Scenario

An Active FTP client in Azure cannot access a public FTP server.

Symptoms

An Active FTP client on an Azure VM fails when it connects to a public FTP server. The two scenarios below compare the working and non-working cases:

  • Azure VM Active FTP Client to an internal FTP server on a Private IP (Working)
  • Azure VM Active FTP Client to a Public FTP server (Non-working)

Scenario 1

Azure VM Active FTP Client to an internal FTP server on a Private IP (Working)

In the analysis below, 10.4.0.10 is the FTP server and 10.4.0.4 is the FTP client.

Client Trace

 

5652  7:35:18 AM 8/29/2018  15.8079315    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '220  Microsoft FTP Service'    {TCP:16, IPv4:15}
5653  7:35:18 AM 8/29/2018  15.8113846    10.4.0.4    10.4.0.10    FTP     FTP:Request from Port 49782,'OPTS UTF8 ON'  {TCP:16, IPv4:15}
5654  7:35:18 AM 8/29/2018  15.8119267    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '200  OPTS UTF8 command successful - UTF8 encoding now ON.'    {TCP:16, IPv4:15}
5739  7:35:24 AM 8/29/2018  21.0043544    10.4.0.4    10.4.0.10    FTP     FTP:Request from Port 49782,'USER anonymous'     {TCP:16, IPv4:15}
5740  7:35:24 AM 8/29/2018  21.0116889    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '331  Anonymous access allowed, send identity (e-mail name) as password.'   {TCP:16, IPv4:15}
5777  7:35:24 AM 8/29/2018  21.9511610    10.4.0.4    10.4.0.10    FTP     FTP:Request from Port 49782,'PASS '   {TCP:16, IPv4:15}
5778  7:35:24 AM 8/29/2018  21.9531281    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '230  User logged in.'    {TCP:16, IPv4:15}
5820  7:35:26 AM 8/29/2018  23.8842803    10.4.0.4    10.4.0.10    FTP     FTP:Request from Port 49782,'PORT 10,4,0,4,194,119'  {TCP:16, IPv4:15} 
// The client advertises 10.4.0.4 as its data IP; the data port is (194*256)+119, which is equal to 49783 (the DstPort of the data transfer in frame 5828).
5822  7:35:26 AM 8/29/2018  23.8855720    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '200  PORT command successful.'  {TCP:16, IPv4:15}
5826  7:35:26 AM 8/29/2018  23.8903879    10.4.0.4    10.4.0.10    FTP     FTP:Request from Port 49782, 'LIST'   {TCP:16, IPv4:15}
5827  7:35:26 AM 8/29/2018  23.8911353    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '125  Data connection already open; Transfer starting.'     {TCP:16, IPv4:15}
5828  7:35:26 AM 8/29/2018  23.8912029    10.4.0.10    10.4.0.4     FTP     FTP:Data Transfer To Client,DstPort = 49783,size = 452 bytes   {TCP:26, IPv4:15}
5831  7:35:26 AM 8/29/2018  23.8912187    10.4.0.10    10.4.0.4     FTP     FTP:Response to Port 49782, '226  Transfer complete.'  {TCP:16, IPv4:15}

Server Trace

135   7:35:18 AM 8/29/2018  11.2475846   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '220  Microsoft FTP Service'    {TCP:17, IPv4:16}
136   7:35:18 AM 8/29/2018  11.2515345   svchost.exe   10.4.0.4     10.4.0.10    FTP   FTP:Request from Port 49782,'OPTS UTF8 ON'  {TCP:17, IPv4:16}
137   7:35:18 AM 8/29/2018  11.2515828   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '200  OPTS UTF8 command successful - UTF8 encoding now ON.'    {TCP:17, IPv4:16}
183   7:35:24 AM 8/29/2018  16.4445764   svchost.exe   10.4.0.4     10.4.0.10    FTP   FTP:Request from Port 49782,'USER anonymous'     {TCP:17, IPv4:16}
184   7:35:24 AM 8/29/2018  16.4512790   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '331  Anonymous access allowed, send identity (e-mail name) as password.'   {TCP:17, IPv4:16}
190   7:35:24 AM 8/29/2018  17.3912786   svchost.exe   10.4.0.4     10.4.0.10    FTP   FTP:Request from Port 49782,'PASS '   {TCP:17, IPv4:16}
191   7:35:24 AM 8/29/2018  17.3927657   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '230  User logged in.'    {TCP:17, IPv4:16}
204   7:35:26 AM 8/29/2018  19.3248954   svchost.exe   10.4.0.4     10.4.0.10    FTP   FTP:Request from Port 49782,'PORT 10,4,0,4,194,119'  {TCP:17, IPv4:16}
Frame: Number = 204, Captured Frame Length = 77, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0D-3A-4D-62-32],SourceAddress:[74-83-EF-40-8E-EF]
+ Ipv4: Src = 10.4.0.4, Dest = 10.4.0.10, Next Protocol = TCP, Packet ID = 30703, Total IP Length = 63
+ Tcp: Flags=...AP..., SrcPort=49782, DstPort=FTP control(21), PayloadLen=23, Seq=1339072427 - 1339072450, Ack=2619344830, Win=8014 (scale factor 0x0) = 8014
- Ftp: Request from Port 49782,'PORT 10,4,0,4,194,119'
Command: PORT, Data port
CommandParameter: 10,4,0,4,194,119
206   7:35:26 AM 8/29/2018  19.3251174   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '200  PORT command successful.'  {TCP:17, IPv4:16}
209   7:35:26 AM 8/29/2018  19.3305505   svchost.exe   10.4.0.4    10.4.0.10    FTP   FTP:Request from Port 49782, 'LIST'   {TCP:17, IPv4:16}
210   7:35:26 AM 8/29/2018  19.3307801   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '125  Data connection already open; Transfer starting.'    {TCP:17, IPv4:16}
211   7:35:26 AM 8/29/2018  19.3308010   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Data Transfer To Client,DstPort = 49783,size = 452 bytes   {TCP:27, IPv4:16}
213   7:35:26 AM 8/29/2018  19.3309279   svchost.exe   10.4.0.10    10.4.0.4     FTP   FTP:Response to Port 49782, '226  Transfer complete.'  {TCP:17, IPv4:16}

Scenario 2

Azure VM Active FTP Client to a Public FTP server (Non-working)

 

Client trace 

81   7:41:37 AM 8/29/2018  3.1214190    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '220  Microsoft FTP Service'    {TCP:13, IPv4:12}
82   7:41:37 AM 8/29/2018  3.1279121    FTPCLIENT   137.117.91.58  FTP     FTP:Request from Port 49828,'OPTS UTF8 ON'  {TCP:13, IPv4:12}
83   7:41:37 AM 8/29/2018  3.1287496    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '200  OPTS UTF8 command successful - UTF8 encoding now ON.'    {TCP:13, IPv4:12}
168   7:41:41 AM 8/29/2018  6.8755964    FTPCLIENT   137.117.91.58  FTP     FTP:Request from Port 49828,'USER anonymous'     {TCP:13, IPv4:12}
169   7:41:41 AM 8/29/2018  6.8766400    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '331  Anonymous access allowed, send identity (e-mail name) as password.'   {TCP:13, IPv4:12}
184   7:41:42 AM 8/29/2018  7.5977630    FTPCLIENT   137.117.91.58  FTP     FTP:Request from Port 49828,'PASS '   {TCP:13, IPv4:12}
185   7:41:42 AM 8/29/2018  7.5989318    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '230  User logged in.'    {TCP:13, IPv4:12}
231   7:41:44 AM 8/29/2018  9.8514919    FTPCLIENT   137.117.91.58  FTP     FTP:Request from Port 49828,'PORT 10,4,0,4,194,165'  {TCP:13, IPv4:12}
// The client advertises 10.4.0.4 as its data IP; the data port is (194*256)+165, which is equal to 49829.
232   7:41:44 AM 8/29/2018  9.8519465    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '501  Server cannot accept argument.'    {TCP:13, IPv4:12}
233   7:41:44 AM 8/29/2018  9.8589455    FTPCLIENT   137.117.91.58  FTP     FTP:Request from Port 49828, 'LIST'   {TCP:13, IPv4:12}
234   7:41:44 AM 8/29/2018  9.8598090    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '150  Opening ASCII mode data connection.'     {TCP:13, IPv4:12}
235   7:41:44 AM 8/29/2018  9.8598090    137.117.91.58  FTPCLIENT   FTP     FTP:Response to Port 49828, '425  Cannot open data connection.'    {TCP:13, IPv4:12}

Server trace

17    7:41:37 AM 8/29/2018  1.5014622    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '220  Microsoft FTP Service'    {TCP:6, IPv4:5}
18    7:41:37 AM 8/29/2018  1.5086495    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828,'OPTS UTF8 ON'  {TCP:6, IPv4:5}
19    7:41:37 AM 8/29/2018  1.5087257    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '200  OPTS UTF8 command successful - UTF8 encoding now ON.'    {TCP:6, IPv4:5}
55    7:41:41 AM 8/29/2018  5.2562891    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828,'USER anonymous'     {TCP:6, IPv4:5}
56    7:41:41 AM 8/29/2018  5.2563694    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '331  Anonymous access allowed, send identity (e-mail name) as password.'   {TCP:6, IPv4:5}
59    7:41:42 AM 8/29/2018  5.9782492    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828,'PASS '   {TCP:6, IPv4:5}
60    7:41:42 AM 8/29/2018  5.9786165    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '230  User logged in.'    {TCP:6, IPv4:5}
93    7:41:44 AM 8/29/2018  8.2319499    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828,'PORT 10,4,0,4,194,165'  {TCP:6, IPv4:5}
Frame: Number = 93, Captured Frame Length = 77, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0D-3A-4D-62-32],SourceAddress:[12-34-56-78-9A-BC]
+ Ipv4: Src = 40.76.55.3, Dest = 10.4.0.10, Next Protocol = TCP, Packet ID = 10236, Total IP Length = 63
+ Tcp: Flags=...AP..., SrcPort=49828, DstPort=FTP control(21), PayloadLen=23, Seq=3303710432 - 3303710455, Ack=226272089, Win=8014 (scale factor 0x0) = 8014
- Ftp: Request from Port 49828,'PORT 10,4,0,4,194,165'
Command: PORT, Data port
CommandParameter: 10,4,0,4,194,165
94    7:41:44 AM 8/29/2018  8.2320384    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '501  Server cannot accept argument.'     {TCP:6, IPv4:5}
95    7:41:44 AM 8/29/2018  8.2393523    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828, 'LIST'   {TCP:6, IPv4:5}
96    7:41:44 AM 8/29/2018  8.2396166    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '150  Opening ASCII mode data connection.'     {TCP:6, IPv4:5}
97    7:41:44 AM 8/29/2018  8.2396381    svchost.exe   10.4.0.10    40.76.55.3     FTP   FTP:Response to Port 49828, '425  Cannot open data connection.'     {TCP:6, IPv4:5}

As the traces above show, the PORT command fails with “501 Server cannot accept argument” when the FTP site is accessed via its public IP address. The reason is that the source IP of the packet and the IP specified in the PORT command conflict, which is not the case when the site is accessed via its private IP or locally.

Solution

An Active FTP client on an Azure VM does not work when it accesses public FTP servers.

The reason is that the Virtual Machine itself (Guest OS) is not aware of its own public IP address.

When the packet reaches VFP, it is SNAT'd by the SLB layer, but the PORT command inside it still carries the private IP address that the Guest OS used, not the public IP of the VM (see frame 93).

 

The server rejects this request and sends 501 because the source IP at layer 3 and the IP in the PORT command are different.
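
The comparison described above can be reproduced from a server-side trace. The following is an added example, not part of the original article: it decodes each PORT argument and compares the advertised IP with the layer 3 source IP of the same frame, using frames 204 and 93 from the server traces above as input. The function names and the line-parsing approach are assumptions made for this illustration.

```python
import ipaddress
import re

# Frames 204 and 93 copied from the server traces above
# (private-IP path and public-IP path respectively).
SERVER_TRACE = """\
204   7:35:26 AM 8/29/2018  19.3248954   svchost.exe   10.4.0.4     10.4.0.10    FTP   FTP:Request from Port 49782,'PORT 10,4,0,4,194,119'  {TCP:17, IPv4:16}
93    7:41:44 AM 8/29/2018  8.2319499    svchost.exe   40.76.55.3    10.4.0.10     FTP   FTP:Request from Port 49828,'PORT 10,4,0,4,194,165'  {TCP:6, IPv4:5}
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PORT_RE = re.compile(r"'PORT (\d{1,3}(?:,\d{1,3}){5})'")


def decode_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    fields = [int(f) for f in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def audit_port_commands(trace):
    """Compare each PORT argument with the source IP of the frame carrying it."""
    findings = []
    for line in trace.splitlines():
        m = PORT_RE.search(line)
        if not m:
            continue
        # In a server-side trace line, the first dotted quad is the source IP.
        src = ipaddress.IPv4Address(IP_RE.search(line).group(0))
        advertised, port = decode_port_argument(m.group(1))
        findings.append({
            "frame": int(line.split()[0]),
            "source_ip": str(src),
            "advertised_ip": str(advertised),
            "data_port": port,
            "match": src == advertised,  # False is the 501 case (frame 94)
        })
    return findings


if __name__ == "__main__":
    for f in audit_port_commands(SERVER_TRACE):
        verdict = "consistent" if f["match"] else "MISMATCH (501 expected)"
        print(f"frame {f['frame']}: src {f['source_ip']} vs PORT "
              f"{f['advertised_ip']}:{f['data_port']} -> {verdict}")
```

The parser expects server-side trace lines, where the client appears as an IP address; in the Scenario 2 client trace the source column is the hostname FTPCLIENT, so the first dotted quad there would be the server.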