Server end's configuration and not on the service side.

    Are you allowing connections on the server from all the VIPs you are using? Are you deploying the service to deployment - if so, each deployment may change the VIP. Deploy to staging and then swap to avoid that problem as well as preventing the offline time that deployment causes on the deployment role.

    Do you really need two different service deployments?


    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!

    • Marked as answer by ladeak Sunday, July 29, 2012 2:00 PM
    • Unmarked as answer by ladeak Saturday, August 11, 2012 8:41 PM
    Sunday, July 29, 2012 9:41 AM
  • Hi!

    Thanks for the ideas. I need two hosted services.

    Anyway, now I believe that the problem is on the ftp server's end. Unfortunately, I do not own the ftp server and cannot modify the configuration on my own, so I might have to arrange the problem with the owner.

    I have tried to connect to a different ftp server (still passive mode, no ssl, but on port 21) and it worked.

    If anybody else has a new idea for a solution, I would really appreciate it! :)

    Sunday, July 29, 2012 11:28 AM
  • As I said,

    The problem seems to be the FTP server's configuration. Ask the owner to open the Proxy server's IP and port address that you are using and all should be fine.

    There is no other solution.

    Remember to mark my postings as helpful or the answer.


    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!

    • Proposed as answer by Dave A Gordon Saturday, August 11, 2012 10:51 PM
    Sunday, July 29, 2012 12:57 PM
  • I still could not figure out the problem. How would I know for sure, that the network is handling an ftp connection correctly on port 2100? In one of the instances it works, on another it does not work.
    Saturday, August 11, 2012 8:43 PM
  • Try to connect to the FTP port using Telnet - you can access it through the command prompt. Log in remotely to the Azure server running the WorkerRole that does not function and telnet from there. Is the Port really open? Again on the WorkerRole server go to OpenPort check and see if the port is actually open.

    Is your FTP server set up to accept more than one connection?

    Is Your FTP server set up to log connections? If So - check the log to see if a connection is being established.

    The WebRole / WorkerRole - are they throwing any exceptions? Are you using logging? If not - start logging now.

    The web roles may need different ports - depending on how you have written your worker role.

    That's enough suggestions for you to work on just now. Remember to vote and answer or vote as helpful all posts that assist you.


    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!

    Saturday, August 11, 2012 9:53 PM
  • I have just done this.

    With telnet I get error 425. From another hosted service I can connect. From a third one, I cannot. In all hosted services I use a webrole and default configuration.

    I use logging, but even when I try to connect with total commander and turn off all firewall rules I get this error. My ftp server accepts more than one connection.

    Hosted services are in the same datacenter, but might be in different clusters. Is there any chance that this caused the problem?

    What do you mean by "OpenPort"?

    Saturday, August 11, 2012 10:13 PM
  • I did connect to the FTP server provider, and the answer was everything works fine. I guess one of the routers is misconfigured between the ftp server and the virtual machine. As I wrote I could connect from a different hosted service to the ftp server, and from my home computer as well. That is why I think it might be a router in front of the webrole. But how could I figure this out?

    In openport on the server I get:

    Error: I could not see your service on 168.63.20.xxx on port (2100)
    Reason: Connection timed out

    even when I turned off Windows Firewall and added a firewall exception for port 2100.

    Sunday, August 12, 2012 8:08 AM
  • The WorkerRole is connecting OUT to your local server - by default all outbound ports are open so again - the problem is on the INBOUND connection which is your local server. If your Router is Misconfigured then this forum is really not the place to get help. And as all the suggestions and advice and help you have been given is apparently not worth you voting it as helpful - I would be surprised if you are going to get anywhere further with this on this Forum.

    According to OpenPort = Time outs usually mean the port is not open. Is the IP above your local machine's public IP?

    As you have stated, and I have repeatedly stated - This is NOT an Azure issue - but a config problem on your side. You need to ask for help on either your FTP server's forums or your router support forums.


    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!

    • Proposed as answer by Dave A Gordon Sunday, August 12, 2012 11:13 AM
    • Marked as answer by ladeak Sunday, August 12, 2012 6:26 PM
    • Unmarked as answer by ladeak Sunday, August 12, 2012 6:26 PM
    Sunday, August 12, 2012 11:13 AM
  • I will post the final solution. Your answer was helpful, but I could not solve the problem. Connecting to the ftp server with OpenPort works. Connecting from the instance to the ftp server with telnet, I get error 425. From another hosted service (configured by default) it works. How can I be sure, that not one of the routers of windows azure is misconfigured?
    Sunday, August 12, 2012 6:30 PM
  • Raise an Issue with Azure Support

    https://support.microsoft.com/oas/default.aspx?gprid=14928&st=1&wfxredirect=1&sd=gn&ln=en-us

    They will be able to advise you if there is a problem with the Azure setup or not. They may also have some other ideas. Perhaps imaging the working VM and using that image on the other instances - but they will know about the hardware side of things.


    Digital Forensic Software Developer
    CCS LABS Digital Forensic Software
    Mark as Answer or Vote up if useful thank you!

    Sunday, August 12, 2012 8:20 PM