4

I know there are lots of posts out there on this but I feel like I've tried everything. I've worked with my IT staff and we're all stumped. So here is all of the possibly useful information I can think of:

  • There was an FTP server in our datacenter with only a public IP.
  • I set up a new FTP server in AWS that had an internal IP on our network via Direct Connect and an EIP associated.
  • I configured it with the same version of PureFTPd (1.0.43) exactly the same except:
    • I added ForcePassiveIP PUBLIC_ELASTIC_IP
    • I changed the passive port range from 7000-50000 to 40000-50000
  • I copied the certificate from the old server to the new one
  • Then switched over the DNS

Here is where it gets weird:

  • I can connect to the FTP server from home or any other network outside of the office with no problem
  • I can connect with standard passive FTP over port 21 from inside the office
  • I cannot connect over FTPS (Explicit FTP over TLS), still over port 21, from inside the office
  • I can connect to our corporate VPN from inside the office then connect fine to the server using FTPS
  • I don't manage the VPN or firewall but I've been told the office and VPN share the same pool of public IPs for DHCP and are directed through the same firewall. They do have different internal IPs.

Here it is failing (it times out on the PBSZ 0 command and tries again):

[Screenshot: client log of the failing FTPS session]

And here it is working once on the VPN:

[Screenshot: client log of the working FTPS session over the VPN]

Any ideas?

Supergibbs
  • 153
  • 7
  • I don't think we use IPv6 but I'll ask around. Thanks for the debug mode tip, didn't know about that. Unfortunately it didn't give any new useful information. I've tried lots of clients, all have the same issue. – Supergibbs Oct 08 '16 at 00:42
  • Did you update internal DNS to point to the correct IP address of the "new" FTP server too; DNS switch internal and external both, correct? Do you need to configure security in the AWS to say from the Direct Connect (incoming from the internal data network) IP address, allow TCP port 20-21 inbound and outbound as well as TCP ports 40000-50000 to/from the IP address/interface of the AWS Direct Connect end point? How does it route differently from the internal connection to FTPS versus the external method, IP address, DNS only, etc. etc.? – Vomit IT - Chunky Mess Style Oct 08 '16 at 04:11
  • I see 54.68.18.247 in the logs that work coming from the outside, but you're not showing what you're connecting to from the inside to it IP address wise? Maybe you're connecting to [the old] another FTP server; confirm from the server logs too what you see on an unsuccessful login or to negotiate the TLS/SSL stuff. Make sure the AWS Direct Connect allows TCP ports 20 and 21 for data and control as well as the passive TCP port range of 40000-50000 inbound and outbound to and from the internal data network IP address endpoint, IP ranges, etc. Consider running Wireshark traces and compare. – Vomit IT - Chunky Mess Style Oct 08 '16 at 04:17
  • When connected to the VPN, the FTPS traffic out its interface likely works like the rest of the outside world to your server does from its perspective; same route as browsing the Internet... The data network and the routing to this site from the Direct Connect, internal DNS name or private IP address, etc. in that direction seems to be the problem..... Look here too... http://stackoverflow.com/questions/7052875/setting-up-ftp-on-amazon-cloud-server last comment, will clean them up later. – Vomit IT - Chunky Mess Style Oct 08 '16 at 04:31
  • I am connecting via a public dns name that resolves to an public IP regardless of where I am so I don't think it's using some internal networking... – Supergibbs Oct 18 '16 at 23:57

1 Answer

0

Did you check your corporate firewall? It could be blocking your user subnet/vlan/IPs but it allows you when you come through VPN (different subnet/vlan/IPs).

Algeriassic
  • 1,614
  • 10
  • 10
  • I'd agree except I can connect over plain FTP fine; it's only the FTPS that has issues and they use the same ports. – Supergibbs Oct 08 '16 at 00:40
  • They are using the same ports but, during session establishment, your firewall doesn't see the IP:port your FTPS is using for data transfer as it is being exchanged encrypted. – Algeriassic Oct 19 '16 at 21:22
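The point made in the answer and its last comment can be checked directly: with explicit FTPS the PASV reply that names the data port travels inside TLS, so a firewall's FTP helper cannot read it and open the port, while the same reply in plain FTP is visible. The script below is an added example (not from the question or answer); it parses a 227 PASV reply, checks it against the ForcePassiveIP and 40000-50000 range the question describes, and, when pointed at a real server, performs the AUTH TLS / PBSZ 0 / PROT P sequence and then probes whether the advertised data port is reachable. The host, credentials and the 54.68.18.247 sample address (taken from a comment above) are placeholders.

```python
import re
import socket
from ftplib import FTP_TLS

# Matches the (h1,h2,h3,h4,p1,p2) tuple in "227 Entering Passive Mode (...)".
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Turn a 227 PASV reply into (ip, port); port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, expected_ip, port_range=(40000, 50000)):
    """Does the advertised endpoint match ForcePassiveIP and the configured passive range?"""
    ip, port = parse_pasv(reply)
    if ip != expected_ip:
        return False, "server advertised %s, expected ForcePassiveIP %s" % (ip, expected_ip)
    lo, hi = port_range
    if not lo <= port <= hi:
        return False, "port %d is outside the passive range %d-%d" % (port, lo, hi)
    return True, "%s:%d" % (ip, port)


def probe_ftps_data_channel(host, user, password, expected_ip, timeout=10):
    """Explicit FTPS session: AUTH TLS, login, PBSZ 0 + PROT P, PASV, then a raw TCP
    probe of the data port. If the encrypted control channel works but the data port
    times out, the data path is what is blocked, which is exactly what a firewall
    that can no longer read the (now encrypted) PASV reply will cause."""
    ftps = FTP_TLS(host, timeout=timeout)
    ftps.login(user, password)   # ftplib sends AUTH TLS before USER/PASS
    ftps.prot_p()                 # sends PBSZ 0 and PROT P
    reply = ftps.sendcmd("PASV")  # this reply is inside TLS: invisible to a firewall ALG
    config_ok, detail = check_pasv(reply, expected_ip)
    ip, port = parse_pasv(reply)
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            data_ok = True
    except OSError:
        data_ok = False
    ftps.quit()
    return {"pasv": detail, "config_ok": config_ok, "data_port_reachable": data_ok}


if __name__ == "__main__":
    # Placeholder values; replace with the real server, account and elastic IP.
    print(probe_ftps_data_channel("ftp.example.com", "user", "password", "54.68.18.247"))
```

Run it once from the office network and once over the VPN: identical PASV output with `data_port_reachable` differing between the two confirms that the firewall, not the server configuration, is dropping the data connection.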