The problem is with an Amazon EC2 instance "Red Hat Enterprise Linux Server 7.0 (Maipo)" (kernel 3.10.0-123.6.3.el7.x86_64).

When attempting to RETR a remote file, the FTP client hangs indefinitely. I have no control over the remote server.

All incoming/outgoing ports are open in Amazon security groups.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables modules list:

$ sudo lsmod
Module                  Size  Used by
nfnetlink_queue        18197  0
nfnetlink_log          17926  0
nfnetlink              14606  2 nfnetlink_log,nfnetlink_queue
bluetooth             372662  0
rfkill                 26536  1 bluetooth
isofs                  39842  0
nf_nat_ftp             12770  0
nf_conntrack_ftp       18638  1 nf_nat_ftp
nf_nat                 21798  1 nf_nat_ftp
nf_conntrack          101024  3 nf_nat_ftp,nf_nat,nf_conntrack_ftp
iptable_filter         12810  0
ip_tables              27239  1 iptable_filter
ext4                  528957  1
mbcache                14958  1 ext4
jbd2                   98341  1 ext4
crct10dif_pclmul       14289  0
crct10dif_common       12595  1 crct10dif_pclmul
crc32_pclmul           13113  0
ghash_clmulni_intel    13259  0
aesni_intel            55624  0
lrw                    13286  1 aesni_intel
gf128mul               14951  1 lrw
glue_helper            13990  1 aesni_intel
ablk_helper            13597  1 aesni_intel
cryptd                 20359  3 ghash_clmulni_intel,aesni_intel,ablk_helper
i2c_piix4              22106  0
serio_raw              13462  0
pcspkr                 12718  0
i2c_core               40325  1 i2c_piix4
mperf                  12667  0
xen_netfront           26679  0
xfs                   914152  1
libcrc32c              12644  1 xfs
ata_generic            12910  0
pata_acpi              13038  0
xen_blkfront           26864  3
ata_piix               35038  0
crc32c_intel           22079  1
libata                219478  3 pata_acpi,ata_generic,ata_piix
floppy                 69417  0

I am able to retrieve a file from a remote FTP server that I own:

sudo ftp -v -d  *.*.*.227
Connected to *.*.*.227 (*.*.*.227).
220-FileZilla Server version 0.9.47 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (*.*.*.227:root): nick
---> USER nick
331 Password required for nick
Password:
---> PASS XXXX
230 Logged on
---> SYST
215 UNIX emulated by FileZilla
Remote system type is UNIX.
ftp> ls
---> PASV
227 Entering Passive Mode (*,*,*,227,226,210)
---> LIST
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp              0 Sep 22 15:36 outgoing
-r--r--r-- 1 ftp ftp             12 Sep 22 15:22 test.txt
226 Successfully transferred "/"
ftp> get test.txt
local: test.txt remote: test.txt
---> PASV
227 Entering Passive Mode (*,*,*,227,226,211)
---> RETR test.txt
150 Opening data channel for file download from server of "/test.txt"
226 Successfully transferred "/test.txt"
12 bytes received in 0.00503 secs (2.39 Kbytes/sec)

However, when I try to do the same thing for another server that I do not own, the client hangs indefinitely after issuing the get command.

sudo ftp -v -d ftp.********.com
Connected to ftp.********.com (*.*.*.122).
220 ***** FTP Server.  All transfers are logged.
Name (ftp.********.com:root): ****uv9
---> USER ****uv9
331 User name okay, need password for ****uv9.
Password:
---> PASS XXXX
230 User ****uv9 logged in from *.*.*.248
---> SYST
215 UNIX Type: Apache FtpServer
Remote system type is UNIX.
ftp> ls
---> PASV
227 Entering Passive Mode (*,*,*,122,168,54)
---> LIST
150 File status okay; about to open data connection.
drwx------   3 user group            0 Dec 29  2011 files
226 Closing data connection.
ftp> cd files/data
---> CWD files/data
250 Directory changed to /files/data
ftp> ls
---> PASV
227 Entering Passive Mode (*,*,*,122,168,58)
---> LIST
150 File status okay; about to open data connection.
drwx------   3 user group            0 Sep 22 13:50 usr942
226 Closing data connection.
ftp> cd usr942
---> CWD usr942
250 Directory changed to /files/data/usr942
ftp> ls
---> PASV
227 Entering Passive Mode (*,*,*,122,168,95)
---> LIST
150 File status okay; about to open data connection.
-rw-------   1 user group      7700460 Sep 22 13:50 5492542.txt
226 Closing data connection.
ftp> get 5492542.txtf
local: 5492542.txtf remote: 5492542.txtf
---> PASV
227 Entering Passive Mode (*,*,*,122,168,104)
---> RETR 5492542.txtf
550 /files/data/usr942/5492542.txtf: No such file or directory.
ftp> get 5492542.txt
local: 5492542.txt remote: 5492542.txt
---> PASV
227 Entering Passive Mode (*,*,*,122,168,105)
---> RETR 5492542.txt
150 File status okay; about to open data connection.

That's it. It will hang until the timeout kicks in.

Here's some tcpdump from port 21:

17:25:44.327012 IP ip-*-*-*-39.us-west-1.compute.internal.48091 > ftp.******.com.ftp: Flags [P.], seq 169:212, ack 1239, win 18760, length 43
17:25:44.331344 IP ftp.******.com.ftp > ip-*-*-*-39.us-west-1.compute.internal.48091: Flags [P.], seq 1239:1293, ack 212, win 1522, length 54
17:25:44.371203 IP ip-*-*-*-39.us-west-1.compute.internal.48091 > ftp.******.com.ftp: Flags [.], ack 1293, win 18760, length 0
17:29:35.522664 IP ftp.******.com.ftp > ip-*-*-*-39.us-west-1.compute.internal.48091: Flags [R.], seq 1293, ack 212, win 9300, length 0

And here's some tcpdump from port 48091:

17:25:44.323187 IP ip-*-*-*-39.us-west-1.compute.internal.48091 > ftp.******.com.ftp: Flags [.], ack 722, win 18760, length 0
17:25:44.327012 IP ip-*-*-*-39.us-west-1.compute.internal.48091 > ftp.******.com.ftp: Flags [P.], seq 133:176, ack 722, win 18760, length 43
17:25:44.331344 IP ftp.******.com.ftp > ip-*-*-*-39.us-west-1.compute.internal.48091: Flags [P.], seq 722:776, ack 176, win 1522, length 54
17:25:44.371203 IP ip-*-*-*-39.us-west-1.compute.internal.48091 > ftp.******.com.ftp: Flags [.], ack 776, win 18760, length 0
17:29:35.522664 IP ftp.******.com.ftp > ip-*-*-*-39.us-west-1.compute.internal.48091: Flags [R.], seq 776, ack 176, win 9300, length 0

I have been trying to solve this for 2 days to no avail.

UPDATE

I have noticed when I ping the host, I am getting alternating results.

PING ftp.********.com (*.*.*.122) 56(84) bytes of data.
64 bytes from ftp.********.com (*.*.*.122): icmp_seq=1 ttl=246 time=4.30 ms
64 bytes from b2b.********.com (*.*.*.122): icmp_seq=2 ttl=246 time=4.21 ms
64 bytes from ftp.********.com (*.*.*.122): icmp_seq=3 ttl=246 time=4.48 ms
64 bytes from b2b.********.com (*.*.*.122): icmp_seq=4 ttl=246 time=4.29 ms
64 bytes from ftp.********.com (*.*.*.122): icmp_seq=5 ttl=246 time=4.46 ms
64 bytes from b2b.********.com (*.*.*.122): icmp_seq=6 ttl=246 time=4.42 ms
user2914191
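
Added example, not part of the original question: in passive mode the data connection goes to a separate port that the server announces in each 227 reply (the last two numbers, p1*256 + p2), so a capture on port 21 or on the control connection's client port does not show it. This Python sketch reads an `ftp -d` transcript, pairs each 227 reply with the transfer that used it, and builds a tcpdump filter for the transfer that never completed; the function names are hypothetical and the sample is the tail of the transcript above.

```python
import re

PASV_RE = re.compile(r"227 .*\(([^)]*)\)")            # 227 ... (h1,h2,h3,h4,p1,p2)
CMD_RE = re.compile(r"---> ((?:LIST|NLST|RETR|STOR)\b.*)")
REPLY_RE = re.compile(r"([1-5]\d\d)[ -]")

def pasv_endpoint(line):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 6:
        raise ValueError("malformed 227 reply: %r" % line)
    p1, p2 = int(fields[4]), int(fields[5])           # host octets may be masked as '*'
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("port octet out of range: %r" % line)
    return ".".join(fields[:4]), p1 * 256 + p2

def transfers(transcript):
    """Pair each 227 reply with the command that used it and that command's outcome."""
    found, endpoint, current = [], None, None
    for line in map(str.strip, transcript.splitlines()):
        ep = pasv_endpoint(line)
        cmd, reply = CMD_RE.match(line), REPLY_RE.match(line)
        if ep:
            endpoint = ep
        elif cmd and endpoint:
            current = {"cmd": cmd.group(1), "host": endpoint[0],
                       "port": endpoint[1], "status": "no reply"}
            found.append(current)
            endpoint = None
        elif reply and current:
            code = int(reply.group(1))
            if code < 200:
                current["status"] = "pending"         # 1xx: announced, not finished
            else:
                current["status"] = "complete" if code < 300 else "refused"
                current = None
    return found

def capture_filter(t):
    """tcpdump filter for one data connection; host is left out when masked in the log."""
    port = "tcp port %d" % t["port"]
    return port if "*" in t["host"] else "host %s and %s" % (t["host"], port)

# Sample input: the last two transfers from the transcript in the question.
SAMPLE = """---> PASV\n227 Entering Passive Mode (*,*,*,122,168,104)
---> RETR 5492542.txtf\n550 /files/data/usr942/5492542.txtf: No such file or directory.
---> PASV\n227 Entering Passive Mode (*,*,*,122,168,105)
---> RETR 5492542.txt\n150 File status okay; about to open data connection."""

if __name__ == "__main__":
    for t in transfers(SAMPLE):
        print(t["cmd"], t["status"], "->", capture_filter(t))
```

A transfer left in the `pending` state is one where the server sent 150 but no final reply followed; the printed filter is what to pass to tcpdump while repeating that transfer.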