Azure Troubleshooting: Active FTP client cannot access a public FTP server
Scenario
An Active FTP client in Azure cannot access a public FTP server.
Symptoms
An Active FTP client on an Azure VM does not work when it accesses public FTP servers. The two scenarios below illustrate this:
- Azure VM Active FTP Client to an internal FTP server on a Private IP (Working)
- Azure VM Active FTP Client to a Public FTP server (Non-working)
Scenario 1
Azure VM Active FTP Client to an internal FTP server on a Private IP (Working)
In the analysis below, 10.4.0.10 is the FTP server and 10.4.0.4 is the FTP client.
Client Trace
5652 7:35:18 AM 8/29/2018 15.8079315 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '220 Microsoft FTP Service' {TCP:16, IPv4:15}
5653 7:35:18 AM 8/29/2018 15.8113846 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'OPTS UTF8 ON' {TCP:16, IPv4:15}
5654 7:35:18 AM 8/29/2018 15.8119267 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '200 OPTS UTF8 command successful - UTF8 encoding now ON.' {TCP:16, IPv4:15}
5739 7:35:24 AM 8/29/2018 21.0043544 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'USER anonymous' {TCP:16, IPv4:15}
5740 7:35:24 AM 8/29/2018 21.0116889 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '331 Anonymous access allowed, send identity (e-mail name) as password.' {TCP:16, IPv4:15}
5777 7:35:24 AM 8/29/2018 21.9511610 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'PASS ' {TCP:16, IPv4:15}
5778 7:35:24 AM 8/29/2018 21.9531281 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '230 User logged in.' {TCP:16, IPv4:15}
5820 7:35:26 AM 8/29/2018 23.8842803 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'PORT 10,4,0,4,194,119' {TCP:16, IPv4:15}
// It means that client is using 10.4.0.4 as IP and port will be (194*256)+119 which is equal to 49782.
5822 7:35:26 AM 8/29/2018 23.8855720 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '200 PORT command successful.' {TCP:16, IPv4:15}
5826 7:35:26 AM 8/29/2018 23.8903879 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782, 'LIST' {TCP:16, IPv4:15}
5827 7:35:26 AM 8/29/2018 23.8911353 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '125 Data connection already open; Transfer starting.' {TCP:16, IPv4:15}
5828 7:35:26 AM 8/29/2018 23.8912029 10.4.0.10 10.4.0.4 FTP FTP:Data Transfer To Client,DstPort = 49783,size = 452 bytes {TCP:26, IPv4:15}
5831 7:35:26 AM 8/29/2018 23.8912187 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '226 Transfer complete.' {TCP:16, IPv4:15}
Server Trace
135 7:35:18 AM 8/29/2018 11.2475846 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '220 Microsoft FTP Service' {TCP:17, IPv4:16}
136 7:35:18 AM 8/29/2018 11.2515345 svchost.exe 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'OPTS UTF8 ON' {TCP:17, IPv4:16}
137 7:35:18 AM 8/29/2018 11.2515828 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '200 OPTS UTF8 command successful - UTF8 encoding now ON.' {TCP:17, IPv4:16}
183 7:35:24 AM 8/29/2018 16.4445764 svchost.exe 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'USER anonymous' {TCP:17, IPv4:16}
184 7:35:24 AM 8/29/2018 16.4512790 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '331 Anonymous access allowed, send identity (e-mail name) as password.' {TCP:17, IPv4:16}
190 7:35:24 AM 8/29/2018 17.3912786 svchost.exe 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'PASS ' {TCP:17, IPv4:16}
191 7:35:24 AM 8/29/2018 17.3927657 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '230 User logged in.' {TCP:17, IPv4:16}
204 7:35:26 AM 8/29/2018 19.3248954 svchost.exe 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782,'PORT 10,4,0,4,194,119' {TCP:17, IPv4:16}
Frame: Number = 204, Captured Frame Length = 77, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0D-3A-4D-62-32],SourceAddress:[74-83-EF-40-8E-EF]
+ Ipv4: Src = 10.4.0.4, Dest = 10.4.0.10, Next Protocol = TCP, Packet ID = 30703, Total IP Length = 63
+ Tcp: Flags=...AP..., SrcPort=49782, DstPort=FTP control(21), PayloadLen=23, Seq=1339072427 - 1339072450, Ack=2619344830, Win=8014 (scale factor 0x0) = 8014
- Ftp: Request from Port 49782,'PORT 10,4,0,4,194,119'
Command: PORT, Data port
CommandParameter: 10,4,0,4,194,119
206 7:35:26 AM 8/29/2018 19.3251174 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '200 PORT command successful.' {TCP:17, IPv4:16}
209 7:35:26 AM 8/29/2018 19.3305505 svchost.exe 10.4.0.4 10.4.0.10 FTP FTP:Request from Port 49782, 'LIST' {TCP:17, IPv4:16}
210 7:35:26 AM 8/29/2018 19.3307801 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '125 Data connection already open; Transfer starting.' {TCP:17, IPv4:16}
211 7:35:26 AM 8/29/2018 19.3308010 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Data Transfer To Client,DstPort = 49783,size = 452 bytes {TCP:27, IPv4:16}
213 7:35:26 AM 8/29/2018 19.3309279 svchost.exe 10.4.0.10 10.4.0.4 FTP FTP:Response to Port 49782, '226 Transfer complete.' {TCP:17, IPv4:16}
Scenario 2
Azure VM Active FTP Client to a Public FTP server (Non-working)
Client trace
81 7:41:37 AM 8/29/2018 3.1214190 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '220 Microsoft FTP Service' {TCP:13, IPv4:12}
82 7:41:37 AM 8/29/2018 3.1279121 FTPCLIENT 137.117.91.58 FTP FTP:Request from Port 49828,'OPTS UTF8 ON' {TCP:13, IPv4:12}
83 7:41:37 AM 8/29/2018 3.1287496 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '200 OPTS UTF8 command successful - UTF8 encoding now ON.' {TCP:13, IPv4:12}
168 7:41:41 AM 8/29/2018 6.8755964 FTPCLIENT 137.117.91.58 FTP FTP:Request from Port 49828,'USER anonymous' {TCP:13, IPv4:12}
169 7:41:41 AM 8/29/2018 6.8766400 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '331 Anonymous access allowed, send identity (e-mail name) as password.' {TCP:13, IPv4:12}
184 7:41:42 AM 8/29/2018 7.5977630 FTPCLIENT 137.117.91.58 FTP FTP:Request from Port 49828,'PASS ' {TCP:13, IPv4:12}
185 7:41:42 AM 8/29/2018 7.5989318 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '230 User logged in.' {TCP:13, IPv4:12}
231 7:41:44 AM 8/29/2018 9.8514919 FTPCLIENT 137.117.91.58 FTP FTP:Request from Port 49828,'PORT 10,4,0,4,194,165' {TCP:13, IPv4:12}
// It means that client is using 10.4.0.4 as IP and port will be (194*256)+165 which is equal to 49829.
232 7:41:44 AM 8/29/2018 9.8519465 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '501 Server cannot accept argument.' {TCP:13, IPv4:12}
233 7:41:44 AM 8/29/2018 9.8589455 FTPCLIENT 137.117.91.58 FTP FTP:Request from Port 49828, 'LIST' {TCP:13, IPv4:12}
234 7:41:44 AM 8/29/2018 9.8598090 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '150 Opening ASCII mode data connection.' {TCP:13, IPv4:12}
235 7:41:44 AM 8/29/2018 9.8598090 137.117.91.58 FTPCLIENT FTP FTP:Response to Port 49828, '425 Cannot open data connection.' {TCP:13, IPv4:12}
Server trace
17 7:41:37 AM 8/29/2018 1.5014622 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '220 Microsoft FTP Service' {TCP:6, IPv4:5}
18 7:41:37 AM 8/29/2018 1.5086495 svchost.exe 40.76.55.3 10.4.0.10 FTP FTP:Request from Port 49828,'OPTS UTF8 ON' {TCP:6, IPv4:5}
19 7:41:37 AM 8/29/2018 1.5087257 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '200 OPTS UTF8 command successful - UTF8 encoding now ON.' {TCP:6, IPv4:5}
55 7:41:41 AM 8/29/2018 5.2562891 svchost.exe 40.76.55.3 10.4.0.10 FTP FTP:Request from Port 49828,'USER anonymous' {TCP:6, IPv4:5}
56 7:41:41 AM 8/29/2018 5.2563694 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '331 Anonymous access allowed, send identity (e-mail name) as password.' {TCP:6, IPv4:5}
59 7:41:42 AM 8/29/2018 5.9782492 svchost.exe 40.76.55.3 10.4.0.10 FTP FTP:Request from Port 49828,'PASS ' {TCP:6, IPv4:5}
60 7:41:42 AM 8/29/2018 5.9786165 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '230 User logged in.' {TCP:6, IPv4:5}
93 7:41:44 AM 8/29/2018 8.2319499 svchost.exe 40.76.55.3 10.4.0.10 FTP FTP:Request from Port 49828,'PORT 10,4,0,4,194,165' {TCP:6, IPv4:5}
Frame: Number = 93, Captured Frame Length = 77, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0D-3A-4D-62-32],SourceAddress:[12-34-56-78-9A-BC]
+ Ipv4: Src = 40.76.55.3, Dest = 10.4.0.10, Next Protocol = TCP, Packet ID = 10236, Total IP Length = 63
+ Tcp: Flags=...AP..., SrcPort=49828, DstPort=FTP control(21), PayloadLen=23, Seq=3303710432 - 3303710455, Ack=226272089, Win=8014 (scale factor 0x0) = 8014
- Ftp: Request from Port 49828,'PORT 10,4,0,4,194,165'
Command: PORT, Data port
CommandParameter: 10,4,0,4,194,165
94 7:41:44 AM 8/29/2018 8.2320384 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '501 Server cannot accept argument.' {TCP:6, IPv4:5}
95 7:41:44 AM 8/29/2018 8.2393523 svchost.exe 40.76.55.3 10.4.0.10 FTP FTP:Request from Port 49828, 'LIST' {TCP:6, IPv4:5}
96 7:41:44 AM 8/29/2018 8.2396166 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '150 Opening ASCII mode data connection.' {TCP:6, IPv4:5}
97 7:41:44 AM 8/29/2018 8.2396381 svchost.exe 10.4.0.10 40.76.55.3 FTP FTP:Response to Port 49828, '425 Cannot open data connection.' {TCP:6, IPv4:5}
As the traces above show, the PORT command fails with “501 Server cannot accept argument” when the site is accessed via its public IP address. The reason is that the source IP address of the packet conflicts with the IP address specified in the PORT command, which is not the case when the server is accessed via its private IP address or locally.
Solution
An Active FTP client on an Azure VM does not work when it accesses public FTP servers.
The reason is that the virtual machine itself (the guest OS) is not aware of its own public IP address.
The guest OS therefore puts its private IP address, instead of the public IP address of the VM, in the PORT command. When the packet reaches VFP, it is SNAT'd by the SLB layer, which changes the source address in the IP header but leaves the address inside the PORT command untouched (see frame 93).
The server rejects this request with 501 because the source IP address at layer 3 and the IP address in the PORT command are different.
The final solution for Scenario 2 (Azure VM Active FTP Client to a Public FTP server - Non-working) is to use a Passive FTP client.
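
The address comparison that separates the two scenarios can be reproduced offline from the traces. The following is an added example, not part of the original article: it reads the two PORT request lines from the server traces above (frames 204 and 93), decodes the advertised address and data port, and compares the address with the layer 3 source. The function names and result keys are assumptions made for this illustration.

```python
import ipaddress
import re

# Summary-line layout as in the server traces above:
# "<n> <time> <date> <offset> <process> <src> <dst> FTP FTP:Request from Port N,'PORT ...'"
PORT_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+FTP\s+"
    r"FTP:Request from Port \d+,\s*'PORT (?P<arg>[\d,]+)'"
)

# The two PORT frames from the server traces on this page (frames 204 and 93).
SCENARIO_1 = ("204 7:35:26 AM 8/29/2018 19.3248954 svchost.exe 10.4.0.4 10.4.0.10 "
              "FTP FTP:Request from Port 49782,'PORT 10,4,0,4,194,119' {TCP:17, IPv4:16}")
SCENARIO_2 = ("93 7:41:44 AM 8/29/2018 8.2319499 svchost.exe 40.76.55.3 10.4.0.10 "
              "FTP FTP:Request from Port 49828,'PORT 10,4,0,4,194,165' {TCP:6, IPv4:5}")


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, data_port)."""
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    octets = [int(f) for f in fields]
    address = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return address, octets[4] * 256 + octets[5]


def check_port_line(line):
    """Compare the layer 3 source of a PORT request with the address it advertises."""
    match = PORT_LINE.search(line)
    if match is None:
        return None  # not a PORT request line
    observed = ipaddress.IPv4Address(match["src"])
    advertised, data_port = parse_port_argument(match["arg"])
    mismatch = observed != advertised
    return {
        "observed_source": str(observed),
        "advertised": str(advertised),
        "data_port": data_port,
        "mismatch": mismatch,
        # Private address advertised from a different source: NAT on the path.
        "behind_nat": mismatch and advertised.is_private,
    }


if __name__ == "__main__":
    for name, line in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(name, check_port_line(line))
```

A mismatch with a private advertised address is the signature of Scenario 2, and it is the case where switching the client to Passive FTP applies.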