Archived Forum Post


Question:

FTP EPSV with some Firewalls

Mar 09 '14 at 11:02

FTP stopped working after a new firewall was enabled. What could be the problem?


Answer

Most firewalls are deep inspection firewalls. This means they are protocol-aware, meaning they inspect the higher-level protocol messages (assuming they are not encrypted) for information about how to behave. Regarding the FTP protocol, when a passive data connection is to be established, the FTP server chooses the port and responds to the PASV command with the port number that the client should connect to. A deep inspection firewall is aware of it (assuming the control connection is not SSL/TLS encrypted) and temporarily allows for an incoming connection on the specific port from the specific client IP address.

The EPSV command is for "extended passive mode" -- it offers some advantages which I won't go into here because frankly, I'd need to refresh my memory. In any case, Chilkat will automatically use EPSV when an FTP server indicates that it is supported. However, some deep-inspection firewalls do not recognize the EPSV command (as they do for PASV) and therefore the data connection is blocked in some way.

The solution is to set the Ftp2.UseEpsv property = false after connecting to the FTP server.

In some cases, the data connection never gets established or is blocked and there is a timeout in trying to establish the connection. In other cases, the TCP data connection is actually established, but then (if using SSL/TLS) the firewall terminates the connection and the error from Chilkat is:

Failed to convert data connection to TLS
This confuses matters because it points to some sort of SSL/TLS problem, when in fact it is just the firewall "hanging up" on the client immediately after the connection is accepted.
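To make the firewall behaviour described in the answer concrete, here is an added Python example (not from the post and not Chilkat code) that parses the server's PASV (227) and EPSV (229) replies and models a deep-inspection firewall that only understands the 227 format. The sample replies and the firewall model are constructed for illustration.

```python
import re

# Constructed sample replies (not taken from the original post): what an FTP
# server sends back to PASV (RFC 959, reply 227) and to EPSV (RFC 2428, reply 229).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

# 227 carries host and port as six decimal bytes; 229 carries only the port,
# wrapped in delimiters. "|" is the usual delimiter; other characters are
# allowed by the RFC but are not handled by this simplified pattern.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it does not match."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply, control_host):
    """Return (host, port) from a 229 reply, or None if it does not match.

    EPSV names only the port; the data connection goes to the same host
    as the control connection, so the caller supplies that address."""
    m = EPSV_RE.search(reply)
    if not m:
        return None
    return control_host, int(m.group(1))


def pinhole_decision(reply, control_host, firewall_understands_epsv):
    """Model a deep-inspection firewall watching the (unencrypted) control channel.

    Returns the (host, port) it will temporarily allow inbound for the data
    connection, or None when it cannot parse the reply and therefore leaves
    the data port closed (the client then times out or is cut off)."""
    target = parse_pasv(reply)
    if target is None and firewall_understands_epsv:
        target = parse_epsv(reply, control_host)
    return target
```

With a firewall that does not understand 229, the EPSV reply yields no pinhole while the PASV reply for the same port does, which is the situation the answer resolves by forcing the client back to PASV.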