LinuxQuestions.org
Old 03-12-2009, 11:19 AM   #1
mohitanchlia
Member
 
Registered: Aug 2008
Posts: 60

Rep: Reputation: 15
vsftpd - 425 failed to establish connection


I have been trying to debug this issue for a while now. What we see is that sometimes, only sometimes, ACTIVE ftp from a client gets "425 Failed to establish connection" from our vsftpd server. I turned on verbose logs and saw that when the vsftpd server is trying to connect back to the client, e.g. from port 20 -> 50502 on the client's machine, it just times out. I came across the following link:

http://kalamazoolinux.org/presentati...conntrack.html

Then I checked /etc/init.d/iptables status and it says the firewall is stopped. I did iptables -L and don't see any rules. Do you think it's worth adding ip_conntrack_ftp and some other things that the above URL is talking about for the tcp/ip connection?

I also ran a script that logs netstat output and it looks like it sends SYN_SENT and then is not able to ESTABLISH the connection. Earlier I thought that it could be a PORT issue on the client side, but sometimes the connection is successful on the same port that failed before, so I don't think it's a problem on the client's side. I was thinking that maybe adding ip_conntrack_ftp would be a good idea.
 
Old 03-13-2009, 06:36 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Short answer: yes.
It is also a good idea to prefer passive ftp in the client-side software.
 
Old 03-13-2009, 09:54 AM   #3
mohitanchlia
Member
 
Registered: Aug 2008
Posts: 60

Original Poster
Rep: Reputation: 15
After making the change this is how it looks. Is this ok?

Code:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
 
Old 03-13-2009, 11:19 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
ip_nat_ftp and ip_conntrack_ftp are kernel modules. You must load them:
Code:
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
"modinfo ip_conntrack_ftp" will show you the information about that module.
If you want to see if it is really loaded in the kernel, list the loaded modules with the "lsmod" command.

By the way, your iptables won't block anything, because the default policy is ACCEPT and there is no rule that blocks anything. So it will allow everything.

best regards.
 
Old 03-13-2009, 02:19 PM   #5
mohitanchlia
Member
 
Registered: Aug 2008
Posts: 60

Original Poster
Rep: Reputation: 15
Is it possible to give a quick description of what ip_nat_ftp does? I read about ip_conntrack_ftp that for active ftp sessions it keeps track of incoming acks and correlates with the correct connection.

Also, would you know why ftp would work most of the time and sometimes I would see the "425 failed to establish connection" error? And when I look at my netstat output from my script I see SYN_SENT but no ESTABLISH for that port.
 
Old 03-16-2009, 05:06 AM   #6
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Actually, these modules were written for firewalls, not ftp servers. It can be a client-side problem. Do you know if the client software uses passive mode?

Edit: Is your ftp server behind a firewall?
Best regards
 
Old 03-16-2009, 10:29 AM   #7
mohitanchlia
Member
 
Registered: Aug 2008
Posts: 60

Original Poster
Rep: Reputation: 15
Clients use Active connections. So you think that adding ip_conntrack_ftp will not help?
 
Old 03-17-2009, 05:43 PM   #8
mohitanchlia
Member
 
Registered: Aug 2008
Posts: 60

Original Poster
Rep: Reputation: 15
So I looked at the tcpdump and it looks like the SYN_SENT is sent but then there is no ACK back? When I look at the tcpdump, does that show me packets already processed by iptables, or is it before iptables even receives them?
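
The check described in this thread (a netstat log in which the server's port-20 data connection to the client sits in SYN_SENT) can be scripted as follows. This is an added example, not code posted by anyone in the thread; the netstat sample and its addresses are constructed, and the function names are hypothetical.

```python
# Constructed sample of `netstat -tn` output taken on the FTP server.
# Addresses come from documentation ranges, not from the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:21           198.51.100.7:41234      ESTABLISHED
tcp        0      1 192.0.2.10:20           198.51.100.7:50502      SYN_SENT
tcp        0      0 192.0.2.10:20           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:21           203.0.113.9:40000       ESTABLISHED
"""


def parse_port_arg(arg):
    """Decode the argument of an FTP PORT command, 'h1,h2,h3,h4,p1,p2'."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields: %r" % arg)
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range: %r" % arg)
    # The data port is sent as two bytes, high byte first.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def stalled_data_connections(netstat_text, data_port=20):
    """Return (client_ip, client_port) for server-initiated data
    connections (local port 20) that are still in SYN_SENT."""
    stalled = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote, state = cols[3], cols[4], cols[5]
        if state != "SYN_SENT" or local.rsplit(":", 1)[1] != str(data_port):
            continue
        ip, port = remote.rsplit(":", 1)
        stalled.append((ip, int(port)))
    return stalled


def port_command_stalled(port_arg, netstat_text):
    """True if the endpoint named in a PORT command has an unanswered SYN."""
    return parse_port_arg(port_arg) in stalled_data_connections(netstat_text)


if __name__ == "__main__":
    for ip, port in stalled_data_connections(SAMPLE_NETSTAT):
        print("no SYN/ACK yet from %s:%d" % (ip, port))
```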
 
All times are GMT -5. The time now is 04:26 AM.