FTPS on IIS7 "Could not retrieve directory listing" error


26 replies to this topic

#1 atomicrabbit

    Neowinian

  • Joined: 14-June 07
  • Location: Canada

Posted 21 January 2011 - 21:19

I followed the tutorial from this page: Using FTP Over SSL

I'm using FTP 7.5 on IIS7 on a Windows Server 2008 machine. For testing purposes, I set it to "Allow SSL Connections", not "Required", and I can make the connection using SSL with WinSCP, but once connected I get the "Could not retrieve directory listing" error. If I log in using plain FTP (no SSL), it works fine. I also noticed that if I change the port bindings to a non-standard port (pretty much anything except 21) I get the same results, even with plain FTP. Is there something I'm missing?

I've allowed the FTP service (ftpsvc) and the appropriate ports in the Windows firewall, but the only thing that fully works is plain FTP using port 21.


#2 +BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 21 January 2011 - 21:46

FTP can be tricky -- is the client coming in with active or passive?

In active, the server makes the data connection back from source port 20 to the port the client gives; in passive, the server sends some port >1024 to the client to connect to. FTP through NAT can be a problem. With FTPS all traffic can be set to go through the SSL port, both control and data, which can remove some of the issues.

This is a great writeup on understanding how normal active and passive FTP work.

http://slacksite.com/other/ftp.html

Directory listings, etc. use the data port -- you telling the server to give you a listing is sent through the control port, which is 21 in standard FTP.

What router are you using? Many of them have helper applications that do some stuff in the background for FTP to work through NAT. With you connecting over some SSL port the helper might not see this -- you should be able to require the SSL stuff to use the same connection for both data and control.

#3 OP atomicrabbit

Posted 22 January 2011 - 02:15

The client (WinSCP) is using active, but I also tried passive with the same results, "Could not retrieve directory listing".

Also, the router is an Asus RT-N16 running the latest version of Tomato firmware.

How can I set it up so that the control and data traffic all goes through the SSL port?

And why is it that plain FTP using the standard port 21 works perfectly, but anything else (non-standard port + plain FTP, or FTPS + any port) does not work? I've never set up an FTP server in IIS before, but I have set up a few servers using Serv-U and never had this problem. I know that in the IIS console you can set a Data Channel port range, but specifying the port range (in IIS > FTP Firewall Support) and opening that range in the firewall and router doesn't seem to work. FYI, the default data port range in IIS FTP is 49152-65535.

#4 +BudMan

Posted 22 January 2011 - 03:44

OK, first things first: is this client you're testing with actually on the public side of your router?? Your client's not on the private LAN with the IIS server, and you're just hitting the public IP of your router?

You state that with active standard FTP, your client, which I'm going to assume is outside your router -- well, in active your server is making the connection out through your router back to the client -- no port forwards required.

If you're doing a NAT reflection thing where your client is on the same network as the server and you're hitting the public IP of your router, then all kinds of weird **** could be happening.

Let me fire up IIS on my server so I can run through that tutorial of yours, etc.

#5 OP atomicrabbit

Posted 22 January 2011 - 04:01

Yes, with active standard FTP, the client (on the public side of the router) is able to connect and fully interact with the FTP server. The firewall on the server has ftpsvc allowed, and port 21 is forwarded on the router.

#6 sc302

    Neowinian Senior

  • Tech Issues Solved: 36
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 22 January 2011 - 06:23

This seems to cover a bit more than that article you posted:
http://learn.iis.net...ewall-settings/

#7 +BudMan

Posted 22 January 2011 - 14:38

What I would do as a quick test is turn off the firewall on the server. You're behind a NAT; unless you have hostiles on your local LAN, the software firewall is not much more than a PITA ;)

#8 OP atomicrabbit

Posted 22 January 2011 - 16:40

Tried turning the Windows firewall off -- same error from the client. It connects, but then I get the 'could not retrieve directory listing' error.

And thanks sc302, I'm looking through that link now to see if there's some info to help fix my problem.

#9 +BudMan

Posted 22 January 2011 - 17:32

It's quite possible your NAT router does not have a helper, or it is broken?

You state active FTP works; does passive? If your router does not have a helper, or it is broken, then you would need to forward the ports your FTP server would use for passive connections. And you would have to make sure the FTP server hands out the public IP vs. its local IP.

Again, the way the FTP protocol works can be a bit of a pain to get working through NAT, etc. And then you have to take into account possible NAT on the client side as well.

Did you read the article I linked to that explains how FTP passive and active work? This will give you info to troubleshoot your problem.

Without actually looking at it, or even seeing the logs -- can you post up the log from your client? So for example, when connecting to an FTP server in active mode you see this.

So this is an active connection to FTP on my local network.

Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is your current location
Getting current directory name.
Retrieving directory listing...
TYPE A
200 TYPE is now ASCII
PORT 192,168,1,100,32,170
200 PORT command successful
LIST -a
150 Connecting to port 8362
226-Options: -a -l
226 20 matches total
Directory listing successful

See the PORT command there: the client told the server to connect to my client IP at 192.168.1.100 on port 32*256+170, or 8362.

Now in a passive connection.

Getting current directory name.
Retrieving directory listing...
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (192,168,1,99,13,242)
LIST -a
150 Accepted data connection
226-Options: -a -l
226 20 matches total
Directory listing successful

The FTP server tells the client to connect to it at 192.168.1.99 on port 13*256+242, or 3570.

In this case, if the client was behind a NAT, being told to connect to a private IP would be pointless; and does the NAT router on the server side forward port 3570 to the server?

Please post up the logs of your connection from the client -- on the PASV connect you need to look to see what the client is seeing. Is it the public IP? What port? Is that port forwarded on your router?

These commands are sent through the control channel -- so if your control channel is encrypted (an option when using FTPS), then the helper might not be able to change the private IP to the public one, nor will it be able to read the port it needs to open.

Now keep in mind you can have NAT on both sides, which could cause problems even with an active connection -- the server is creating the connection from source port 20 to the client. If that client is behind a NAT, the router needs to forward that traffic -- normally it does this through a helper service for FTP, etc.

But without seeing the logs of your connections it's hard to know where your problem is.

#10 +BudMan

Posted 22 January 2011 - 18:20

Seems I missed my edit window ;)

Edit: Another thing I would do is verify that all the modes you want to use are working from a local machine connecting to the local IP of the server. If it all works that way, then it points to a problem on your router: in the forwards (or lack of), or its FTP helper, etc.

I just got IIS and the FTP installed and am taking a look at it now, so I can point you to exactly what could be the issue. But again, a test from a local machine and logs from a client outside your router would be most helpful in tracking down the root of your issue.

Edit: OK, a couple of things in that guide are already F'd up..

They clearly state this -

Make sure that the Allow SSL option is selected.

But then in the recap they state:
You chose to require Secure Sockets Layer (SSL) for the FTP site, and selected your SSL certificate.

And setting the server to only listen on the loopback -- because you will use the administrator account later?? That's just nonsense -- if you're going to want to use the FTP from any box other than the server, then you're going to have to listen on that box's IP address..

Well, I set it to Required and picked my SSL cert -- but I take it from the fact that you are using it without that, that you did not select Required?

Edit: OK, following that guide I can not even get a local SSL connection working. So like I said before, test that locally before you try from outside your router. Looking into why the SSL is not working.

#11 OP atomicrabbit

Posted 22 January 2011 - 19:33

OK, here are the logs...

FTP (active) -- this works
. 2011-01-21 20:51:33.038 Using FTP protocol.
. 2011-01-21 20:51:33.041 Doing startup conversation with host.
> 2011-01-21 20:51:33.044 PWD
< 2011-01-21 20:51:33.130 257 "/" is current directory.
. 2011-01-21 20:51:33.133 Getting current directory name.
. 2011-01-21 20:51:33.137 Retrieving directory listing...
> 2011-01-21 20:51:33.137 TYPE A
< 2011-01-21 20:51:33.212 200 Type set to A.
> 2011-01-21 20:51:33.213 PORT 192,168,1,77,253,128
< 2011-01-21 20:51:33.303 200 PORT command successful.
> 2011-01-21 20:51:33.303 LIST -a
< 2011-01-21 20:51:33.386 125 Data connection already open; Transfer starting.
< 2011-01-21 20:51:33.405 226 Transfer complete.
. 2011-01-21 20:51:33.718 Directory listing successful
. 2011-01-21 20:51:33.718 Startup conversation with host finished.
. 2011-01-21 20:51:33.793 Disconnected from server

FTP (passive) -- this works. XXX,XXX,XXX,XXX is the public IP of the server.
. 2011-01-22 14:04:45.661 Using FTP protocol.
. 2011-01-22 14:04:45.664 Doing startup conversation with host.
> 2011-01-22 14:04:45.666 PWD
< 2011-01-22 14:04:45.703 257 "/" is current directory.
. 2011-01-22 14:04:45.706 Getting current directory name.
. 2011-01-22 14:04:45.710 Retrieving directory listing...
> 2011-01-22 14:04:45.710 TYPE A
< 2011-01-22 14:04:45.738 200 Type set to A.
> 2011-01-22 14:04:45.738 PASV
< 2011-01-22 14:04:45.771 227 Entering Passive Mode (XXX,XXX,XXX,XXX,207,225).
> 2011-01-22 14:04:45.771 LIST -a
< 2011-01-22 14:04:45.802 150 Opening ASCII mode data connection.
< 2011-01-22 14:04:46.252 226 Transfer complete.
. 2011-01-22 14:04:46.256 Directory listing successful
. 2011-01-22 14:04:46.256 Startup conversation with host finished.

FTPS (active) -- connects but craps out when using the data channel
. 2011-01-21 20:52:07.491 Using FTP protocol.
. 2011-01-21 20:52:07.494 Doing startup conversation with host.
> 2011-01-21 20:52:07.497 PWD
< 2011-01-21 20:52:07.578 257 "/" is current directory.
. 2011-01-21 20:52:07.581 Getting current directory name.
. 2011-01-21 20:52:07.585 Retrieving directory listing...
> 2011-01-21 20:52:07.585 TYPE A
< 2011-01-21 20:52:07.662 200 Type set to A.
> 2011-01-21 20:52:07.663 PORT 192,168,1,77,253,142
< 2011-01-21 20:52:07.747 501 Server cannot accept argument.
. 2011-01-21 20:52:07.747 Could not retrieve directory listing
. 2011-01-21 20:52:07.751 Retrieving directory listing...
> 2011-01-21 20:52:07.752 TYPE A
< 2011-01-21 20:52:07.827 200 Type set to A.
> 2011-01-21 20:52:07.827 PORT 192,168,1,77,253,143
< 2011-01-21 20:52:07.913 501 Server cannot accept argument.
. 2011-01-21 20:52:07.913 Could not retrieve directory listing
* 2011-01-21 20:52:07.913 (ECommand) Error listing directory '/'.
* 2011-01-21 20:52:07.913 Could not retrieve directory listing
* 2011-01-21 20:52:07.913 Server cannot accept argument.
. 2011-01-21 20:52:10.261 Startup conversation with host finished.

FTPS (passive) -- connects but craps out when using the data channel. 192,168,1,9 is the internal server IP.
. 2011-01-21 20:50:04.525 Using FTP protocol.
. 2011-01-21 20:50:04.528 Doing startup conversation with host.
> 2011-01-21 20:50:04.531 PWD
< 2011-01-21 20:50:04.617 257 "/" is current directory.
. 2011-01-21 20:50:04.620 Getting current directory name.
. 2011-01-21 20:50:04.624 Retrieving directory listing...
> 2011-01-21 20:50:04.624 TYPE A
< 2011-01-21 20:50:04.703 200 Type set to A.
> 2011-01-21 20:50:04.809 PASV
< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).
> 2011-01-21 20:50:04.809 LIST -a
< 2011-01-21 20:50:04.870 150 Opening ASCII mode data connection.
. 2011-01-21 20:50:19.103 Timeout detected.
. 2011-01-21 20:50:19.171 Could not retrieve directory listing
* 2011-01-21 20:50:19.188 (ESshFatal) Lost connection.
* 2011-01-21 20:50:19.188 Timeout detected.
* 2011-01-21 20:50:19.188 Could not retrieve directory listing
* 2011-01-21 20:50:19.188 Opening ASCII mode data connection.
* 2011-01-21 20:50:19.188 Error listing directory '/'.

So as you can see, all the ports are within the server's default data channel port range of 49152-65535. For testing purposes, I forwarded that entire range from the server's router to the server.

EDIT:
And yes, I did notice a lot of inconsistencies in the tutorial. I currently have the server set to "Allow SSL connections", not "Require", for testing purposes. Once I have FTPS set up correctly and working, I will set it to "Require". The cert I used is a self-signed certificate I created on the server. As I said in an earlier post, I can make the SSL connection (the client sees the certificate and can accept it), but the data channel is non-responsive.

I will test locally now and report back.

#12 +BudMan

Posted 22 January 2011 - 19:52

OK, for starters, there is NO freaking possible way this would work from outside your router without a helper at work.

You say this works.. FTP active:

PORT 192,168,1,77,253,128

But you just told your server to connect to a private IP, 192.168.1.77 -- so your FTP helper must be changing the IP that the server sees in that command to your client's public IP.

Same goes for the passive connection -- you say your client is seeing a public IP.. Well, how would your server send that public IP?? It's behind a NAT; did you specify the public IP address it should send in the passive setup? If not, then: helper at work!

Now with your control channel being encrypted -- it's impossible for the helper to change this stuff, cuz it does not see it.

So see here in the FTPS passive:

< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).

So now your client sees a PRIVATE IP, 192.168.1.9, to connect to, not the public one like in the normal FTP passive connection -- so no **** your client would not be able to connect.

And in the FTPS ACTIVE connection you're still seeing the
PORT 192,168,1,77,253,142

But this time the helper on your router can not fix it up, since it's encrypted -- so your server tries to connect to 192.168.1.77 on port 64910 -- that sure as hell would not work ;)

Edit: quick question, what version of WinSCP are you using?? I'm having trouble with it connecting using either FTPS implicit or explicit modes.. but the FileZilla client connects fine with FTPES -- not liking FTPS at all either.. Did you set up your client to trust your server's CA on that self-signed cert or something?

Edit: seems there are some issues with the 4.3.1 beta that I'm using and FTPS and FTPES

http://winscp.net/fo...opic.php?t=9099
Topic "SSL_connect: error in SSLv3 read server hello B"

You must be using an older version, 4.2.9? Cuz I can not get either to work with WinSCP even just locally.. Think I will fire up old faithful FileZilla server and see if WinSCP is truly broken or it's an IIS thing?
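
The PORT/PASV arithmetic BudMan walks through in post #9, applied to WinSCP log lines like the ones the OP posted in #11 and BudMan picks apart in #12, as an added example that is not part of the thread and not code from WinSCP, IIS or Tomato. The log lines are constructed copies of the posted ones; the OP's masked public address is replaced with the documentation address 203.0.113.10 (an assumption, so the line parses), "private" is taken to mean the RFC 1918 ranges, and the 49152-65535 range is the IIS default the OP quoted. It decodes each announced data channel endpoint and says whether a peer on the far side of a NAT could reach it, which is exactly the check BudMan asks for: a private address on an encrypted control channel has no helper to fix it.

```python
import ipaddress
import re

# Constructed WinSCP-style log lines, modelled on the ones posted in this
# thread. The OP masked the server's public address as XXX; 203.0.113.10
# (a documentation address) is substituted here purely so the line parses.
SAMPLE_LOG = """\
> 2011-01-21 20:51:33.213 PORT 192,168,1,77,253,128
< 2011-01-22 14:04:45.771 227 Entering Passive Mode (203,0,113,10,207,225).
< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).
> 2011-01-21 20:52:07.663 PORT 192,168,1,77,253,142
"""

# RFC 1918 ranges: an address in one of these only means something inside the
# LAN that owns it, so a peer on the far side of a NAT cannot connect to it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default IIS FTP 7.5 data channel port range, as quoted in the thread (assumed
# to be the range that was forwarded on the server-side router).
DATA_PORT_RANGE = (49152, 65535)

PORT_RE = re.compile(r"\bPORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"\b227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six FTP fields h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_log(text):
    """Extract every data channel endpoint announced on the control channel.

    Returns a list of (sender, mode, ip, port): the client announces its own
    endpoint with PORT (active mode); the server announces its own in the 227
    reply to PASV (passive mode).
    """
    endpoints = []
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            endpoints.append(("client", "active") + decode_hostport(m.groups()))
            continue
        m = PASV_RE.search(line)
        if m:
            endpoints.append(("server", "passive") + decode_hostport(m.groups()))
    return endpoints


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def diagnose(endpoints, data_port_range=DATA_PORT_RANGE):
    """Say, per endpoint, whether a peer across the NAT could actually connect.

    A private address only works if a NAT helper rewrites it on the way out,
    and a helper can only read the command when the control channel is
    cleartext. Over FTPS the control channel is encrypted, so a private
    address here means the data connection goes nowhere, which is the
    'Could not retrieve directory listing' symptom in the thread.
    """
    low, high = data_port_range
    report = []
    for sender, mode, ip, port in endpoints:
        if is_rfc1918(ip):
            verdict = (f"{sender} advertised private {ip}:{port} ({mode}); unreachable "
                       "across NAT unless a cleartext-FTP helper rewrites it, "
                       "which cannot happen over FTPS")
        elif sender == "server" and not low <= port <= high:
            verdict = (f"server advertised {ip}:{port} outside the forwarded data "
                       f"port range {low}-{high}")
        else:
            verdict = f"{sender} advertised routable {ip}:{port} ({mode}); ok if that port is forwarded"
        report.append((sender, mode, ip, port, verdict))
    return report


if __name__ == "__main__":
    for entry in diagnose(parse_log(SAMPLE_LOG)):
        print(*entry[:4], "->", entry[4])
```

Run against the constructed lines it reproduces BudMan's reading: the two PORT commands decode to 192.168.1.77 on 64896 and 64910, the plain-FTP PASV reply to a routable address on 53217, and the FTPS PASV reply to the private 192.168.1.9 on 59706, the one the client could never reach. Pointing it at a real WinSCP log file (the lines are the same shape) is a quick way to see what the server is actually advertising before touching router forwards.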

#13 OP atomicrabbit

Posted 22 January 2011 - 20:04

Yes :blush: I noticed this after posting them and seeing them all in the post above.

I'm trying to look into disabling the FTP helper on the router. Both the client's router and the server's router are running Tomato.

#14 OP atomicrabbit

Posted 22 January 2011 - 20:40

I'm using the latest stable version of WinSCP, 4.2.9.

And I can successfully connect using FTP/FTPS locally using WinSCP.

Also, in WinSCP from the client computer, I get this warning:
[screenshot of the WinSCP certificate warning; image not included in the extracted page]

If I click Yes or No, it will accept the certificate.

#15 +BudMan

Posted 22 January 2011 - 20:44

Yup, FileZilla and WinSCP 4.3.1 work just fine with all modes, be it FTPS or FTPES, SSL or TLS, etc..

And you have much more control in FileZilla server btw ;) hehehe. You can easily set it to send the public IP vs. the private one for passive connections. It listens on the correct FTPS port out of the box, i.e. 990..

What ties you to IIS?? I would suggest using FileZilla server -- FREE as well, and to be honest it has many more features than the FTP server that is part of IIS.

1.2.9 ??? You mean 4.2.9 ;)

BTW -- you understand your issue now, don't you?? Your control channel is encrypted when using FTPS -- so your router helper is not working.. So if you want to use FTPS through your router, you're going to have to get the server to send the right IP when in passive mode.

And in active mode on a client behind a NAT, you're going to have to make sure it sends its public IP, cuz if encrypted his helper is prob not going to work either.

Like I said, FTP can be fun through NAT ;) hehehehe

To be honest I would use SFTP -- it's 1 PORT ;) so you only have to worry about the 1 NAT inbound.. All traffic goes over the 1 port, not like FTP with active or passive and the different data port.. Now throw SSL into the mix and you have new ports: 990 and, I believe, 998 for FTPS data encryption..

Just set up SFTP ;) (FTP over SSH)