Unix administration - FTP connected ... but ...


Author FTP connected ... but ...
JohnK

2005-09-23, 7:50 am

Hi,

I have a problem accessing a particular FTP site from a particular
network. I can access other FTP sites from this network and I can
access this FTP site from other networks.
When I try to connect, I get back the 'connected to xxx.xxx.xxx.xxx'
message but it then hangs. I can connect to it from my home machine
and it continues on to the login. The FTP site admin assures me there
is no Reverse DNS requirement in action and my network admin assures me
the Firewall is not the issue. (I can connect to other FTP sites
successfully anyway)

I don't know if it is relevant but the FTP site doesn't have a DNS
entry. I'm trying to connect to the IP address directly.

Any FTP or network gurus able to cast any light?

JohnK

ted@loft.tnolan.com (Ted Nolan)

2005-09-23, 5:56 pm

In article <1127467935.037413.115760@g43g2000cwa.googlegroups.com>,
JohnK <johnk.dev.null@gmail.com> wrote:
>
>
>Hi,
>
>I have a problem accessing a particular FTP site from a particular
>network. I can access other FTP sites from this network and I can
>access this FTP site from other networks.
>When I try to connect, I get back the 'connected to xxx.xxx.xxx.xxx'
>message but it then hangs. I can connect to it from my home machine
>and it continues on to the login. The FTP site admin assures me there
>is no Reverse DNS requirement in action and my network admin assures me
>the Firewall is not the issue. (I can connect to other FTP sites
>successfully anyway)
>
>I don't know if it is relevant but the FTP site doesn't have a DNS
>entry. I'm trying to connect to the IP address directly.
>
>Any FTP or network gurus able to cast any light?
>
>JohnK
>


Try passive FTP if your client supports it. There can be firewall
issues with regular FTP. For some clients

ftp -p

will invoke passive mode, or you can try

ftp
ftp> passive
ftp> open wwww.xxxx.yyyy.zzz



Ted
JohnK

2005-09-23, 5:56 pm

Ted Nolan <tednolan> wrote:
> Try passive FTP if your client supports it. There can be firewall
> issues with regular FTP. For some clients
>
> ftp -p
>
> will invoke passive mode, or you can try
>
> ftp
> ftp> passive
> ftp> open wwww.xxxx.yyyy.zzz
>


Sun Microsystems Inc. SunOS 5.8 Generic Patch December 2002
$ ftp -p 193.195.77.150
ftp: p: unknown option
$ ftp
ftp> passive
?Invalid command
ftp>

No luck with that Ted... thanks anyway.

JohnK
ted@loft.tnolan.com (Ted Nolan)

2005-09-23, 5:56 pm

In article <56SdnVE8-_1BpKneRVnyhg@pipex.net>,
JohnK <johnk.dev.null@gmail.com> wrote:
>
>
>Ted Nolan <tednolan> wrote:
>
>Sun Microsystems Inc. SunOS 5.8 Generic Patch December 2002
>$ ftp -p 193.195.77.150
>ftp: p: unknown option
>$ ftp
>ftp> passive
>?Invalid command
>ftp>
>
>No luck with that Ted... thanks anyway.
>
>JohnK


Ok, you're on a Sun, and Sun's FTP client dates back to when petroleum
was on the hoof..

You can try this then. If you have a web browser like netscape7
(probably firefox or mozilla as well, but I just checked netscape7)
on your Sun, it will do passive FTP for you. Use a URL like

ftp://userid:password@ftp.anywhere.com/

So, if you need to get a file from subdir1 on machine somebox.example.com
and the user name is fooby with password quiix, use the URL

ftp://fooby:quiix@somebox.example.com/subdir1

and see what happens. With luck you will get a directory listing
that you can click to download files.


(You could also install a modern FTP client).

Ted
ted@loft.tnolan.com (Ted Nolan)

2005-09-23, 5:56 pm

Just to follow up my own response, when you use an FTP URL

ftp://userid:password@ftp.anywhere.com/some_path

if it's an anonymous FTP site, you can leave off the "userid:password" like

ftp://ftp.anywhere.com/some_path



Ted
base60

2005-09-24, 2:48 am

JohnK wrote:
> Hi,
>
> I have a problem accessing a particular FTP site from a particular
> network. I can access other FTP sites from this network and I can
> access this FTP site from other networks.
> When I try to connect, I get back the 'connected to xxx.xxx.xxx.xxx'
> message but it then hangs. I can connect to it from my home machine
> and it continues on to the login. The FTP site admin assures me there
> is no Reverse DNS requirement in action and my network admin assures me
> the Firewall is not the issue. (I can connect to other FTP sites
> successfully anyway)


Sounds like a firewall.... possibly a hosed route.

You're inbound on port 21, but not outbound.

This is the sort of thing you see when someone has blocked
the ports that ftp is trying to respond to.

Check the inbound rules on the firewall you're trying to
ftp *from*.

A static route on the ftp server sending the bits to neverneverland
could do the same sort of thing... seems like.

>
> I don't know if it is relevant but the FTP site doesn't have a DNS
> entry. I'm trying to connect to the IP address directly.
>
> Any FTP or network gurus able to cast any light?
>
> JohnK
>

Barry Margolin

2005-09-24, 2:48 am

In article <qUVYe.116$yl.25@bignews1.bellsouth.net>,
ted@loft.tnolan.com (Ted Nolan <tednolan> ) wrote:

> In article <1127467935.037413.115760@g43g2000cwa.googlegroups.com>,
> JohnK <johnk.dev.null@gmail.com> wrote:
>
> Try passive FTP if your client supports it. There can be firewall
> issues with regular FTP. For some clients


The difference between passive and active FTP is only in the data
connection, not the control connection. He's never getting far enough
into the FTP protocol for it to matter.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Barry Margolin

2005-09-24, 2:48 am

In article <L44Ze.72200$Jp.1656473@twister.southeast.rr.com>,
base60 <nobody@whitehouse.com> wrote:

> JohnK wrote:
>
> Sounds like a firewall.... possibly a hosed route.


No it doesn't. If it were a routing problem, he'd never get connected
in the first place.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
JohnK

2005-09-24, 7:48 am

base60 wrote:
> You're inbound on port 21, but not outbound.
> Check the inbound rules on the firewall you're trying to
> ftp *from*.


So would there not need to be a specific firewall entry for this FTP
server that was in some way broken, in light of the fact that I can
connect fine to other sites like ftp.sun.com?

In any case I have already asked our firewall dept to rouse themselves
and look at that very issue as well as asking here.

> A static route on the ftp server sending the bits to neverneverland
> could do the same sort of thing... seems like.


I am on a corporate network and my own IP is a 10.xx.xx.xx address. I
would have thought this would be NATed and so wouldn't be a problem but
if the FTP server had a specific 10.xx.xx.xx static route (say for a
management LAN or backup LAN) then could this be causing my packets to
go astray?

JohnK
base60

2005-09-24, 6:02 pm


>
>
> No it doesn't. If it were a routing problem, he'd never get connected
> in the first place.


Let me be more precise: A routing problem on the system to which he
is trying to ftp -- not the originating system.

If that were the case, I believe he would get a connection, but not
receive any indication of the connection... and a snoop on the ftp
server would show the connection.

That said, I am speculating and will happily defer if you know
you're correct.


base60

2005-09-24, 6:02 pm

JohnK wrote:
> base60 wrote:
>
>
>
> So would there not need to be a specific firewall entry for this FTP
> server that was in some way broken, in light of the fact that I can
> connect fine to other sites like ftp.sun.com?


Firewalls are used to filter traffic and produce lots of strange
and wonderful effects.

>
> In any case I have already asked our firewall dept to rouse themselves
> and look at that very issue as well as asking here.
>
>
>
> I am on a corporate network and my own IP is a 10.xx.xx.xx address. I
> would have thought this would be NATed and so wouldn't be a problem but
> if the FTP server had a specific 10.xx.xx.xx static route (say for a
> management LAN or backup LAN) then could this be causing my packets to
> go astray?


As indicated in my response to Barry, this is speculation that seemed
to fit what you were seeing.

You probably should do a snoop on the ftp server to see if you're
getting a connection and go from there.
Barry Margolin

2005-09-24, 6:02 pm

In article <XicZe.70219$SL.1368633@twister.southeast.rr.com>,
base60 <nobody@whitehouse.com> wrote:

>
> Let me be more precise: A routing problem on the system to which he
> is trying to ftp -- not the originating system.
>
> If that were the case, I believe he would get a connection, but not
> receive any indication of the connection... and a snoop on the ftp
> server would show the connection.


How? In order to get a connection, you have to receive a SYN-ACK in
response to the SYN you send out. If the server doesn't have a route
back to you, you'll never get the SYN-ACK.

However, if there's a proxy firewall involved, the problem could be that
the firewall accepts the connection immediately, then tries to connect
to the real server before passing the greeting message through. If
there's a routing problem between the firewall and the server, you will
see this symptom.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
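
Added example, not part of any post in this thread: a Python probe that separates the outcomes being debated above, namely a failed TCP handshake, a completed handshake with no FTP greeting (the symptom a proxy firewall would produce), and a normal greeting. The function names, the loopback endpoints in `demo()` and the greeting text are constructed for illustration.

```python
import socket
import threading

def probe_ftp_control(host, port=21, timeout=5.0):
    """Report how far an FTP control connection gets, as (stage, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("no-connect", str(exc))      # TCP handshake itself failed
    with sock:
        buf = b""
        try:
            while b"\n" not in buf and len(buf) < 4096:
                chunk = sock.recv(512)
                if not chunk:
                    break                    # peer closed the connection
                buf += chunk
        except socket.timeout:
            if not buf:                      # the symptom reported in this thread
                return ("no-greeting", "connected, but no reply before timeout")
        except OSError as exc:
            return ("closed", str(exc))
    if not buf:
        return ("closed", "peer closed before sending a reply")
    return ("greeting", buf.split(b"\n", 1)[0].decode("latin-1").rstrip("\r"))

def demo(timeout=1.0):
    """Probe three constructed loopback endpoints and return the results."""
    silent = socket.create_server(("127.0.0.1", 0))  # handshake completes, never speaks
    talker = socket.create_server(("127.0.0.1", 0))  # sends a greeting like an FTP server
    def greet():
        conn, _ = talker.accept()
        conn.sendall(b"220 constructed test server ready\r\n")
        conn.close()
    threading.Thread(target=greet, daemon=True).start()
    dead = socket.create_server(("127.0.0.1", 0))
    ports = {"silent": silent.getsockname()[1], "talker": talker.getsockname()[1],
             "dead": dead.getsockname()[1]}
    dead.close()                                     # nothing listens on this port now
    results = {name: probe_ftp_control("127.0.0.1", port, timeout)
               for name, port in ports.items()}
    silent.close()
    talker.close()
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A "no-greeting" result from one network and a "greeting" result from another, against the same server, points at a device on the path that completes the handshake on the server's behalf.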
base60

2005-09-24, 6:02 pm

Barry Margolin wrote:
> In article <XicZe.70219$SL.1368633@twister.southeast.rr.com>,
> base60 <nobody@whitehouse.com> wrote:
>
>
>
>
> How? In order to get a connection, you have to receive a SYN-ACK in
> response to the SYN you send out. If the server doesn't have a route
> back to you, you'll never get the SYN-ACK.


Semantics, issue possibly...

Agreed, the connection would never be *complete*, because the syn-ack
would never be received.

But, the ftp server would have received/responded to the syn... seems
like this would result in a "hang" on the sending side. Correct?

Packages like portsentry can and are configured to automatically
create null/reject/blackhole routes.

>
> However, if there's a proxy firewall involved, the problem could be that
> the firewall accepts the connection immediately, then tries to connect
> to the real server before passing the greeting message through. If
> there's a routing problem between the firewall and the server, you will
> see this symptom.


Correct... and as I originally noted: "Sounds like a firewall"


Barry Margolin

2005-09-25, 2:54 am

In article <02fZe.70316$SL.1379294@twister.southeast.rr.com>,
base60 <nobody@whitehouse.com> wrote:

> Barry Margolin wrote:
>
> Semantics, issue possibly...
>
> Agreed, the connection would never be *complete*, because the syn-ack
> would never be received.
>
> But, the ftp server would have received/responded to the syn... seems
> like this would result in a "hang" on the sending side. Correct?


Correct. It would hang *before* saying "Connected". The OP said that
he gets that message and *then* it hangs.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
base60

2005-09-25, 2:54 am

Barry Margolin wrote:
> In article <02fZe.70316$SL.1379294@twister.southeast.rr.com>,
> base60 <nobody@whitehouse.com> wrote:
>
>
>
>
> Correct. It would hang *before* saying "Connected". The OP said that
> he gets that message and *then* it hangs.


Yes, I read that... but I've not examined the ftp client code to know
where in the process it is issued, and users often confuse where they
saw a particular message... so I thought a route issue worth ruling out.

JohnK

2005-09-25, 7:50 am

base60 wrote:
> Yes, I read that... but I've not examined the ftp client code to know
> where in the process it is issued, and users often confuse where they
> saw a particular message... so I thought a route issue worth ruling out.
>


Well I'm not offended by the suggestion that I might be confused, but it
definitely goes in this order -

Sun Microsystems Inc. SunOS 5.8 Generic Patch December 2002
$ ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.

... and there it hangs - until I control-C ..

^C
421 Service not available, remote server has closed connection
ftp>

I think the suggestion from Barry that the firewall is providing the
initial connection and then there is a routing problem back from the
server is worth investigating. It'll be sometime tomorrow before I can
make enquiries of the FTP site admin.

JohnK
base60

2005-09-25, 5:53 pm

JohnK wrote:
> base60 wrote:
>
>
> Well I'm not offended by the suggestion that I might be confused,


No offense intended.

And anyone who states that he isn't occasionally confused by the
outcome of computers/networking/etc. is probably not being
forthcoming :-)

Since I'm curious, at this point, I set up some various route
combinations and they do not produce the described situation
using linux -> [linux|solaris|aix]

So, probably a firewall... having the ftp server admin snoop
the connection would tell you a lot.
Barry Margolin

2005-09-27, 2:52 am

In article <4GoZe.1813$ua.115583@twister.southeast.rr.com>,
base60 <nobody@whitehouse.com> wrote:

> Yes, I read that... but I've not examined the ftp client code to know
> where in the process it is issued, and users often confuse where they
> saw a particular message... so I thought a route issue worth ruling out.


The OP wrote: "When I try to connect, I get back the 'connected to
xxx.xxx.xxx.xxx' message but it then hangs."

He'd have to be mightily confused to think that he got a message that he
never actually got. I am willing to give him the benefit of the doubt.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
base60

2005-09-27, 8:50 pm

Barry Margolin wrote:
> In article <4GoZe.1813$ua.115583@twister.southeast.rr.com>,
> base60 <nobody@whitehouse.com> wrote:
>
>
>
>
> The OP wrote: "When I try to connect, I get back the 'connected to
> xxx.xxx.xxx.xxx' message but it then hangs."
>
> He'd have to be mightily confused to think that he got a message that he
> never actually got. I am willing to give him the benefit of the doubt.


No problem, but I've been involved with too many similar issues to be
willing to assume much of anything... cynical, I guess

And, again, note that I did say it was probably a firewall.