Unable to connect to FileZilla FTP

TeK-FX

I have recently set up a FileZilla FTP server behind our Sonicwall appliance. It looks like the initial connection is all good: credentials are accepted, it enters passive mode, but when it attempts the MLSD command I get a connection refused. This only happens when connecting from an external IP. Internal IPs work fine and I am stumped as to what is causing this issue. I have attached part of the log file below. Any ideas? Thank you.


------------------------------------------------------

Reply: 230 Logged on
Command: SYST
Reply: 215 UNIX emulated by FileZilla
Command: FEAT
Reply: 211-Features:
Reply: MDTM
Reply: REST STREAM
Reply: SIZE
Reply: MLST type*;size*;modify*;
Reply: MLSD
Reply: AUTH SSL
Reply: AUTH TLS
Reply: PROT
Reply: PBSZ
Reply: UTF8
Reply: CLNT
Reply: MFMT
Reply: EPSV
Reply: EPRT
Reply: 211 End
Command: PBSZ 0
Reply: 200 PBSZ=0
Command: PROT P
Reply: 200 Protection level set to P
Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (24,213,140,106,152,137)
Command: MLSD
Error: Could not establish data connection: Connection refused
 
Look at the traffic logs. See if there are any drops at that time or issues. Does the SonicWall have any intelligence like the Palo Alto FWs? Or is it strictly ACLs?
 
Sounds like you did not open the data transfer ports. To use FTP you need to open 21 to start the connection/handshake, then it negotiates a port from your specified range to use to transfer the data. It's best to limit the range of ports used to as small as you need. If you only expect to have 1 client connected at a time, reduce the range to a single port. Something like 55001, or 55001-55002 etc for a range. Then you need to make sure you open/forward those ports from your sonicwall to your FTP server.

That's also why it works internally, but not externally since you are bypassing the sonicwall and hitting the FTP server directly.


And make sure you're using either FTP over SSL (FTPs) or SSH (sFTP) so your traffic is encrypted. You can use the letsencrypt server to generate a CA signed cert for you to use for free if needed.
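To make the "data port" part of this concrete: the 227 reply in the log above carries the address and port the client must connect to for the data channel (port = fifth number * 256 + sixth number). Below is an added example, not code from the thread or from FileZilla, that decodes such replies from a client log and checks the negotiated port against the server's configured passive range and the range forwarded on the firewall; it also flags the case where the server advertises a private address to an external client, which is not what happens in this thread but is the other common cause of this exact error. The ranges and the config values passed in at the bottom are constructed.

```python
"""Decode FileZilla client log lines around a passive-mode failure and check the
negotiated data port against the configured ranges. Added example, not code from
the thread; the ranges passed in at the bottom are constructed."""
import re

# Constructed sample: the relevant lines from the client log quoted in the thread.
SAMPLE_LOG = """\
Command: PASV
Reply: 227 Entering Passive Mode (24,213,140,106,152,137)
Command: MLSD
Error: Could not establish data connection: Connection refused
"""

PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply. RFC 959 packs the data port into
    the last two numbers: port = p1 * 256 + p2."""
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of octet range: %r" % reply)
    a, b, c, d, p1, p2 = fields
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_data_channel(reply, public_ip, server_range, firewall_range):
    """Findings explaining why an external client's data connection would fail.
    An empty list means the advertised endpoint is consistent with the config."""
    host, port = parse_pasv(reply)
    findings = []
    if host != public_ip:
        findings.append("server advertises %s; external clients need %s "
                        "(set the external IP in the passive-mode settings)" % (host, public_ip))
    lo, hi = server_range
    if not lo <= port <= hi:
        findings.append("port %d is outside the server's passive range %d-%d" % (port, lo, hi))
    lo, hi = firewall_range
    if not lo <= port <= hi:
        findings.append("port %d is not in the range forwarded by the firewall (%d-%d)" % (port, lo, hi))
    return findings


def audit_log(log_text, public_ip, server_range, firewall_range):
    """Scan a client log; for every 227 reply report the port, whether a
    data-connection error followed it, and any configuration findings."""
    results = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Reply: 227"):
            _host, port = parse_pasv(line)
            failed = any("Could not establish data connection" in later
                         for later in lines[i + 1:i + 4])
            results.append({
                "port": port,
                "failed": failed,
                "findings": check_data_channel(line, public_ip, server_range, firewall_range),
            })
    return results


if __name__ == "__main__":
    # Constructed config: server passive range 39000-39050, firewall forwarding
    # a different range, which is the mismatch this checker is meant to surface.
    for entry in audit_log(SAMPLE_LOG, "24.213.140.106", (39000, 39050), (30000, 30050)):
        print(entry)
```

Run it against a saved client log and compare the reported port with the passive range in the FileZilla Server settings and with the port range in the firewall's FTP data service object; all three have to line up, and the firewall also has to forward that range to the server's LAN address.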
 
Look at the traffic logs. See if there are any drops at that time or issues. Does the SonicWall have any intelligence like the Palo Alto FWs? Or is it strictly ACLs?
I do not see anything in the log file trying to hit the FTP server

I followed that exact KB when setting this up.

Sounds like you did not open the data transfer ports. To use FTP you need to open 21 to start the connection/handshake, then it negotiates a port from your specified range to use to transfer the data. It's best to limit the range of ports used to as small as you need. If you only expect to have 1 client connected at a time, reduce the range to a single port. Something like 55001, or 55001-55002 etc for a range. Then you need to make sure you open/forward those ports from your sonicwall to your FTP server.

That's also why it works internally, but not externally since you are bypassing the sonicwall and hitting the FTP server directly.


And make sure you're using either FTP over SSL (FTPs) or SSH (sFTP) so your traffic is encrypted. You can use the letsencrypt server to generate a CA signed cert for you to use for free if needed.
I did set up ports 39000-39050 for data. When going through the previously mentioned KB from Sonicwall it states that this is optional. The SonicWall can determine the data ports using DPI. I have been stumped on this for a couple days now and not sure where I am going wrong. Firewalls are new to me as it came as one of the responsibilities of this position I recently started so all help is appreciated. Thank you.

I am attaching the full log file from FTPtest.net

Status: Resolving address of 24.213.140.106
Status: Connecting to 24.213.140.106
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220-This system is the property of Therm Incorporated.
Reply: 220-Use of this system constitutes consent to monitoring.
Reply: 220-Monitoring may be conducted for the protection against improper
Reply: 220 or unauthorized use.
Command: CLNT https://ftptest.net on behalf of 24.213.140.106
Reply: 200 Don't care
Command: AUTH TLS
Reply: 234 Using authentication type TLS
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='CN=ftp.therm.com,C=US,ST=New York,L=Ithaca,O=Therm Incorporated,OU=I.T.,[email protected]' issuer='CN=ftp.therm.com,C=US,ST=New York,L=Ithaca,O=Therm Incorporated,OU=I.T.,[email protected]'
Command: USER peter.mazzarese
Reply: 331 Password required for peter.mazzarese
Command: PASS **********
Reply: 230 Logged on
Command: SYST
Reply: 215 UNIX emulated by FileZilla
Command: FEAT
Reply: 211-Features:
Reply: MDTM
Reply: REST STREAM
Reply: SIZE
Reply: MLST type*;size*;modify*;
Reply: MLSD
Reply: AUTH SSL
Reply: AUTH TLS
Reply: PROT
Reply: PBSZ
Reply: UTF8
Reply: CLNT
Reply: MFMT
Reply: EPSV
Reply: EPRT
Reply: 211 End
Command: PBSZ 0
Reply: 200 PBSZ=0
Command: PROT P
Reply: 200 Protection level set to P
Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (24,213,140,106,152,121)
Command: MLSD
Error: Could not establish data connection: Connection refused
 
Then you need to view the traffic logs on the sonicwall itself to confirm the traffic is being sent to the FTP server. The logs from the FTP client won't help diagnose where the problem is.

But if it works internally, but not externally, that pretty much confirms it's something on the sonicwall.
 
Quick update:

On a whim I decided to try forcing my server to connect on the default FTP data port, TCP 22, and it connected no problem! After some digging around I then went to the Sonicwall interface > Network > Services, found the FTP Data ports entry and modified it to be a range of 30000-30050. From there I changed my FTP server settings back to a port range of 30000-30050 and it now works great!

Now my next step is to figure out why my FTP DNS server entry will only work on the LAN but not the WAN.
 
Quick update:

On a whim I decided to try forcing my server to connect on the default FTP data port, TCP 22, and it connected no problem! After some digging around I then went to the Sonicwall interface > Network > Services, found the FTP Data ports entry and modified it to be a range of 30000-30050. From there I changed my FTP server settings back to a port range of 30000-30050 and it now works great!

Now my next step is to figure out why my FTP DNS server entry will only work on the LAN but not the WAN.

You will need a dynamic DNS service (if this is a home ISP) set up to resolve host names outside of your network.
 
This is a small business setup. From what I can tell they have a DNS server setup on the DC. I know they have a vpn.companyname.com subdomain but I am not sure where it is setup. Before I was hired onto this company they utilized a local managed services business to take care of IT. I may have to reach out to them and see what they have to say.
 
Look up the main domain name to see where the name servers for the domain are hosted; that may give you a better idea of where/who hosts it. I use dnsstuff.com to do lookups but there's a few free sites/services out there to use for lookup.

Unless the local DNS server is also publicly available, it's only used to serve in-house/local DNS requests. Any public requests from the outside will not see the records you add to the local DNS server.
 
Quick update:

On a whim I decided to try forcing my server to connect on the default FTP data port, TCP 22, and it connected no problem! After some digging around I then went to the Sonicwall interface > Network > Services, found the FTP Data ports entry and modified it to be a range of 30000-30050. From there I changed my FTP server settings back to a port range of 30000-30050 and it now works great!

Now my next step is to figure out why my FTP DNS server entry will only work on the LAN but not the WAN.
Do you have a public IP or a NAT enabled? If not it ain't gonna work externally..
 
Look up the main domain name to see where the name servers for the domain are hosted; that may give you a better idea of where/who hosts it. I use dnsstuff.com to do lookups but there's a few free sites/services out there to use for lookup.

Unless the local DNS server is also publicly available, it's only used to serve in-house/local DNS requests. Any public requests from the outside will not see the records you add to the local DNS server.
I used dnsstuff.com and found that our name servers are going through ns1.biz.rr.com and ns2.biz.rr.com. What I am stumped on though is I created a CNAME webmail.companyname.com (redirects to a hosted Exchange URL from Time Warner) on our DNS server and I can successfully access that outside of our network. Would it take some time for the creation of a new subdomain to propagate to our name servers?

Do you have a public IP or a NAT enabled? If not it ain't gonna work externally..
We do have a public IP address and if typing that into the FTP outside of the network you can successfully connect. I will take a look at the VPN NAT settings on the Sonicwall appliance to see if there is something I can find there to help me resolve this.
 
I used dnsstuff.com and found that our name servers are going through ns1.biz.rr.com and ns2.biz.rr.com. What I am stumped on though is I created a CNAME webmail.companyname.com (redirects to a hosted Exchange URL from Time Warner) on our DNS server and I can successfully access that outside of our network. Would it take some time for the creation of a new subdomain to propagate to our name servers?


We do have a public IP address and if typing that into the FTP outside of the network you can successfully connect. I will take a look at the VPN NAT settings on the Sonicwall appliance to see if there is something I can find there to help me resolve this.
DNS propagation can take some time. Try doing an nslookup for your record on Google public DNS. I always find this picks up the records pretty quickly.
 
I used dnsstuff.com and found that our name servers are going through ns1.biz.rr.com and ns2.biz.rr.com. What I am stumped on though is I created a CNAME webmail.companyname.com (redirects to a hosted Exchange URL from Time Warner) on our DNS server and I can successfully access that outside of our network. Would it take some time for the creation of a new subdomain to propagate to our name servers?


We do have a public IP address and if typing that into the FTP outside of the network you can successfully connect. I will take a look at the VPN NAT settings on the Sonicwall appliance to see if there is something I can find there to help me resolve this.


A new entry should resolve in a few minutes. Why are you setting up a CNAME though? That is to redirect to a different host name. I'm assuming you are trying to add something like FTP.companyname.com. You should add an 'A' record on the TW name servers for 'companyname.com' pointing 'FTP' to the public IP of the sonicwall.

But you keep saying you changed this internally. Changes made to the internal Active Directory DNS server will NOT propagate outside of your office. You need to change the records on the ns1/ns2.biz.rr.com name servers, as those are the DNS servers external users will query for any hostname at 'companyname.com'.


*Note* What you're saying is setting off some alarm bells here. Did the company set up their internal Active Directory with the public domain name? i.e. the AD domain is using 'companyname.COM' instead of 'companyname.INTERNAL'. If so, that might be what is confusing. (I can explain in more detail if this is true).
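The split between the internal AD DNS view and what the public name servers return is the kind of thing that is easiest to settle by asking both resolvers the same question and comparing the answers, which is what the nslookup-against-Google-DNS suggestion earlier in the thread amounts to. Below is an added example, not code from the thread, that does this with a minimal DNS client written on the Python standard library (no dnspython), so it can be run from the same workstation against the DC and against 8.8.8.8. The resolver addresses in the `__main__` block and the sample responses used for offline checking are constructed; the names and IPs in them are RFC 5737 / reserved documentation values, not the company's.

```python
"""Compare an internal (Active Directory) resolver with a public resolver for one
name, using a minimal UDP DNS client. Added example, not code from the thread;
resolver addresses and the sample responses below are constructed."""
import random
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5

def build_query(name, qtype=TYPE_A, txid=None):
    """Encode one recursive (RD=1) question for `name`, class IN."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 s4.1.4) starting at `offset`.
    Returns (dotted name, offset of the first byte after the name as written)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier occurrence
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_answers(msg):
    """Collect A, NS and CNAME records from the answer section of a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, offset = read_name(msg, offset)
        offset += 4
    result = {"rcode": flags & 0xF, "A": [], "NS": [], "CNAME": []}
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A:
            result["A"].append(socket.inet_ntoa(msg[offset:offset + 4]))
        elif rtype in (TYPE_NS, TYPE_CNAME):
            target, _ = read_name(msg, offset)  # RDATA names may be compressed too
            result["NS" if rtype == TYPE_NS else "CNAME"].append(target)
        offset += rdlen
    return result

def query(resolver, name, qtype=TYPE_A, timeout=3.0):
    """Send one UDP query to `resolver` on port 53 and parse the reply."""
    request = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != request[:2]:
        raise RuntimeError("transaction ID mismatch, reply discarded")
    return parse_answers(reply)

def split_horizon_report(name, internal_view, public_view):
    """Describe how two parsed views of the same name differ (pure, no network)."""
    if internal_view["A"] and not (public_view["A"] or public_view["CNAME"]):
        return ("%s: only the internal server has this record; add it at the DNS "
                "host that is authoritative for the public zone" % name)
    if set(internal_view["A"]) == set(public_view["A"]):
        return "%s: both views agree on %s" % (name, sorted(public_view["A"]))
    return "%s: views differ, internal=%s public=%s" % (name, internal_view["A"], public_view["A"])

# Constructed responses for offline checks (RFC 5737 documentation addresses).
# 1) ftp.example.com A? -> 203.0.113.10; the owner name is a pointer to the question.
SAMPLE_A_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03ftp\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([203, 0, 113, 10])
)
# 2) webmail.example.com A? -> CNAME mail.example.net, then the A record for the
#    target; its owner name is a pointer (offset 0x31 = 49) into the CNAME RDATA.
SAMPLE_CNAME_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07webmail\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, 18) + b"\x04mail\x07example\x03net\x00"
    + b"\xc0\x31" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([198, 51, 100, 7])
)
# 3) ftp.example.com answered NXDOMAIN (rcode 3): the public view of an internal-only name.
SAMPLE_NXDOMAIN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x03ftp\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
)

if __name__ == "__main__":
    # Constructed addresses: replace 192.0.2.53 with the DC; 8.8.8.8 is Google public DNS.
    internal, public = query("192.0.2.53", "ftp.example.com"), query("8.8.8.8", "ftp.example.com")
    print(split_horizon_report("ftp.example.com", internal, public))
```

Querying with `qtype=TYPE_NS` for the bare domain against 8.8.8.8 answers the other question raised in the thread, namely which name servers the outside world is actually being sent to; a record added anywhere other than on those servers will never show up in the public view.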
 
A new entry should resolve in a few minutes. Why are you setting up a CNAME though? That is to redirect to a different host name. I'm assuming you are trying to add something like FTP.companyname.com. You should add an 'A' record on the TW name servers for 'companyname.com' pointing 'FTP' to the public IP of the sonicwall.

But you keep saying you changed this internally. Changes made to the internal Active Directory DNS server will NOT propagate outside of your office. You need to change the records on the ns1/ns2.biz.rr.com name servers, as those are the DNS servers external users will query for any hostname at 'companyname.com'.


*Note* What you're saying is setting off some alarm bells here. Did the company set up their internal Active Directory with the public domain name? i.e. the AD domain is using 'companyname.COM' instead of 'companyname.INTERNAL'. If so, that might be what is confusing. (I can explain in more detail if this is true).

They have a bit of an unusual setup from what I can tell.

The company has their domain name hosted on GoDaddy (DNS Only, Off-site).
Their current website is hosted by a company called NextInteractives. From what I understand the guy running NextInteractives offered to design and host their website several years ago as he is a friend of the company owner.
I see nothing in the GoDaddy account pointing to the TW name servers.
Using dnsstuff.com I see that the vpn.company.com points to the TW name servers.
From what I can tell they have their AD setup with their public domain name. Looking at Active Directory Users and Computers I see DC1.companyname.com with companyname.com below it in the tree.

Let me know if you want any screenshots or other info that might help me figure out how this is all configured. Thank you.
 
They have a bit of an unusual setup from what I can tell.

The company has their domain name hosted on GoDaddy (DNS Only, Off-site).
Their current website is hosted by a company called NextInteractives. From what I understand the guy running NextInteractives offered to design and host their website several years ago as he is a friend of the company owner.
I see nothing in the GoDaddy account pointing to the TW name servers.
Using dnsstuff.com I see that the vpn.company.com points to the TW name servers.
From what I can tell they have their AD setup with their public domain name. Looking at Active Directory Users and Computers I see DC1.companyname.com with companyname.com below it in the tree.

Let me know if you want any screenshots or other info that might help me figure out how this is all configured. Thank you.


Then you need to update the godaddy name servers to add an 'A' record for 'FTP' and point to your sonicwall public IP. That's the only way this will work from the outside, as all external requests for *.companyname.com will be resolved by those name servers.

If you look at godaddy's DNS, you should see a www 'A' record (or possibly a CNAME) that is pointed to the NI service hosting their webpage.
 
Doing some more digging around I found out: GoDaddy is hosting the domain name which has NS records pointing to Network Solutions account pointing to the Time Warner DNS. I created an A record for the FTP pointing to our public IP on GoDaddy. I am going to give it a little time to propagate then give it a try. I will let you know the results!
 
Doing some more digging around I found out: GoDaddy is hosting the domain name which has NS records pointing to Network Solutions account pointing to the Time Warner DNS. I created an A record for the FTP pointing to our public IP on GoDaddy. I am going to give it a little time to propagate then give it a try. I will let you know the results!

Use mstoolbox against the company's domain and find out exactly what name servers are being returned. If GoDaddy name servers are not set up for that domain, adding the entry there won't do anything.
 
Use mstoolbox against the company's domain and find out exactly what name servers are being returned. If GoDaddy name servers are not set up for that domain, adding the entry there won't do anything.
To give an update on this situation. I contacted Spectrum as that is where our name servers are hosted. I have spent hours on the phone being passed department to department with no one having the ability to get me access to our records. I was told they are trying to get out of the DNS hosting game. I recently spoke with our account rep who in turn spoke with some of his engineers. Apparently they have been stripped of rights to modify DNS information or even access it. He suggested I create a ticket and he will get it escalated for me so I plan on doing that today. Now all I want is to get a list of our records and move them away! Thanks for all the help!
 
To give an update on this situation. I contacted Spectrum as that is where our name servers are hosted. I have spent hours on the phone being passed department to department with no one having the ability to get me access to our records. I was told they are trying to get out of the DNS hosting game. I recently spoke with our account rep who in turn spoke with some of his engineers. Apparently they have been stripped of rights to modify DNS information or even access it. He suggested I create a ticket and he will get it escalated for me so I plan on doing that today. Now all I want is to get a list of our records and move them away! Thanks for all the help!


So stop using Spectrum for your domain's name servers.... You just have to set up an alternate DNS service (I use Namecheap since it's free), then it will give you a pair of name servers to use. Set up all your A records to match the current setup for your domain. Finally, log on to the registrar for the 'mycompany.com' domain and update the name servers to use the 2 you received from the new DNS host. Once that change is made, it should propagate to all DNS servers in a couple hours (depends on the TTL settings in place).
 