stefanovs 0 Posted March 31, 2023

Using ICS 8.70 and the sample application OverbyteIcsSslFtpTst.dproj

FTP server is ProFTPD 1.3.5e Server (ProFTPD)

Getting this error when trying to upload a file.

LastResponse was : '425 Unable to build data connection: Operation not permitted'

With FileZilla everything is ok. If more info is needed?

Quote

    > PASV
    < 227 Entering Passive Mode (10,30,0,12,250,183).
    ! Upload Size 3,96K
    ! Passive connection requested to: 10.30.0.12:64183, control channel: 46.163.xx.xxx
    ! Suspicious LAN IP changed to control channel address
    > STOR img.png
    < 150 Opening ASCII mode data connection for img.png
    < 425 Unable to build data connection: Operation not permitted
    ! STOR Failed

Also, not sure why the log shows "ASCII mode" while "Binary mode" is checked.

Thanks

Angus Robertson 574 Posted March 31, 2023

Look at the IP addresses, totally different for control and data channels. Perhaps you are accessing FTP via a NAT router that can cause problems.

Angus

stefanovs 0 Posted April 3, 2023

The problem is that I do not have access/control to the FTP (owned by third party). His position is that if FileZilla can do it - it is possible. Download of files is ok, so it looks like it is a matter of settings at my side. Do you have any suggestions?

Angus Robertson 574 Posted April 3, 2023

Are you talking about Filezilla server or client? Both are quite clever in handling poorly implemented NAT routers provided they are configured correctly.

ICS knows there is a problem, thus the suspicious comment, but I can not advise you with the partial redacted log you supplied. Look at the FileZilla log and see what is different.

Angus

stefanovs 0 Posted April 3, 2023

As I said - I do not have access/control to the server. FileZilla client works fine.

Here is a log file from "OverbyteIcsSslFtpTst" (at the end there is GET first, which is ok, and then PUT, which fails)

Quote

    Winsock version 2.2
    WinSock 2.0
    Running
    Executing Requested Command
    < 220 ProFTPD 1.3.5e Server (ProFTPD) [10.30.0.12]
    Session Connected, error = 0
    Request 1 Done.
    StatusCode = 220
    LastResponse was : '220 ProFTPD 1.3.5e Server (ProFTPD) [10.30.0.12]'
    No error
    Command Success
    Executing Requested Command
    > AUTH TLS
    < 234 AUTH TLS successful
    ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    SSL handshake done, error #0 - SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    Request 48 Done.
    StatusCode = 234
    LastResponse was : '234 AUTH TLS successful'
    No error
    Command Success
    Executing Requested Command
    > USER **************
    < 331 Password required for **************
    Request 2 Done.
    StatusCode = 331
    LastResponse was : '331 Password required for **************'
    No error
    Command Success
    Executing Requested Command
    > PASS *************
    < 230 User ************** logged in
    Request 3 Done.
    StatusCode = 230
    LastResponse was : '230 User ************** logged in'
    No error
    Command Success
    Executing Requested Command
    > PBSZ 0
    < 200 PBSZ 0 successful
    Request 53 Done.
    StatusCode = 200
    LastResponse was : '200 PBSZ 0 successful'
    No error
    Command Success
    Executing Requested Command
    > PROT P
    < 200 Protection set to Private
    Request 52 Done.
    StatusCode = 200
    LastResponse was : '200 Protection set to Private'
    No error
    Command Success
    Executing Requested Command
    > PASV
    < 227 Entering Passive Mode (10,30,0,12,250,75).
    ! Passive connection requested to: 10.30.0.12:64075, control channel: 46.163.***.***
    ! Suspicious LAN IP changed to control channel address
    > RETR test.ini
    < 150 Opening ASCII mode data connection for test.ini (320 bytes)
    ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    SSL handshake done, error #0 - SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    < 226 Transfer complete
    ! 320bytes received/sent in 281 milliseconds
    Request 10 Done.
    StatusCode = 226
    LastResponse was : '226 Transfer complete'
    No error
    Command Success
    Executing Requested Command
    > PASV
    < 227 Entering Passive Mode (10,30,0,12,251,22).
    ! Upload Size 320
    ! Passive connection requested to: 10.30.0.12:64278, control channel: 46.163.***.***
    ! Suspicious LAN IP changed to control channel address
    > STOR test2.ini
    < 150 Opening ASCII mode data connection for test2.ini
    < 425 Unable to build data connection: Operation not permitted
    ! STOR Failed
    Request 18 Done.
    StatusCode = 425
    LastResponse was : '425 Unable to build data connection: Operation not permitted'
    Error = 425 (425 Unable to build data connection: Operation not permitted)
    Command Failure

and here is a log from FileZilla (sorry that some parts are in Bulgarian, but it is readable)

Quote

    Команда: USER ********
    Състояние: Връзка от тип TLS/SSL е установена.
    Отговор: 331 Password required for ********
    Команда: PASS ********
    Отговор: 230 User ******** logged in
    Команда: OPTS UTF8 ON
    Отговор: 200 UTF8 set to on
    Команда: PBSZ 0
    Отговор: 200 PBSZ 0 successful
    Команда: PROT P
    Отговор: 200 Protection set to Private
    Състояние: Връзката осъществена
    Състояние: Начало изтегляне /test.ini
    Команда: CWD /
    Отговор: 250 CWD command successful
    Команда: TYPE I
    Отговор: 200 Type set to I
    Команда: PASV
    Отговор: 227 Entering Passive Mode (10,30,0,12,250,90).
    Състояние: Сървърът изпрати пасивен отговор с немаршрутируем адрес. Използване адреса на сървъра.
    Команда: RETR test.ini
    Отговор: 150 Opening BINARY mode data connection for test.ini (320 bytes)
    Отговор: 226 Transfer complete
    Състояние: Успешно прехвърляне на файл
    Състояние: Начало на качване на D:\\test.ini
    Команда: PASV
    Отговор: 227 Entering Passive Mode (10,30,0,12,250,105).
    Състояние: Сървърът изпрати пасивен отговор с немаршрутируем адрес. Използване адреса на сървъра.
    Команда: STOR test.ini
    Отговор: 150 Opening BINARY mode data connection for test.ini
    Отговор: 226 Transfer complete
    Състояние: Успешно прехвърляне на файл

Angus Robertson 574 Posted April 3, 2023

Sorry, I can not see what host name or IP address either client connected with, only the LAN 10.xx.xx.xx address the passive connection is trying to use, and I assume the FTP server is not on your LAN so is incorrect. The FileZilla log may make some comment after the passive mode line, but not in a language I understand.

A public FTP server should never offer a private 10.xx or 192.168.xx address for a passive connection, it is incorrectly configured.

There may be an issue with the ftpFixPasvLanIP FOptions which is attempting to fix this problem, but without more logging or testing there is little I can do.

Angus

stefanovs 0 Posted April 3, 2023

Angus,

Thank you for your efforts to help me, I do appreciate it 🙂

Translation of FileZilla log is easy:

Quote

    Command: USER ********
    Status: TLS/SSL connection established.
    Answer: 331 Password required for ********
    Command: PASS ********
    Answer: 230 User ******** logged in
    Command: OPTS UTF8 ON
    Answer: 200 UTF8 set to on
    Command: PBSZ 0
    Answer: 200 PBSZ 0 successful
    Command: PROT P
    Answer: 200 Protection set to Private
    Status: Connection established
    Status: Starting to download /test.ini
    Command: CWD /
    Answer: 250 CWD command successful
    Command: TYPE I
    Answer: 200 Type set to I
    Command: PASV
    Answer: 227 Entering Passive Mode (10,30,0,12,250,90).
    Status: The server sent a passive response with a non-routable address. Using the server address.
    Command: RETR test.ini
    Answer: 150 Opening BINARY mode data connection for test.ini (320 bytes)
    Answer: 226 Transfer complete
    Status: Successful file transfer
    Status: Starting to upload D:\\test.ini
    Command: PASV
    Answer: 227 Entering Passive Mode (10,30,0,12,250,105).
    Status: The server sent a passive response with a non-routable address. Using the server address.
    Command: STOR test.ini
    Answer: 150 Opening BINARY mode data connection for test.ini
    Answer: 226 Transfer complete
    Status: Successful file transfer

"ftpFixPasvLanIP" is switched ON.

The server is in a different LAN from the client and is accessible through real IP, which is mentioned in the log (same IP used for control channel as a result of ftpFixPasvLanIP=YES): "control channel: 46.163.***.***"

I'm not sure what more information I can provide, just let me know.

Angus Robertson 574 Posted April 3, 2023

Well it seems ICS and FileZilla are both trying to compensate for the misconfigured server, the other difference in the logs is FileZilla has set binary mode, but you did not in ICS, perhaps the FTP server is giving a misleading error and does not like ASCII mode.

You could also try the better FTP sample OverbyteIcsXferTst.dpr, it will probably set binary automatically.

Angus
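
Added example, not part of the thread and not ICS or FileZilla code: it decodes the 227 replies seen in the logs above, substitutes the control-channel address when the server advertises an RFC 1918 host, and reads the transfer type out of the 150 reply. The function names, the substitution rule and the control address 203.0.113.10 are assumptions; the thread redacts the real address and does not show either client's exact condition.

```python
import ipaddress
import re

# RFC 1918 ranges: private addresses a public FTP server should not advertise.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
OPEN_RE = re.compile(r"^150 Opening (ASCII|BINARY) mode data connection for (\S+)")

def is_rfc1918(host):
    return any(ipaddress.ip_address(host) in net for net in RFC1918)

def parse_pasv(reply):
    """Decode a 227 reply into (host, port), where port = p1 * 256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_endpoint(reply, control_peer):
    """Keep the advertised port, but use the control-channel address when the
    server advertises an RFC 1918 host and the control peer is public
    (assumed rule; the thread does not show either client's exact condition)."""
    host, port = parse_pasv(reply)
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        return control_peer, port, True
    return host, port, False

def audit(server_replies, control_peer):
    """Report rewritten PASV endpoints and the transfer type in 150 replies."""
    findings = []
    for line in server_replies:
        opened = OPEN_RE.match(line)
        if line.startswith("227 "):
            findings.append(("pasv",) + data_endpoint(line, control_peer))
        elif opened:
            findings.append(("type", opened.group(2), opened.group(1)))
    return findings

# Replies copied from the ICS log in the thread; the control address is a
# constructed placeholder, because the thread redacts the real one.
SAMPLE = ["227 Entering Passive Mode (10,30,0,12,251,22).",
          "150 Opening ASCII mode data connection for test2.ini"]
CONTROL_PEER = "203.0.113.10"

if __name__ == "__main__":
    print(audit(SAMPLE, CONTROL_PEER))
```

On the sample, the ASCII finding is the one that differs from the FileZilla session, which sent TYPE I before PASV.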