FTP issues after clients are connected via DirectAccess

  • Question

  • Hello,

    We have clients running Win 7/8 and 2012 DA.

    Everything is working, except that we cannot FTP to our Unix server.

    It allows us to log in, but no other command works; even "ls" gives this error:

    502 illegal eprt command 425              can't build data connection

    If we use our normal VPN, it works just fine.


    Friday, July 12, 2013 12:10 PM

All replies

  • Unfortunately FTP uses direct IPv4 communication when talking to its server, and as far as I know it will not work over DirectAccess. As you probably know, all client-side traffic from the laptops is always IPv6 on a DA connection. So if a program is using communication with direct IPv4 addresses, this traffic never makes it over the DA IPsec tunnels.
    Monday, July 15, 2013 3:08 PM
  • I understand the IPv4 limitation here, but I don't believe the statement "FTP uses direct IPv4 communication when talking to its server" is true.

    I have other FTPs which are working, just not to this Unix server.

    Jordan, is there a way, e.g. with Wireshark, that I can confirm this?

    Thanks in advance.

    Tuesday, July 16, 2013 7:00 AM
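    Added example, not code from this thread: a small Python diagnostic for the two posts above, the explanation that a DA client reaches the server over IPv6, and the question of how to confirm what is happening. It shows why the "502 illegal eprt command" / "425 can't build data connection" pair appears only after a successful login: an IPv4 client can announce its active-mode data socket with the legacy PORT command, but an IPv6 address cannot be expressed in PORT at all, so the client must send EPRT (RFC 2428), and a server that does not implement RFC 2428 rejects it with 502, leaving the following LIST with no data connection. The "C: " / "S: " transcript format and both sample sessions are constructed for this example (modelled on the error in the original post); `probe()` is the only function that touches a network and assumes a reachable FTP server and credentials.

```python
"""Diagnose an FTP data-channel failure from a control-channel transcript,
and optionally probe a live server to compare VPN and DirectAccess paths.
Transcript format and sample sessions are constructed for this example."""
import re
import socket
from ftplib import FTP, error_perm, error_temp
from ipaddress import ip_address

REPLY_RE = re.compile(r"^S: (?P<code>\d{3})[ -](?P<text>.*)$")
CMD_RE = re.compile(r"^C: (?P<verb>[A-Za-z]+)(?: (?P<arg>.*))?$")


def build_port_command(host, port):
    """Active-mode command a client sends to announce its data socket.
    An IPv4 socket fits the legacy PORT syntax (h1,h2,h3,h4,p1,p2); an IPv6
    address cannot be expressed in PORT, so the client must use EPRT
    (RFC 2428), which an older ftpd may answer with '502 illegal eprt command'."""
    if ip_address(host).version == 4:
        return "PORT " + ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])
    return f"EPRT |2|{host}|{port}|"


def parse_transcript(text):
    """Reduce a captured control channel to ('C', VERB, arg) / ('S', code, text)."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            events.append(("C", m.group("verb").upper(), m.group("arg") or ""))
            continue
        m = REPLY_RE.match(line.strip())
        if m:
            events.append(("S", int(m.group("code")), m.group("text")))
    return events


def diagnose(text):
    """Classify the data-channel outcome of a session transcript."""
    mode, last_cmd = "unknown", None
    rejected_eprt = data_failed = False
    for ev in parse_transcript(text):
        if ev[0] == "C":
            last_cmd = ev[1]
            if last_cmd in ("PORT", "EPRT"):
                mode = "active"
            elif last_cmd in ("PASV", "EPSV"):
                mode = "passive"
        else:
            code = ev[1]
            if last_cmd == "EPRT" and code in (500, 501, 502):
                rejected_eprt = True   # server does not implement RFC 2428
            elif code == 425:
                data_failed = True     # data connection never came up
    if rejected_eprt:
        return "server-rejects-eprt"
    if data_failed:
        return f"{mode}-data-connection-failed"
    return "no-data-channel-error"


def probe(host, user, password, passive=False, timeout=10):
    """Live check (needs a reachable server): report which address family the
    control connection used and whether LIST works in the requested data mode,
    so the same host can be compared over VPN and over DirectAccess."""
    ftp = FTP()
    result = {"family": None, "mode": "passive" if passive else "active",
              "list_ok": False, "error": ""}
    try:
        ftp.connect(host, 21, timeout=timeout)
        result["family"] = "IPv6" if ftp.af == socket.AF_INET6 else "IPv4"
        ftp.login(user, password)
        ftp.set_pasv(passive)  # on an IPv6 socket ftplib sends EPSV/EPRT itself
        ftp.retrlines("LIST", lambda _line: None)
        result["list_ok"] = True
    except (error_perm, error_temp) as exc:  # e.g. 502 illegal eprt / 425
        result["error"] = str(exc)
    finally:
        ftp.close()
    return result


# Constructed after the error in the original post: login succeeds, the IPv6
# client announces its data socket with EPRT, the server rejects it, and the
# following LIST has no data connection to use.
DA_ACTIVE_SESSION = """\
C: USER alice
S: 331 Password required for alice.
C: PASS secret
S: 230 User alice logged in.
C: EPRT |2|2001:db8:1::10|51234|
S: 502 illegal eprt command
C: LIST
S: 425 can't build data connection
"""

# Same client in passive mode: the server opens the listening side, so the
# client never has to announce an address at all.
DA_PASSIVE_SESSION = """\
C: USER alice
S: 331 Password required for alice.
C: PASS secret
S: 230 User alice logged in.
C: EPSV
S: 229 Entering Extended Passive Mode (|||60010|)
C: LIST
S: 150 Opening ASCII mode data connection for file list
S: 226 Transfer complete
"""
```

    To see the same thing on the wire from a DA client, capture port 21 and use a Wireshark display filter such as `ipv6 && tcp.port == 21` to confirm the control connection is IPv6, and `ftp.request.command == "EPRT" || ftp.response.code == 502` to spot the rejected announcement; `diagnose()` applied to the exported conversation gives the same verdict as on the constructed session, and `probe(host, user, password, passive=True)` tells you whether the server at least accepts a passive (EPSV) data connection from the DA side.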
  • I feel this is more like a firewall issue, but which one, on the direct access server?

    On the client machine the domain firewall is off, but public and private are on.

    Is there some DA consideration related to firewall?

    Tuesday, July 16, 2013 7:04 AM
  • Hi,

    Try these:

    • Be sure that you can access your FTP server by the name registered in your DNS
    • Check whether your DA gateway can access your FTP server: if the FTP ports are blocked between the DA gateway and your FTP server, it will not work for your DA clients

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Tuesday, July 16, 2013 8:07 AM
  • I am able to access FTP with the DNS name.

    I logged into FTP on the DA server; when I hit ls, it says command successful, but doesn't show any dir.

    I have done cd /dirname; it said 250 CWD command successful.

    There is no firewall between DA and this Unix server (Win firewall on DA is running).

    There is firewall for any connection coming from outside to our domain.

    Tuesday, July 16, 2013 10:06 AM
  • If DirectAccess is working to other resources, then your DA IPsec tunnels are flowing through to the DirectAccess server properly and any external firewall is not stopping your traffic.

    If you can hit the FTP service from the DirectAccess server, then there is not a firewall in between on the internal network (as you said) stopping the traffic, and a successful connection here shows that you have the correct route in your DirectAccess server's table for the packets to arrive. If packets can arrive from the DA server, they can arrive from the DA clients.

    If there was a firewall on the Unix server, that could potentially disrupt this, but typically not because in most DA installs the packets from the DA clients show up as coming from the internal IP address of the DA server, so the Unix server (if it had a firewall) would generally allow it anyway.

    I have always heard that FTP is a bugger with DirectAccess, because of the way it transmits packets. I'm actually a little surprised to hear you have it working to other FTP servers, because I didn't think that would work. Can you confirm that you are able to FTP over DirectAccess, ensuring that it is communicating over an IPv6 DA tunnel, and that it isn't somehow using an internet IPv4 connection directly? I could certainly be wrong about this, it's just what I've heard. I do DirectAccess all the time but honestly I don't see many folks using FTP in the wild anymore so I don't really run into it regularly.

    Tuesday, July 16, 2013 12:56 PM
  • Hello Jordan,

    Thanks for the detailed explanation.

    I am 100% sure that FTP works with DA.

    I have an FTP on Win 2003 IIS6; today I verified I can log in, ls, and copy a file.

    I tried with another Unix server and it did not work.

    Wednesday, July 17, 2013 7:25 AM