adamt-0945 asked · MotoX80 commented · 0 Votes

Bizarre Issue with FTP - IIS 7.5

Hi,

A bit of a complex situation here but I'll try to simplify it as much as I can.

Environment:

  • 2x servers (SVR01 & SVR02) sitting behind an external firewall. Both with the same FTP config.

  • External Public IP mapped to internal IP. All Ports are forwarded (DNAT'd).

  • FTP installed configured with IIS 7.5.

  • FTP ports:
    • Incoming = 990

    • Outgoing = 989

  • FTP access is IP restricted to 5 public (static) source IP addresses.

  • SSL enabled, using a wildcard certificate.

Problem is, out of the 5 source IP addresses allowed access, we have one specific one having a problem connecting to FTP. And to make it even more bizarre, they can connect to SVR01, but not SVR02.

They get past the firewall, connect to SVR02 and get the below, which is odd because SVR01 has the exact same config. Yes, I have googled that error below and most say the certificate needs to be configured at both the global (server) level and FTP site level in IIS, which has been done.
"Error reading secure data from server. Connection Lost"

All other source IPs can connect to both SVR01 and SVR02 without any issues whatsoever. I'm completely lost for options here.

They are using Core FTP client as all the newer clients aren't compatible with IIS 7.5 when it comes to file transfer.

Any help appreciated.

Thanks

windows-server-iis

Are both servers using the exact same certificate?

Anything interesting in the FTP logs? Or system/security/application event logs? You might have to run a network trace to see if a packet is getting dropped somewhere.


"They are using Core FTP client as all the newer clients aren't compatible with IIS 7.5 when it comes to file transfer."

I find that comment surprising. I don't think that anything has really changed in FTP/FTPS in decades. Have the client try the FileZilla software just to see if it can connect. You might get a different error message that could help you solve the problem.

1 Vote 1 ·

Hi MotoX, thanks for replying.

Yes both servers are using the exact same certificate.

Yes, I found it strange as well regarding FileZilla not being able to fully function, up until I came across a few articles which described the issue, and most recommended using Core FTP LE.

0 Votes 0 ·

You can set the Filezilla debug level to get more information.

[Screenshots attached: capture.jpg (39.1 KiB), capture1.jpg (57.8 KiB)]

0 Votes 0 ·

Below is the output for when we enabled debugging on FileZilla. Does that mean TLS needs to be reconfigured somehow? Sorry, but some of this is beyond me unfortunately and I can't make sense of it.

[Screenshot attached: image.png (34.6 KiB)]

0 Votes 0 ·
MotoX80 answered · 0 Votes

I think that you have something misconfigured in your network routing. You should see FTP responses from the server. That's before TLS is ever negotiated. Add a welcome message and look for it in the trace.

Also check your firewall settings. Make sure that you log dropped packets, then check c:\windows\System32\LogFiles\Firewall\pfirewall.log

Here's how I set up my FTP site.

[Screenshots attached: capture.jpg (31.0 KiB), capture1.jpg (35.1 KiB), capture2.jpg (27.3 KiB), capture3.jpg (62.3 KiB)]
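The "log dropped packets, then check pfirewall.log" step above is easier to act on with a small parser than by eyeballing the file. The PowerShell below is an added example, not code posted by anyone in this thread; it assumes dropped-packet logging is enabled for the active firewall profile, that the log carries the standard `#Fields:` header Windows writes, and it uses a constructed sample log (documentation-range addresses, made-up timestamps) so it runs without touching the real server. The ports 990/989 come from the question; the client IP in the final commented call is a placeholder.

```powershell
# Added example (not from the thread): summarise DROP entries in the Windows
# Firewall log for the FTP ports from the question, optionally for one source IP.
# Assumes dropped-packet logging is on and the log has the standard #Fields header.

function Get-FirewallDrops {
    param(
        [string]   $LogPath  = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log',
        [string[]] $Ports    = @('990', '989'),   # FTP ports from the question
        [string]   $SourceIp = ''                 # leave empty for all sources
    )

    # Field order taken from the "#Fields:" header of pfirewall.log
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
              'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

    Get-Content -Path $LogPath |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # Turn one whitespace-separated row into an object with named fields
            $parts = $_ -split '\s+'
            $row = New-Object PSObject
            for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) {
                $row | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $parts[$i]
            }
            $row
        } |
        Where-Object {
            # Only DROP rows that touch the FTP ports survive; ICMP rows have '-' as
            # port and therefore never match, as do drops on unrelated ports.
            $_.action -eq 'DROP' -and
            ($Ports -contains $_.'dst-port' -or $Ports -contains $_.'src-port') -and
            ($SourceIp -eq '' -or $_.'src-ip' -eq $SourceIp)
        }
}

# Constructed sample log (addresses and times are made up for this example)
$sample = Join-Path $env:TEMP 'sample-pfirewall.log'
@'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-06-01 09:15:02 ALLOW TCP 203.0.113.10 10.0.0.12 49712 990 0 - 0 0 0 - - - RECEIVE
2021-06-01 09:15:05 DROP TCP 203.0.113.25 10.0.0.12 51120 990 52 S 3811220000 0 8192 - - - RECEIVE
2021-06-01 09:15:06 DROP TCP 203.0.113.25 10.0.0.12 51121 990 52 S 3811220001 0 8192 - - - RECEIVE
2021-06-01 09:15:09 DROP ICMP 203.0.113.25 10.0.0.12 - - 60 - - - - 8 0 - RECEIVE
2021-06-01 09:15:11 DROP TCP 198.51.100.7 10.0.0.12 40211 3389 52 S 1100000000 0 8192 - - - RECEIVE
'@ | Set-Content -Path $sample

# Count drops per (source IP, destination port) in the sample
Get-FirewallDrops -LogPath $sample |
    Group-Object 'src-ip', 'dst-port' |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Against the real log on SVR02, for the one client that cannot connect (placeholder IP):
# Get-FirewallDrops -SourceIp '<client-public-ip>' |
#     Format-Table date, time, protocol, 'src-ip', 'src-port', 'dst-port', path -AutoSize
```

If the failing client's public IP never shows up as a DROP on SVR02 while the connection still dies, the Windows Firewall is not the layer eating the packets and the network trace MotoX80 suggests is the next step; if it does show up, the path column (RECEIVE vs SEND) tells you which direction is being blocked.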

adamt-0945 answered · MotoX80 commented · 0 Votes

A quick update on this. The network engineers have come back and ruled out any issues on the firewall. FYI the server is sitting behind a third party (NAT) firewall.

All source IPs have been allowed and they are now certain it's to do with the TLS handshake on the server.

So keeping in mind SVR01 works OK but SVR02 doesn't, is there a way of comparing the TLS versions/level on both servers to see if they are different?

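One way to answer the "compare the TLS versions on both servers" question without a GUI tool: read the Schannel protocol registry values on each host and diff them, then do a client-side handshake against each server with one TLS version at a time so you see which versions each one actually accepts and the exact error when one fails. The script below is an added example, not code from anyone in this thread. It assumes WinRM is enabled on SVR01 and SVR02 (for Invoke-Command), that it is run from an admin workstation with PowerShell 3+/.NET 4.5+ by an account with admin rights on both servers, and that the FTP site is implicit TLS on 990 as the question describes (the handshake starts right after the TCP connect; on an explicit-TLS site the server sends a banner first and this probe would not apply).

```powershell
# Added example (not from the thread): compare Schannel server-side protocol
# settings on both FTP hosts and probe which TLS versions each accepts on 990.
# Assumptions: WinRM reachable on SVR01/SVR02, admin rights on both, implicit TLS on 990.

function Get-SchannelServerProtocols {
    param([string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
        foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
            $key = Join-Path $base "$proto\Server"
            $props = $null
            if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
            # A missing key or value means the OS default applies; report it as 'default'
            $enabled = 'default'; $disabledByDefault = 'default'
            if ($props -and $props.PSObject.Properties['Enabled'])           { $enabled = $props.Enabled }
            if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Test-TlsHandshake {
    param(
        [string] $Server,
        [int]    $Port = 990,
        [System.Security.Authentication.SslProtocols] $Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Accept any certificate here: the point is to see whether the handshake
        # completes at all for this protocol version, not to validate the wildcard cert.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        New-Object PSObject -Property @{
            Server = $Server; Requested = $Protocol; Result = 'OK'
            Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm
            Detail = $ssl.RemoteCertificate.Subject
        }
    } catch {
        # The innermost exception carries the Schannel/socket reason for the failure
        New-Object PSObject -Property @{
            Server = $Server; Requested = $Protocol; Result = 'FAIL'
            Negotiated = $null; Cipher = $null
            Detail = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

# 1. Registry comparison: rows marked <= exist only on SVR01, => only on SVR02;
#    no output at all means the Schannel server settings are identical.
$settings = Get-SchannelServerProtocols -ComputerName 'SVR01', 'SVR02'
$svr01 = $settings | Where-Object { $_.PSComputerName -eq 'SVR01' }
$svr02 = $settings | Where-Object { $_.PSComputerName -eq 'SVR02' }
Compare-Object $svr01 $svr02 -Property Protocol, Enabled, DisabledByDefault

# 2. Live handshake probe, one protocol version at a time, against both servers
$results = foreach ($srv in 'SVR01', 'SVR02') {
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake -Server $srv -Protocol $p
    }
}
$results | Format-Table Server, Requested, Result, Negotiated, Cipher, Detail -AutoSize
```

Run the probe from the failing client's network if you can: a version that succeeds from your workstation but fails from that client points at something between the two (the third-party NAT firewall, or a client-side protocol restriction) rather than at the server; a version that fails from everywhere only on SVR02 is a server difference, and the registry diff should show it.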

Did you add a welcome message as I suggested? Do you see any trace entries labeled "Response:"?

Temporarily set your FTP site to allow non-SSL connections. (Plain old FTP.) Can you connect? That might answer the TLS question.

Use IISCrypto to analyze SSL/TLS.

https://www.nartac.com/

0 Votes 0 ·

Hi MotoX - Yes I added the welcome message as suggested and it was not presented. No trace entries labeled "Response".
I'll try the other suggestions; allow non-SSL and use IISCrypto, and see how we go.

Thanks

0 Votes 0 ·

I'd suggest running a network trace and seeing what happens with those response messages.

0 Votes 0 ·