|
|
You're in the
iis ftp
group:FTP server responds to PASV with wrong port on Server 2003
iis ftp:
I have loaded Server 2003 R2 Enterprise Edition onto a new server and set up MS FTP service. The PassivePortRange has been set to "5100-5200", but looking at network traffic, when the client requests a PASV connection, the server sends "Response: 227 Entering Passive Mode (192,168,xxx,xxx,19,137)" - 192,168,xxx,xxx being the IP address of the server and 19,137 equating to port 5001! I tried to take careful notes about how the previous server was set up (same OS and FTP server). The router, firewall and client settings have not changed. I just can't get the server to respond to the client PASV request with a port in the range 5100-5200
Weird, 19x256+137 does add up to 5001 :)
However I can repro it. I set my R2 to have the same port range. adsutil.vbs set msftpsvc/passiveportrange "5100-5200" passiveportrange : (string) "5100-5200" do a IISreset...... then I connect locally via ftp.exe, and do a quot pasv, i got: ftp> quot pasv 227> Entering Passive Mode (127,0,0,1,19,236) ftp> quot pasv 227> Entering Passive Mode (127,0,0,1,19,237) so the first will be port 5100, follow by 5101 can you try reset the value again.. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] <ricksk@ozemail.com.au> wrote in message news:1156825825.753054.27830@i42g2000cwa.googlegroups.com... > Can anyone help with an FTP problem? > > I have loaded Server 2003 R2 Enterprise Edition onto a new server and > set up MS FTP service. The PassivePortRange has been set to > "5100-5200", but looking at network traffic, when the client requests a > PASV connection, the server sends "Response: 227 Entering Passive Mode > (192,168,xxx,xxx,19,137)" - 192,168,xxx,xxx being the IP address of the > server and 19,137 equating to port 5001! > > I tried to take careful notes about how the previous server was set up > (same OS and FTP server). The router, firewall and client settings have > not changed. I just can't get the server to respond to the client PASV > request with a port in the range 5100-5200 >
[quoted text, click to view]
> I have loaded Server 2003 R2 Enterprise Edition onto a new server and > set up MS FTP service. The PassivePortRange has been set to > "5100-5200", but looking at network traffic, when the client requests a > PASV connection, the server sends "Response: 227 Entering Passive Mode > (192,168,xxx,xxx,19,137)" - 192,168,xxx,xxx being the IP address of the > server and 19,137 equating to port 5001! I have the same behaviour on my server (Server 2003 SP1 standard edition): regardless of what I put in PassivePortRange, port range is beginning at 5001 (and, worse, doesn't use a maximum port numer, it just keeps counting up). I cannot find much information on it, but I found somewhere (I'm sorry I don't have a url anymore) that it might be because of the Routing and Remote Access service is running (which I indeed use). I didn't find the time yet to verify this. Nic.
I believe that's how it works. it will start at the begining of the
portrange and keep +1 -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] <nic@xs4all.nl> wrote in message news:1156934204.336151.246380@i3g2000cwc.googlegroups.com... >> I have loaded Server 2003 R2 Enterprise Edition onto a new server and >> set up MS FTP service. The PassivePortRange has been set to >> "5100-5200", but looking at network traffic, when the client requests a >> PASV connection, the server sends "Response: 227 Entering Passive Mode >> (192,168,xxx,xxx,19,137)" - 192,168,xxx,xxx being the IP address of the >> server and 19,137 equating to port 5001! > > I have the same behaviour on my server (Server 2003 SP1 standard > edition): regardless of what I put in PassivePortRange, port range is > beginning at 5001 (and, worse, doesn't use a maximum port numer, it > just keeps counting up). I cannot find much information on it, but I > found somewhere (I'm sorry I don't have a url anymore) that it might be > because of the Routing and Remote Access service is running (which I > indeed use). I didn't find the time yet to verify this. > > Nic. >
[quoted text, click to view]
> I believe that's how it works. it will start at the begining of the > portrange and keep +1 That's how it *should* work. But note the subtile differences :-) It's not starting at the beginning of the portrange: it's always starting at 5001, regardless of what you enter for the portrange. And it's not counting until the end of the portrange, but it just keeps counting....
I can't repro what you claimed. see my other post.
-- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Nic Limper" <nic@xs4all.nl> wrote in message news:1157096434.325801.70810@b28g2000cwb.googlegroups.com... >> I believe that's how it works. it will start at the begining of the >> portrange and keep +1 > > That's how it *should* work. But note the subtile differences :-) It's > not starting at the beginning of the portrange: it's always starting at > 5001, regardless of what you enter for the portrange. And it's not > counting until the end of the portrange, but it just keeps counting.... >
[quoted text, click to view] Nic Limper wrote: > > I believe that's how it works. it will start at the begining of the > > portrange and keep +1 > > That's how it *should* work. But note the subtile differences :-) It's > not starting at the beginning of the portrange: it's always starting at > 5001, regardless of what you enter for the portrange. And it's not > counting until the end of the portrange, but it just keeps counting.... I solved the problem on my server by disabling the Windows Firewall and configuring Routing and Remote Access - but watch out for the basic firewall in RRA. I don't know why it works. Maybe the FTP server needs it to correctly apply the PassivePortRange?
what did you change in RRA ?
ftp somehow related to RRA in certain why. i don't know the exact detail, but have seen some weird stuff with it -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "RSK" <ricksk@ozemail.com.au> wrote in message news:1157601957.440449.128210@e3g2000cwe.googlegroups.com... > > Nic Limper wrote: >> > I believe that's how it works. it will start at the begining of the >> > portrange and keep +1 >> >> That's how it *should* work. But note the subtile differences :-) It's >> not starting at the beginning of the portrange: it's always starting at >> 5001, regardless of what you enter for the portrange. And it's not >> counting until the end of the portrange, but it just keeps counting.... > > I solved the problem on my server by disabling the Windows Firewall and > configuring Routing and Remote Access - but watch out for the basic > firewall in RRA. I don't know why it works. Maybe the FTP server needs > it to correctly apply the PassivePortRange? >
I used the RRA Wizard and just configured it for LAN only and voila -
the passive ftp started working on the correct ports. If I added basic firewall, alas, back to the same problem. It would be good to know what one can and can't configure in RRA if one needs passive ftp with port range restriction Regards Rick [quoted text, click to view] Bernard Cheah [MVP] wrote:
> what did you change in RRA ? > ftp somehow related to RRA in certain why. i don't know the exact detail, > but have seen some weird stuff with it > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "RSK" <ricksk@ozemail.com.au> wrote in message > news:1157601957.440449.128210@e3g2000cwe.googlegroups.com... > > > > Nic Limper wrote: > >> > I believe that's how it works. it will start at the begining of the > >> > portrange and keep +1 > >> > >> That's how it *should* work. But note the subtile differences :-) It's > >> not starting at the beginning of the portrange: it's always starting at > >> 5001, regardless of what you enter for the portrange. And it's not > >> counting until the end of the portrange, but it just keeps counting.... > > > > I solved the problem on my server by disabling the Windows Firewall and > > configuring Routing and Remote Access - but watch out for the basic > > firewall in RRA. I don't know why it works. Maybe the FTP server needs > > it to correctly apply the PassivePortRange? > >
ha! thanks for the update.
-- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "RSK" <ricksk@ozemail.com.au> wrote in message news:1158969509.679789.38910@m7g2000cwm.googlegroups.com... >I used the RRA Wizard and just configured it for LAN only and voila - > the passive ftp started working on the correct ports. If I added basic > firewall, alas, back to the same problem. > > It would be good to know what one can and can't configure in RRA if one > needs passive ftp with port range restriction > > Regards > Rick > > Bernard Cheah [MVP] wrote: >> what did you change in RRA ? >> ftp somehow related to RRA in certain why. i don't know the exact detail, >> but have seen some weird stuff with it >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "RSK" <ricksk@ozemail.com.au> wrote in message >> news:1157601957.440449.128210@e3g2000cwe.googlegroups.com... >> > >> > Nic Limper wrote: >> >> > I believe that's how it works. it will start at the begining of the >> >> > portrange and keep +1 >> >> >> >> That's how it *should* work. But note the subtile differences :-) It's >> >> not starting at the beginning of the portrange: it's always starting >> >> at >> >> 5001, regardless of what you enter for the portrange. And it's not >> >> counting until the end of the portrange, but it just keeps >> >> counting.... >> > >> > I solved the problem on my server by disabling the Windows Firewall and >> > configuring Routing and Remote Access - but watch out for the basic >> > firewall in RRA. I don't know why it works. Maybe the FTP server needs >> > it to correctly apply the PassivePortRange? >> > >
We had this issue in Server 2003 since September - October 2005, it
started happening after a "patch Tuesday". We use RRAS to configure routing, this is what caused the problem. After many hours of support, Microsoft Enterprise Platforms Support found the solution in disabling the FTP proxy of RRAS, which seems to have a new bug since last year: - Issue command: NETSH ROUTING IP NAT DELETE FTP - Restart RRAS service After these steps, it immediately started working normally. Today we have been configuring a new Windows 2003 server: same problem, same solution. Hope this helps, Berend
Wow! excellent details!
-- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Berend Engelbrecht" <b.engelbrecht@gmail.com> wrote in message news:OiMmtdX6GHA.4620@TK2MSFTNGP02.phx.gbl... > We had this issue in Server 2003 since September - October 2005, it > started happening after a "patch Tuesday". We use RRAS to configure > routing, this is what caused the problem. > > After many hours of support, Microsoft Enterprise Platforms Support > found the solution in disabling the FTP proxy of RRAS, which seems to > have a new bug since last year: > > - Issue command: NETSH ROUTING IP NAT DELETE FTP > - Restart RRAS service > > After these steps, it immediately started working normally. Today we > have been configuring a new Windows 2003 server: same problem, same > solution. > > Hope this helps, > > Berend > > > *** Sent via Developersdex http://www.developersdex.com ***
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |