[SLUG] Re: ftp problem

From: Ken Billings (lists@coffeehouseltd.com)
Date: Wed May 15 2002 - 08:43:36 EDT


Ok, I guess I'm a little confused then. Why would you suspect the win2k box
has anything to do with this problem? It's not in the connection path, and
really has no function in getting box A to connect to the ftp server. DNS
isn't an issue, as it seems to be resolving the ip fine; active directory
isn't even remotely related to this. The only normal function that box
could perform that _might_ affect this is a DHCP server, and only then if
it's supplying bogus routing information to the DHCP clients. Obviously
that's not the problem, since other protocols work fine, and you said you're
getting a successful TCP/IP three way handshake (the Connected to ...
message).

If you look at the big picture, you're basically having a problem connecting
to an ftp server on the external internet from your internal lan. Do you
have any trouble connecting to other ftp servers on the internet?

As far as packet sniffers go, ethereal is probably your best bet. It's
free, (what a concept!) works well, has decoders for a LOT of protocols, and
you can get versions for linux and windows. Win2k server also comes with a
slightly crippled version of Network Monitor, but I think ethereal is much
better all around. Make sure you look through the documentation first,
especially the capture and display filters section. www.ethereal.org

So far everything is still pointing to a firewall/ftp server configuration
issue. What ftp daemon are you running? Are you running any firewalling
software on the web server at all or is it naked(!) on the internet? The
fact that you can get a connection, but no login prompt seems very strange
to me. If it was an active/passive issue, you should be seeing a login
prompt at the very least. The linux box isn't configured to drop
connections based on IP address is it?

 -Ken

Gypsy writes:

>
>
> On Tue, 14 May 2002 13:48:19 -0400 Ken Billings <lists@coffeehouseltd.com> wrote:
>
>>Solving something like this is difficult without knowing the specifics of the situation. I'm assuming the box that was upgraded to win2k is the firewall, right?
>
> No, the firewall is a Linksys EtherFast Cable/DSL router. The Win2k box is our network server; it replaced a WinNT box.
>
>>What is the connection path to the web server from both of your client boxes (mainly I'm wondering if you have to go through the firewall from outside _and_ inside)?
>
> We have three different static IP addresses provided by our ISP. The first is for our web server which is outside our firewall. The second is the IP address that is assigned to the firewall. The last is assigned to our VPN server which is also outside our firewall.
>
>>You said the firewall is set up the
>>same, but what _are_ those settings?
>
> It is set up with a LAN IP address & subnet mask, the internet IP address, subnet mask, DNS servers provided by our ISP, has DHCP disabled and the ftp and telnet ports are forwarded to an internal linux server. The IP address that has these ports forwarded is not the same IP address as the web server. The IP address being forwarded is XXX.XXX.XXX.123 the IP address for the web server is XXX.XXX.XXX.122.
>
>>Is ftp the only protocol that shows a problem?
>
> No, telnet, pop3, and snmp are extremely slow when accessed internally, but they will connect.
>
>>Have you tried both active and passive mode ftp?
>
> No, haven't tried that yet.
>
>>Are you getting _any_ connection at all (TCP syn/ack handshaking, login prompt)?
>
> When using Win2k's ftp program it says it's connected to the IP address and then just sits there for a while and then gives the message "connection closed by remote host". I, unfortunately, don't have access to many diagnostic tools as my company does not see the benefit of purchasing them.
>
>>Almost the first thing I do in a situation like this is to fire up a packet sniffer on all of the boxes concerned. You should see the initial SYN packet leave your client box, hit both interfaces of the firewall, and show up on the webserver. The response packet should go through them all in reverse. If you see it disappear somewhere along the way, then that's where you should be looking.
>
> I hadn't thought of this. Could you recommend one for linux?
>
>>Usually ftp problems are firewall configuration issues, especially active ftp.
>
> That's what I thought, but the firewall hasn't been changed. The only thing that is different is our network server.
>
> Our LAN and web server are not connected in any way. They have always been independent of each other and it was not until we replaced the WinNT server with the Win2k server that we started to have problems.
>
> Thanks,
>
> KL
> --
> Imagination is the seed of intelligence. Nourish it and watch it grow.
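
An added example, not part of the original thread: a small Python probe that reports how far an FTP control connection gets, separating "TCP handshake failed" from "connected but no login banner" and "closed by remote host before the banner", the symptoms discussed above. The function name `probe_ftp_banner` and the stage labels are names chosen for this example.

```python
import socket
import sys


def probe_ftp_banner(host, port=21, timeout=10.0):
    """Return (stage, detail) for how far an FTP control connection gets.

    Stages (labels chosen for this example):
      tcp_failed           - the three-way handshake never completed
      connected_no_banner  - handshake OK, server sent nothing before the timeout
      closed_before_banner - handshake OK, remote end closed without a greeting
      banner               - a numeric reply line (normally 220) was received
      unexpected_data      - something other than an FTP reply arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or connect timeout
        return ("tcp_failed", str(exc))
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # Read until the first complete reply line; cap the read size.
            while b"\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:  # orderly close from the remote host
                    break
                data += chunk
        except socket.timeout:
            return ("connected_no_banner", "no data within %.1fs" % timeout)
        except OSError as exc:  # e.g. connection reset
            return ("closed_before_banner", str(exc))
    if not data:
        return ("closed_before_banner", "remote host closed the connection")
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if line[:3].isdigit():
        return ("banner", line)
    return ("unexpected_data", line)


if __name__ == "__main__":
    # Usage: python probe.py HOST [PORT]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(probe_ftp_banner(target, port))
```

Running it from both an internal client and an outside host against the same server shows which side of the firewall the greeting goes missing on.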