FTP cannot establish a data session in passive mode 04/27 Update SLTechnology News&Howtos

FTP cannot establish a data session in passive mode

2025-04-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

Problem description:

In Aliyun, the FTP server is built using WINDOWS IIS, using passive mode, the passive port is specified, and the command and data port of FTP has been released. In the actual use, it is found that the use of dedicated FTP clients (such as WinSCP, lftp, browser, etc.) is normal. When using the FTP command, you can log in to the FTP server, but you can not establish a FTP data connection, so you can not list and transfer data files. Tip: ftp: connect: Resource temporarily unavailable.

Analysis:

Through the packet capture and the returned information, it is found that the FTP server returns the data port number and the server IP address, but the server IP address is the private network IP, not the actual public network IP. In this case, the FTP client will initiate a data session establishment request to the private network IP, and will prompt ftp: connect: Resource temporarily unavailable when the route times out because the route is unreachable.

After testing, the FTP server runs in Aliyun's VPC, while VPC does not perform NAT conversion between public network IP and private network IP by default. However, the dedicated FTP client and browser can extract the FTP data port number and initiate a data session request to the source public network IP according to the returned data packet, so it can be seen that the traditional FTP command is still not "smart".

Solution:

IIS:

You can manually specify the public network IP on the FTP server. When the FTP server returns the passive mode data port, it will return the socket information with the specified public network IP. As follows:

Vsftpd:

For vsftpd under Linux, you need to add: pasv_address= public network IP.

Or turn off the security check in PASV mode, that is, pasv_promiscuous=YES, which ensures that the data connection and the control connection come from the same IP address. Open this option carefully. The only reasonable use of this option is in an organization consisting of secure tunneling schemes. The default is NO.

Note: when using pasv_address to specify the public network IP, you must change the listening IP address to IPv4, that is, listen=YES, otherwise vsftpd will return the wrong passive socket, such as: 227 Entering Passive Mode. . When you enable IPv4 addresses, you need to disable snooping for IPv6 addresses because the two are mutually exclusive.

Listen=YES # when specifying the public network IP address in passive mode, you can only listen when the IPv4 address listen_ipv6=NO # conflicts with listen. By default, you can listen to IPv6 address. When listening in IPv4, IPv6 must be disabled, otherwise vsftpd.service will not be able to start pasv_enable=YESpasv_min_port=8900pasv_max_port=8909pasv_address=47.95.120.253 # Public network IP address # pasv_addr_resolve=YES#pasv_promiscuous=YES when passive mode is specified

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.