425 Can't Open Data Connection

This error appears when trying to FTP to a server using an Internet browser.

Assuming you are using:

  • Windows Server 2008
  • IIS 6 (By default)



Problems:

When connecting to an FTP server using an Internet browser, FTP passive mode is used. Check out here for details.

Usually it is due to the firewall.

To double confirm this, you can actually perform packet sniffing to see what is happening from the client side.

You can make use of Wireshark.



The following demonstrates a situation where passive mode is successful.



Check out here to figure out how to derive the port number from the syntax of (192,168,1,98,193,148).
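The port derivation referred to above, as an added example that is not part of the original post: the last two fields of the PASV tuple are the high and low bytes of the data port, so (192,168,1,98,193,148) means port 193 × 256 + 148 = 49556. The sample replies and the allowed inbound range in the code are constructed for illustration.

```python
import re

# Matches the h1,h2,h3,h4,p1,p2 tuple inside a "227 Entering Passive Mode (...)" reply.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # every field is a single byte
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte first, then low byte
    return host, port


def port_allowed(port, ranges):
    """True if port falls inside one of the inclusive (low, high) inbound ranges."""
    return any(low <= port <= high for low, high in ranges)


def audit(replies, ranges):
    """Classify each control-channel reply as 'open', 'blocked' or 'invalid'."""
    results = []
    for reply in replies:
        parsed = parse_pasv(reply)
        if parsed is None:
            results.append((reply, None, "invalid"))
        else:
            verdict = "open" if port_allowed(parsed[1], ranges) else "blocked"
            results.append((reply, parsed[1], verdict))
    return results


# Constructed sample replies; the first uses the tuple quoted on this page.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,98,193,148).",
    "227 Entering Passive Mode (192,168,1,98,234,100).",
    "227 Entering Passive Mode (192,168,1,98,300,1).",
]
# Assumed inbound firewall rule (inclusive range), for illustration only.
ALLOWED_RANGES = [(60000, 60999)]

if __name__ == "__main__":
    for reply, port, verdict in audit(SAMPLE_REPLIES, ALLOWED_RANGES):
        print(f"{verdict:8} port={port} {reply}")
```

A "blocked" verdict means the server advertised a data port that the inbound rule does not cover, which is the condition that produces the 425 error while port 21 still works.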

The case below demonstrates a firewall problem: even though port 21 (the control port) is open, the dynamic port for FTP passive mode is not opened through the firewall.

To double confirm this, turn off the firewall at the server side and try to perform FTP again.

Solution:

Assuming you are using Windows Firewall in Windows Server 2008.

By default, all outbound ports are open.



So, the problem is actually the inbound port. By default, port 21 is already open in the firewall. But this is not enough, because in passive mode the client communicates with the server via a dynamic port.

Check out the sniffing screen shots above.

Thus, you need to enable dynamic ports for FTP connections in the firewall. But Windows Firewall doesn't have an option to let you configure inbound dynamic ports for the FTP service.

It also doesn't allow you to configure a range of ports.

The solution is defined here or here, which is:

  1. Define a limited range of dynamic ports for FTP passive mode.
  2. Then add this limited range of ports in the inbound list for Windows Firewall.

Follow the instructions, but do remember the following:
  • Run the command prompt as administrator
  • Define the ports with bigger numbers. The port range I defined was 49000-49999 60000-60999 (check out here)
  • Remember to restart your server, because restarting the FTP service is not enough.


This is what I typed at the command prompt.

To define a range of ports for FTP passive mode:



and to open the range of ports in Windows Firewall (without having to key them in one by one):



This works!

If you check out Windows Firewall...



Also, you may want to set up port forwarding on your router.

Comments

ThePlague said…
Hi, I tried that on my server and it still didn't work, here's my log in case you can help me, thank you.

Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xx,xx,192,44).
Command: LIST
Response: 425 Can’t open data connection.
Error: Failed to retrieve directory listing