topic Re: FTP - "Cant build Data Connection" Error in Operating System - HP-UX

FTP - "Cant build Data Connection" Error

Paul Condren — Fri, 16 Dec 2005 04:08:25 GMT

Morning all!

Ive been trying to ftp between two servers and am having a wierd experience. The transer works in one direction, but not the other.

ALthough I can log in with username and password, and cd to a directory, when I do the put it hangs for a few moments and then returns "Can't build data connection: connection timed out"

The network team are happy with the network and firewalls, and a ping also works. I foind it strange that this error only occors in one direction.

Out of 5 servers that the one server must send files to, 2 are having this issue and the other 3 are fine.

Any ideas please?

Thanks.

Re: FTP - "Cant build Data Connection" Error

Peter Godron — Fri, 16 Dec 2005 05:19:52 GMT

Paul,
I sssume your error code is 425.

This may be down to either:
1. Problem with access to port 20 and 21, due to firewall
The client attaches to port 21 on the server,who then opens a connection back to the client.

2. tcp problems
3. ftp software

Regards

Re: FTP - "Cant build Data Connection" Error

Matti_Kurkela — Fri, 16 Dec 2005 05:45:34 GMT

FTP is a tricky protocol to get through firewalls, because it requires several connections: the first is the control connection, which goes from the FTP client to the FTP server's port 21. This seems to work in your case.

The problem is with the data connections, which are used to transfer the files (or even the directory listings). The data connections have no specific ports, and in some cases the _server_ opens the data connection to the _client_.

See this page for more detail:
http://slacksite.com/other/ftp.html

Actually, even that description might not be entirely correct: it says that in active mode FTP, the server forms the data connection from port 20 of the server to a random port on the client, but a modern FTP servers MAY use a random port number at the server end too.

This means that the firewall MUST be able to read the FTP commands in the control connection to be able to properly handle all the possibilities.
This might require more configuration at the firewall, and the simplest firewalls might not be able to do it at all.

If the firewall is not aware of the FTP protocol, the network team should be able to make one of the FTP modes work for you by opening a more "loose" set of ports - and they should tell you which mode is allowed.

Re: FTP - "Cant build Data Connection" Error

Tvs — Fri, 16 Dec 2005 06:08:11 GMT

hi .

just try to create /usr/bin directory under the ftp home directory. and copy the nessasary executables like ls, cd, pwd and all to these directory

Re: FTP - "Cant build Data Connection" Error

Jesús Couto Fandiño — Fri, 16 Dec 2005 06:08:16 GMT

You can also try with passive mode FTP, if the servers support it. Passive changes the (weird) FTP convention of client connecting to port 21, then server connecting to client from port 20, for a more normal scheme where all connections start from the client.

Re: FTP - "Cant build Data Connection" Error

Paul Condren — Fri, 16 Dec 2005 06:09:45 GMT

I'm almost certain it is the firewalls.

Ive tested ftp to the server giving the error from another server in the dadacenter ant its workef fine, so its only the connection from one specific point thats the problem. Still strange that transfers in the oposite direction, thru the same firewalls work.

Re: FTP - "Cant build Data Connection" Error

rick jones — Mon, 19 Dec 2005 12:30:04 GMT

Paul - you have now experienced first hand why some folks - who aren't even "grey hats" do not like firewalls at all. If they aren't stateful they cannot deal with stuff like FTP transparantly, and if they are stateful, they tend to have limited state and so are unwilling to deal with long-lived connections.