Cannot ftp to specific server from specific client
mikerayjones
04-06-2004, 11:50 AM
I have a problem that is driving me crazy... I'm hoping someone here can help! Here's the scenario:
We have a server on the internet running Win2k SP3 and IIS 5 behind a firewall. We can ftp to it from any client on our company network (also behind a firewall) except for the one that we need to sync our website from! On that machine (Win2k3) the ftp client reports "Connection Refused" or simply hangs (depending which client we try). We are using PASV mode. I can ping the host quite happily. The host does not have any IP exclusions set.
The same client can connect to many ftp sites, just not the important one!
Any tips or suggestions would be very gratefully received.
Thanks in advance
Mike.
Mntsnow
04-06-2004, 12:11 PM
Welcome to XtremePcCentral!
Try turning passive off.
Are both machines behind the same firewall? Are you connecting to a public IP or private IP of the ftp server? What FTP client are you using?
mikerayjones
04-06-2004, 12:44 PM
Hi, thanks for the quick reply.
It's just the same with passive off. The firewalls are different; the client is behind our company network's firewall & the host is behind a firewall provided by our ISP. As I mentioned, other clients on the company network connect successfully via ftp.
It's a public ip we're connecting to, and we've tried using a variety of ftp clients: the built-in dos client, FTP Voyager and WSFTP to name a few. None get as far as prompting for a username.
Thanks again
Mike.
Gouki
04-06-2004, 12:50 PM
If you're getting connection refused then you're not even connecting to the remote site. I would double check the simple stuff and make sure you have the information correct, i.e., make sure you've got the correct IP and port for the remote host.
Also, if you can ping the site then you're getting past the company's firewall and the ISP's firewall, so that isn't the issue. Is it possible that the IP of the client has been banned by the remote site? I know that some FTP Servers will ban an IP if they "hammer" a site for too long...and if other clients can connect to it just fine then I think that's a possibility.
mikerayjones
04-06-2004, 1:02 PM
Unfortunately we've double, triple and ten-times checked the simple stuff. No joy. The ip is definitely right and the port is standard 21.
No, there are no IP exclusions set. It's our own ftp server, on our own fully-managed windows box, and I have confirmed this - more than once today - via a terminal services session as administrator.
Thanks, though, for the suggestions - keep em coming!!
Mike.
Heh heh...just thought I'd ask. Gotta make sure the small stuff is out of the way. :D
Just re-read your initial post and confirmed that the client machine in question can FTP to other sites just fine...so that rules out the client machine being the problem. So it's gotta be something on the remote end. Or maybe (for some reason) the ISP's firewall is blocking it? Seems unlikely if other machines can get through just fine...something is blocking it from connecting to that remote site though.
mikerayjones
04-06-2004, 3:28 PM
Gouki, that sounds right to me. I'll recheck everything at the isp's end in the morning.
Thanks again
Mike.
Ya no problem...let us know what you find out. :)
Siliconjunkie
04-06-2004, 6:29 PM
Be careful with assuming that all is well if you can ping it. A true firewall could allow ICMP but block FTP. If you are going thru a real firewall, be sure to check your rules.
mikerayjones
04-08-2004, 7:08 AM
Well, no improvement unfortunately. The host sees all of our company workstations and servers as having the same IP address, of course... so it shouldn't be able to allow one yet deny another. I've rechecked firewalls at both ends - everything seems to be in order.
I'll just have to keep doing what I'm doing - which is to access shares from another server and do the ftp-ing from there. Thanks for all your suggestions.
Mike.
Siliconjunkie
04-08-2004, 8:15 AM
What client are you using? Try DOS and IE, one is active the other passive, one may work. Also, try a full client like WSFTP, sometimes they give better error messages.
Also, does the non working PC have something like zone-alarm on it maybe? What OS is it?
mikerayjones
04-08-2004, 10:54 AM
Yay! We finally got there. Turns out the firewall at our end was (wrongly) doing a NAT translation for that one server, so that an outgoing ftp session appeared to be from xxx.xxx.xxx.115 rather than xxx.xxx.xxx.114 like every other machine on our wan. So it failed to get past the firewall at the far end, which is locked down to only accept connections from xxx.xxx.xxx.114.
Weirdly (to me), this didn't show up when I checked the apparent IP by visiting http://checkip.dyndns.org/.
Thanks again to everyone who chipped in.
Mike.
Gouki
04-08-2004, 10:56 AM
Heh..good deal. Glad you got it figured out. :D
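The thread turns on the difference between a ping that succeeds and an FTP control connection that is refused or hangs. The following is an added example, not part of any post above: a small Python probe (the names `probe_ftp` and `demo` are hypothetical) that classifies what happens on TCP port 21, with a constructed local test server so it runs offline.

```python
import socket
import threading

def probe_ftp(host, port=21, timeout=3.0):
    """Classify the outcome of opening an FTP control connection.

    "banner"   - TCP connected and the server sent a reply line (e.g. 220)
    "refused"  - a reset came back: nothing listening, or a device rejected us
    "filtered" - no answer before the timeout: packets are silently dropped
    "silent"   - TCP connected but no banner arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "connection reset during connect"
    except socket.timeout:
        return "filtered", "connect timed out"
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            line = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            return "silent", "connected, no banner before timeout"
        except OSError as exc:
            return "silent", str(exc)
    return ("banner", line) if line else ("silent", "closed without banner")

def demo():
    """Probe a constructed local server while it listens, then after it stops."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"220 constructed test banner\r\n")
        conn.close()

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    while_open = probe_ftp("127.0.0.1", port)
    worker.join()
    srv.close()                          # port is now closed
    after_close = probe_ftp("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    print(demo())
```

Run against the real server from a client that works and from the one that does not: a different verdict from two machines on the same network points at something on the path treating that one host differently, as the NAT rule did here.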