Full Version: RRAS and Passive FTP
zubald
We have RRAS on a number of Win2k3 servers, all using MS FTP. For FTP we have opened ports 20 and 21 in RRAS.

On most servers, passive mode FTP to the server works seamlessly. I assume RRAS knows to open the random high port outbound.

On a few servers, despite checking settings till I'm blue in the face, passive mode FTP does not work. So far, on two of these servers, a system crash and reboot has somehow magically resulted in passive mode FTP starting to work properly!

I've tried rebooting recalcitrant servers, restarting RRAS, editing RRAS settings and more. No change.

Anyone come across this at all and found the cause? Google has turned up nothing.
UncleCJ
I had a similar problem and tracked it down to a disabled ALG.EXE.

From Microsoft http://support.microsoft.com/default.aspx?...kb;en-us;832017:

QUOTE
Application Layer Gateway Service
This subcomponent of the Internet Connection Sharing (ICS)/Internet Connection Firewall (ICF) service provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet Connection Sharing. Application Layer Gateway (ALG) plug-ins can open ports and change data (such as ports and IP addresses) that are embedded in packets. File Transfer Protocol (FTP) is the only network protocol with a plug-in that is included with Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. The ALG FTP plug-in is designed to support active FTP sessions through the network address translation (NAT) engine that these components use. The ALG FTP plug-in supports these sessions by redirecting all traffic that passes through the NAT and that is destined for port 21 to a private listening port in the range of 3000 to 5000 on the loopback adapter. The ALG FTP plug-in then monitors and updates FTP control channel traffic so that the FTP plug-in can forward port mappings through the NAT for the FTP data channels. The FTP plug-in also updates ports in the FTP control channel stream.

Hope this helps.
zubald
Thanks for the feedback, but I think there's some misunderstanding. I'm not using ICF (which is not compatible with multiple IPs) but the RRAS firewall, so as far as I'm aware ALG is not involved.

I did check and the ALG service is running on servers which do and don't display the problem, so it doesn't seem related.

Or have I misunderstood something?
UncleCJ
I'm fairly certain alg.exe is used by RRAS as well as ICF.

I use RRAS myself and when I monitor ports while doing passive FTP transfers, I can clearly see alg.exe opening and handling the necessary ports for it.
zubald
I think you're right! I tried stopping ALG on a server (running RRAS) on which passive FTP was working OK, and FTP stopped working. Actually I had to reboot the server to restore FTP, so anyone else reading this, don't stop ALG unless you really need to!

The one remaining server with a passive FTP problem is currently inaccessible so I can't test just now, but I will definitely check this out. Thanks!
zubald
Ok, I got onto the offending server and tried stopping ALG -- no effect on FTP. Rebooted, re-checked RRAS, no change. After a reboot ALG.exe is running again (it's in the task list) but still no passive FTP.

Is the FTP plug-in something separate that has to be enabled or installed? What did you do to get it working?
UncleCJ
You could try using Active Ports. It was helpful in figuring out my problem, maybe it will be for you also.

When I run Active Ports with no current ftp connections, it shows a single instance of alg.exe listening on local 127.0.0.1.

When I connect to the FTP server, Active Ports shows 3 instances of alg.exe:
- listening on local 127.0.0.1 / random high port #
- established on local 127.0.0.1 / random high port #, to the remote client ip / random high port #
- established on local FTP server IP / random high port #, to the same local FTP server IP / port 21

And when I start transferring files, Active Ports shows more instances of alg.exe:
- established on local FTP server IP / random high port #, to the same local FTP server IP / port 21

You could also try disabling RRAS entirely and reinstalling/reconfiguring it, perhaps some component or registry entry got lost somewhere. Just some ideas...

Good luck.
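
Added example, not part of the original thread: the Microsoft text quoted above says the ALG plug-in tracks and updates the addresses and ports embedded in the FTP control channel, and this Python sketch parses the `227` passive-mode replies from a client-side control log (RFC 959 format) to show which data port was advertised and whether the embedded address matches the address the client dialed. The function names, status labels and sample lines are constructed for illustration, and treating an address mismatch as a sign that the NAT/ALG did not rewrite the reply is this example's assumption, not something the thread established.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}(?:,\d{1,3}){5})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (IPv4Address, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    # Data port is p1*256 + p2; this is the port the firewall must let through.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]

def audit_control_log(lines, dialed_ip):
    """Classify every 227 reply in a client-side control-channel log."""
    dialed = ipaddress.IPv4Address(dialed_ip)
    findings = []
    for line in lines:
        if not line.startswith("227"):
            continue
        parsed = parse_pasv(line)
        if parsed is None:
            findings.append(("malformed", None, None))
            continue
        ip, port = parsed
        if ip == dialed:
            status = "ok"
        elif any(ip in net for net in RFC1918):
            status = "private-address-leaked"  # assumption: payload not rewritten
        else:
            status = "address-mismatch"
        findings.append((status, str(ip), port))
    return findings

# Constructed sample log lines (documentation addresses, not from the thread)
SAMPLE = [
    "220 Microsoft FTP Service",
    "227 Entering Passive Mode (203,0,113,10,12,34)",
    "227 Entering Passive Mode (192,168,1,20,195,80)",
    "227 Entering Passive Mode (203,0,113,10,999,1)",
]

if __name__ == "__main__":
    for finding in audit_control_log(SAMPLE, "203.0.113.10"):
        print(finding)
```

Feeding it the control-channel output from a working and a non-working server side by side makes it easy to compare the advertised endpoint with what a port monitor shows alg.exe handling.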