There are four areas which are typically at the root of MOVEit DMZ FTP/SSL problems:
MOVEit DMZ FTPS Server Configuration
MOVEit DMZ IPSec Configuration
Firewall Configuration
Client Configuration
To diagnose FTPS problems, it is best to first try to duplicate the problem using a client (i.e. MOVEit Freely) installed on the MOVEit DMZ server itself. Doing so will eliminate both the "IPSec" policy and "the network". If no problems are observed when using a client locally, next try a client on the same segment (going through IPSec but not the firewall) and finally a client on an "external" segment (going through IPSec and the firewall).
CAUTION: Remember to uninstall any client used on the MOVEit DMZ host after you have completed troubleshooting to avoid unattended misuse.
Most Common Problems
The most common problems usually involve one of the following conditions:
"FTP Aware" firewalls (e.g. Checkpoints) interfering in the FTPS explicit mode handshake.
Improperly exported/imported certificates from existing servers.
Missing firewall rules for implicit mode FTPS or data ports.
Missing IPSec rules for implicit mode FTPS or data ports.
Clients configured to use active mode, or to use implicit mode on the wrong port.
Servers running without implicit mode enabled.
Servers running behind a NAT device without any configured NAT masks.
This document covers diagnosing and correcting these problems and more.
How to Troubleshoot
Always begin your troubleshooting routine using a copy of MOVEit Freely temporarily installed on the same machine as MOVEit DMZ. This step avoids complicating your troubleshooting task by avoiding firewalls, routers and other network devices which may or may not be the culprit.
Throughout this section, the phrases "local client" and "remote client" are used to indicate an "FTPS client installed on the MOVEit DMZ server" and an "FTPS client installed on another desktop," respectively.
Also, remember that you may need to take different actions to different devices to get any changes to take effect. For example:
You need to START and STOP the MOVEit DMZ FTP service after making changes through the MOVEit DMZ Configuration Utility.
You need to "Un-Assign" and then "Assign" altered IPSec policies.
You may need to refresh your firewall after making firewall changes.
You will probably need to close and reopen connections after making client changes.
Common Symptoms and Resolutions
Local client times out when connecting to localhost in EXPLICIT mode.
Check to see that the MOVEit DMZ FTP server is running correctly.
Open the Services control panel and see if MOVEit DMZ FTP is Started.
Open the MOVEit DMZ Config application and make sure the Explicit Port is set to 21.
Do a "netstat -a -n" from the command line and see that "Local Address=0.0.0.0:21" is in the "LISTENING" state.
Local client times out when connecting to localhost in IMPLICIT mode.
Check to see that the MOVEit DMZ FTP server is running correctly.
Open the Services control panel and see if MOVEit DMZ FTP is Started.
Open the MOVEit DMZ Config application and make sure the Implicit Port is set to 990.
Do a "netstat -a -n" from the command line and see that "Local Address=0.0.0.0:990" is in the "LISTENING" state.
Local client shows a "Handshake Failed" error while connecting.
Double check your client configuration:
You must access PORT 21 if using EXPLICIT mode.
You must access PORT 990 if using IMPLICIT mode.
If this certificate was exported from an existing secure server:
Check the FTP server log file. If you have a "not loaded" message near the top, you are probably using a certificate which was imported without its private key.
Perform the steps in the "Server Certificate Export/Import Instructions" as exactly as specified in the document.
If you are replacing an existing certificate or have installed multiple certificates:
Check the FTP server log file. If you have an "expired" message near the top, you are probably using the wrong certificate for FTP. (Pick the newest/most applicable certificate.)
Open the MOVEit DMZ Config application and reselect your certificate. (FTP Certs Tab)
START/STOP the MOVEit DMZ FTP service.
Local client shows a "530 Error Accessing 'http://myhost/machine.aspx'" or other strange authentication error after connecting.
Open the MOVEit DMZ Config application and make sure the following values are set as follows:
Machine URL: http://localhost/machine.aspx
Machine2 URL: http://localhost/machine.aspx
START/STOP the MOVEit DMZ FTP service.
If these values do not work, try these values instead:
HINT: You can usually use the MOVEit DMZ Check utility to find/fix this kind of problem, as it will affect ALL users equally!
Remote Client times out when connecting to MOVEitDMZ in EXPLICIT mode.
First check for the same "time out" problem using a Local Client.
Make sure TCP port 21 is open from AnyIP, AnyPort to MyIP on your firewall(s).
Make sure TCP port 21 is open from AnyIP, AnyPort to MOVEitDMZ on your firewall(s).
Remote Client times out when connecting to MOVEitDMZ in IMPLICIT mode.
First check for the same "time out" problem using a Local Client.
Make sure TCP port 990 is open from AnyIP, AnyPort to MyIP on your firewall(s).
Make sure TCP port 990 is open from AnyIP, AnyPort to MOVEitDMZ on your firewall(s).
Remote Client shows a "Handshake Failed" error while connecting in EXPLICIT mode.
First check for the same "handshake failed" problem using a Local Client.
If this problem does not occur when using a Local Client but occurs reliably when using a Remote Client, there is likely an "FTP aware" firewall in between the Remote Client and MOVEit DMZ. "FTP aware" firewalls work well with insecure FTP but commonly mangle the SSL "bootstrap" process of explicit mode secure FTP (the AUTH TLS exchange that happens in the clear on port 21 before encryption starts).
Use implicit mode instead.
Remote Client shows a "Handshake Failed" error while connecting in IMPLICIT mode.
First check for the same "handshake failed" problem using a Local Client.
Double check your client configuration: you must access PORT 990, not port 21.
Username/password which works when used from Local Client does not work from Remote Client.
Open the MOVEit DMZ web interface (sign on as an admin) and...
Double-check that user's Remote Access settings. (You may be using Custom settings or Default settings to allow or prevent access from certain IP addresses.)
Double-check that organization's Locked Out IP Address settings. (This IP address may have been locked out and may need to be reset.)
Remote Client gets "Passive Mode Required" error.
Enable "Passive" mode or "Firewall Friendly" mode on your FTPS client configuration.
Remote Client gets "Bad Certificate" error.
Configure your FTPS client to use the "normal" hostname of your MOVEitDMZ server (e.g. moveit.stdnet.com) rather than its IP address, since the certificate is issued to the hostname.
Upgrade your server certificate to a "production" certificate, or...
...install this certificate (and perhaps its parent CA) on the client PC.
Remote Clients get "Non-Trusted Certificate" error.
Configure your FTPS client to connect to the MOVEitDMZ server by HOSTNAME, not IP address.
Remote Client reports "Cannot Create Security Credentials" error while running under Windows 95 or 98.
Old versions of Windows 95 and 98 may not have the SSL/TLS support required to run FTPS clients. Microsoft ships a program which contains the necessary upgrades with Windows 2000 called dsclient.exe. (This file is also available from Ipswitch.) This package needs to be installed on the remote client desktop; a reboot is required.
Remote Client cannot transfer files and/or list the contents of folders after signing on successfully.
Discussion: File transfer and directory list operations make use of FTPS data connections. 95% of the time, problems related to file transfer and directory list operations are due to connectivity problems involving these data connections.
Check the client logs to see if the server is returning a "Passive Mode Required" message and take the appropriate action, if required.
Double-Check your MOVEit DMZ FTP Config:
Enable Require Passive Mode
Restrict Passive Ports on 3000 to 3003
Double-Check your IPSec Policy (FTP Rule Filters)
Allow TCP from AnyIP, AnyPort to MyIP, Ports 3000-3003
Double-Check your Firewall Rules
Allow TCP from AnyIP, AnyPort to MOVEitDMZ, Ports 3000-3003
Double-Check your Client Configuration
Enable Passive Transfer Mode (a.k.a. "Firewall Friendly")
Check the client logs and examine the contents of the "227 Entering Passive Mode (208,212,86,143,11,186)" message.
The FIRST FOUR numbers in the body of the message are the IP address to which the remote client is attempting to connect its data channels. (e.g. 208,212,86,143,... means that the client is trying to connect to 208.212.86.143)
If this IP address is DIFFERENT from the IP address the client normally connects to (e.g. 10.1.1.2), we are probably encountering a NAT problem. See FTP Server - Configuration of this manual for information on how to configure a NAT mask in the MOVEit DMZ Config application. (Use of NAT masks will allow your FTP server to send the correct "227" IP addresses to machines inside and outside your NAT boundaries.)
The LAST TWO numbers in the body of the message indicate the TCP port to which the remote client is attempting to connect its data channels. (e.g. "...11,186") To convert these digits into a meaningful port number, multiply the first number by 256 and add the second number. (e.g. (11 x 256) + 186 = Port 3002)
This port number should lie within the range of passive ports you configured on MOVEit DMZ FTP - if not, double check that the Restrict box has been checked next to this range in the MOVEit DMZ Config application.
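The two checks just described (NAT mismatch in the advertised IP, and a data port outside the restricted passive range) are easy to automate against a client log. The following is an added example written for this page, not MOVEit DMZ or MOVEit Freely code; the 227 lines, the control IP and the 3000-3003 range are constructed from the values quoted above.

```python
import re

# Matches the RFC 959 PASV reply format quoted in the text: (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply line."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    # First four numbers are the data-channel IP; port is (p1 x 256) + p2.
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def diagnose(reply, control_ip, passive_range=(3000, 3003)):
    """Compare the advertised data endpoint with what the client expects.

    control_ip    -- the address the client used for the control connection
    passive_range -- the 'Restrict Passive Ports' range set in MOVEit DMZ Config
    Returns a list of findings; an empty list means the 227 reply is consistent.
    """
    ip, port = parse_pasv(reply)
    findings = []
    if ip != control_ip:
        findings.append("NAT mismatch: data IP %s differs from control IP %s; "
                        "configure a NAT mask" % (ip, control_ip))
    lo, hi = passive_range
    if not lo <= port <= hi:
        findings.append("port %d outside restricted passive range %d-%d; "
                        "check the Restrict box" % (port, lo, hi))
    return findings


if __name__ == "__main__":
    # Constructed sample replies: one healthy, one showing a private address
    # leaking through NAT, one with a port outside the restricted range.
    samples = [
        "227 Entering Passive Mode (208,212,86,143,11,186)",
        "227 Entering Passive Mode (10,1,1,2,11,186)",
        "227 Entering Passive Mode (208,212,86,143,19,137)",
    ]
    for line in samples:
        print(line, "->", diagnose(line, "208.212.86.143") or ["OK"])
```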
Some remote clients, particularly command-line remote clients, correctly put the end user in his/her own home folder. However, other remote clients, particularly GUI remote clients, put the end user at the "root" folder instead.
Discussion: MOVEit DMZ FTP usually puts end users in their home directories whenever they connect. Unfortunately, it's up to the client to respect that setting, and many Windows clients automatically try to "cd" to the root (\) upon connection, regardless of where the FTP Server directed the client to start.
Configure GUI clients to respect your home directory, or...
Use MOVEit DMZ's user-level "CHROOT" setting to lock users to their home or default folder.
Common Errors in Debug Log
The following errors from the MOVEit DMZ FTP debug log usually point to specific configuration problems.
"530 Rejected--secure connection required" This indicates that an FTP client attempted to connect without using SSL when SSL was required.
"Connection security error: Failed to receive secure data. - SSL negotiation failed: Security handshake failed. - A client certificate is required." This indicates that an FTP/SSL client attempted to connect without a client certificate when the FTP server was configured to require a client certificate.
"Connection security error: Error 0x800b0109 (CERT_E_UNTRUSTEDROOT) returned by CertVerifyCertificateChainPolicy! - Connection security error: Error authenticating security credentials - SSL negotiation failed: Failed to verify the certificate trust." This indicates that an FTP/SSL client provided a client cert but the client cert did not chain up to a CA in the Microsoft Trusted Root Certificate Store.