How to use the FTP Server or FTP Client log to troubleshoot problems:
Here I will explain my tips and tricks for diagnosing
FTP server problems by reading and interpreting
the logs from the server or the client. I will also teach you my tips and tricks
for testing an FTP site.
When configuring PASV mode, you should specify a port range of
ports 50000 to 50100 (50000 to 50049 for Serv-U FTP Server).
If PASV mode is not working correctly, then reading the FTP log
will tell you if this PASV port range is set properly.
When you look at your FTP log, you should see something like this:
227 Entering Passive Mode (xxx.xxx.xxx.xxx,195,127)
Connecting to xxx.xxx.xxx.xxx port 50047
If the number in bold (the port number, 50047 in this example) is not
between 50000 and 50100, then your PASV port range is not set correctly.
If you cannot see the number in bold, then use the following
equation to get that number:
X * 256 + Y = Number in bold.
The value X is the first number that appears after the IP address.
In this example, that number is 195.
The value Y is the second number that appears after the IP address.
In this example, that number is 127.
In this example:
227 Entering Passive Mode (xxx.xxx.xxx.xxx,195,127)
Connecting to xxx.xxx.xxx.xxx port 50047
195 * 256 = 49920 (195 multiplied by 256 is 49920)
49920 + 127 = 50047
The IP address replaced by the letter "x" above should
be your outside (WAN) IP address. Do not redirect PASV mode
to an internal (LAN) IP address.
Common mistake #2: Redirecting PASV mode to a LAN IP address
If you are getting a list error immediately after this part of the log,
and if the port number is within the range of 50000 to 50100, then that
means that the 50000 to 50100 port range is not being forwarded
in your router's settings.
If you are getting a:
"425 Cannot open data connection (10061)."
Or, if you are getting any error under PORT mode: (100xx)
Or, an "Error 530 Port command only accepts Client IP address"
error in your log when your FTP user is using PORT mode, then it
is usually the result of the person connecting to your FTP also being
behind a firewall/router. One sure way to fix this problem is using
PASV mode. If your FTP user has a spare 56k Internet connection that
he/she can use, try PORT mode again on the 56k connection.
Then it should work.
The error "Error 530 Port command only accepts Client IP address"
appears because the person connecting to your FTP is also
behind a firewall/router. The "Client IP address" it talks about should
be their OUTSIDE IP address.
Connecting to xxx.xxx.xxx.xxx port 21
Connection timed out
Delaying for 121 seconds before reconnect...
Aborting..
If your FTP user is getting a message like this in his/her log, then
that means that the port that the FTP server is running on is not
open, or that your FTP user is using the wrong IP address, or that
the FTP server is not running. This error is what your FTP user
will also get if you have not forwarded the port number that your
FTP server is running on in your router's settings. Your Internet
Service Provider can also cause this error message if they block
incoming traffic on port 21. Just try running your FTP server on a
port other than port 21, and avoid running it between ports
1024 - 4999.
Here is a website that has an FTP testing page that you can use
to obtain a log that you can then use to fix your problems.
http://www.gene6ftpserver.com/?page=ftptest&lang=en#result
Portforward.com has settings for almost every router.
You can use it to configure your router.
Click here to go to Portforward.com.
This link is valid as of January 17, 2005.
Is a port on your computer open, closed, or stealth?
Here is the website address for Gibson Research Corporation:
This link and the usage of their website described here is valid as of January 17, 2005.
Gibson Research Corporation is a security related website.
The "Shield's Up!" section of their website can be used
to see what ports on your computer are open or closed.
This way you can verify that the port that your FTP server is running
on is open. Here I will tell you how to do this.
When you get to the main page of their website, click on
"Shield's Up!"
Then on the next page, scroll down until
you see a smaller link for "Shield's Up!" Click on it.
Then click on the "Proceed" button.
After this, click on the "Common Ports" button.
This will get their website to scan your computer to see
which common ports are open or closed.
The default FTP port of 21 will be scanned.
If you are not running your FTP site on port 21, then here is what
you do to get them to scan that port.
Scroll down to one of the port numbers on the left and click on it.
Then, at the top of the screen where it says "Jump", enter the port
number that your FTP server is running on in the box next to the "Jump"
button, then click on the "Jump" button. Then click on the "Probe
this port" button.
If their test says that the port that your FTP server is running on is
open, then your FTP server is accessible to other people on the
Internet.
If their test says that the port that your FTP server is running on is
closed, then your FTP server is inaccessible to other people on the Internet.
If their test says that the port that your FTP server is running on is
stealth, then your FTP server is inaccessible to other people on the Internet.
Stealthed ports are usually caused by hardware and/or software firewalls.
To fix this problem, you should disconnect your router and try the test again.
If, after testing it again without the router connected, all of your ports are
still stealthed, then the cause is probably a software firewall.
If, after testing it again without the router connected, your ports are open
or closed, then the router is blocking the ports.
If some of your FTP ports show up as Stealthed, then you're probably
forwarding the port to a computer in your LAN which is not
running the FTP server. This problem is usually caused by the DHCP
server on a router when Static IP addresses are not defined for your
LAN under Windows.
Another online testing site is canyouseeme.org.
You can also use it to determine if your FTP site is blocked by a router/firewall.
Go to http://www.canyouseeme.org and try it.
If your FTP site is accessible to people on the Internet, it will tell you,
"Success: I can see your service".
If your FTP site is not accessible to people on the Internet, then it will
tell you,
"Error: I could not see your service".
Sometimes, this problem is caused by human error. Make sure that you
are forwarding the port to the computer that is running the FTP server.
Also, do not neglect to set up a Static IP address for your LAN under Windows.
Please refer to Step 1 of the tutorial, "What are the basic things that need to be done in order to get an FTP server working behind a router/firewall".