Unable to get data channel open with certain FTP sites via ProxySG, but direct connection works via FileZilla or WinSCP

Article ID: 167047

Products

ProxySG Software - SGOS

Issue/Introduction

You can open the data connection to an FTP server when connecting directly with FileZilla or WinSCP. When the client is set to use an FTP proxy, generic proxy, or SOCKS proxy, the data connection fails.

Resolution

This issue can be caused by a misconfigured FTP server that returns a non-Internet-routable IP address for opening the data channel. A properly configured FTP server should return its public IP address so that the client can open the data channel. A sample response is given below:


Status:    Connecting to 39.21.121.31:21...
Status:    Connection established, waiting for welcome message...
Response:    220 spftp/1.0.0000 Server [39.21.121.31]
Command:    USER anonymous
Response:    331 Password required for USER.
Command:    PASS **************
Response:    230 Login successful.
Command:    SYST
Response:    215 UNIX
Command:    FEAT
Response:    211-Extensions supported
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:    211 End
Status:    Server does not support non-ASCII characters.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is current directory.
Command:    TYPE I
Response:    200 TYPE set to I.
Command:    PASV
Response:    227 Entering Passive Mode. (172,16,121,31,139,30)
Command:    LIST

 

The server's response tells the client to connect to the internal IP address 172.16.121.31 over port number 13930. The connection will fail, as that IP address is not reachable over the Internet.

The FileZilla client has a fallback mechanism for when such a non-routable IP address is seen: it uses the public IP address instead. This only works when FileZilla accesses the site via the Internet directly. Through a proxy it will still try the internal IP address. The two sessions are shown below.


FileZilla via Proxy

Status:    Connecting to 39.21.121.31 through proxy
Status:    Connecting to 192.168.1.2:8080...
Status:    Connection with proxy established, performing handshake...
Response:    Proxy reply: HTTP/1.1 200 Connection established
Status:    Connection established, waiting for welcome message...
Response:    220 spftp/1.0.0000 Server [39.21.121.31]
Command:    USER anonymous
Response:    331 Password required for USER.
Command:    PASS **************
Response:    230 Login successful.
Command:    SYST
Response:    215 UNIX
Command:    FEAT
Response:    211-Extensions supported
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:    211 End
Status:    Server does not support non-ASCII characters.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is current directory.
Command:    TYPE I
Response:    200 TYPE set to I.
Command:    PASV
Response:    227 Entering Passive Mode. (172,16,121,31,143,20)
Command:    LIST
Error:  Connection timed out
Error:  Failed to retrieve directory listing



FileZilla via Direct Connection

Status:    Connecting to 39.21.121.31:21...
Status:    Connection established, waiting for welcome message...
Response:    220 spftp/1.0.0000 Server [39.21.121.31]
Command:    USER anonymous
Response:    331 Password required for USER.
Command:    PASS **************
Response:    230 Login successful.
Command:    SYST
Response:    215 UNIX
Command:    FEAT
Response:    211-Extensions supported
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:    211 End
Status:    Server does not support non-ASCII characters.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is current directory.
Command:    TYPE I
Response:    200 TYPE set to I.
Command:    PASV
Response:    227 Entering Passive Mode. (172,16,121,31,128,45)
Command:    LIST
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    LIST
Response:    150 Here comes the directory listing.
Response:    226 Directory send OK.
Status:    Directory listing successful

   

Here FileZilla uses the fallback method to connect to the public IP address instead of the private IP address; WinSCP does the same.
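The address check behind that fallback, as an added diagnostic example (not code from FileZilla, WinSCP or the ProxySG): it parses a 227 reply, computes the port as p1*256 + p2 per RFC 959, and flags a server that is reached on a public address but advertises a non-global one. The function names and the `fallback` switch are assumptions for illustration; the two sample replies are copied from the session logs above.

```python
import ipaddress
import re

# Six comma-separated numbers in a 227 reply: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Replies copied from the proxied and direct sessions on this page.
CONTROL_IP = "39.21.121.31"
PROXIED = "227 Entering Passive Mode. (172,16,121,31,143,20)"
DIRECT = "227 Entering Passive Mode. (172,16,121,31,128,45)"


def parse_pasv(reply):
    """Return (ip_string, port) advertised in a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]  # RFC 959: port = p1*256 + p2


def data_target(control_ip, reply, fallback=True):
    """Return (host, port, misconfigured) for the data connection.

    fallback=True models the direct-connection log (the client substitutes the
    control address); fallback=False models the proxied session, where the
    advertised address is used as-is. Both modes are illustrative assumptions.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        raise ValueError("not a valid 227 reply")
    adv_ip, port = parsed
    ctrl = ipaddress.IPv4Address(control_ip)
    adv = ipaddress.IPv4Address(adv_ip)
    # Misconfigured: server reached on a global address advertises a non-global one.
    misconfigured = ctrl.is_global and not adv.is_global
    host = control_ip if (misconfigured and fallback) else adv_ip
    return host, port, misconfigured


if __name__ == "__main__":
    print("direct :", data_target(CONTROL_IP, DIRECT))
    print("proxied:", data_target(CONTROL_IP, PROXIED, fallback=False))
```

A `misconfigured` value of `True` for a server reached on its public address points to the server-side passive address setting, not to the proxy.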

This cannot be corrected on the ProxySG. The solution is to either fix the server or access the server directly using FileZilla or WinSCP.